Third Party GRC vs Third Party Risk Management

Business is No Longer Brick & Mortar Walls

I was recently talking to a global manufacturer about the challenges they face in defining their organization. The challenge is that there are no more brick and mortar walls that define the organization. Their organization, like yours, is a web of third party relationships. In many areas, these relationships are further complicated as they nest themselves in other relationships in deep supply chains and subcontractors. What used to be thought of as an internal risk within the traditional brick and mortar walls of this global manufacturer is now extended across an array of relationships in the extended enterprise.

However, as we were talking, it became clear that it is not just about risk management. The organization has to ensure that these extended enterprise relationships share the same values and commitments to integrity that define the core organization, the global manufacturer. It also has to ensure that each of these relationships is meeting the objectives that the relationship is in place for. This gets further complicated where the organization has to manage performance/objectives, risk, and compliance not only at the relationship level but also at the contract, facility, and/or service level.

One financial services firm stated that it cannot simply manage a service provider/outsourcer relationship at the relationship level but needs to understand the details at each contract/service level of the relationship. It might have one relationship but 100 contracts/service levels within that relationship. It needs to manage how each contract is performing and the unique risks that each contract carries.

I sat on the social accountability advisory firm for one Fortune 100 firm that was managing international labor standards across 5,000 suppliers. However, these 5,000 suppliers had an aggregate of 20,000 facilities. Social accountability could not simply be managed at the relationship level of each supplier but had to extend into each facility servicing this global firm.

However, Organizations Focus on Third Party Risk Silos

The challenge is that many organizations approach third party risk management in isolated silos. The IT security team has its process and technology focused on security. Corporate compliance and ethics is concerned about anti-bribery and corruption and has its own processes for managing this in third party relationships. Then other departments such as quality, environmental, health and safety, EST/CSR, and others have their own siloed processes to govern relationships. The result is that no one sees the full spectrum of risk and exposure in these relationships. Perhaps each area has some concerns about a relationship, but within its silo the concern is not big enough to act on. If those concerns were aggregated across the silos monitoring that one relationship, alarms should be going off.

However, what is often missing is the governance of these relationships. As organizations focus on the silos of risk, they often forget to put in context how these third party relationships are delivering on the performance and objectives of the relationship.

It Is Time to Move to Third Party GRC

It is time for organizations to stop thinking about Third Party Risk Management and start doing Third Party Governance, Risk Management, and Compliance (GRC). Third Party GRC is the capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE] in and across the web of the organization's third party relationships in the extended enterprise (note: this is modified from the OCEG definition of GRC to fit Third Party GRC).

Think about it. Each relationship has a purpose; there would not be a relationship if there were no purpose for it. The organization needs processes in place to reliably achieve the objectives of the relationship: this is third party governance. Then the organization needs to manage the uncertainty in the relationship. Risk, according to ISO 31000, is the effect of uncertainty on objectives. The organization has to monitor and manage the uncertainty/risk in meeting the objectives of the relationship. Finally, the organization needs to ensure integrity in the relationship, meaning that the compliance requirements, values, and ethics are in place and aligned with the organization's own.

These are three legs of one stool, and all are needed. It is more than third party risk; that only gets you a partial view. Organizations need to start thinking of Third Party GRC when defining these programs.

Only a Few Solutions Deliver on Third Party GRC

I recently published my Third Party GRC Maturity Model. This breaks the measurement of maturity of an organization's Third Party GRC program into 5 levels: Ad Hoc, Fragmented, Defined, Integrated, and Agile. The Ad Hoc stage is firefighting and reactive. The Fragmented stage is manual processes at a department level. Defined is technology-enabled third party risk management at a department level. Integrated is an enterprise view of third party risk across departments. Agile is where we achieve Third Party GRC, as it looks at risk and compliance in context and in balance with the objectives and performance of each relationship.

From a technology perspective, there are a lot of siloed, very focused solutions that cover one area of third party risk and get an organization to the Defined stage. There are a handful of solutions that can take a broad view of third party risk across departments and get an organization to the Integrated stage. There are only a few solutions on the market that can truly deliver on Agile and bring an integrated view of objectives/performance in the context of the risk and compliance in each relationship.

Today's business environment, in which the business has no boundaries and extends across an array of third parties, necessitates that organizations start focusing on the Agile stage, Third Party GRC, and not on silos of third party risk management.

GRC 20/20 Third Party GRC Workshops

I will be teaching my Third Party GRC by Design workshops in the following cities in February. Registration is free but limited to those within organizations managing aspects of their third party relationships. In other words, it is not open to solution providers trying to sell products/services. Come join us . . .

Upcoming Risk Management by Design workshops are:

Upcoming Policy Management by Design workshops are:

  • Chicago, Policy Management by Design, April – details forthcoming
  • New York, Policy Management by Design, April 28th
  • London, United Kingdom, Policy Management by Design, June – details forthcoming