Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of the business. When the organization approaches third party management in scattered silos that do not collaborate with each other, it cannot be intelligent about third party performance, risk management, and compliance, nor understand their impact on the organization.
The bottom line:
A haphazard, department- and document-centric approach to third party management compounds the problem rather than solving it. It is time for organizations to step back and define a cross-functional, coordinated strategy and team to define and govern third party relationships. Organizations need to wipe the slate clean and approach third party management by design, with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships using real-time information about third party performance, risk, and compliance and how they impact the organization.
Third Party Management by Design
The physicist Fritjof Capra made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:
The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.
(Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.)
Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of their intricate interrelationships as an integrated whole rather than as a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects on the entire ecosystem. The same is true of third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately influence the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs holistic visibility and situational awareness into third party relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of third party data require that the organization implement a third party management strategy.
Different Approaches Organizations Take in Managing Third Parties
The primary directive of a mature third party management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.
GRC 20/20 has identified three approaches organizations take to manage third party relationships:
- Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed third party initiatives never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance. The organization is not thinking about the big picture of how third party management processes can be designed to meet a range of needs. An ad hoc approach to third party management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together, and so there is no possibility of being intelligent about third party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third party performance and strategy, leading to greater exposure than any silo understood by itself.
- Monarchy – one size fits all. If the anarchy approach does not work, then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of putting one department in charge of third party management that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may overshadow the needs of others. From a technology point of view, it may force many parts of the organization into managing third party relationships with the lowest common denominator, watering down third party management. Further, there is no one-stop shop for everything in third party management, as there are a variety of pieces to third party management that need to work together.
- Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in third party management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.
In the end, third party management is more than compliance, more than risk, and more than procurement. Using the definition of GRC – governance, risk management, and compliance – third party management is a “capability to reliably achieve objectives [governance], while addressing uncertainty [risk], and act with integrity [compliance]” across the organization’s third party relationships.
Third Party Management Strategic Plan
Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy. The strategic plan is the foundation that enables third party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.
The core elements of the third party strategic plan include:
- Third party management governance team. The first piece of the strategic plan is building the cross-organization third party governance team (e.g., committee, group). This team needs to work with third party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in third party management and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
- Third party management charter. With the initial collaboration and interaction of the third party management team in place, the next step in the strategic plan is to formalize this with a third party management charter. The charter defines the key elements of the third party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of third party management and the members of the third party governance team, and define the overall goals, objectives, resources, and expectations of enterprise third party management. The key goal of the charter is to establish alignment of third party management with business objectives, performance, and strategy. The charter should also detail board oversight responsibilities and reporting on third party management.
- Third party management policy. The next critical item to establish in the third party management strategic plan is the writing and approval of the third party management policy (and supporting policies and procedures). This sets the initial third party governance structure in place by defining categories of third parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all third party relationships be maintained with appropriate categorizations, approvals, and identification of risks.
GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan.