The course begins with a study of the Business Value of a 3rd Party Risk Management Program, an area that is frequently overlooked by senior executives and lost in the frenzy of managing vendors. Perceived as a necessary evil and a checklist to satisfy examiners and auditors, the purpose of the program is to drive both tangible and intangible value throughout the framework, operating model and each stage of the lifecycle in support of strategic objectives.
The Level lll course then goes on to addresses the following:
- RFP Framework
- Concentration Risk
- 3rd Party Cybersecurity
- GDPR as it applies to 3rd party risk management
Who Should Attend
This course is beneficial for credit union professional who manage 3rd party relationships, including Compliance, Senior Executives, 3rd Party Program Managers, Risk Officers, Procurement Staff, Governance Analysts and Auditors.
Topics
Chapter 1 – The Business Value of a 3rd Party Risk Management Program
This picks up where CRVPM ll left off and dives into the 3rd party risk management program framework and each stage of its lifecycle, demonstrating the business value that should be driven from it. If you’re trying to build a business case for further investment in your program or need to better understand whether you’re on track to attain the goals you hoped to achieve through outsourcing, this will help you identify and articulate the value proposition of a sound program.
Chapter 2 – Formalizing the RFP Process and Creating Transparency and Fairness
All too often there is confusion as to the difference between an RFI (Request for Information) and an RFP (Request for Proposal) and when to use them. Many RFP’s are confusing, too broad, don’t differentiate between needs and wants, and are written to the strengths of one particular vendor. This ultimately results in a less than ideal proposed solution and the client (you) turns out being the loser. This chapter dives into the RFP process and covers the following:
- Gathering business requirements
- Constraining the Boundaries of the RFP
- Involving stakeholders
- Assembling the correct RFP team
- Creating transparency throughout the process
- Evaluating responses for a fair apples-to-apples comparison
Chapter 3 – Concentration Risk
Concentration Risk has been a formal regulatory issue but has only recently been a topic of examiner focus. Having all of your eggs in one vendor’s basket is never a good thing due to the huge impact it has on business resilience. However, there are many other facets of concentration risk to be concerned about as shown below.
- Systemic
- Vendor-based
- Service-based
- Geographic
- 4th Party
- Economic
- Sector-based
- Reverse Concentration Risk
- Socio-Political
Attempting to tackle the many facets of concentration risk is difficult without a framework and a set of business rules to flag concentration risk outside of the institution’s tolerances. This chapter dives into the types of concentration risk, vulnerabilities, mitigating controls and the development of a Unified Concentration Risk Framework (UCRF).
Chapter 4 – 3rd Party Cybersecurity
A hot topic everywhere that everyone should be concerned about! Are your vendors as prepared as you are? Within this chapter we discuss:
- Cyber Security Landscape
- Why we should worry
- Cyber Security vs Cyber Resilience vs Cyber Risk
- Mitigating controls (physical, technical, administrative, contractual)
- Approach to a 3rd Party Cyber Security Risk Assessment
Chapter 5 – GDPR
The General Data Protection Regulation (GDPR) has been a highly visible topic given today’s global economy, data theft, and numerous standards for data privacy and protection. With the standardization of the General Data Protection Regulation throughput the European Union, this chapter dives into the Articles pertaining to Vendor Management, key elements, terms, basic principles, regulatory expectations and whether you should even be concerned about it based upon your business model and customer base.
About the presenter: Compliance Education Institute LLC
Mick Kless is the founder and CEO of RISC Associates, a regulatory compliance consultancy and compliance automation tools developer, and Compliance Education Institute, the training and education division of RISC. He is a recognized industry expert on vendor management and the creator of the Certified Regulatory Vendor Program Manager (CRVPM) course. Mick has spent more than 30 years in financial services, has focused on GLBA 501(b) issues since 2001 and has specialized in vendor management regulatory issues since 2004.
For course access questions, email support@compliance-edu.com.
Course length: 12 hours
