Written by Heather Kadavy
In the dynamic realm of Third-Party Risk Management (TPRM), technical expertise alone is not enough. TPRM practitioners, often serving as the linchpin between their organizations and third-party partners, must master the art of soft skills. Effective communication, negotiation prowess, and adept conflict resolution are the keys to fostering successful partnerships and ensuring the resilience of an organization's risk management strategy. Let’s dig into some of these soft skills.
Effective Communication – a Foundation of Trust:
Soft skills start with effective communication. TPRM practitioners must convey complex risk concepts in a clear and understandable manner to diverse stakeholders. This involves tailoring communication styles based on the audience, whether addressing technical experts or presenting to C-suite executives. To start, TPRM practitioners can enhance the following specific skills:
Active Listening: The ability to truly understand the concerns and perspectives of both internal teams and external partners is crucial. Active listening fosters trust and demonstrates a commitment to collaboration.
In TPRM, active listening is more than just hearing words—it's about deciphering the unspoken concerns and nuances within the intricate web of vendor relationships. Consider a scenario where a third-party vendor expresses reservations about certain security protocols. An adept TPRM practitioner actively listens, picks up on the vendor's underlying concerns and addresses them proactively. This ensures a more secure and cooperative partnership. Let’s look at an example:
Active Listening Scenario: A TPRM practitioner is conducting a meeting with a third-party vendor that provides software solutions critical to the organization's operations. The organization is concerned about potential vulnerabilities in the vendor's latest software release, and the meeting aims to address these concerns and establish a plan for enhanced security measures.
Active Listening in Action: During the meeting, the vendor expresses enthusiasm about the new features and improvements in their latest software release. The TPRM practitioner actively listens to the vendor's presentation, taking note of the vendor's pride in their product. However, as the vendor discusses the security features, the TPRM practitioner detects subtle cues—non-verbal expressions and hesitations—that suggest the vendor might not fully grasp the organization's specific security requirements and concerns. Rather than immediately interjecting with a list of demands or concerns, the TPRM practitioner employs active listening techniques:
Paraphrasing: The TPRM practitioner paraphrases key points the vendor has made to confirm understanding. For example, they might say, "It sounds like the new release has some exciting features, especially in terms of user experience and performance. Am I capturing that correctly?"
Clarifying Questions: Instead of assuming the vendor's intentions, the TPRM practitioner asks clarifying questions. For instance, they might inquire, "I'm curious about how the latest release addresses data encryption. Could you share more details on that aspect?"
Reflecting Emotions: The practitioner also pays attention to the vendor's emotional tone. If the vendor seems particularly proud of a security feature, the TPRM practitioner acknowledges that sentiment. For example, they might say, "It's clear that security is a priority for your team, and that's great to see."
By actively listening in this scenario, the TPRM practitioner gains a deeper understanding of the vendor's perspective, challenges, and strengths. This sets the stage for a more constructive and collaborative discussion about aligning the software's security features with the organization's risk management requirements. Active listening, in this context, helps build trust and ensures that both parties are on the same page before delving into more specific risk management discussions.
Clarity and Precision: In a field inundated with technical jargon, TPRM practitioners who can distill complex information into clear and concise messages are invaluable. Clear communication minimizes misunderstandings and ensures everyone is on the same page.
TPRM practitioners often find themselves straddling the line between technical intricacies and executive overviews. Picture a TPRM specialist communicating with the IT department about the intricacies of a vendor's cybersecurity measures. Here, clarity and precision become paramount. The practitioner translates complex technical details into a clear, concise message that the IT team can understand, facilitating a seamless alignment of risk management strategies. Let’s look at another example:
Clarity & Precision Scenario: An organization is in the process of onboarding a new third-party vendor that will handle sensitive customer data. The TPRM practitioner is tasked with communicating the organization's data protection requirements and ensuring that the vendor understands the specific security measures expected.
Clarity and Precision in Action: Instead of providing a general overview of security expectations, the TPRM practitioner uses clarity and precision to communicate the organization's requirements:
Clearly Defined Data Handling Procedures: The TPRM practitioner drafts a document outlining precise procedures for handling customer data. This document includes specific encryption standards, access controls, and guidelines for data storage and transmission.
Detailed Security Protocols: In a meeting with the vendor, the TPRM practitioner uses clear language to explain the required security protocols. For example, they specify the use of end-to-end encryption for customer data in transit and at rest, leaving no room for ambiguity.
