A Tsunami of Regulatory Change Overwhelms Organizations

Managing and keeping up with change is one of the greatest challenges for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and interconnected nature of change and how it impacts the organization is driving strategies to mature and improve regulatory change management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated GRC strategy within the organization.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions that are continuous, dynamic, and disruptive. Consider the scope of change organizations have to keep in sync:

  • External risk environments. External risks – such as market, geopolitical, societal, competitive, industry, and technological forces – are constantly shifting in nature, impact, frequency, scope, and velocity. 
  • Internal business environments. The organization has to stay on top of changing business environments that introduce a range of operational risks, such as changes in employees, processes, relationships, mergers & acquisitions, strategy, and technology.
  • Regulatory environments. Regulatory environments governing organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rule making, and more has organizations struggling to stay afloat.

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone in how they impact each other. Organizations can devote human and financial capital resources to keeping up with regulatory change, but that does not make them compliant if that change is not consistent and in sync with business and risk change. Change in economic or market risk bears down on the organization as it impacts regulator oversight and requirements. Internal processes, people, and technology change continuously, and regulatory requirements need to be understood in the context of business change. As these internal processes, systems, and employees change, this impacts regulatory compliance and risk posture.

Change is an intricate machine of chaotic gears and movements. Keeping current and aligned with change is one of the greatest challenges to compliance management strategies within organizations.

Regulatory Change Overwhelming the Organization

Regulatory change is overwhelming organizations. Many industries, like financial services, are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year. Regulatory change impacts the organization as it reacts to:

  • Frequency of change. In the past five years, the number of regulatory changes has more than doubled while the typical organization has not increased staff or updated processes to manage regulatory change. In financial services alone, according to the latest Thomson Reuters research, there was an average of 257 regulatory change events every business day in 2020. Over the same five years, the number of regulatory change updates impacting organizations has grown extensively across industries.
  • Global context. Regulatory change is not limited to one jurisdiction but is a turbulent sea of change around the world. Regulations have a global impact on organizations and markets. In Asia, GRC 20/20 finds that there is often more concern over EU and US regulation than over regulation from Asian countries. Inconsistency across regulations from jurisdiction to jurisdiction brings complexity to regulatory compliance.
  • Inconsistency in regulations. Managing compliance and keeping up with regulatory changes, exams, and reporting requirements becomes complicated when faced with international requirements. Regulatory jurisdictions have varying approaches: principle-based regulation (also called outcome-based regulation) is popular across Europe and other countries around the world, while the United States and other countries take a prescriptive approach to regulation that is more akin to a checkbox list of requirements, specifically telling the firm what has to be done. The principle-based approach gives the organization flexibility, with the focus on the achievement of an outcome and not the specific process that got them there. There are conflicting challenges in privacy regulations and other laws impacting organizations across jurisdictions.
  • Expansion into new markets. It has become complex for organizations to remain in foreign markets as well as to enter new markets. The pressure to expand operations and services is significant as the organization seeks to grow revenue and be competitive, while at the same time being constrained by the turbulent sea of changing regulations and requirements.
  • Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies, with a focus on delivering a specific assessment of compliance risks. For example, regulators in the US seek to ensure that compliance officers do compliance risk assessments. This is also a theme picked up on by law enforcement agencies like the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC). The courts, with the United States Sentencing Commission, also evaluate the culpability of an organization on compliance based on compliance risk. The discipline of risk management is becoming a prerequisite for compliance officer skills to ensure that compliance has a seat at the enterprise risk management (ERM) / GRC table.
  • Hordes of regulatory information. Organizations are overwhelmed by information from legal and regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information add to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of regulatory change and the appropriate response. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence, which can be acted upon in a measurable and consistent manner.
  • Defensible compliance. Regulators across industries are requiring that compliance is not just well documented, but operationally effective. This can be seen in the latest DoJ Evaluation of Compliance Program guidance. Case in point, Morgan Stanley is praised by regulators as a model compliance program and is the first company in 35 years of the Foreign Corrupt Practices Act’s (FCPA) history to not be prosecuted despite bribery and corruption in their Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley’s ability to keep compliance current in the midst of regulatory change: “Morgan Stanley’s internal policies . . . were updated regularly to reflect regulatory developments and specific risks.”

