Corporate Compliance Insights

How to Account for Emotional Intelligence in Third-Party Risk Management

Traditional TPRM Initiatives Often Fail to Account for the Human Element

by Ryan Spelman and Ryan Walker
January 6, 2022
in Financial Services, Risk

Third-party risk management (TPRM) has grown in prominence as organizations increase their reliance on external parties, from cloud providers to credit card processors. As more enterprises invest in this critical business function, certain best practices are becoming key to a successful TPRM program.

The authors of this article, a consultant and third-party risk manager for the international retailer AutoZone and an executive at investigations firm Kroll, joined forces to examine how to build or enhance a TPRM program, with specific input from the enterprise and consulting perspective. Through this analysis, the authors developed the trust, history, improvements and process (THIP) model, which recognizes the vital role of emotional intelligence, or emotional quotient (EQ), and defines each of the four as a key component of third-party risk program enhancement or development.

Trust: The Value of Building from Experience

Consultants are used to working with many organizations, all facing different challenges. A constant for all remains the need to build trust. What has led some to become unable to do this on their own?

As an “outsider,” one of the key benefits that a third-party consultant can give to their clients is a different perspective on where they have been and where they are going. They can also help organizations build bridges internally.

It is not just about giving an opinion; it is much more than that. It is about listening to their stories, helping them find their path and guiding them along it.

Nurturing Buy-In from the Enterprise

At the enterprise level, building a TPRM program calls for a unique set of skills, none more important than relationship-building. The first order of business is to determine the stakeholders most integral to the program’s strategic success. They will serve as the program’s brand ambassadors and will largely determine the program’s success. It’s the job of the program leader to teach these stakeholders how to evangelize for the program so that, when the program is launched, it’s not the first time other stakeholders have heard about it.

How do you get the stakeholders to care about your program? You find a way to deliver value directly to their process or functional area. You achieve that by learning about their pain points and then helping to address them.

History: It Matters

A key first step is to identify what the real drivers are. What does the program need to do?

Organizations continue to face both internal and external challenges with this issue. First among them is that there are often some negative emotions associated with third-party risk. The source of this is usually one of two situations:

  • The organization doesn’t have a program and needs one; or
  • The organization does have a program but needs a better one.

If the organization doesn’t have one, the driver is often an outside stimulus, possibly an audit, but sometimes it is the board or leadership reacting to a compliance requirement.

Being “forced” to start or expand a program is often considered a necessary evil by certain business units, especially those for whom security is just a formality.

Identifying these issues is the first step to understanding the actual pain point. We have learned that people may say that they have one challenge — doing more assessments, for example — but the stories they share may paint a different picture.

Learning about and from these experiences is just one reason why it is important to meet and talk with as many people in an organization as possible.

It’s common to encounter silos based on negative history when creating a new addition to an enterprise, especially one that will affect every single functional area. This can have a detrimental effect when attempting to ensure a new program is accepted. The best way to erase a negative history is to paint the promise of a better future. And that promise begins with building a relationship grounded in trust.

Building from individual and team experiences is vital for nurturing trust. A narrative of this kind always has a moral. Listen for the point each person is trying to share.

In third-party risk, there are different types of narratives, but they generally fall into one of two categories:

  • The business unit involved was negatively affected because the assessment process was too long, arduous or incomplete.
  • The security/compliance unit has been let down by lax assessments, missed assessments or struggles to achieve buy-in.

These experiences, while they may seem different, represent a common theme: the breakdown of trust. So, one of the first goals should be to re-establish trust: first, so that people take recommendations seriously, and second, to empower appropriate groups to implement the recommendations.

After listening to the stories and the “moral,” the next step is to start mapping relatively easy wins. Action is the best way to build trust, but it should not be directed at the complicated challenges initially. For example, there may be an overarching problem, perhaps the need for a comprehensive inherent risk framework for all third parties, but it shouldn’t be the focus at this stage.

It is more effective to ask the business units to organize their vendors into tiers or categories of readily apparent risk instead of pushing for a much more extensive review.

In this early stage, the ability to chart a “win-win” for all sides is paramount. The first tasks may seem minor, but they are the stepping stones that can help lead an organization to where it needs to be.

Trust is built by following through on promises. How might we expedite it? By making quick-win promises and delivering quick-win results. Once trust is established, it is possible to begin introducing discrete stages of enterprise strategy. This helps in generating frequent successes and sustained team and stakeholder morale while moving toward identifying procedural gaps and removing culturally embedded obstacles.

Improvements: Invention or Innovation?

Understanding third-party management in general helps identify those quick wins to build trust, but it also enables the organization to understand the bigger picture and head in the right direction. Problem-solving requires two approaches:

  • Invention: Invention is where the organization will look to build new programs. If there wasn’t something before, this is an obvious first step. But even if there was something before, if the trust in it was broken, starting anew may be the right choice. While invention is challenging, it is the best way to build trust in many cases.
  • Innovation: If there is sufficient trust in the processes that exist or the organization can salvage them, innovation is the better option. Innovation is when existing programs are looked at critically and optimized to meet the needs of all involved more effectively.

The key to making either of these paths successful is being prepared to listen, to identify both the short-term problems and the structural challenges and to ensure that the third-party cyber risk management process aligns with the third-party management process.

Process: Make It Count

Understanding the potential quick wins starts with understanding processes. This involves learning as much about the current process of third-party management as possible. Key to this is analyzing how the organization:

  • Views third parties: Are the third parties critical partners for the business units, or is it more transactional? This attitude will significantly impact how the client views the requirements they establish for their third parties.
  • Acquires third parties: What is the process of adding new third parties into their business process? Is it usually a formal RFP process with many opportunities to check security controls? Or is it loose and flexible, with business units having wide latitude to add or change third-party roles? The second approach will make it easier to add in new assessment processes, while the first will require a focus on inherent risks.
  • Works with third parties: How do the business units work with them? Are they closely monitoring their productivity and actions? Or is it more hands-off? Being closely aligned makes it possible to add a new assessment process, but it also makes the business units more sensitive to impacts on their work.

The worst mistake is to assume that existing processes aren’t being used; those are the types of assumptions that can lead to new silos.

EQ Equals Better Third-Party Risk Programs

This article was written to address the EQ gap associated with building or improving a TPRM program, more commonly known as the soft skills or people skills aspect of the equation.

The THIP model was developed with the aim of closing the EQ gap and cultivating more mature, emotionally intelligent third-party risk programs. Success in this sector is dependent upon multiple factors, none more important than emotional intelligence; EQ in this context means understanding the interrelationships between people and processes and the vital impact — positive or negative — that these can have on third-party programs.

As the THIP model harnesses and nurtures key human qualities, it should serve as a more robust and sustainable basis for TPRM programs. We highly encourage third-party risk managers who are either starting or building out a new program to use the THIP model as a framework for planning actions and measuring success.


Tags: Risk Assessment, Third Party Risk Management

Ryan Spelman and Ryan Walker

Ryan Spelman is a senior vice president at Kroll based in Florida. He helps organizations improve their cybersecurity posture through effective governance and assessment measures and advises on cybersecurity guidance and frameworks.
Ryan Walker is a third party risk (GRC) leader for AutoZone based in Tennessee. His experience is in data privacy, security frameworks, process engineering, departmental and programmatic creation and enterprise strategy.
