3rd Party Risk & Compliance – A Significant Challenge for Large Organizations
Issues impacting corporate governance, risk management, and compliance are abundant. GRC 20/20 has identified 27 issue areas that organizations struggle with in risk and compliance – THOUGH the one that is keeping GRC 20/20 research and advisory the busiest is 3rd party risk and compliance management.
What do you mean by 3rd party risk & compliance?
Third party risk and compliance is a generic term – specific industries and organizations may refer to it as supply chain, vendor, or service provider risk and compliance management. The impact of the extended enterprise is significant on business. Organizations are dealing with numerous and global relationships. There are also specific pressures within industries to formally manage 3rd party risk (i.e., the FDIC released guidance this past summer requiring banks to manage 3rd party risk).
The specific risk and compliance concerns impacting 3rd party relationships extend across a range of issues – international labor standards, code of conduct, corporate social responsibility, operational risks, supply chain risks, environmental, health and safety, security, privacy, quality . . . the list of issues across industries is expansive.
Core processes that organizations require to manage 3rd party risk and compliance include:
- Definition and modeling of relationship, risks, compliance issues, and controls with extended business relationships;
- Communication and attestation of policies, procedures, and code of conduct;
- Delivery of compliance and code of conduct eLearning/training content;
- Ability to have business partners conduct self-assessments of risk, compliance, and controls;
- Interface for consultants and auditors to validate risk and controls and exercise right to audit clauses;
- Provide a platform for risk and compliance intelligence where the company can be alerted to new developments and issues that could impact specific relationships and/or geographies; and,
- Assessment and scoring of risk based on the business relationship and status of assessment/audit findings.
Large organizations around the world struggle and are actively looking for solutions and service offerings to answer these 3rd party risk and compliance relationship processes. Just in the past few months GRC 20/20 has interacted with several large and medium-sized banks, a major food retailer, Fortune 100 retailers, entertainment conglomerate, high-tech manufacturers, life sciences firm, insurance, major pharmaceutical benefits provider, and more. In one firm I sit on the social accountability advisory board aimed at managing international labor standards, workplace safety, and code of conduct across 5000+ vendors in a global supply chain. These issues are significant, overwhelming, growing, getting more complex, and not going away.
This is a particular golden opportunity for technology providers that provide a Software as a Service (SaaS) offering – as organizations are reluctant to open up their internal networks to accomplish 3rd party risk and compliance management.
This is just a quick synopsis of a very intricate issue that organizations are struggling with. GRC 20/20 welcomes your comments and thoughts on this topic