The third party management strategy and policy are supported and made operational through a third party management architecture. The organization requires complete situational and holistic awareness of third party relationships across operations, processes, transactions, and data in order to see the big picture of third party performance and risk in the context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to third party management architecture. The architecture defines how organizational processes, information, and technology are structured to make third party management effective, efficient, and agile across the organization and its relationships.
There are three areas of the third party management architecture:
- Third party management process architecture
- Third party management information architecture
- Third party management technology architecture
It is critical that these architectural areas be initially defined in this order. It is the business processes that determine the types of information needed, gathered, used, and reported. It is the information architecture, combined with the process architecture, that defines the organization's requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for third party management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for third party management instead of finding the technology that best fits its process and information needs.
Third Party Management Process Architecture
Third party management architecture starts with the process architecture. Third party management processes are a subset of overall business processes. They are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships.
The third party management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes third party management processes, each process's components and interactions, and how third party processes work together as well as with other enterprise processes.
While third party processes can be very detailed and vary by organization and industry, there is a set of general third party management process areas that organizations should have in place. These are:
- Ongoing context monitoring. On an ongoing basis, and separate from the monitoring of individual relationships, is the process to monitor the external risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify evolving opportunities, risks, and regulatory requirements that impact the overall third party management program. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. It also involves monitoring relevant legal and regulatory environments in the corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
- Third party identification & onboarding. This is the collection of processes aimed at automating a standard, objective approach for identifying third parties to work with and onboarding them through the collection of third party data and the conduct of appropriate due diligence.
  - Purpose & identification. This is the process to identify new third parties, or existing third parties, to contract with for new business purposes. Third party identification details the purpose of the relationship and includes an initial definition of the performance, risk, and compliance requirements and concerns in the relationship so that the proper relationship can be identified.
  - Qualification & screening. Once a candidate third party has been identified, the next step is the qualification and screening process to validate that the third party can meet the requirements of the relationship and does not introduce unwarranted risk and compliance exposure. The screening process goes through due diligence steps to ensure that the third party is the right fit for the organization. Relationships, particularly high risk ones, are evaluated against defined criteria to determine whether the relationship should be established or avoided.
  - Contracting & negotiation. Upon passing initial qualification and screening, the next set of processes are the contracting and negotiation processes used to come to terms and establish the relationship.
  - Registration & onboarding. When the contracting and negotiation processes are complete, the organization moves into registration and onboarding. The registration process may have already started in the qualification and screening phase to gather information, but it concludes with setting up the third party in the system with master data records, financial and payment information, contact information, and insurance and licensing documentation. Further steps of the onboarding process are communication of the code of conduct and related policies, obtaining attestations to these, completing associated training requirements, and conducting initial audits and inspections (if more are needed and were not done in the qualification and screening stage).
- Third party communications & attestations. These are the set of ongoing processes to manage the communications and interactions with the third party throughout the relationship lifecycle. They are carried out on a periodic (e.g., annual) basis or when certain risk conditions are triggered.
  - Policy communications & reminders. The regular communication and reminders to third parties about the code of conduct and related policies and procedures they need to follow.
  - Training. The regular training of third parties on matters of conduct, policies, and procedures.
  - Attestation. The regular attestation by third parties to their behavior and conformance to policies and contractual requirements.
  - Self-assessments. The regular surveys and assessments sent to third parties for them to evaluate themselves and return to the organization.
  - Reporting. The regular reporting by third parties on aspects of the relationship, and in that context on performance, risk, and compliance.
- Third party monitoring & assessment. This stage includes the array of processes to continuously monitor the third party relationship over its lifecycle in the organization. These activities are the ones typically done within the organization to monitor and assess the third party relationship on an ongoing basis.
  - Issue reporting & resolution. Even the most successful business relationships encounter issues. This is the process for capturing issues, and their details, that arise in third party relationships. Issue reporting may be internal and done by employees and management, done by the third parties themselves, or come through external sources such as customer complaints.
  - Performance monitoring. Performance monitoring processes are in place to monitor the health of the relationship, satisfaction of service level agreements, and the value the relationship is providing.
  - Risk monitoring. Risk monitoring processes identify and evaluate potential risks relevant to each third party relationship throughout its lifecycle in the organization.
  - Compliance monitoring & ongoing due diligence. The processes in place to monitor relationships for ongoing conformance to compliance requirements. This includes ongoing due diligence and screening processes.
  - Audit & inspections. The processes in place to exercise right-to-audit clauses and to do onsite inspections of third party premises and facilities.
- Forms & approvals. The set of internal processes to collect and report information and to route requests for approval in the context of third party relationships, including:
  - New vendor/supplier request.
  - Gifts, hospitality & entertainment.
  - Political & charitable contributions.
  - Facilitated payments.
- Metrics & reporting. Processes to gather metrics and report on third party relationships at the relationship level or in aggregate.
- Third party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships.
  - Relationship renewal. Managing the process of renewing contracts and relationships under existing, revised, or new terms.
  - Off-boarding & retirement. Off-boarding and retiring relationships that are no longer needed.
GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan:
- Research Briefing: How to Purchase Third Party Management Solutions
- Webinar: How to Define a Third Party Management Process Lifecycle, July 19 @ 10:00 am – 11:00 am CDT
- Research Paper: Third Party Management by Design: A Federated Approach to Third Party Management, Strategy Perspective
Other webinars that build on How to Define a Third Party Management Process Lifecycle include:
- Recorded Webinar: How to Develop a Third Party Management Strategy
- Live Webinar: How to Design a Third Party Management Architecture, July 26 @ 10:00 am – 11:00 am CDT