Increasing Exposure to Third-Party Risks
The Modern Organization is an Interconnected Mesh of Relationships
Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mesh of relationships and interactions that span traditional business boundaries. Over half of an organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.
In this context, organizations struggle to adequately govern risk in third-party business relationships. Third-party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third-party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third-parties behave appropriately.
There are particular challenges of managing bribery and corruption, social accountability, international labor standards, human rights, information security, privacy, quality, environmental, health and safety, and more across the organizations. Growing regulatory pressures from things like US FCPA, UK Bribery Act, UK Modern Slavery Act, US Conflict Minerals, EU Conflict Minerals, California Transparency in Supply Chains Act, PCI DSS, OCC Requirements, HIPAA, and much more all put pressure on third party risk management.
Inevitable Failure of Silos of Third Party Governance
Governing third-party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.
This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.
Failure in third party management happens when organizations have:
- Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third-party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
- Interconnected third-party risks that are not visible. The organization’s risk exposure across third-party relationships is growing increasingly interconnected. An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. Organization often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
- Silos of third party oversight. Allowing different departments to go about third-party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third-party oversight and the organization breeds an anarchy approach to third-party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third-party relationships.
- Document, spreadsheet, and email centric approaches. When organizations govern third-party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third-party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third-party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
- Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third-parties; the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
- Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third-parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third-party relationship and that due diligence needs to be conducted on a continual basis.
- Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third-party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization must monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third-party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
- Third-party performance evaluations that neglect risk and compliance. Metrics and measurements of third-parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third-party but do not include monitoring of risks, particularly compliance and ethical considerations.
When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.
Organizations need to have an approach with a supporting information and technology architecture that enables:
- Identification and management of the range of third parties across the organization
- Evaluation and monitoring of third-party risks across the organization
- Prioritization of control and mitigation efforts in context of third-party risk exposure
- Management of the lifecycle of third party relationship process from on-boarding to off-boarding
- Conducting initial and ongoing due diligence efforts of third parties based on risk exposure
- Monitoring and track individual third party relationships as well as groups of relationships (e.g., type of relationship, type of risk, geography)
- Providing a system of record and audit trail to provide evidence when under legal or regulatory scrutiny
What are your thoughts and concerns on third party management? Please post your comments below. If you have a question on third party management best practices or solutions in the market, please submit an inquiry
Third Party Management Research from GRC 20/20 . . .
GRC 20/20 will be releasing a detailed written Market Landscape: Third Party Management Solutions
later in April that includes market definition, segmentation, sizing, forecasting, solutions in the space, drivers, trends and more.
Research Briefings on Third Party Management
Strategy Perspectives on Third Party Management
Solution Perspectives on Third Party Management
Case Studies on Third Party Management