Posted on Leave a comment

From Ad Hoc to Agile: Set Your Course for Third-Party GRC Maturity

This post is an excerpt from GRC 20/20’s most recent research piece, Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships, and upcoming webinar From Ad Hoc to Agile: Set Your Course for Third-Party GRC Maturity.

Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains.

In this context, organizations struggle to govern third party relationships. Risk and compliance challenges do not stop at organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organization’s problems and directly impact the brand, as well as reputation, while increasing exposure to risk and compliance matters. 

Fragmented governance of third party relationships through disconnected silos leads the organization to inevitable failure. A haphazard department- and document-centric approach for third party governance, risk management, and compliance (GRC) compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. 

A New Paradigm in Governing Third Party Relationships

The primary directive of a mature third party GRC management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. In the end, third party management is more than compliance and more than risk, but is also more than procurement. Using the definition for GRC[1]  – governance, risk management and compliance – third party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in the organization’s third party relationships.  

Third party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in the organization’s third party relationships.  

Five Stages of Third Party GRC Maturity

Mature third party GRC is a seamless part of governance and operations. It requires a top-down view of third party governance, led by the executives and the board, where third party risk management is part of the fabric of business – not an unattached layer of oversight. It also means bottom-up participation, where business functions identify and monitor transactions and relationships that expose the organization. GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey. There are five stages to the model:

1: Ad Hoc 

Organizations at the Ad Hoc stage of maturity have siloed approaches to third party governance, risk and compliance at the department level. Businesses at this stage do not understand risk and exposure in third party relationships; few if any resources are allocated to third party governance. The organization addresses third party GRC in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and compliance, and certainly no integration of risk and compliance information and processes in context of third party performance. 

2: Fragmented

The Fragmented stage sees departments with some focus third party GRC within respective functions — but information and processes are highly redundant and lack integration. With siloed approaches to third party GRC, the organization is still very document-centric. Processes are manual and they lack standardization, making it hard to measure effectiveness.

3: Defined

The Defined stage suggests that the organization has some areas of third party GRC that are managed well at a department level, but it lacks integration to address third party risk across departments. Organizations in the Defined stage will have defined processes for third party GRC in some departments or business functions, but there is no consistency. Third party GRC processes have the beginning of an integrated information architecture supported by technology and ongoing reporting. Accountability and oversight for certain domains such as bribery and corruption risk and compliance, and/or information security are beginning to emerge. 

4: Integrated

In the Integrated stage, the organization has a cross-department strategy for managing third party governance across risk and compliance. Third party GRC is aligned across several departments to provide consistent frameworks and processes. The organization addresses third party GRC through shared processes and information that achieve greater agility, efficiency, and effectiveness. However, not all processes and information are completely integrated, and there is not an integrated view of third party performance.

5: Agile

At the Agile stage, the organization has completely moved to an integrated approach to third party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third party relationships. Consistent core third party GRC processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for third party governance with minimal overhead. 

Advancing Your Organization’s Third Party Governance Maturity 

Organizations with third party GRC processes siloed within departments operate at the Ad Hoc, Fragmented, or Defined stage. At these stages third party GRC programs manage third party risk and compliance at the departmental level and lack an integrated view with no gain in efficiencies from shared processes. 

In the Integrated and Agile maturity levels, organizations have centralized third party GRC oversight to create consistent programs around the world with a common third party GRC process, information, and technology architecture. These organizations report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on third party performance, risk, and compliance, and greater effectiveness through the ability to report and analyze third party risk and compliance data. The primary difference between the Integrated and Agile stage is the integration of third party GRC in the context of performance, objectives, and strategy in individual relationships aligned with the organization. Differences may be seen in top-down support from executive management, and when various risk and compliance functions align with strategy to collaborate and share information and processes. 

The Agile Maturity approach is where most organizations will find the greatest balance in collaborative third party governance and oversight. It allows for some department/business function autonomy where needed, but focuses on a common governance model and technology architecture that the various groups in third party GRC utilize. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third party relationships. It allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party GRC management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.


Supporting 3rd Party GRC Research . . .

GRC 20/20 has defined this in our key research papers:

Upcoming webinar:

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.GRC 20/20’s 3rd Party GRC Research

Ask GRC 20/20 an inquiry on what 3rd Party GRC solutions available in the market and what differentiates them, this is what we do – research and analysis of technology for GRC . . . .


[1]        This is the OCEG definition of GRC.

Leave a Reply