I interviewed Jeannie Pumphry, who discussed Third Party Risk Management.







Thank you, Jeannie, for spending your time today to discuss Third Party Risk Management.  Can you start by providing a brief background of yourself?


Thank you for having me, Dustin. I have been with A&M four years this coming January and I am but one of many very talented Senior Directors at A&M specializing in Strategic Sourcing and Third Party Risk Management. I have been in Supply Chain Management for about 25 years. I started my career with 8 years in the US Army Quartermaster Corps. I have performed primarily in industry in global organizations such as GE, Bank of America, Wachovia/Wells Fargo and NBCUniversal. My functional experience in Supply Chain Management includes indirect goods and services, manufacturing, Supply Chain Training, Organizational Development and Third Party Risk Management. I am certified as a Six Sigma Lean Black Belt and a Third Party Risk Program Manager.


Thank you. My first question is: Why are you so passionate about Third Party Risk Management, and can you talk about what it is and who it impacts?


Third party risk management is about managing the risk inherently introduced through utilizing the services of a third party or outsourcing to a third party. For a point of reference, a third party, as defined by the OCC, is any business arrangement between a bank and another entity, by contract or otherwise, and is mostly identified as a Vendor, Supplier, Counter Party, Joint Venture or even a Parent or Subsidiary, to name a few. This also includes management of the risk introduced by a third party's third parties (sometimes referred to as subcontractors or fourth parties). As the practice of utilizing third parties for core business practices has grown over the years, so has the risk of failed performance, data and information breaches and bad business practices. While businesses can outsource services to a third party, they cannot outsource the risk. Not only is the management of third parties a regulatory mandate, it is also a business imperative. Third party risk management impacts not only the company contracting for the goods and services but also its employees, stakeholders, suppliers and customers. My passion around Third Party Risk Management is due to its close alignment and integration with Supply Management and Supply Chain Management. Due to the evolving threat landscape, regulators and companies are struggling to keep current, let alone get ahead. I have been leading third-party risk management program design and operations since early 2000 with the issuance of GLBA, and have been privileged to help both companies and suppliers identify and mitigate risk within their supply chain. I think one of the toughest challenges both face is the ability to build a program nimble enough to withstand the constant change necessary to meet their business requirements as well as the regulatory guidelines for which they are accountable.


What do you see as the future of Third Party Risk Management?


Continuous change; more regulatory influence; more stringent management on those third parties that are critically important to organizations; more internal and external audits of both businesses and third parties. Better understanding of the supply chain internally and better management, and hopefully a program that scales based on the services provided and the risk involved with the delivery of those services.


Who needs to pay more attention to Third Party Risk Management?


What we are seeing in the industry varies based on the level of maturity. Financial services, based on their history with third-party risk management regulatory oversight, show, broadly, the greatest level of maturity in the industry. However, where they seem to be lacking is in the ability for quick change; moving from a one-size-fits-all program to a risk-based approach taking into consideration the services being provided by their third parties. An exception to the financial services maturity is in the community and mid-tier banking sectors. Prior to the OCC guidance issued in December 2013, community banks were not necessarily called out as participants to third-party risk management guidance, and therefore it was not necessarily a priority within their business model. The Retail and Insurance industries are currently feeling the impact of less-than-optimum Third Party Risk Management Programs, and these industries have the opportunity to learn from the financial services industry and reduce their learning curve by looking at the lessons learned from previous failed programs and by seeking guidance from those that have been there and done that, to keep from experiencing the same results. So from the perspective of who needs to pay more attention, it is the market as a whole. The threat landscape is continuously evolving and businesses cannot afford to take their eyes off the prize of protecting their interest. As the threat landscape evolves, the market and the programs that they implement must evolve as well.


Well, thank you, Jeannie, for sharing today.


Thank you for having me, Dustin.


About Jeannie Pumphry






Jeannie Pumphrey


Integrity, Excellence and Execution - Enabling Client Success

