This is part 1 in GRC 20/20's series of posts on Conflict Mineral Compliance and broader 3rd Party GRC . . .
No company is an island unto itself: organizations are a complex and diverse system of business relationships. Governance, risk management and compliance (GRC) challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern risk and compliance in extended business relationships as they stand in the shoes of their vendors, partners, suppliers, and other third parties. Business partner problems are the organization’s problems: they directly impact the organization’s brand and reputation and increase its exposure to compliance matters. When questions of business practice, ethics, safety, human rights, corruption and the environment arise, the organization is held accountable, and it must ensure that business partners behave appropriately.
Organizations need to understand business relationships in the context of the risk and compliance issues that impact operations and the brand. The challenge before organizations is: “Can you attest to the status of risk and compliance across the organization’s extended business relationships?” The head of procurement, for example, is often left considering supplier risk during on-boarding of a relationship but has inadequate resources and experience to monitor that risk effectively on an ongoing basis.
Managing risk across third party relationships is particularly cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Risk, regulatory, and business environments are in a constant state of change. The business needs to be consistent in its GRC processes across business relationships as well. Manual spreadsheet and document-centric processes are prone to failure, as they bury procurement and other areas of third party business relationship management in mountains of data that is difficult to maintain, aggregate, and report on. This consumes valuable resources in figuring things out instead of actively understanding and managing third party risk and compliance exposure.
Third party relationships — supply chain, value chain, vendors, service providers, outsourcers, agents, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits, controls, and other business practices. Organizations need to actively demonstrate an in-compliance status throughout their extended business environment.
Managing 3rd party risk is a particular challenge in the context of conflict mineral compliance requirements across the organization’s supply chain. Organizations need an integrated approach to manage the entire supply chain’s exposure to conflict minerals. This requires a framework to manage supplier risk, conduct assessments, gather supporting information, report and analyze, resolve issues, and monitor a supply chain that is constantly changing.
In the next few weeks GRC 20/20 will post more articles in the Conflict Mineral series. . .