The Extended Enterprise: Tackling the Complexities of Third-Party Governance, Risk, and Compliance

Organizations today operate within an extended enterprise, a complex ecosystem of third-party relationships that span suppliers, contractors, outsourcers, service providers, and other business partnerships. One of the greatest governance, risk management, and compliance (GRC) challenges organizations face is effectively managing this intricate web of relationships, especially in an era of increasing volatility, uncertainty, and global interconnectedness.
Yesterday, I had the privilege of leading my workshop “Supplier Risk Resolution: Monitor and Manage Risk at the Scale of Your Supply Chain” in Madrid, Spain. Attendees, representing diverse global organizations, came together in an engaging discussion, diving deep into the nuances and complexities of third-party GRC. Our conversation emphasized that a robust third-party GRC strategy must be holistic, encompassing governance, risk management, and compliance . . . but starting with governance . . .
Holistic Third-Party GRC: Governance, Risk Management, Compliance
Effective third-party GRC begins with governance, setting clear objectives for each third-party relationship and continuously measuring performance against these objectives. Governance establishes the framework that guides the partnership, ensuring strategic alignment and clarity in mutual expectations. The objectives of each relationship should align with and support the organization's broader objectives, and the organization needs to manage performance against the objectives set for the relationship.
From governance, organizations then conduct risk management, identifying, measuring, treating, and monitoring uncertainties related to achieving these objectives. This critical step ensures preparedness for potential disruptions, enabling proactive rather than reactive management. It also enables good decision making on relationships and objectives, and enables the organization to seize opportunities and not just avoid and minimize loss.
Lastly, compliance comes into play to uphold integrity within third-party relationships, ensuring alignment with the organizational values, ethics, ESG commitments, and regulatory obligations. Compliance solidifies the relationship’s foundation, fostering mutual trust and ethical alignment. The organization needs to ensure it is doing business with other like-minded committed organizations.
When executed well, third-party GRC programs yield significant benefits:
- Agility. Organizations become adept at swiftly navigating uncertainty and can achieve, or even exceed, objectives in and across relationships, which has a compounding effect on the achievement of the organization's broader objectives, even in volatile and risky environments.
- Resilience. A robust third-party GRC strategy minimizes the impact of incidents and accelerates recovery, ensuring sustained operational resilience despite events and incidents that occur.
- Integrity. Organizations build and sustain relationships with partners who reflect similar commitments to ethical standards, ESG criteria, and compliance expectations, reinforcing organizational values and brand reputation.
Challenges in Managing Third-Party Relationships
Our discussion during the workshop highlighted numerous challenges:
- Navigating global change and geopolitical risks, which introduce uncertainties into international supply chains.
- Managing operational resilience (including digital resilience), especially when facing disruptions such as the Suez Canal blockage or infrastructure failures like the Maryland bridge disaster.
- Extending oversight beyond primary suppliers (2nd, 3rd, and 4th-tier suppliers), which significantly expands the complexity and scope of third-party governance.
- Dealing with the reputational risks inherent in third-party engagements.
- Adapting to varying regulations affecting international third-party relationships, especially around ESG requirements which differ by jurisdiction.
- Addressing the challenge of mapping suppliers and understanding their comprehensive risk profiles.
- Considering critical issues like single-source dependencies, dual-sourcing, and the inherent vulnerability in using small suppliers who lack resources yet may hold significant operational importance.
- Addressing challenges of fraud, accurate monitoring, and leveraging third-party risk intelligence.
- Overcoming internal silos, where third-party risk oversight responsibilities are fragmented across various departments.
Rethinking Risk: The Value at Risk and Digital Twins
Two particularly transformative insights emerged prominently during our workshop:
- Measuring Risk by Value at Risk, Not Spend. Traditional models often gauge supplier risk based on expenditure levels. Yet, the true impact of risk lies in potential harm to business continuity or brand reputation. Even small suppliers with modest spending can pose enormous risks if their product or service is critical. Organizations must shift their metrics from spend-centric assessments to value-at-risk evaluations to accurately capture and mitigate risks.
- Leveraging Digital Twins for Enhanced Risk Simulation. Another groundbreaking approach is the use of digital twins—virtual models that replicate the dynamics of third-party relationships and the organization itself. This technology enables organizations to simulate various risk scenarios and resilience strategies proactively, offering deep insights into potential impacts and effective responses.
In this context, organizations should also incorporate simulations, table-top exercises, and wargaming into their third-party risk management toolkit. Such exercises can reveal hidden vulnerabilities, refine response plans, and foster organizational preparedness, significantly enhancing resilience in real-world scenarios.
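The value-at-risk point above, together with the earlier challenges of sub-tier oversight and single-source dependencies, can be made concrete with a small scoring model. The following is an added example, not code from the workshop or from any vendor tool: it builds a constructed supplier map (products, tier-1 suppliers, and one tier-2 sub-supplier), flags every single-sourced node, and ranks suppliers two ways: by annual spend and by value at risk, where value at risk is the daily business impact of everything downstream of a supplier (shared proportionally across alternative sources, followed recursively through sub-tiers) multiplied by the days needed to replace that supplier. All names, spend figures, impact values and replacement times are constructed for illustration, and the dependency map is assumed to be acyclic.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Supplier:
    name: str
    tier: int                 # 1 = direct supplier, 2 = supplier's supplier, ...
    annual_spend: float       # what a spend-centric model ranks on
    supplies: tuple           # products or downstream suppliers this one feeds
    days_to_replace: int      # time to qualify and onboard an alternative


# Constructed sample data: daily business impact (EUR) if a product is unavailable.
PRODUCT_IMPACT = {
    "payments-platform": 250_000.0,
    "office-supplies": 2_000.0,
}

# Constructed supplier map. TinyCerts is a small tier-2 provider that both
# hosting providers depend on, so the dual-sourcing of payments is illusory.
SUPPLIERS = {
    "FacilitiesCo": Supplier("FacilitiesCo", 1, 5_000_000, ("office-supplies",), 5),
    "CloudHost":    Supplier("CloudHost", 1, 900_000, ("payments-platform",), 30),
    "AltCloud":     Supplier("AltCloud", 1, 800_000, ("payments-platform",), 30),
    "TinyCerts":    Supplier("TinyCerts", 2, 20_000, ("CloudHost", "AltCloud"), 45),
}


def sources_of():
    """Map each node (product or supplier) to the suppliers that feed it."""
    src = defaultdict(list)
    for s in SUPPLIERS.values():
        for node in s.supplies:
            src[node].append(s.name)
    return src


def single_source_nodes():
    """Nodes with exactly one feeder: the hidden single points of failure."""
    return {node for node, feeders in sources_of().items() if len(feeders) == 1}


def daily_downstream_impact(name, src=None):
    """Daily impact if `name` fails. Products count at full impact; a node with
    N alternative sources contributes 1/N of its impact; sub-tier dependencies
    are followed recursively (the map is assumed to be acyclic)."""
    if src is None:
        src = sources_of()
    if name in PRODUCT_IMPACT:
        return PRODUCT_IMPACT[name]
    total = 0.0
    for node in SUPPLIERS[name].supplies:
        total += daily_downstream_impact(node, src) / len(src[node])
    return total


def value_at_risk(name):
    """Daily downstream impact times the days needed to replace the supplier."""
    return daily_downstream_impact(name) * SUPPLIERS[name].days_to_replace


def rank_by_spend():
    return sorted(SUPPLIERS, key=lambda n: (-SUPPLIERS[n].annual_spend, n))


def rank_by_value_at_risk():
    return sorted(SUPPLIERS, key=lambda n: (-value_at_risk(n), n))


if __name__ == "__main__":
    print("Single-sourced nodes:", sorted(single_source_nodes()))
    print("Ranked by spend:        ", rank_by_spend())
    print("Ranked by value at risk:", rank_by_value_at_risk())
    for n in rank_by_value_at_risk():
        print(f"  {n:<12} tier {SUPPLIERS[n].tier}  VaR = {value_at_risk(n):>14,.0f}")
```

Under the spend view the facilities vendor leads and the tier-2 certificate provider is last; under the value-at-risk view the ordering inverts, because TinyCerts is the sole source for both hosting providers and so carries the entire payments impact for the longest replacement window. The `single_source_nodes` output is the mapping question from the challenges list: it surfaces that both "alternatives" for the payments platform share one upstream dependency.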
A Strategic Shift: Starting with Governance, Not Compliance
Finally, attendees agreed strongly that traditional approaches often mistakenly start—and sometimes end—with compliance. This approach overlooks critical governance frameworks and the core objectives that should underpin third-party engagements. Effective third-party GRC must always begin with governance, setting clear objectives (and measuring performance against those objectives), proceed through risk management to understand the uncertainties that bear on those objectives, and finally extend into compliance to assure alignment with the organization's values, ESG commitments, and regulatory/legal obligations.
By embracing these comprehensive and nuanced approaches, organizations can significantly strengthen their ability to manage third-party relationships effectively, maintaining agility, resilience, and integrity in a complex global ecosystem.
Could not get to Madrid? I am doing similar workshops in the next two months . . .
May 14 @ 2:00 pm – 5:00 pm CEST
21 @ 9:30 am – 4:30 pm BST
June 9 @ 1:00 pm – 4:00 pm CEST
June 10 @ 1:00 pm – 5:30 pm BST
June 17 @ 1:00 pm – 4:00 pm CEST
June 19 @ 6:00 am – 6:30 am BST