The amount of regulatory change coming at organizations is staggering. Consider an international bank headquartered in South America that embarked on a project to build a database of regulatory requirements impacting the bank globally. The detail went down to the requirement level, so an individual regulation might have anywhere from a few requirements to more than a thousand, depending on the regulation. After eighteen months of cataloging over 81,000 requirements, they abandoned the project. The reason was that the content was already obsolete—so much had changed during the process of documenting that they did not have the resources to maintain the volume of regulatory change. A Tier 1 Canadian bank has described a similar regulatory requirement documentation project that met the same fate for the same reason. If you print the United Kingdom’s Financial Conduct Authority rulebook, it comes to a stack of paper six feet tall. The U.S. Code of Federal Regulations (CFR) is over 174,000 pages. When printed and laid out end-to-end, that is a paper trail 25 miles long, nearly as long as a marathon.

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.

The above blog is an excerpt from GRC 20/20’s latest research paper. There is much more detail on regulatory change management in the research paper, Regulatory Change Management.

Information & Technology Enables Third-Party GRC

After you define your Third-Party GRC Strategic Plan and define your Third-Party GRC Processes, next comes defining and deploying the information and technology architecture to enable third-party GRC/risk management . . .

The primary directive of a mature third-party governance program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third-party relationships in the context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. This is built on a defined information and technology architecture that delivers 360° contextual and situational awareness of your third-party relationships.

Third-Party GRC Management Information Architecture

Third-party GRC management fails when information is scattered, redundant, unreliable, and managed as a system of parts that do not integrate and work as a collective whole. The third-party GRC management information architecture supports the process architecture and overall third-party GRC management strategy. With processes defined and structured in the process architecture, the organization can now understand the specifics of the information architecture needed to support third-party processes. The information architecture involves the structural design, labeling, use, flow, processing, and reporting of third-party management information to support third-party management processes.

A successful third-party GRC management information architecture will integrate information across third-party management systems, ERP, procurement solutions, and third-party databases. This requires a robust and adaptable information architecture that can model the complexity of third-party information, transactions, interactions, relationships, cause and effect, and analysis of information that integrates and manages:

  • Master data records. This includes data on the third-party such as an address, contact information, and bank/financial information.
  • Third-party compliance requirements. Listing of compliance/regulatory requirements that are part of third-party relationships.
  • Third-party risk and control libraries. Risks and controls to be mapped back to third parties.
  • Policies and procedures. The defined policies and procedures that are part of third-party relationships.
  • Contracts. The contract and all related documentation for the formation of the relationship.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships, as well as aggregate sets of relationships.
  • Third-party intelligence databases and services. The information connections to third-party databases used for screening and due diligence purposes, such as sanction and watch lists, politically exposed person databases, as well as financial performance or legal proceedings.
  • Transactions. The data sets of transactions in the ERP environment include payments, goods/services received, etc.
  • Forms. The design and layout of information needed for third-party forms and approvals.

Third-Party GRC Management Technology Architecture

The third-party GRC management technology architecture operationalizes the information and process architecture to support the overall third-party GRC management strategy. The right technology architecture enables the organization to effectively manage third-party performance and risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. 

There can and should be a central core technology platform for third-party GRC management that connects the fabric of the third-party GRC management processes, information, and other technologies together across the organization. Many organizations see third-party GRC management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization spends more time on data management and reconciliation than on active risk monitoring of extended business relationships.
  • Point solutions. The implementation of several point solutions that are deployed and purpose-built for particular risk and regulatory issues. They typically focus on one, or possibly a few, areas of third-party risk. The challenge here is that the organization maintains an array of disconnected solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
  • ERP solutions. There is a range of strong ERP and procurement space solutions that have robust capabilities in third-party transactions and spend analytics. However, these solutions may be weak in overall third-party governance, risk management, and compliance. 
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have third-party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance and do not always have the complete view of performance management of third parties. These solutions often miss key requirements such as third-party self-registration, third-party portals, and established relationships with third-party data and screening providers.
  • Third-party GRC management platforms. These are solutions built specifically for third-party GRC management and often have the broadest array of built-in (versus built-out) features to support the breadth of third-party management processes. In this context, they take a balanced view of third-party governance and management that includes the performance of third parties and risk and compliance needs. These solutions often integrate with ERP and procurement solutions, or may be provided by a procurement solution, to properly govern third-party relationships throughout their lifecycle and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.

The right third-party GRC technology architecture choice for an organization often involves integrating several components into a core third-party GRC management platform solution to facilitate the integration and correlation of third-party information, analytics, and reporting. Organizations suffer when they take a myopic view of third-party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real time in which business operates.

