Step 2: Conditioning is Critical, Make Sure Your Team and Systems are Ready for 3rd Party GRC
This is the 2nd blog in a 5-part series on developing a strategic plan for Third Party Governance/Management in your organization.
With an understanding of where you are at and where you want to go with 3rd Party Governance, the next step is to make sure your team and systems are ready for the journey. The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to 3rd Party Governance, Risk Management, and Compliance (3rd Party GRC):
“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]
Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is true in 3rd Party GRC. What further complicates this is the exponential effect of 3rd party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of 3rd party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives.
The organization needs to have holistic visibility and situational awareness into 3rd party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy.
The primary directive of a mature 3rd Party GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of 3rd party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.
Organizations need to ensure that the various departments and roles involved in governing 3rd party relationships are on board and willing to work together in a cohesive strategy. The goal is to provide the greatest balance in collaborative 3rd party governance and oversight to allow for some department/business function autonomy where needed, but focuses on a common governance model and alignment that the various groups in 3rd party governance utilize. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships, as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.
The goal is to have centralized 3rd party governance oversight to create consistent and aligned strategy with a common 3rd party governance process, information and technology architecture. Organizations with this collaborative approach report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on third party performance, risk and compliance, and greater effectiveness through the ability to report and analyze 3rd party risk and compliance data. The goal should not only to manage risk and compliance, but to integrate 3rd party governance in the context of performance, objectives, and strategy in relationships.
To achieve the full benefits from an 3rd party GRC strategy, GRC 20/20 recommends the following next steps:
- Gain executive support and sponsorship of the third party governance strategy.The organization needs to work in harmony on third party governance. Different groups doing their own thing handicap the business. Executive support is critical to align the organization.
- Develop harmonized systems and processes. Key to success is identification of shared processes and information for 3rd party GRC across the enterprise. This includes identifying technology and information solutions to support integrated information and process architecture.
This team needs to be aligned to share a common vision to move to an integrated approach to 3rd party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third party relationships.
[1]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.
Supporting 3rd Party GRC Research . . .
GRC 20/20 has defined this in our key research paper (currently being revised):
GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:
GRC 20/20 is also facilitating several upcoming workshops on this topic as well:
- Third Party Management by Design, Atlanta – April 15th
- Third Party Management by Design, Houston – April 17th
- Third Party Management by Design, Seattle – September 24th
- Third Party Management by Design, Minneapolis – September 26th
- Third Party Management by Design, Charlotte – October 7th
Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.
Really enjoying this 5-part series on 3rd party GRC, Michael. Lots of great insights and takeaways to think about. Much appreciated.