Andrew “Andy” Abbinanti, Corporate Vice President – Head of Third-Party Lifecycle Management & Controls at New York Life Insurance Company, holds a CTPRP and leads a team of many CTPRP holders. With foundational knowledge in third-party risk management, Abbinanti’s team has been able to optimize tools, processes, and people to drive a highly effective risk management program. Focused on broadening its perspective on risk, New York Life has pioneered a Supplier Management Working Group with dedicated vendor management teams representing business units across the company. For this capable team of CTPRP holders, it’s not about the title or passing the test – it’s about embodying a “learn it to use it” approach to third-party risk management.
What is your role in addressing third-party risk management (TPRM)?
Andy Abbinanti: I started in New York Life’s technology department integrating vendors into our ecosystem. Three years ago, I came to risk management, where I oversee our inventory of third-party services and associated inherent risks. Using a risk-based approach, we then perform control assessments of top-tier and critical vendors, partnering with our team of Information Security and Business Resiliency assessors.
My team delivers a comprehensive report which complements the controlled assessment with centralized assessments we perform around the financial condition and brand reputation. In my interactions with the business, I think “How do we support that from our perspective? Where do we plug in, where do we eliminate redundancies but also make sure we’re adding value?” We package everything, walk through the assessment process, create the report, and if there are remediation actions to follow up on, we turn it over to our issues management process.
How mature is your TPRM program?
Andy Abbinanti: We have been maturing our TPRM program and are currently in “stabilization mode,” making our tools, people, and processes work more effectively. We are focused on broadening our perspective beyond risk elements as we put more rigor behind managing the vendor lifecycle and establishing performance indicators and KRIs. We gauge how well we manage the lifecycle from onboarding to offboarding, an often neglected but key functional area in many companies.
What do you view as the greatest challenge you are facing in TPRM?
Andy Abbinanti: Across industries, the last two years have exposed the potential for subcontractor risk. As an example, when India was hard hit by the pandemic, risk management teams had to ask which of their third parties were heavily subcontracted in India. These answers typically require some amount of digging.
How has the CTPRP helped you in your current role?
Andy Abbinanti: The CTPRP gave me instant credibility. We were bringing in many external partners as we created our program. As we built out processes, I could challenge what didn’t seem right. I would say, “What is the industry doing? We can’t be an anomaly. We can’t go out and ask for things that aren’t common because we aren’t going to get responses. We need to be consistent and know how things are being done.”
I tell members of my team that the CTPRP certification is not just an academic exercise. The terminology and methodology you learn are put into practice. There’s credibility from getting the certification – but it’s about being able to map what you learn to a consistent, conventional way of managing risk.
Has having your CTPRP helped you grow professionally?
Andy Abbinanti: The CTPRP gave me a foundational core of third-party risk management knowledge that I was very confident in expanding and running a risk management program on. Our assessment program is based on the SIG Lite, a standard approach that is easy for us to communicate.
Do you have advice for risk management newcomers taking the CTPRP?
Andy Abbinanti: Different backgrounds, skillsets, and cultures come together on our (and any) risk management team. Most of our team has the CTPRP. When someone joins our team, I recommend that person first spend six months learning our culture and approach. Only then do I recommend taking the CTPRP course.
When you take the CTPRP with context, you can tie it back to something you know. It makes the abstract more meaningful. I can combine someone’s skillset with our methodology in inherent risk and give them some time to learn about the company. And finally, with the CTPRP, I can show this person how what we are doing fits into the greater industry.
Who could benefit from taking the CTPRP outside of the typical TPRM paradigm?
Andy Abbinanti: We aim to set a standard across our company for how business unit vendor management teams are operating and supporting contract management, commercials, performance measurements, SLAs, etc. We have established a “Supplier Management Working Group” composed of dedicated vendor management teams from within business units across our company. Risk is the foundation of this effort, so I have encouraged people in those groups to consider taking the CTPRP. The more ambassadors of risk management we have at every level of the organization, the better.
What advice would you have for someone who is considering taking the CTPRP?
Andy Abbinanti: Learn to learn! I did not take the CTPRP because I wanted to “make the grade.” I learned it because I wanted to apply the CTPRP in my work. It’s not the letters after your name, it’s not passing an exam to appease your boss. Learn it so you can use it!