The Certified Third Party Risk Professional (CTPRP) certification from Shared Assessments is aimed at IT professionals responsible for managing risk associated with an organization's use of third-party vendors and service providers. Traditional third-party partners include independent contractors or subcontractors, cloud storage solution vendors, outside auditing firms, public relations firms, or any other individual or group receiving outsourced work from an organization.
Risk management specialists can often focus too exclusively on internal risk, and don't always factor in the risk presented by outside partners who perform functions which have been outsourced by the parent organization. The CTPRP cert validates individuals specialized in assessing and creating risk management solutions for an organization's third-party business partners.
Shared Assessments is a consortium of companies, IT service providers and accounting firms who have a mutual interest in establishing and maintaining a professional program dedicated to third-party risk management. Shared Assessments is a part of the Santa Fe Group, a business strategy consulting firm founded in 1996.
One of the requirements for earning CTPRP certification is a minimum of five years' experience as a risk management professional, with specific experience in third-party risk management issues. Candidates must also attend the Shared Assessments Program CTPRP Workshop, and then pass the Shared Assessments CTPRP certification exam.
The five-year professional experience requirement makes the CTPRP a "midstream" career cert, in that candidates have likely already been trained on the skills and knowledge necessary to successfully navigate the required workshop and pass the CTPRP certification exam.
That said, there is a scenario where a candidate can choose to attend the CTPRP workshop and take the certification exam before having five years of work experience. According to Shared Assessments, a candidate can attend the workshop and take the CTPRP exam after earning two years of relevant work experience, and gain the remaining work experience within three years of passing the exam. In this case, a candidate may want to take additional risk management training before registering for the CTPRP workshop and taking on the related certification exam.
Types of risk management training
Risk management training can be taken as self-paced instruction, typically through self-study books or self-paced online courses. Some online courses are held in real time and led by a live instructor, who presents lessons to students logged into a virtual classroom. There is also instructor-led training, commonly available through technical schools and university or college extension programs. Instructor-led training is a more expensive option, but offers a more dynamic and guided training experience.
Candidates taking risk management training can expect to encounter the following subjects:
- Risk identification and analysis tools
- Risk management standards and terminology
- Risk financing, including loss forecasting
- Knowledge of ISO 31000 standards
- Risk management's relationship with business continuity
- Risks specific to information technology and systems
CTPRP certification exams
In order to attain the CTPRP certification, candidates have to meet the following criteria:
- Have at least five years' experience as a risk management professional, with specific experience in third-party risk management issues
- Attend the Shared Assessments Program CTPRP Workshop
- Pass the Shared Assessments CTPRP certification exam
Up to two years of the five-year work experience requirement can be substituted through equivalent education:
- One year may be fulfilled by a Bachelor's or Master's degree in IT/IS from an accredited university.
- One year may be fulfilled by having an existing IT/IS security or risk management-related certification.
A candidate can theoretically pass the CTPRP exam and then complete the work experience requirement within three years of passing the exam. The CTPRP designation, however, isn't awarded until all requirements are met.
As of this writing, Shared Assessments does not explicitly provide CTPRP certification exam subjects.
CTPRP in the workplace
Once it's been earned, the CTPRP certification is valid for three years. To retain the cert, CTPRP holders must earn a number of Continuing Professional Education (CPE) hours by participating in Shared Assessments-related activities. Some CPE hours can be earned by taking part in other industry-related activities like conferences, training and workshops. CTPRP holders must also pay an annual maintenance fee, and a CTPRP renewal fee at the end of the three-year certified period.
There are a number of industry job titles related to the CTPRP certification. Some of these roles include the following:
- Risk Analyst
- Risk Manager
- Compliance Officer
- Compliance Analyst
- Risk Management Manager
- Risk Auditor
"About Shared Assessments," Shared Assessments, February 2014, https://sharedassessments.org/about/
"Certified Third Party Risk Professional (CTPRP)," Shared Assessments, February 2014, http://sharedassessments.org/certified-third-party-risk-professional-ctprp/