After you define your Third-Party GRC Strategic Plan, next comes the process of defining your third-party GRC process lifecycle . . .
The third-party GRC management strategy and policy are made operational through a third-party GRC management architecture. The organization needs complete, holistic situational awareness of its third-party relationships across operations, processes, transactions, and data, so that it can see the big picture of third-party performance and risk in the context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires a strategic approach to third-party GRC management architecture. The architecture defines how organizational processes, information, and technology are structured to make third-party GRC management effective, efficient, and agile across the organization and its relationships.
The third-party GRC management architecture starts with the process architecture. Third-party management processes are a subset of the organization's overall business processes. They are used to manage and monitor the ever-changing relationship, risk, and regulatory environments of extended business relationships.
The process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes third-party GRC management processes, each process’s components and interactions, and how third-party processes work together as well as with other enterprise processes.
While third-party GRC processes can be very detailed and vary by organization and industry, there are several general third-party management process areas that every organization should have in place. These are:
- Ongoing context monitoring. Separate from the monitoring of individual relationships, this is the ongoing process of monitoring the external risk, regulatory, and business environments, as well as the internal business environment. Its purpose is to identify evolving opportunities, risks, and regulatory requirements that affect the overall third-party GRC management program. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any given business relationship, including natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring the relevant legal and regulatory environments in the corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
- Third-party identification & onboarding. This is the collection of processes that provide a standard, objective, and automated approach to identifying third parties to work with, onboarding them through the collection of third-party data, and conducting appropriate due diligence.
- Third-party communications & attestations. These are the ongoing processes for managing communications and interactions with the third party throughout the relationship's lifecycle. They are carried out on a periodic (e.g., annual) basis or when certain risk conditions are triggered.
- Third-party monitoring & assessment. This is the array of processes used to continuously monitor the third-party relationship over its lifecycle in the organization. These are the activities typically performed within the organization to monitor and assess the relationship on an ongoing basis.
- Forms & approvals. The set of internal processes used to collect and report information and to route items for approval in the context of third-party relationships.
- Metrics & reporting. Processes to gather metrics and report on third-party relationships at the relationship level or in aggregate.
- Third-party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships.
This post is an excerpt from GRC 20/20's latest research paper, Third Party GRC Management by Design, which covers each of these seven areas in much more detail.