Third-Party GRC: Looking Back on 2020, What Was Learned ?

Written by The GRC Pundit

Published on2021-01-28Updated on2021-01-28Discussion1 Comment on Third-Party GRC: Looking Back on 2020, What Was Learned ?

“Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” 

Martin Luther King, Jr. 

This statement by Dr. King is true in our conduct, and it is true in an organization’s conduct and its relationships. 

The structure and reality of business today has changed. It is not the same as it was a few decades back. Brick-and-mortar walls do not define today’s business, nor is it defined by traditional employees. The modern organization is comprised of an interrelated structure of business relationships. Roaming the hallways of an organization – when there is no pandemic lockdown forcing individuals to work from home – means crossing paths with contractors, consultants, temporary workers, and more. Today’s organization is an interconnected and interdependent web of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, etc. Business today relies and thrives on third-party relationships; this is the extended enterprise. 

The business’s ability to reliably achieve corporate objectives directly depends on the governance of third-party relationships and whether the organization can reliably achieve objectives in each relationship. The organization’s ability to manage uncertainty, risk, and resiliency requires that risk be managed in third-party relationships. The integrity and ability of the organization to comply with regulations, commitments, and values are measured in the integrity of its relationships as well. 

The saying, “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization. The modern business depends on, and is defined by, the governance, risk management, and compliance of third-party relationships to ensure the organization can reliably achieve objectives, manage uncertainty, and act with integrity in each of its third-party relationships. 

The governance, risk management, and compliance of third-party relationships (third-party GRC) is in a state of growing maturity and evolution. The year 2020 has brought many third-party management lessons through the trials and tribulations worldwide, and as a result, 2021 is aiming for greater resiliency and integrity in third-party GRC. 

Looking Back on 2020: What Was Learned 

We cannot understand the 2021 trends in third-party GRC without understanding what transpired in 2020. The last year has taught organizations many lessons in third-party management which provides the foundation for the 2021 trends. 

2020 brought organizations disruption that impacted operations and third-party relationships. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders. Then, racial tensions and a focus on discrimination led to re-evaluating conduct rules within the organization and across relationships – followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a major security breach in a third-party context for the history books with the SolarWinds breach. 

A risk event has a domino impact on the organization and its relationships. What starts with one domino of risk has a cascading effect on other risks. Consider the 2020 global crisis and pandemic of COVID-19. It began as a health and safety risk coming out of Asia. It then had a cascading influence that caused other risks to materialize and ultimately change that impact of organizations and their third parties. Third-party risk cannot be managed in isolation but must be understood in the complex web of interconnections of risk and objectives that play out from it. What originated as a health risk in a community in Asia now has a global impact that goes far beyond just an illness. 

Consider the following: 

• Risk to objectives. As the pandemic unfolded, it had a specific impact on business objectives that further impacted third-party relationships’ objectives. Adapting to the crisis, businesses had to modify corporate objectives and, as a result, objectives in each relationship. Third-party relationship objectives had been modified and risk exposure had to be monitored in the uncertainty of meeting objectives in an environment of volatility with the pandemic. This plays out from the economic and business impacts of the virus. 
• Risk of operational resilience and continuity. Organizations have increased exposure to their operations and delivery of business processes across third parties. Business continuity in many organizations had a sole focus on IT security and disaster recovery and they were not prepared for a pandemic of this nature. They were ready for a computer virus, but not a global, biological virus. As employees were cut, processes were changed, relationships with third parties modified, and a focus on work from home put in place . . . the organization scrambled and faced growing uncertainty and exposure. 
• Risk of information security. With the focus on supporting a broad work from home strategy for both employees and third parties, the organization faced increased exposure to IT security issues. Home office environments are often not secure. With the Internet of Things (IoT), the light switch, blender, or TV in the third-party employee’s home could be a source of exposure to company data and connections. Further, hackers and organized crime have taken the crisis as an opportunity to infiltrate organizations and steal data. The year ended with the SolarWinds breach in a third-party context. 
• Risk in third-party relationships. Half of the organization is typically not traditional employees but third parties. There were significant issues where service providers and outsourcers have entirely shut down because of lockdowns and were unable to support organizations and deliver services, including constrained supply chains and the inability to deliver goods. Outsourced data centers went dark and a skeleton crew of staff was left to maintain them, often remotely. 
• Risk of integrity, culture, and control. With rapidly changing processes to address the pandemic, the organization lacked controls to monitor third-party relationship changes. With reduced staff, employees were wearing multiple hats with greater exposure to segregation of duty conflicts. Individuals, either employees or third-party, were concerned about the economy and their well-being and security. Working from home offices and not in a corporate building contributed to a culture of insecurity for many. 
• Risk of fraud. In uncertain economic times and the unfolding of a recession, employees and third parties working on internal business systems and processes were under more stress to make ends meet. They might never think of stealing/ committing fraud during normal times but may choose the wrong path when faced with economic stress and uncertainty. 
• Risk of bribery and corruption. Constrained supply chains and pressure to meet objectives increased the risk of bribery and corruption. With customs, imports, and exports coming to a crawl in some countries, and borders shut down, there was greater corruption risk. Heightened exposure that someone may pay a third-party or foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done. 
• Risk of modern slavery and human rights. There was great unrest of human rights worldwide, which was an issue prior to the pandemic that has only been exacerbated further because of the pandemic. But it goes beyond civil rights and treatment of ethnic groups, it also extends into our facilities and supply chains. The pandemic hit certain areas of the world hard. Factories have lost employees to illness and death. As a result, there has been increased staffing with child or forced labor alongside poor and unwanted working conditions. 
• Risk of harassment and discrimination. Unrest abounding, combined with work from home policies for employees and third parties, contributed to growing discrimination and harassment happening because of the virus and a focus of anger on ethnic groups. People working from home and not in normal office conditions do not understand that the same corporate rules and policies apply. Communications such as email, text, and video calls have become more relaxed and individuals crossed boundaries of harassment and discrimination in statements made in these remote home offices. 

The organization’s continuity and resiliency required close monitoring of third-party relationships to maintain goods, services, and transactions during the pandemic. Enterprise risks do not stop at business boundaries but extend across third-party relationships. Risks themselves are also interconnected. What starts with a health and safety risk for the business and third-party relationships cascaded like dominos into resiliency/continuity risks, fraud risk, IT security risk, bribery/corruption risk, modern slavery/human rights risks, geopolitical risks, and more. 

2020 was the poster child for business and third-party disruption. It taught organization that to reliably achieve objectives, manage uncertainty, and act with integrity requires a 360° view of third-party relationships as they serve the organization. This requires an enterprise view of third parties to monitor the interconnections and impact of uncertainty on objectives. 

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Third-Party GRC Management: