GRC Archetypes: Third Party Management
Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organization's third party relationships/extended enterprise (adapted from the OCEG GRC definition).
Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mesh of relationships and interactions that span traditional business boundaries. Over half of an organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.
Third party compliance requirements are growing at a staggering rate. Human rights, social accountability/labor standards, privacy, security, ethical sourcing, environmental, health and safety, and quality compliance and risk requirements are mounting on organizations. GRC 20/20 is monitoring how regulations such as the UK Modern Slavery Act, US Foreign Corrupt Practices Act, UK Bribery Act, OECD Anti-Bribery Convention, PCI DSS, EU GDPR, US Conflict Minerals, EU Conflict Minerals, California Transparency in Supply Chains Act, France Sapin II, and more impact third party management strategies in organizations.
In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.
THE QUESTION: How is your organization approaching third party management? Can you map yourself to one of the following GRC archetypes of third party management?
- Fire Fighter. Your organization approaches third party management in an ad hoc, fly-by-the-seat-of-your-pants manner. Third party management is not structured and only addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue before you and not thinking strategically about third party management. Third party management is addressed in manual processes with documents, spreadsheets, and emails but only for reactive purposes.
- Department Islander. In this archetype, your organization has a more structured approach to third party management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in third party management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for third party management, or still be relying on manual processes with documents, spreadsheets, and emails.
- Compliance/Risk Collaborator. This is the archetype in which your organization has cross-department collaboration for third party management to provide consistent processes and structure for third party management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage third party risks to meet regulatory requirements and not a serious look at the governance, risk management, and compliance of third party relationships. Most often there is a broader third party management platform deployed to manage third party compliance, but some still rely on manual processes supported by documents, spreadsheets, and emails.
- Corporate Citizen. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Third party management is about more than meeting compliance/regulatory requirements; it is about being a good corporate citizen focused on doing the right thing. It goes beyond compliance to an approach that ensures that the organization's values, ethics, code of conduct, and culture are shared and consistent across business relationships. The focus is on integrity of the organization and ensuring that this is consistent across the extended enterprise of relationships.
Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.
When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.
Third Party Management Workshop
GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:
- Third Party Management by Design Workshop, London: June 27 @ 9:15 am – 2:00 pm BST
- Third Party Management by Design Workshop, Philadelphia: November 2
Strategy Perspective on Third Party Management
Research Briefings on Third Party Management
- How to Purchase Third Party Management Solutions
- 2017 Market Landscape: GRC Intelligence & Content Solutions
Solution Perspectives on Third Party Management
- Aravo: Enabling 360° Insight & Control of Third Party Relationships
- Thomson Reuters World-Check One: Innovation in Third Party Management Technology
- Source Intelligence Network: Innovation in User Experience for Third Party Management