The Mystery House of Third-Party Risk Management
Imagine a house built over 38 years, involving 147 different builders, without a clear design, blueprint, or architect. This might sound like an absurd way to build a home, but this is precisely what happened with the Winchester Mystery House. The resulting structure is a labyrinth of rooms, staircases leading to nowhere, and an overall confusing layout that leaves visitors baffled.
Unfortunately, this chaos is not unique to the Winchester Mystery House—it mirrors the typical organization’s approach to third-party risk management. In many organizations, third-party risk oversight is fragmented into isolated silos, resulting in a bewildering landscape of uncoordinated efforts. Over the last 38 years, organizations have had 147 different builders of third-party risk management with no design, no blueprint, and no architect. The result is a mess of confusion. The Winchester Mystery House serves as a cautionary tale, emphasizing the need for organizations to step back and design a cohesive, federated approach to third-party governance and risk management.
The Interconnected Modern Organization
In today’s business landscape, no organization is an island. Modern organizations are interconnected webs of relationships, spanning across suppliers, vendors, outsourcers, service providers, and more. The extended enterprise demands that businesses govern these relationships effectively, as third-party problems can quickly become organizational problems.
Fragmented third-party risk management through disconnected department silos leads organizations to inevitable failure. The lack of coordination, reactive processes, and scattered information blinds organizations to the risks and compliance exposures within their third-party relationships. Silos hinder the ability to see the big picture and address the complexity of the modern third-party ecosystem.
Much like the Winchester Mystery House, an organization that builds its third-party risk management without a cohesive design ends up with a confusing, inefficient, and ineffective system. Organizations face:
- Growing Risk and Regulatory Concerns: With inadequate resources, organizations struggle to monitor third-party risks and regulations, leading to finger-pointing and inefficiencies.
- Interconnected Third-Party Risks: Risks in one area can cascade into significant issues when not managed holistically.
- Silos of Third-Party Oversight: Different departments manage third-party governance independently, lacking coordination and visibility.
- Document and Email-Centric Approaches: Governing third-party relationships through documents, spreadsheets, and emails is prone to failure and inefficiency.
- Non-Integrated Legacy Technologies: Disconnected legacy systems limit the ability to govern third-party relationships effectively.
- Focus on Onboarding Only: Many organizations focus on onboarding but neglect ongoing monitoring and assessment.
- Inadequate Change Management: Organizations struggle to govern third-party relationships amid constant change.
Third-Party GRC Management by Design: From Chaos to Clarity
A mature third-party GRC (governance, risk management, and compliance) management program delivers effectiveness, efficiency, resilience, and agility by connecting the enterprise, business units, processes, and information. A federated approach aligns third-party governance, risk management, and compliance with organizational objectives and strategy.
A federated third-party risk management program begins with a strategic plan that connects key business functions through a common framework and policy. Organizations should focus on critical elements such as understanding third-party relationship objectives and performance in the context of risk. It is necessary to know who you do business with, keep information current, and have structured oversight, policies, assessment, monitoring, controls, and inspections of third-party risk across the lifecycle, from onboarding through ongoing monitoring to offboarding.
This requires an integrated third-party risk management strategy and process, supported by robust third-party risk intelligence and content that is integrated into a third-party risk management platform usable across every department and function with a stake in third-party governance.
The Winchester Mystery House serves as a cautionary tale for organizations that approach third-party risk management without a cohesive design. By designing a federated approach to third-party risk management, organizations can avoid the pitfalls of silos and create a cohesive, effective system. A federated approach enables organizations to be aware, aligned, responsive, and agile in managing third-party relationships, ensuring they achieve objectives, manage uncertainty, and act with integrity.
GRC 20/20 is facilitating Third-Party Risk Management By Design Workshops in:
- SAN FRANCISCO: May 29 @ 1:00 pm – 5:00 pm PDT, Third-Party Risk Management by Design, SAN FRANCISCO
- LONDON: June 25 @ 10:00 am – 6:00 pm BST, Third-Party Risk Management by Design, LONDON
Michael,
What a great analogy!