I grew up in the Northwest corner of Montana, a beautiful but wild country. From my earliest years I loved the outdoors. In fact, long before any aspirations to build a career in Governance, Risk Management & Compliance (GRC), I wanted to be a backcountry ranger in Glacier National Park. To spend time in the outdoors requires planning and a respect for the outdoors. To go trekking requires a plan of where you are going so you know who and what to bring with you on that journey. This planning is exactly what organizations need in context of 3rd party governance/management.
The greatest challenge upon organizations in the context of GRC is the governance, risk management, and compliance of the range of 3rd party relationships. We have reorganized, outsourced, and distributed business around the world. Today’s modern organization is not a traditional brick and mortar business. Organizations are now defined by a complex, intricate, interconnected, and nested web of relationships and transactions. Traditional employees no longer define who works for an organization as over half of our insiders are now outsourcers, service providers, contractors, consultants, temporary workers, suppliers, vendors, brokers, agents, dealers, intermediaries, customers, partners, and even competitors who collaborate and work with us. Their issues, challenges, and problems are your organization’s issues, challenges, and problems. These relationships bring significant value but also significant risk as well as compliance and integrity concerns.
This is compounded by the growing array of risks and regulations that impact the organization and its extended relationships. Such as:
- Anti-bribery and corruption (US FCPA, UK Bribery Act, Sapin II, OECD)
- Business/supplier continuity
- Data privacy & protection (EU GDPR, California CCPA, information security)
- Ethics & Values (vendor/supplier code of conduct)
- Geopolitical risk
- Human rights (US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, international labor standards)
- Import/export compliance
- Quality (ISO 9000)
- Environmental, Health & Safety (REACH, RoHS)
- And more . . .
GRC 20/20 defines 3rd Party GRC (or 3rd party management, or what some more narrowly call vendor risk, supplier risk, etc.) as:
“the capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across and down throughout an organizations third party relationships: the extended enterprise.”Adapted from the OCEG GRC Definition
The challenge and danger many organizations face in the journey to manage these relationships is a haphazard approach in which there is no careful and strategic plan. The organization, in its various departments, randomly addresses aspects of 3rd party GRC without thinking about the big picture. The result is a lot of redundancy, gaps, inefficiency, lack of agility and effectiveness, and thing slipping through the cracks. IT security has their approach, procurement is doing their thing, legal/compliance/ethics are doing something else, other groups such as quality, environmental, health and safety all have their approaches. Some are using documents, spreadsheets, and emails to govern third parties, others are using siloed commercial tools, and some are only putting out fires when a problem arises. No one sees the big picture and there is no coordinated effort to govern these relationships strategically to ensure that the value they are delivering outweighs the risk and exposure bring as well.
GRC 20/20 has identified three approaches organizations take to manage 3rd party relationships:
- Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed 3rd party initiatives never see the big picture and fail to put 3rd party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how 3rd party GRC processes can be designed to meet a range of needs. An ad hoc approach to 3rd party GRC results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about 3rd party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on 3rd party performance and strategy leading to greater exposure than any silo understood by itself.
- Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has issues as well. Organizations run the risk of having one department be in charge of 3rd party GRC that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing 3rd party relationships with the lowest common denominator and watering down 3rd party management. Further, there is no one-stop shop for everything 3rd party GRC as there are a variety of pieces to 3rd party management that need to work together.
- Federated – an integrated and collaborative approach.The federated approach is where most organizations will find the greatest balance in collaborative 3rd party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in 3rd party GRC participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in 3rd party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.
The modern organization has to have a strategic plan to govern 3rd party relationships to ensure they reliably achieve the objectives they were established for while managing the uncertainty and risk and act with the integrity and values that is expected of them. This requires a cross-department strategic plan, coordination, and collaboration on 3rd Party GRC. Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy. The strategic plan is the foundation that enables thi3rdrd party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.
The core elements of the third party strategic plan include:
- Third party governance team. The first piece of the strategic plan is building the cross-organization 3rd party governance team (e.g., committee, group). This team needs to work with 3rd party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in 3rd party GRC and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
- Third party GRC charter. With the initial collaboration and interaction of the 3rd party GRC team in place, the next step in the strategic plan is to formalize this with a 3RD party GRC charter. The charter defines the key elements of the 3rd party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of 3rd party GRC, the members of the 3rd party governance team, and define the overall goals, objectives, resources, and expectations of enterprise 3rd party GRC. The key goal of the charter is to establish alignment of 3rd party GRC to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
- Third party governance policy.The next critical item to establish in the 3rd party GRC strategic plan is the writing and approval of the 3rd party GRC policy (and supporting policies and procedures). This sets the initial 3rd party governance structure in place by defining categories of 3rd parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all 3rd party relationships be maintained with appropriate categorizations, approvals, and identification of risks.
GRC 20/20 has defined this in our key research paper (currently being revised):
GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:
GRC 20/20 is also facilitating several upcoming workshops on this topic as well:
- Third Party Management by Design, Atlanta – April 15th
- Third Party Management by Design, Houston – April 17th
- Third Party Management by Design, Seattle – September 24th
- Third Party Management by Design, Minneapolis – September 26th
- Third Party Management by Design, Charlotte – October 7th
Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.