One of the greatest challenges to organizations today is managing the extended enterprise: the web of third-party relationships that support the business and its operations. The integrity of the organization is no longer defined by traditional brick-and-mortar walls and employees. The integrity of the organization requires continuous monitoring and control of the governance, risk management, and compliance of third-party relationships.
I argue that we should stop calling this area vendor risk management, or third-party risk management. What is needed is third-party GRC that is integrated across the business. I define third-party GRC (modifying the OCEG GRC definition) as:
Third-Party GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in each of the organization’s third-party relationships across the extended enterprise.
There are two primary items missing from traditional vendor and third-party risk management:
- Governance. Third-party governance involves ensuring that the organization reliably achieves the objectives of each relationship. You cannot manage risk in a relationship without clearly understanding and defining the objectives of the relationship. In fact, the official definition of risk in ISO 31000 is that risk is the effect of uncertainty on objectives. Every relationship is established for a purpose. The most fundamental element of managing risk in a relationship is determining whether we are achieving those objectives and measuring the uncertainty of achieving them. You cannot do third-party risk management without starting with governance first.
- Integration. Too many vendor and third-party risk management programs are focused on silos of risk. IT security is looking at security in third parties; privacy is looking at similar things related to personal information; compliance is looking at conflicts of interest and anti-bribery and corruption; procurement is looking at the reliability and viability of suppliers and vendors; legal may be looking at intellectual property protection and contracts; ESG/CSR is looking at human rights and ethical sourcing, or perhaps conflict minerals; quality is looking at the delivery of goods and services to requirements; EH&S is looking at traceability of components and environmental impacts; business continuity is looking at resiliency in third-party relationships. Everyone has their view, but no one has a complete view of objectives, risk, and integrity in and across these relationships. For the most part, too many vendor and third-party risk management programs are exclusively fixated on IT security and privacy and not the range of other risks in these relationships.
What is needed is a federated strategy that brings 360° contextual insight into each relationship. We need to see the big picture of achieving objectives in the relationship while addressing risk and compliance. This involves a cross-department strategy to holistically address third-party GRC: a strategy that provides a framework, process, and information/technology architecture that allows greater insight into third-party GRC across procurement, IT security, privacy, legal, compliance, ethics, ethical sourcing, resiliency and continuity, and more. With such a strategy, the organization can get a complete report card on the performance, risk, and integrity in each of its relationships to ensure it is doing business with the right entities and achieving the objectives of each relationship.
Just as the organization has implemented client relationship management (CRM) systems, we need a similar collaborative approach to managing the other side of the organization, the extended enterprise. Where CRM systems allow marketing, sales, and service and support to get a 360° view of clients and their interactions/transactions with the organization, the same is needed in third-party management to get a complete view of third parties.
How do you get there? Here are some simple steps:
- Understand your current state. Inquire and find all the departments, functions, and roles that have a stake in some element of third-party GRC in the organization. Find out how they are approaching this, what is working well, and what is not.
- Define your future state. This involves developing a charter for third-party GRC to get distributed groups to work together and, from there, defining a strategy, process, and architecture for where you want to be in three years.
- Build a business case. Measure the value the organization will achieve from an integrated and collaborative view across third-party GRC. Define how this will make the organization more efficient (e.g., time saved, money saved), more effective (e.g., complete view of delivery/objectives, continuous monitoring of risk, stronger relationships), and more agile (e.g., keeping up with change, being responsive to and containing issues).
- Start your journey. Take things in stages, break down the project plan, and start delivering on this vision.
I am happy to share resources and information on this. I teach a full-day workshop on Third-Party GRC by Design and have written and advised extensively on this journey.