Enumerating Compliance Standards: The TPRM practitioner provides a checklist of compliance standards relevant to the industry and the organization's specific requirements. This includes regulations such as GDPR, HIPAA, or industry-specific standards, ensuring that the vendor is aware of the regulatory landscape.
Establishing Incident Response Protocols: Clarity extends to incident response. The TPRM practitioner clearly defines the steps the vendor should take in the event of a data breach, including reporting timelines, communication procedures, and remediation measures.
Benefits:
The vendor gains a clear understanding of the organization's expectations, minimizing the risk of misinterpretation.
Clarity and precision in communication reduce the likelihood of security gaps due to misunderstandings.
The organization establishes a transparent and standardized framework for data protection, enhancing overall risk management.
In this scenario, the TPRM practitioner's commitment to clarity and precision ensures that both the organization and the third-party vendor have a shared and accurate understanding of the data protection requirements. This proactive communication lays the foundation for a secure and compliant partnership, minimizing potential risks associated with mishandling sensitive customer information.
Negotiation Prowess: Striking the Right Balance:
Next, TPRM often involves negotiations with third-party vendors, internal departments, and sometimes regulatory bodies. A TPRM practitioner with strong negotiation skills can navigate these discussions effectively, ensuring that both parties feel heard and valued.
Win-Win Solutions: Rather than viewing negotiations as a zero-sum game, TPRM practitioners should strive for solutions that benefit all parties. This approach builds positive relationships and encourages long-term collaboration. Below is a practical example:
Win-Win Solutions Scenario: The organization is looking to enhance its cybersecurity measures, and the TPRM practitioner identifies a potential risk associated with the current cloud service provider's security protocols. The vendor, in turn, expresses concerns about the cost and effort involved in upgrading their security infrastructure to meet the organization's heightened standards.
Win-Win Solution: In this scenario, the TPRM practitioner recognizes the importance of both bolstering cybersecurity and maintaining a positive relationship with the vendor. Instead of insisting on immediate, extensive upgrades, the practitioner proposes a phased approach to security enhancements.
Immediate Low-Impact Changes: The organization implements quick and low-impact changes that immediately strengthen security without causing significant disruption. This could involve tightening access controls, implementing additional monitoring tools, or enhancing encryption protocols.
Collaborative Roadmap: Simultaneously, the TPRM practitioner collaborates with the vendor to create a roadmap for more substantial security upgrades over the next several months or years. This allows the vendor to plan and budget for the changes, spreading the costs and efforts more evenly.
Benefits:
The organization sees immediate improvements in its cybersecurity posture, addressing the initial risk.
The vendor is not burdened with sudden, extensive costs or disruptions to their services.
The phased approach fosters a collaborative relationship, demonstrating a commitment to working together for mutual benefit.
The vendor appreciates the organization's understanding of their constraints, enhancing the overall trust in the partnership.
In this win-win solution, both parties achieve their objectives. The organization improves its security without jeopardizing its relationship with a valued vendor, and the vendor can gradually meet the elevated security standards without significant immediate resource strain.
Preparation & Flexibility: A successful negotiation begins with thorough preparation. TPRM practitioners should anticipate potential points of contention and be flexible in adapting their strategies based on the evolving needs of the organization and its partners. An example might look like the following:
Preparation & Flexibility Scenario: The TPRM practitioner is scheduled to conduct a comprehensive risk assessment for a new third-party vendor that provides critical software services to the organization. However, just before the assessment is set to begin, the vendor notifies the TPRM practitioner that their chief security officer, a key point of contact for the assessment, is unavailable due to unforeseen personal reasons.
Preparation and Flexibility in Action: In this scenario, the TPRM practitioner showcases preparation and flexibility to ensure the successful completion of the risk assessment:
Pre-Assessment Preparation: Knowing the critical role of the chief security officer in the assessment process, the TPRM practitioner had previously gathered essential information about the vendor's security measures. This included reviewing documentation, policies, and previous communications to establish a baseline understanding.
Understanding the Vendor's Situation: Upon receiving the notification about the unavailability of the chief security officer, the TPRM practitioner reaches out to the vendor to understand the specific circumstances and to express understanding and empathy for the situation.
Adapting the Assessment Plan: Recognizing the need for flexibility, the TPRM practitioner revisits the assessment plan. They identify areas of the assessment that can proceed with available resources and information and determine which aspects require the involvement of the chief security officer.
Rescheduling and Adjusting Timeline: The TPRM practitioner collaborates with the vendor to reschedule the assessment activities that require the chief security officer's input. They adjust the timeline to accommodate the unanticipated delay while ensuring that critical aspects of the assessment can still progress.
