The Modern Organization is an Interconnected Web of Relationships
The structure and reality of business today has changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. Instead, the modern organization is an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries. Even the smallest organization can have dozens of relationships that they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.
With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships become even more critical. Without effective GRC, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives.
In a dynamic risk environment, resiliency requires agility and the ability to navigate great uncertainty. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence with insights to both assess the current and future risk landscape and drive sagacious action.
The Inevitability of Failure: Fragmented Views of Third-Party Risk
Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices. Recent technological advances in automation, machine learning, and data science enable organizations to be more effective and do more with fewer resources, but unfortunately, too many organizations have failed to seize the opportunity to evolve beyond expensive and inefficient legacy solutions.
Failure in third-party GRC comes about when organizations rely on outdated risk practices including:
- Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and architecture. The risk posed by a third party for one business function may seem immaterial but is actually significant when factored into multiple risk exposures across all of the business functions relying on the same third party. Without a single pane of visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated.
- Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. In reality, truly effective continuous monitoring and mitigation of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone.
- Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data. In addition, when things go wrong, these manual processes neither support agility nor a robust feedback loop to improve processes going forward.
- Limited view of risk vectors. Organizations often over-rely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location and Nth parties. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage.
- Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs.
- Overreliance on periodic assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship with only periodic re-assessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.
- Inadequate incident response. How organizations respond to incidents can often dictate how quickly and adequately they mitigate risk. Most enterprises often respond to an incident today by sending a survey to all their third parties asking them if they have been impacted. This process takes time, often with low response rates and then has the added burden of how to assess and report on the responses. Most importantly, this is at a point in time and so often a wasted effort. Incidents and impact often unfold over time and the best approach is one that is real-time and continuous.
- Negative news services can overwhelm risk teams. Risk intelligence has the potential to overwhelm organizations. Information feeds from various sources such as legal, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators can drown the risk team as they struggle to monitor a growing array of regulations, legislation, corporate ratings, geopolitical risk, and enforcement actions. Risk intelligence that requires weeding through an exorbitant volume of notifications that includes noise and false positives to identify relevant risks only compounds the problem. One needs an intelligent system that can deliver accurate and actionable insights and remove the noise.
The bottom line: The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure. It is time for organizations to step back and move from legacy practices, defined by manual processes and periodic assessments, to a third-party risk intelligence architecture that includes integrated full-spectrum real-time feeds of situational awareness that impacts the extended enterprise and operations.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: 360° Risk Intelligence in the Extended Enterprise:
Ensuring Agility, Resiliency & Integrity in Third-Party Performance.