Modern Organization: Interconnected Maze of RelationshipsTraditional brick and mortar business are a thing of the past. Physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties. In this context, organizations struggle to identify and govern their third party relationships, with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation, while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.
Inevitable Failure of Silos of Third Party GovernanceThird party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them, and fail to actively manage and understand the interrelationship of third parties across the organization. The fragmented governance of third party relationships, through disconnected silos, leads the organization to inevitable failure. Reactive, document-centric, and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship, as well as the organization’s goals, objectives, and performance. Failure in third party governance comes about when organizations have:
- Growing risk and regulatory concerns with inadequate resources – Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
- Interconnected third party risks that are not connected – The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
- Silos of third party oversight –Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
- Document and email centric approaches –When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report onsupply chain data. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
- Scattered and non-integrated technologies –When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency – impacts effectiveness, while encumbering the organization when it needs to be agile.
- Processes focused on onboarding only –Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
- Inadequate processes to manage change –Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, etc. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe – in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships are changing – introducing further risk exposure.
- Third party performance evaluations that neglect risk and compliance –Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services, but do not include monitoring risks such as compliance and ethical considerations.
GRC 20/20 Events & Resources for Third Party Management Include . . .
Upcoming Third Party Management Webinars
2019 Trends in Third Party Risk, November 28 @ 10:00 am – 11:00 am CST
Best Practices for Third Party Management RFPs, November 29 @ 11:00 am – 12:00 pm CST
Efficient and Effective Third-Party Management, December 6 @ 10:00 am – 11:00 am CST
Senior Management Regime – The Next Level of Maturity, December 6 @ 8:00 am – 9:00 am CST
Strategy Perspective on Third Party Management
Research Briefings on Third Party Management
Case Studies on Organizations Doing Third Party Management
Solution Perspectives on Third Party Management Solutions
- CyberGRX: Collaborative Accountability in Third Party Cyber Risk Management
- Aravo for GDPR
- Opus’ Hiperos Information Security Solution
- SureCloud Third Party Risk Manager
- ProcessUnity Vendor Cloud
- Aravo: Enabling 360° Insight & Control of Third Party Relationships
- Thomson Reuters World-Check One: Innovation in Third Party Management Technology
- Source Intelligence Network: Innovation in User Experience for Third Party Management