Engaging Alternative Contacts: To keep the assessment moving forward, the TPRM practitioner identifies alternative contacts within the vendor organization who can provide insights and information in the absence of the chief security officer. This may include collaborating with IT teams, compliance officers, or other relevant stakeholders.
Communication and Transparency: Throughout the process, the TPRM practitioner maintains transparent communication with both the vendor and internal stakeholders. They communicate the adjusted timeline, reasons for the delay, and steps being taken to ensure a thorough and effective assessment despite the unexpected challenges.
Benefits:
The TPRM practitioner's pre-assessment preparation allows for a smoother transition when facing unexpected challenges.
Flexibility in adapting the assessment plan demonstrates resilience and the ability to navigate unforeseen obstacles.
Engaging alternative contacts ensures that the assessment continues to gather valuable information, even in the absence of the chief security officer.
Transparent communication builds trust with both the vendor and internal stakeholders, fostering a collaborative and understanding environment.
In this scenario, the TPRM practitioner's combination of preparation and flexibility enables them to navigate unforeseen challenges effectively, ensuring that the risk assessment remains comprehensive and productive despite the unexpected circumstances.
Adept Conflict Resolution: Turning Challenges into Opportunities:
Conflict is inevitable, but how it's managed can make all the difference. TPRM practitioners often find themselves mediating between internal teams and external partners, making conflict resolution a critical soft skill.
Empathy: Understanding the perspectives and concerns of all parties involved is the first step towards resolution. Empathy fosters a collaborative atmosphere where conflicts can be addressed constructively. Let’s look at the situation below to see how.
Empathy Scenario: The TPRM practitioner is conducting a meeting with a long-term third-party vendor whose services have been integral to the organization's operations. The vendor, however, is undergoing financial challenges that might impact their ability to maintain the same level of service. The organization is concerned about the potential risks associated with these challenges.
Empathy in Action: In this scenario, the TPRM practitioner demonstrates empathy in several ways:
Acknowledging the Vendor's Situation: Instead of immediately diving into the organization's concerns, the TPRM practitioner begins the conversation by acknowledging the challenges the vendor is facing. They might say, "I understand that these are challenging times, and we appreciate the partnership we've had over the years."
Open-Ended Inquiry: The TPRM practitioner employs open-ended questions to allow the vendor to express their situation more fully. For example, they might ask, "Can you share more about the specific challenges your team is currently navigating?"
Active Listening to Concerns: As the vendor details their challenges, the TPRM practitioner actively listens, paying attention to both the spoken and unspoken aspects of the conversation. They pick up on the vendor's worries about maintaining service quality despite financial constraints.
Collaborative Problem-Solving: Rather than approaching the situation with a rigid stance, the TPRM practitioner collaboratively explores potential solutions. This might involve discussing flexible payment terms, temporary adjustments to services, or exploring alternative cost-saving measures.
Benefits:
The vendor feels understood and valued, fostering a sense of trust in the partnership.
The TPRM practitioner gains insights into the vendor's perspective, enabling a more nuanced risk assessment.
Empathetic communication sets the stage for collaborative problem-solving, ensuring the organization's needs are met without jeopardizing the vendor's stability.
In this scenario, empathy enables the TPRM practitioner to navigate a challenging situation with sensitivity and understanding. By acknowledging the vendor's difficulties and actively engaging in a collaborative dialogue, the practitioner helps to foster a resilient partnership that addresses risks while preserving the relationship. Empathy, in this context, is a powerful tool for maintaining trust and ensuring the mutual success of both parties involved.
Solution-Oriented Approach: Instead of dwelling on the problem, TPRM practitioners should focus on finding solutions. A proactive and solution-oriented mindset contributes to a positive working environment. An example might be:
Solution-Oriented Approach Scenario: The TPRM practitioner discovers a potential compliance gap with a critical third-party vendor. The organization's audit has highlighted issues with the vendor's data protection measures, and there is a risk of regulatory non-compliance.
Solution-Oriented Approach in Action: In this scenario, the TPRM practitioner adopts a solution-oriented approach to address the compliance gap:
Identification of Compliance Issues: The TPRM practitioner, upon discovering the compliance gap, conducts a thorough analysis to identify the specific issues contributing to the non-compliance. This includes evaluating the vendor's current practices against regulatory requirements.
