The Modern Organization is an Interconnected Web of Relationships
No man is an island, entire of itself;John Donne
Every man is a piece of the continent, a part of the main.
Replace the word ‘man’ with ‘organization’, and the seventeenth-century English poet John Donne is describing the modern organization. In other words, “No organization is an island unto itself; every organization is a piece of the broader whole.”
The structure and reality of business today have changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and sub-contracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise.
In this context, organizations struggle to govern their third-party relationships and often manage risk and compliance in relationships in silos that fail to see the big picture of risk exposure and its impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries, though. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable. It must ensure that third-party partners behave appropriately.
The business’s ability to reliably achieve corporate objectives directly depends on the governance of third-party relationships and whether the organization has established the right relationships and can reliably achieve objectives in the relationship. In addition, the organization’s ability to manage uncertainty, risk, and resiliency in its relationships requires that the relationship’s objectives, values, and risks be managed together.
Corporate integrity and the ability of the organization to comply with regulations, commitments, and values are measured by its relationships as well. The saying, “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization.
Inevitable Failure of Silos of Third-Party Governance
Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure. Siloed information and/or reactive, document-centric, and manual processes fail to actively govern relationships and manage risk and compliance in the context of the third-party relationship and broader organizational objectives and values. Silos leave the organization blind to the intricate relationships of risk and compliance exposures that fail to get aggregated and evaluated in the context of the overall relationship and its goals, objectives, and performance.
Failure in third-party governance comes about when organizations have:
- Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geopolitical risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third-party relationships; different parts of the organization end up finger-pointing, thinking others are doing this. Or the opposite happens: different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
- Interconnected third-party risks that are not connected. The organization’s risk exposure across third-party relationships is becoming increasingly interconnected. A risk in one area may seem minor, but when factored into other risk exposures in the same relationship can become significant. The organization lacks complete visibility or understanding of the scope of risk in third parties that are material to the organization.
- Silos of third-party oversight. This is when the organization allows different parts of the organization to go about third-party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third-party oversight. This leads to the unfortunate situation of the organization having no end-to-end visibility of third-party relationships.
- Document and email-centric approaches. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for things to get overlooked and bury silos of third-party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on siloed third-party information. When things go wrong, document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
- Scattered and non-integrated legacy third-party risk technologies. When different parts of the organization use legacy internal third-party risk solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization is often limited in capabilities and depth in the governance of third-party relationships. This leads to a significant amount of redundancy, inefficiency, which impacts effectiveness while also encumbering the organization when it needs to be agile.
- Processes focused on onboarding only. Risk and compliance issues are often only analyzed during the onboarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third-party relationship.
- Inadequate processes to manage change. Governing third-party relationships are cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geopolitical, economic, and operational risks across the globe in the context of its third-party relationships. Just as much as the organization itself is changing, each organization’s third-party relationships are changing, introducing further risk exposure.
- Third-party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to analyze and monitor risk and compliance exposures fully. Often, metrics are focused on third-party delivery of products and services but do not include evaluating risks such as compliance, security, resiliency, and ethical considerations.
- Managing third-party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third-party management strategy, the organization and its various departments never see the big picture and fail to put third-party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third-party needs—an ad hoc approach to third-party management results in poor visibility across the organization. There is no framework or architecture for managing risk and compliance as an integrated part of the business. When the organization approaches third-party management in scattered silos that do not collaborate, there is no possibility of being intelligent about third-party performance, risk management, and compliance while understanding its impact on the organization.
This is More Than Third-Party Risk Management
Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impedes third-party relationships and the business’s ability to manage them.
The world of business is distributed, dynamic, and disrupted. It is distributed across a web of relationships. It is dynamic as business and relationships change day-by-day – processes change, employees change, relationships change, regulations change, risks change, and objectives change. The ecosystem of business relationships is complex, interconnected. It requires a holistic, contextual awareness of third-party GRC (governance, risk management, and compliance) rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem. This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship.
Third-party risk management is not enough. Organizations are shifting their focus towards third-party GRC management. It starts with the governance of relationships. The relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities, etc.) need to be clearly defined and governed. It is only after a clear understanding of the objectives (and the governance of those objectives) that risk/uncertainty and compliance/integrity can be managed in the context of the relationship to deliver those objectives. Organizations need to develop a more assertive approach to governance of relationships to ensure greater risk, resiliency, and integrity in and across relationships to deliver value to the organization.
This challenge is even greater when third-party risk management is buried in the depths of departments and operating from silos, not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy of relationships.
The bottom line: The modern business depends on and is defined by the governance, risk management, and compliance of third-party relationships to ensure the organization can reliably achieve objectives, manage uncertainty, and act with integrity in each of its third-party relationships. A haphazard department and document centric approach for third-party risk management compounds the problem and does not solve it. It is time for organizations to step back and move from third-party risk management to third-party GRC management with a cross-functional and coordinated strategy and team to define and govern third-party relationships. Organizations need to address third-party GRC with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk, and compliance and how it impacts the organization.
The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design: