3rd Party GRC: Business Agility in a Dynamic and Distributed Environment

GRC 20/20 is providing a specific focus on 3rd Party Governance, Risk Management & Compliance (GRC) in the month of December.  This is the fastest growing part of the GRC market as organizations struggle with issues of conflict minerals, anti-bribery & corruption, social accountability, privacy, security, and more . . . 

No company is an island unto itself: Organizations are a complex and diverse system of processes and business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern extended business relationships as they stand in the shoes of their agents, vendors, partners, suppliers, and relationships. Business partner problems and issues are the organizations problems that directly impact the organization’s brand and reputation. When questions of business practices, compliance, and controls arise, the organization is held accountable, and it must ensure that business partners behave appropriately.

Businesses must understand business relationships in the context of the governance, risk and compliance (GRC) issues that impact business operations and brand. The challenge before organizations is: “Can you attest that risk and compliance is managed across extended business relationships?”  The head of procurement, for example, is often left with managing supplier risk across these business relationships but has inadequate processes and information to effectively monitor them.

This is challenging enough with the distributed and extended nature of business, but it becomes particularly challenging in the current dynamic ever-changing business environment.  Risk, regulatory, and business environments are in a constant state of change. The business needs to be current in its governance, risk management, and compliance processes across business relationships. Manual email, spreadsheet, and document centric processes are prone to failure, as they bury procurement and other areas of 3rd party risk/compliance resulting in mountains of documents that are difficult to maintain, aggregate, and report on: consuming valuable resources in data management instead of managing 3rd party risk and compliance.  Organizations need an integrated solution to manage 3rd party risk and compliance that brings together frameworks, content, and technology to deliver not only efficiency and effectiveness but also agility.  

Extended business relationships — supply chain, value chain, vendors, service providers, outsourcers, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits and controls, and other business practices. Organizations need to actively demonstrate an in-compliance and in-control status throughout the extended business environment. Anything that impacts business relationships can taint the organization’s brand — such as child labor, quality issues, fraud, privacy violations, or other misconduct.

Procurement, and other parts of the business, tend to look at the formation of a business relationship and fail to foresee issues that can cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship itself.

The list of exposure areas impacting business relationships can be categorized as . . . 

  1. Operational risk.  The organization needs to ensure that business processes and information are managed to limit risk exposure to the business.  This can cover areas such as health and safety, continuity of operations, redundancy in supply chain, quality issues, and security.
  2. Financial risk & performance.  The organization needs to make sure it is doing business with stable organizations that can be relied upon.
  3. Reputation.  The organization’s brand is on the line. To make sure that the corporate brand is not tarnished the organization needs to ensure that its vendors and business relationships hold to appropriate commitments to labor standards, environmental protection, fiscal responsibility, and social responsibility.
  4. Compliance.  The organization needs assurance that its vendor and business relationships are complying with local laws and regulations as well as the laws and regulations that bear down upon the business around the world.  This covers a wide spectrum of compliance to labor, anti-bribery and corruption, quality, import/export, security, privacy, and health and safety regulations and laws.

Organizations tend to look at the formation of a business relationship and fail to foresee these issues cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship. There is a common failure to manage risk across the lifecycle of business relationships for the following reasons:

  1. Risk is only considered during the on-boarding process: Risks in extended business relationships are usually only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This approach fails to recognize that additional risk is incurred over the life of the business relationship.
  2. Relationship performance evaluations neglect an integrated view of GRC: Metrics and measurements for ongoing business relationships often fail to fully analyze and monitor risk. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.

Organizations are complex entities that extend to hundreds or thousands of business relationships around the world. Organizations must actively manage and monitor risk and compliance across the lifecycle of a business relationship. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak and unmonitored oversight.

In the past, risk in extended business relationships was predominantly focused on the on-boarding process. After that point, individual business areas may conduct routine audits and assessments or require attestation to a code of conduct, but it is not a coordinated or collaborative function and often lacks accountability.

Document centric processes bury the organization with mountains of out of sync data that takes time to reconcile and report.  The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships. Business needs defined processes, information, frameworks, and solutions to effectively and efficiently manage 3rd party extended business relationships. The goal is to enable business agility by providing defined and integrated accountability processes that can manage risk and compliance in the context of performance and change across  business relationships. A clearly defined approach to managing GRC across extended business relationships requires a consistent lifecycle and program supported by a common information and technology architecture. 

Upcoming Research Briefings on this topic are . . . 

 
No comments yet.

Leave a Reply