2021 Trends in Third-Party Governance, Risk Management & Compliance (GRC)
Looking Forward in 2021: What Can Be Expected
In the previous blog we reviewed the lessons learned in third-party risk management in 2020; here we look ahead to 2021 and how organizations will address third-party governance, risk management, and compliance (GRC).
The world of business in 2021 is distributed, dynamic, and disrupted. It is distributed across a web of relationships. It is dynamic as business and relationships change day-by-day. Processes change, employees change, relationships change, regulations change, risks change, and objectives change. The ecosystem of business relationships is complex, interconnected, and requires a holistic, contextual awareness of third-party GRC, rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.
This interconnectedness of business is driving demand for 360° contextual awareness of the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data strain third-party relationships and the business’s ability to manage them.
This challenge is even greater when third-party risk management is buried within individual departments and operates from silos, rather than as an integrated discipline of decision-making that is tied to the performance and strategy of each relationship.
Five Strategic Trends in Third-Party GRC in 2021
These elements of distributed, dynamic, and disrupted business are driving significant changes in third-party governance strategies in organizations. In addressing third-party governance, risk management, and compliance, GRC 20/20 is observing five strategic trends organizations are focusing on in 2021:
- Integrity. The integrity of the organization relies on the integrity of its third-party relationships. Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021 and how this extends and is enforced across third-party relationships. This includes a focus on human rights, privacy, environmental standards, health, safety, conduct with others (e.g., customers, partners), and security in third-party relationships.
- Resiliency. The organization has to maintain operations amid uncertainty and change. This requires a holistic view of third-party relationships’ objectives and performance in the context of uncertainty and risk within those relationships. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts them. Given the reliance on third-party relationships, this requires a holistic view into the governance, risk management, and compliance of each third-party relationship and how it serves and provides value to the organization.
- Governance. Third-party risk management is not enough. The organization is shifting focus in 2021 to third-party GRC management. It starts with the governance of relationships. The relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities, etc.) need to be clearly defined and governed. It is only after a clear understanding of the objectives, and the governance of those objectives, that risk and uncertainty can be managed in the context of the relationship to deliver those objectives. The organization in 2021 is going to need a more assertive approach to the governance of relationships to ensure better risk management, resiliency, and integrity in those relationships.
- Federation. 2021 will see new third-party GRC strategies that focus on a federated approach. Instead of operating in silos of procurement, information security, privacy, compliance, ethics, quality, environmental-social-governance (ESG), and more that do not collaborate and talk to each other, the organization will develop a federated, third-party GRC strategy to manage and monitor the governance of third-party relationships, the risk (uncertainty), and compliance (integrity) within those relationships holistically. Consistency in onboarding, ongoing monitoring, auditing/inspections, incident management, assessments, and offboarding will be built across the needs of these collaborating departments.
- Integration. To support a federated, third-party GRC strategy in 2021, the organization will look to re-design its third-party GRC technology and information architecture. This will involve moving to a solution that can manage the range of governance, risk, and compliance needs across third-party relationships, integrate with ERP and procurement systems, and provide robust analysis, assessment, and due diligence processes to ensure that objectives are met while uncertainty, risk, and integrity are managed in each relationship.
Key Supporting Drivers of Third-Party GRC in 2021
The five strategic trends – integrity, resiliency, governance, federation, and integration – are supported by several key drivers impacting organizations in 2021. These are:
- Defensibility. Organizations are driven by regulators, law enforcement, external auditors, civil suits, and more to have a clear and defensible system of record of third-party risk and compliance activities. Regulator and law enforcement guidance, such as the U.S. Department of Justice’s updated Evaluation of Corporate Compliance Programs guidance, specifically looks for a robust system of record covering third-party due diligence and compliance activities.
- ESG Reporting. The focus is turning to ESG (Environmental, Social and Governance) reporting at the board level. This has been a significant focus in Europe, and interest is gaining momentum in the USA, particularly with the new Biden administration. The recent National Association of Corporate Directors’ report shows this as a growing board and corporate-level issue. An organization’s ESG practices and reporting dictate how its third-party relationships are evaluated and monitored in this context.
