Dissociated data, systems, and processes, combined with a myopic view of risk, leave the organization with fragments of the truth and no view of the big picture of third-party performance, risk, and compliance across the enterprise, or of how that picture supports its strategy and objectives. The organization needs holistic visibility and situational awareness into third-party relationships across the enterprise. The complexity of business, combined with the intricacy and interconnectedness of third-party data, requires that the organization implement a third-party GRC management strategy.
The primary directive of a mature third-party GRC management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third-party relationships in the context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. In the end, third-party GRC management is more than compliance, more than risk, and more than procurement.
The integrity of the organization relies on the integrity of its third-party relationships. As a result, organizations are re-evaluating their internal core values, ethics, and standards of conduct, and how these extend to and are enforced across third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, conduct with others (e.g., customers, partners), and security in third-party relationships.
The organization has to maintain operations amid uncertainty and change. This requires a holistic view of each third-party relationship’s objectives and performance in the context of the uncertainty and risk within that relationship. The organization has to be resilient, with full situational awareness of the interconnected risk environment. Given its reliance on third-party relationships, this requires a holistic view of the governance, risk management, and compliance of each third-party relationship and of how it serves and provides value to the organization.
Third-party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in and across the organization’s third-party relationships. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, third-party GRC delivers:
- Third-party governance. It starts with integrated governance of third-party relationships and monitoring of relationships across the extended enterprise to ensure each one meets the objectives and purpose for which it was established, thus returning value to the organization.
- Third-party risk management. Understanding the governance objectives of the relationship sets the context to then assess, analyze, and monitor the uncertainty and risk in the relationship. Risk, by the ISO 31000 definition, is the effect of uncertainty on objectives. Thus each relationship (or each component of it, such as a contract or service level agreement) has its own objectives, and uncertainty must be managed against those objectives.
- Third-party compliance. Compliance ensures that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values across its third-party relationships. Compliance follows through on risk treatment plans to assure that risk is being managed within limits and that controls are in place and functioning within each relationship to mitigate risk.
GRC 20/20 has identified three approaches organizations take to manage third-party relationships:
- Anarchy – ad hoc department silos. This is when different departments do different yet similar things with little to no collaboration. Distributed and siloed third-party initiatives never see the big picture and fail to put third-party management in the context of business strategy, objectives, and performance. The organization is not thinking about how third-party management processes can meet a range of needs. An ad hoc approach to third-party GRC management results in poor visibility into the organization’s relationships. With no framework for bringing the big picture together, there is no way to reason intelligently about third-party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third-party performance and strategy, leading to greater exposure than any single silo understands by itself.
- Monarchy – one size fits all. If the anarchy approach does not work, the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of putting one department in charge of third-party GRC management that does not fully understand the breadth and scope of third-party risks and needs scattered across the entire organization. The needs of one area may overshadow the needs of others. From a technology perspective, it may force many parts of the organization to manage third-party relationships with the lowest common denominator, watering down third-party management. Further, there is no one-stop shop for third-party management, as there are various pieces of third-party management that need to work together.
- Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third-party governance and oversight. It allows some department/business function autonomy where needed but centers on a common governance model and architecture in which the various groups involved in third-party GRC management participate. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third-party relationships. It allows different business functions to focus on their own areas while reporting into a common governance framework and a common core architecture that integrates and plays well with other systems. This is true third-party GRC management.
Value of a Third-Party GRC Approach
The lack of a coordinated strategy for third-party GRC management fails to deliver insight and context, making it nearly impossible to connect risk management to decision-making, business strategy, objectives, and performance in and across relationships. The result is business processes, partners, employees, and systems that behave like leaves blowing in the wind.
In contrast, a third-party GRC strategy with common processes, information, and technology gets to the root of the problem. Leading organizations are adopting a common framework, architecture, and shared processes to manage third-party GRC, increase efficiencies, and enable an agile response to the needs of a dynamic and distributed business environment. Mature third-party GRC delivers better business outcomes because of stronger governance, which will:
- Lower costs, reduce redundancy, and improve efficiencies.
- Deliver consistent and accurate information.
- Continuously monitor and assess third parties, using external data sources to refresh risk data as often as daily.
- Improve decision-making and insight into what is happening across business relationships.
- Enable the organization to defend itself with a robust third-party governance program designed to mitigate risk and ensure the integrity of relationships – aligned with the values and commitments of the organization.
The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design: