A sustainable third-party GRC strategy means looking to the future and mitigating risk instead of putting out fires. Organizations need to be intelligent about what processes, risk intelligence data/services, and technologies they deploy. With increased exposure to regulations and scrutiny of third-party relationships, how does an organization respond? It requires that the following third-party GRC elements are in place:

  • Understand performance and risk. An organization must have an integrated performance and risk-based approach to managing each third-party relationship. This includes periodic assessment (e.g., annual) of relationships. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change or event that could lead to exposure. Assessments should cover the performance of third parties overall and at each sub-level (e.g., contract, service level, facility), exposure in specific markets, relationships, and geographies.
  • Approach third-party GRC in proportion to risk. How an organization implements requirements and controls is based on the proportion of risk it faces. If a certain area of the world or a business partner carries a higher risk, the organization must respond with stronger governance and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Tone at the top. The board of directors and executives must fully support the third-party GRC program. Communication with top-level management must be bidirectional. Management must communicate that they support the third-party GRC program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for third-party GRC initiatives.
  • Know who you do business with. It is critical to establish a monitoring framework that catalogs third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your contractors and third parties’ beneficial owners and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current. Third-party performance evaluations, as well as due diligence and risk assessment efforts, must be kept current. These are not point-in-time efforts; they need to be done regularly or when the business becomes aware of conditions that increase risk.
  • Third-party oversight. The organization needs a group that is responsible for the oversight of third-party relationships. This often involves a collaborative effort between legal, compliance, procurement, and other business functions. This cross-functional team should have the authority to report to independent monitoring bodies, such as the board’s audit committee, to disclose issues.
  • Established policies and procedures. Organizations need documented and up-to-date policies and procedures that govern third-party relationships. This starts with a vendor/supplier code of conduct and filters down to other policies that address risks in the relationship and its activities that serve the organization. These requirements and processes must be clearly documented and adhered to.
  • Effective training and communication. Written policies are not enough — individuals need to know what is expected of them. Organizations must implement training to educate employees and business partners. This includes getting acknowledgments from employees and business partners to affirm their understanding and attestation of their commitment to behave according to established policies and procedures.
  • Implement communication and reporting processes. The organization must have channels of communication where employees and third parties can get answers. This could take the form of a helpline that allows an individual to ask questions, a FAQ database, or form processing for approval on activities and requests. The organization must also have a hotline reporting system for individuals, including those within third parties, to report misconduct.
  • Assessment and monitoring. In addition to periodic risk assessment, the organization must also have regular due diligence, assessment, and monitoring activities to ensure that policies, procedures, and controls governing third parties are in place and working. This includes the ongoing and continuous screening of third parties against external data sources, such as daily instead of annual/infrequent basis.
  • Investigations. Even in the best organization, things go wrong. Investigation processes must be in place to quickly identify potential incidents and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities. 
  • Third-party controls. Organizations must keep detailed records that fairly and accurately reflect transactions and interactions of third-party relationships. This includes contract-pricing review, due diligence, and verification of foreign business representatives, accounts payable, financial account reconciliation, and commission payments.
  • Conduct audits and inspections. Every contract with a third-party typically includes the right to audit/inspection language. The organization should establish clear and consistent practices on when and how these are conducted and follow through with them.
  • Manage business change. The organization must monitor for changes that introduce a greater risk of third-party relationships. The organization must document changes that result from observations and investigations and address deficiencies through a careful program of change management. 

The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design:


Leave a Reply

Your email address will not be published. Required fields are marked *