- Environmental. This is a central component of ESG but also stands on its own. Environmental change is a significant focus for organizations and corporations. The World Economic Forum’s annual Global Risks Report consistently lists environmental risks at the top. With an incoming Biden administration in the USA, there will be a renewed focus on joining Europe in environmental regulation, which impacts the governance of third-party relationships from an environmental perspective.
- Health and Safety. The pandemic of 2020 has brought health and safety concerns front and center in all aspects of governance, risk management, and compliance, including third-party governance. There is a renewed focus on monitoring health and safety risks in supply chains and other third-party relationships from both a human-rights and a resiliency perspective.
- Operational Resiliency. Firms globally and across industries are focusing on operational resiliency, which spans third-party governance, business continuity, and risk management. This concept is also a particular focus of regulators in the financial services industry. The United Kingdom’s Financial Conduct Authority, Prudential Regulation Authority, and Bank of England have been leading in operational resiliency regulation, with third parties as a core part of it. This has also influenced the European Union (with the proposed Digital Operational Resilience Act, DORA) and the United States’ Office of the Comptroller of the Currency to release operational resiliency guidance and regulation.
- Information Security & Privacy. The EU’s GDPR and California’s CCPA are top of mind in many organizations in the context of third-party risk. A large share of data breaches involve a third party. According to the Ponemon Institute Cost of a Data Breach report, the average cost of a breach rises from $3.92 million to $4.29 million when a third party is involved. Security has become a significant focus in third-party relationships, underscored by the SolarWinds supply-chain compromise disclosed at the end of 2020, in which a trojanized update to SolarWinds’ Orion software was distributed through the vendor’s own update channel; follow-on intrusions were reported at over 250 organizations that use SolarWinds as a vendor/supplier. The practical lesson for third-party GRC is that a supplier’s software build and release process is part of the organization’s own attack surface and needs to be assessed and monitored like any other control.
- Human Rights & Slavery. There is an increasing focus on legislation and regulation involving human rights and slavery. From the US and EU conflict minerals rules to the California Transparency in Supply Chains Act, regulation in this area has existed for several years. The end of 2020 brought more significant reporting requirements under the UK Modern Slavery Act, and Australia is stepping up enforcement of its Modern Slavery Act. These require reporting on what the organization is doing to address human rights and modern slavery across the organization and its third-party relationships. The focus on ethnic discrimination in 2020 has brought a renewed focus on discrimination practices and on supply-chain/vendor code of conduct assessment and enforcement.
- Bribery & Corruption. Anti-bribery and corruption laws that impact third-party relationships have been in effect since 1977 with the US FCPA. Many other countries have followed over the decades with laws such as the UK Bribery Act and Sapin II in France. Most bribery and corruption enforcement actions involve third-party due diligence and transaction issues. With the economic fall-out, lockdowns, and import/export restrictions that the pandemic brought in 2020, there is an increased risk of bribery and corruption as organizations navigate these challenges and enter recovery. Law enforcement agencies are monitoring these activities closely.
- Accountability Regimes. There is a sweeping array of accountability regimes and regulations that place personal liability on senior management functions (e.g., executives) for conduct, risk, compliance, control, and ethics failures. Individuals can be personally fined or go to jail. It started with the UK’s Senior Managers and Certification Regime (SMCR) and has cascaded into Australia’s Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive Accountability Regime (SEAR), Hong Kong’s Manager-in-Charge (MIC) regime, and, in 2020, Singapore’s new individual accountability guidelines. While broad in scope, these regulations require a senior management function to be accountable for third-party risk and control. Firms headquartered elsewhere but with operations in these jurisdictions must comply as well.
The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Third-Party GRC Management.
Michael Rasmussen of GRC 20/20 will be speaking on these trends in the upcoming webinar:
2021 Trends in Third-Party Governance, Risk Management, Compliance (GRC)