A dynamic business environment requires the capability to actively manage risk intelligence and fluctuating risks impacting the organization and its relationships. The old paradigm of uncoordinated third-party risk management is inadequate given the volume of risk information, the pace of change, and the broader operational impact on today’s business environment and operations. Organizations need to address third-party risk intelligence with an integrated strategy and an enterprise-wide information architecture that provides 360° third-party risk situational awareness. The goal is to provide actionable and relevant risk intelligence to support third-party risk governance and oversight to ensure the organization is agile, resilient, and acting with integrity in its business relationships.
Third-Party Risk Intelligence Architecture: Core Elements
Comprehensive 360° situational awareness requires a system to gather information, weed out irrelevant information, route critical information to subject matter experts (SMEs) for analysis, track accountability, and determine the potential impact on the organization. Therefore, an effective enterprise-wide third-party risk intelligence architecture includes:
- A comprehensive risk framework. The third-party risk framework should be a hierarchical and comprehensive catalog/index of third-party risk domains with the potential to impact the organization. Third-party risk domains should be further broken into categories comprised of individual risk metrics logically grouped into related areas (e.g., ESG risk domain would include risk categories of Environmental, Social, and Governance. The Social category would include sub-category risk metrics related to diversity & inclusion, pay equality, health & safety, child labor, human rights, etc.).
- Intelligence content aggregation. The organization needs to identify the best sources of risk intelligence. Content feeds can come directly from various sources – regulators, law firms, consultancies, news feeds, blogs by experts, etc. – or from content aggregators. It must be mapped to the risk intelligence framework. The most economical and efficient way to address this need is through a risk intelligence provider that leverages automation and AI to aggregate risk content while removing noise and false positives. Additionally, there can be great efficiencies and cost savings that can be realized by leveraging a single solution that can provide a comprehensive and consistent view.
- Metrics, dashboarding & reporting. To govern and report on the third-party risk intelligence process, the organization needs the ability to monitor metrics and reports to determine process adherence, risk/performance indicators, and risk issues and exposure. The dashboards should provide the organization with a quick view into the current risk exposure and potential emerging risks, which individuals are responsible for triage and/or impact analysis and overall risk impact on the organization.
- Defined roles and responsibilities. Successful risk management requires accountability: making sure the right information gets to the right person with knowledge of the risk domain and its impact on the organization. This requires the identification of SMEs for each risk category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in categories, metrics, or specific jurisdictions, or who perform specific actions as part of a series of changes to address risk developments and exposure.
- Workflow and task management. Real-time third-party risk intelligence feeds into a risk management platform providing a system of structured accountability to manage changes based on business impact analysis. Workflow and task management route details and required actions to the appropriate SMEs for further analysis with escalation capabilities when items are past due. The process tracks accountability on who is assigned risk tasks, establishes priorities, and determines the appropriate course of action. Automation is leveraged to handle routine risk mitigation actions, freeing up team members to focus on only the most critical risks that require human intervention. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis of third-party risk developments.
Third-Party Risk Intelligence Architecture: Additional Capabilities
In addition to the core elements, the following additional capabilities provide further value to a third-party risk intelligence architecture:
- Accountability. A primary directive of a third-party risk intelligence architecture is to provide accountability. Accountability needs to be tracked as risk information is routed to the right SME to review and define actions. The SME should be notified when further evaluation is necessary and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. The built-in automatic notification and alert functionality with configurable workflows facilitate risk intelligence in the context of the organization’s operations and its third-party relationships.
- Business impact analysis. The architecture needs to provide the functionality to identify the impact of changes in risks on the third-party business environment and its operations and then communicate to relevant areas of the organization how the development impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag risk areas/domains to respective business relationships, services, and operations. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution ensures that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined.
- Mapping risks, policies, controls, and more. A critical component to evaluate is the architecture’s ability to link third-party risks to assessments, policies, controls, reports, and processes. The ability to map to business lines, products, and geographies allow companies to manage a risk-based approach to third-party developments and strategies. The workflow automatically alerts relevant stakeholders for necessary action and relationship changes. It also supports electronic signoffs at departmental and functional levels that roll up for executive certifications on risk exposure and acceptance. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness value for third-party risk intelligence.
- Audit trail and system of record. It is absolutely necessary that the risk architecture have a full audit trail to see who was assigned a task, what they did, what was noted, notes that were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when risks were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
- Reporting capabilities. The architecture is to provide full reporting and dashboard capabilities for clear visibility into the risks monitored, task assignments, overdue actions, and the identification of issues that pose the most significant risk to the organization’s third-party relationships. Additionally, by linking risk intelligence to the various other aspects of the platform – including relationships, processes, objectives, policies, controls, and more – the reporting should provide an aggregated view of risk across multiple relationships and business owners.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: 360° Risk Intelligence in the Extended Enterprise:
Ensuring Agility, Resiliency & Integrity in Third-Party Performance.