Collaborative Discussion with the Vendor: Rather than immediately raising concerns, the TPRM practitioner initiates a collaborative discussion with the vendor. They present the identified compliance issues in a non-confrontational manner, emphasizing a shared goal of maintaining regulatory adherence.
Joint Risk Assessment: The TPRM practitioner works with the vendor to conduct a joint risk assessment. This involves evaluating the potential impact of the compliance issues on both organizations and identifying feasible solutions that align with regulatory requirements.
Co-Creation of a Remediation Plan: Together with the vendor, the TPRM practitioner co-creates a remediation plan that outlines specific steps to address the compliance gaps. This plan includes timelines, responsibilities, and measurable objectives to ensure progress is tracked effectively.
Continuous Monitoring and Improvement: A solution-oriented approach extends beyond immediate fixes. The TPRM practitioner establishes a system for continuous monitoring and improvement, ensuring that the vendor's processes evolve to maintain compliance over time.
Benefits:
The vendor appreciates the collaborative and non-confrontational approach, fostering a positive working relationship.
A joint risk assessment allows for a comprehensive understanding of the compliance issues and potential impacts.
The co-created remediation plan ensures a clear roadmap for addressing the compliance gaps with measurable outcomes.
Continuous monitoring demonstrates a commitment to ongoing improvement and regulatory adherence.
In this scenario, the TPRM practitioner's solution-oriented approach transforms a compliance challenge into an opportunity for collaboration and improvement. By actively involving the vendor in the resolution process, the TPRM practitioner not only addresses immediate concerns but also lays the groundwork for a more resilient and compliant third-party relationship.
Mediation and Facilitation: TPRM practitioners need to be adept at guiding discussions and facilitating compromise. Mediation skills are essential for resolving disputes and maintaining healthy relationships. Below is an example to review:
Mediation & Facilitation Scenario: A dispute arises between the internal IT department and a third-party vendor responsible for managing the organization's cloud infrastructure. The IT department is concerned about recent downtime and performance issues, attributing them to the vendor's service delivery. The vendor, on the other hand, claims that the issues stem from the IT department's misconfiguration of certain settings.
Mediation and Facilitation in Action: In this scenario, the TPRM practitioner employs mediation and facilitation skills to resolve the dispute:
Gathering Perspectives: The TPRM practitioner initiates a meeting with representatives from both the IT department and the vendor. They provide a neutral space for each party to express their perspectives on the issues, ensuring that all concerns are heard.
Active Listening and Empathy: The TPRM practitioner actively listens to the concerns of both parties, demonstrating empathy for their respective challenges. They acknowledge the frustration felt by the IT department regarding downtime and the vendor's concerns about potential misconfigurations.
Identifying Common Ground: Through careful listening and exploration, the TPRM practitioner identifies common ground between the IT department and the vendor. Both parties share a commitment to ensuring optimal performance and reliability for the organization's cloud infrastructure.
Objective Analysis: The TPRM practitioner conducts an objective analysis of the reported issues, involving relevant technical experts from both sides. This analysis aims to identify the root causes of the problems and determine the extent to which each party's concerns are valid.
Collaborative Problem-Solving: With a clear understanding of the issues, the TPRM practitioner facilitates a collaborative problem-solving session. They guide the IT department and the vendor in jointly developing solutions, such as implementing additional monitoring tools, conducting joint performance testing, or refining configuration processes.
Agreement and Monitoring Mechanism: The TPRM practitioner assists in drafting a mutual agreement outlining the agreed-upon solutions and responsibilities of each party. Additionally, they establish a monitoring mechanism to track the implementation of the solutions and measure improvements over time.
Benefits:
The TPRM practitioner's neutral stance and facilitation skills create a collaborative atmosphere for dispute resolution.
Both the IT department and the vendor feel heard and understood, fostering a sense of trust in the mediation process.
The collaborative problem-solving approach results in actionable solutions that address the root causes of the issues.
The established monitoring mechanism ensures accountability and ongoing improvement.
In this scenario, the TPRM practitioner's mediation and facilitation skills play a crucial role in transforming a potential conflict into a collaborative effort to enhance the performance and reliability of the organization's cloud infrastructure.
Overall, as the role of TPRM practitioners continues to evolve, the importance of soft skills cannot be overstated. Effective communication, negotiation prowess, and conflict resolution abilities are the pillars upon which successful third-party relationships are built. Organizations that prioritize the development of these soft skills within their TPRM teams are better equipped to navigate the complexities of the modern business landscape, fostering collaboration, trust, and long-term success. In the delicate dance of risk management, it's the practitioners with finely honed soft skills who truly shine.