Time Required: 12 hours
CPE Credits: 14.4 CPE credits (based on 1 credit per 50 minutes)
Availability: On demand from any location, web-based, self-paced eLearning course
Curriculum: 5 chapters, each with exam at the end (80% to pass)
Prerequisite: CRVPM® Level I and CRVPM® II
The Certified Regulatory Vendor Program Manager (CRVPM®) Level III builds on concepts from the CRVPM Level I and Level II courses, going deeper into a number of areas previously studied and introducing new concepts and content.
The course begins with a study of the Business Value of a 3rd Party Risk Management Program, an area that is frequently overlooked by senior executives and lost in the frenzy of managing vendors. Although the program is often perceived as a necessary evil and a checklist to satisfy examiners and auditors, its purpose is to drive both tangible and intangible value throughout the framework, operating model and each stage of the lifecycle in support of strategic objectives.
The Level III course then goes on to address the following:
- RFP Framework
- Concentration Risk
- 3rd Party Cybersecurity
- GDPR as it applies to 3rd party risk management
Chapter 1 – The Business Value of a 3rd Party Risk Management Program
This picks up where CRVPM II left off and dives into the 3rd party risk management program framework and each stage of its lifecycle, demonstrating the business value that should be driven from it. If you’re trying to build a business case for further investment in your program or need to better understand whether you’re on track to attain the goals you hoped to achieve through outsourcing, this will help you identify and articulate the value proposition of a sound program.
Chapter 2 – Formalizing the RFP Process and Creating Transparency and Fairness
All too often there is confusion as to the difference between an RFI (Request for Information) and an RFP (Request for Proposal) and when to use them. Many RFPs are confusing, too broad, don’t differentiate between needs and wants, and are written to the strengths of one particular vendor. This ultimately results in a less-than-ideal proposed solution, and the client (you) ends up being the loser. This chapter dives into the RFP process and covers the following:
- Gathering business requirements
- Constraining the Boundaries of the RFP
- Involving stakeholders
- Assembling the correct RFP team
- Creating transparency throughout the process
- Evaluating responses for a fair apples-to-apples comparison
Chapter 3 – Concentration Risk
Concentration Risk has been a formal regulatory issue but has only recently been a topic of examiner focus. Having all of your eggs in one vendor’s basket is never a good thing due to the huge impact it has on business resilience. However, there are many other facets of concentration risk to be concerned about as shown below.
- 4th Party
- Reverse Concentration Risk
Attempting to tackle the many facets of concentration risk is difficult without a framework and a set of business rules to flag concentration risk outside of the institution’s tolerances. This chapter dives into the types of concentration risk, vulnerabilities, mitigating controls and the development of a Unified Concentration Risk Framework (UCRF).
Chapter 4 – 3rd Party Cybersecurity
A hot topic everywhere that everyone should be concerned about! Are your vendors as prepared as you are? Within this chapter we discuss:
- Cyber Security Landscape
- Why We Should Worry
- Cyber Security vs Cyber Resilience vs Cyber Risk
- Mitigating controls (physical, technical, administrative, contractual)
- Approach to a 3rd Party Cyber Security Risk Assessment
Chapter 5 – GDPR
GDPR has been a highly visible topic given today’s global economy, data theft, and numerous standards for data privacy and protection. With the standardization of the General Data Protection Regulation throughout the European Union, this chapter dives into the following topics:
- GDPR Articles pertaining to Vendor Management
- Key elements
- Basic Principles
- Regulatory expectations
- Who needs to comply with GDPR