Step 3: Select the Right Equipment for the 3rd Party GRC Journey
This is the 3rd blog in a 5-part series on developing a strategic plan for Third Party Governance/Management in your organization.
Growing up in Northwest Montana I spent a lot of time in the outdoors. This led to a passion for rock climbing when I was in high school (a hobby I put aside for 25 years and am tempted to pick up again). Everything was something to climb. My friends and I would go into town late at night and climb buildings, I was in a climbing competition my senior year of high school, and then I taught climbing in the Grand Tetons the summer after high school. Those were the days!
Climbing laid the foundation for how I evaluate GRC technology, and in the case of today’s topic, 3rd Party Governance, Risk Management, and Compliance (3rd Party GRC) solutions. You don’t throw everything into a backpack haphazardly and start a climb. When you are climbing, both space and weight are critical. You need to understand the journey ahead of you from start to finish and select the right equipment to accomplish the task. The same is true of 3rd Party GRC technologies, platforms, and solutions.
There are over 140 providers of various aspects of 3rd Party GRC. Some are very narrow and do a very specific thing (e.g., financial health/risk of 3rd parties, GDPR compliance, Conflict Minerals), while others provide a broad platform to manage an array of 3rd Party GRC needs and requirements. But even the broad platforms have differences. I have been fielding a number of complaints from organizations that find the 3rd Party Modules in their Enterprise GRC Platforms to be limiting, as they only manage things at the relationship level but fail to get into the contract and service level agreements. A large bank may have a relationship with a service provider or outsourcer, but there may be 100 contracts/service level agreements tied to that one relationship. The bank needs to know that 89 of those contracts touch GDPR requirements. Or a manufacturer needs to know the individual materials and components and the traceability of those materials/components down through a nested supply chain. Some solutions do not go deep or broad enough.
Third Party GRC is often the module that fails in Enterprise GRC initiatives as organizations try to bundle everything into one platform. This can work with the right solution, but as these organizations move forward with their Enterprise GRC Platform they often find that the 3rd Party GRC module is limited and does not meet the requirements of managing the details of a relationship that are critical to the organization. So they end up scrapping this module and go looking for a deeper solution that can meet their needs.
The right technology architecture enables the organization to effectively manage 3rd party performance and risk across extended business relationships, and facilitates the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. There can and should be a central core technology platform for 3rd Party GRC that connects the fabric of processes, information, and other technologies together across the organization. Many organizations see 3rd Party GRC initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:
- Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure, as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciliation than on active risk monitoring of extended business relationships.
- Point solutions. Implementation of a number of point solutions that are deployed and purpose-built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
- ERP and procurement solutions. There is a range of solutions that are strong in the ERP and procurement space and have robust capabilities in contract lifecycle management, transactions, and spend analytics. However, these solutions are often weak in overall 3rd party governance, risk management, and compliance, although these players have now started to look more seriously at 3rd Party GRC.
- Enterprise GRC platforms. Many of the leading enterprise GRC platforms have 3rd party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance, and do not always provide a complete view of performance management of third parties. They are often missing key requirements, such as third party self-registration, third party portals, and established relationships with third party data and screening providers.
- Third Party GRC Platforms. These are solutions built for the breadth and depth of 3rd Party GRC. Some are fully focused on just 3rd Party GRC, while a few Enterprise GRC platforms have deeper capabilities than their peers. These solutions have the broadest array of built-in (versus built-out) features to support the breadth of third party management processes. They take a balanced view of 3rd party governance and management that includes performance of third parties as well as risk and compliance needs. These solutions often integrate with ERP and procurement solutions to properly govern 3rd party relationships throughout their lifecycle, and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.
Successful 3rd Party GRC requires a robust and adaptable information architecture that can model the complexity of 3rd party information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages:
- Master data records. This includes data on the third party such as address, contact information, and bank/financial information.
- Third party compliance requirements. Listing of compliance/regulatory requirements that are part of third party relationships.
- Third party risk and control libraries. Risks and controls to be mapped back to third parties.
- Policies and procedures. The defined policies and procedures that are part of third party relationships.
- Contracts. The contract and all related documentation for the formation of the relationship.
- SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships, as well as aggregate sets of relationships.
- Third party databases. The information connections to third party databases used for screening and due diligence purposes, such as sanction and watch lists, politically exposed person databases, cyber-security ratings, as well as financial performance or legal proceedings.
- Transactions. The data sets of transactions in the ERP environment such as payments, goods/services received, etc.
- Forms. The design and layout of information needed for third party forms and approvals.
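As an added illustration (not code from the original post or from GRC 20/20), the following SQLite model shows the contract-level and nested-supply-chain depth the post argues for. Table names, column names, and sample rows are constructed assumptions. It answers the bank's question (how many of an outsourcer's 100 contracts touch GDPR) and the manufacturer's question (which third parties and requirements sit below a product in a nested bill of materials), neither of which a relationship-level record can answer.

```python
# Added example: a minimal contract- and component-level third party
# data model in SQLite. Everything here (tables, names, rows) is a
# constructed assumption for illustration, not GRC 20/20's model.
import sqlite3

SCHEMA = """
CREATE TABLE third_party (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE contract (
    id INTEGER PRIMARY KEY,
    third_party_id INTEGER NOT NULL REFERENCES third_party(id),
    title TEXT NOT NULL);
CREATE TABLE requirement (id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL);
-- which compliance requirements each individual contract touches
CREATE TABLE contract_requirement (
    contract_id INTEGER NOT NULL REFERENCES contract(id),
    requirement_id INTEGER NOT NULL REFERENCES requirement(id),
    PRIMARY KEY (contract_id, requirement_id));
-- nested bill of materials: each component is delivered under a contract
-- and may itself be built from sub-components from other third parties
CREATE TABLE component (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    contract_id INTEGER REFERENCES contract(id),
    parent_id INTEGER REFERENCES component(id));
"""


def build_sample_db():
    """Constructed sample data: one outsourcer with 100 contracts, 89 of
    which process EU personal data, plus a three-level supply chain."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO third_party VALUES (?, ?)", [
        (1, "Acme Outsourcing"), (2, "Board House Ltd"), (3, "Tin Refiner Co")])
    conn.executemany("INSERT INTO requirement VALUES (?, ?)", [
        (1, "GDPR"), (2, "CONFLICT_MINERALS")])
    conn.executemany("INSERT INTO contract VALUES (?, ?, ?)",
                     [(i, 1, f"SOW-{i:03d}") for i in range(1, 101)]
                     + [(101, 2, "PCB supply"), (102, 3, "Solder supply")])
    conn.executemany("INSERT INTO contract_requirement VALUES (?, ?)",
                     [(i, 1) for i in range(1, 90)] + [(102, 2)])
    conn.executemany("INSERT INTO component VALUES (?, ?, ?, ?)", [
        (1, "Widget", None, None),   # the manufacturer's own product
        (2, "Main board", 101, 1),   # supplied by Board House Ltd
        (3, "Solder", 102, 2)])      # Board House buys it from Tin Refiner Co
    return conn


def contracts_touching(conn, party_name, requirement_code):
    """Count the contracts under one relationship that carry a requirement.
    A relationship-level module can only answer 'Acme: GDPR yes/no'."""
    (count,) = conn.execute(
        """SELECT COUNT(DISTINCT c.id)
           FROM contract c
           JOIN third_party tp ON tp.id = c.third_party_id
           JOIN contract_requirement cr ON cr.contract_id = c.id
           JOIN requirement r ON r.id = cr.requirement_id
           WHERE tp.name = ? AND r.code = ?""",
        (party_name, requirement_code)).fetchone()
    return count


def supply_chain(conn, root_component):
    """Walk the nested supply chain below a component with a recursive CTE.
    Returns (depth, component, supplier, requirement codes) rows, shallowest
    first; supplier is None and codes are '' where nothing is attached."""
    return conn.execute(
        """WITH RECURSIVE tree(id, name, contract_id, depth) AS (
               SELECT id, name, contract_id, 0 FROM component WHERE name = ?
               UNION ALL
               SELECT ch.id, ch.name, ch.contract_id, t.depth + 1
               FROM component ch JOIN tree t ON ch.parent_id = t.id)
           SELECT t.depth, t.name, tp.name, COALESCE(GROUP_CONCAT(r.code), '')
           FROM tree t
           LEFT JOIN contract c ON c.id = t.contract_id
           LEFT JOIN third_party tp ON tp.id = c.third_party_id
           LEFT JOIN contract_requirement cr ON cr.contract_id = c.id
           LEFT JOIN requirement r ON r.id = cr.requirement_id
           GROUP BY t.id
           ORDER BY t.depth, t.name""", (root_component,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("Acme contracts touching GDPR:", contracts_touching(db, "Acme Outsourcing", "GDPR"))
    for depth, name, supplier, codes in supply_chain(db, "Widget"):
        print("  " * depth + f"{name} <- {supplier} [{codes}]")
```

The two queries are the whole point: the first joins down from the relationship to individual contracts and their tagged requirements, and the second uses a recursive common table expression to reach third parties that the organization never contracted with directly but whose components and obligations (here a conflict minerals requirement two levels down) still sit inside its product.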
The right third party technology architecture choice for an organization involves integrating several components into a core third party governance platform to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real time in which business operates. Some of the core capabilities organizations should consider in a third party governance platform are:
- Internal integration. Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization: procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical.
- External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.
- Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert, establishing workflow and tasks for review and analysis, with standardized formats for measuring business impact, risk, and compliance.
- 360° contextual awareness. The organization should have a complete view of what is happening with third party relationships in the context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions, as well as changing risks and regulations, for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.
It is critical that organizations closely understand the breadth and scope of 3rd Party GRC across the organization and define a strategy and process for what they want to accomplish now, as well as 3 to 5 years from now. Only then can they evaluate and consider the right features and functionality they need in a 3rd Party GRC solution.
Supporting 3rd Party GRC Research . . .
GRC 20/20 has defined this in our key research paper (currently being revised):
GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:
GRC 20/20 is also facilitating several upcoming workshops on this topic as well:
- Third Party Management by Design, Atlanta – April 15th
- Third Party Management by Design, Houston – April 17th
- Third Party Management by Design, Seattle – September 24th
- Third Party Management by Design, Minneapolis – September 26th
- Third Party Management by Design, Charlotte – October 7th
Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.
Send GRC 20/20 an inquiry on what 3rd Party GRC solutions are available in the market and what differentiates them; this is what we do: research and analysis of technology for GRC.