Some of the core capabilities organizations should consider in a third-party GRC management platform are:

  • Internal integration. Third-party management is not a single, isolated competency or technology within a company. It needs to integrate well with other technologies and competencies in the organization – procurement system, spend analytics, ERP, and GRC. The ability to pull and push data through integration is critical. 
  • External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third-party databases. This involves delivering content from knowledge/content providers through the third-party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.  
  • Content, workflow, and task management. Content should be tagged so that it is properly routed to the right subject matter expert, establishing workflow and tasks for review and analysis, with standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with third-party relationships in the context of performance, risk, and compliance. Contextual awareness requires that third-party management have a central nervous system to capture signals found in processes, data, transactions, and changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third-party relationships.

The above blog is an excerpt from GRC 20/20’s latest research paper. There is much more detail on each of these 7 areas in the research paper, Third Party GRC Management by Design.

Shadow Policies: Increasing Legal Exposure & Liability

Are you scared of shadows? You should be, as they can cause serious legal, operational, compliance, risk, brand/reputation, and integrity liability. 

For the past several years organizations have been battling shadow IT. This is the use of information technology applications, devices, software, technology, and services within departments, bypassing IT and without its approval. Shadow IT has grown significantly over the past several years with the adoption of cloud-based applications and services. It introduces serious risk exposure to your organization through data breaches and potential compliance violations.

The risk of shadow policies is growing with organizations coming out of lockdown.

Now there is a new shadow to be scared of: shadow policies. These are rogue policies that are being written at all levels of the organization without proper review and approval. This puts the organization at significant risk to legal liability and exposure . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE NAVEX GLOBAL BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Becoming a Policy Management Pro with a New Online Resource

Policies, and in that context the management of policies, have become critical to define and guide culture and behavior in today’s distributed, dynamic, and disrupted business environment. Today’s organization can no longer take a haphazard approach to policies and the management thereof.

When an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives.

Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavior-related risks.

The benefits of properly implementing policies

Policies, done right, articulate and build the desired corporate culture and drive . . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Understanding the Third-Party GRC Process Lifecycle

After you define your Third-Party GRC Strategic Plan, next comes the process of defining your third-party GRC process lifecycle . . .

The third-party GRC management strategy and policy is supported and made operational through a third-party GRC management architecture. The organization requires complete situational and holistic awareness of third-party relationships across operations, processes, transactions, and data to see the big picture of third-party performance and risk in the context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires that the organization take a strategic approach to third-party GRC management architecture. The architecture defines how organizational processes, information, and technology are structured to make third-party GRC management effective, efficient, and agile across the organization and its relationships.

The third-party GRC management architecture starts with the process architecture. Third-party management processes are a part and subset of overall business processes. Processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships.  

The process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes third-party GRC management processes, each process’s components and interactions, and how third-party processes work together as well as with other enterprise processes. 

While third-party GRC processes can be very detailed and vary by organization and industry, there are several general third-party management process areas that organizations should have in place:

  1. Ongoing context monitoring. Separate from the monitoring of individual relationships, this is the ongoing process of monitoring external risk, regulatory, and business environments, as well as the internal business environment. The purpose is to identify opportunities as well as risks and regulatory requirements that are evolving and impact the overall third-party GRC management program. A variety of regulatory, environmental, economic, geopolitical, and internal business factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geopolitical risks. It also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
  2. Third-party identification & onboarding. This is the collection of processes aimed at automating a standard, objective approach for identifying third parties to work with, onboarding them through the collection of third-party data, and conducting appropriate due diligence.
  3. Third-party communications & attestations. These are the set of ongoing processes to manage the communications and interactions with the third party throughout the relationship’s lifecycle. These are done on a periodic (e.g., annual) basis or when certain risk conditions are triggered.
  4. Third-party monitoring & assessment. This stage includes the array of processes to continuously monitor the third-party relationship over its lifecycle in the organization. These activities are the ones typically done within the organization to monitor and assess the third-party relationship on an ongoing basis.
  5. Forms & approvals. The set of internal processes to collect and report information and route things for approval in context of third-party relationships.
  6. Metrics & reporting. Processes to gather metrics and report on third-party relationships at the relationship level or in aggregate.
  7. Third-party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships. 

The above blog is an excerpt from GRC 20/20’s latest research paper. There is much more detail on each of these 7 areas in the research paper, Third Party GRC Management by Design.

ES-G-RC – The Role of GRC in Delivering ESG

ESG – Environmental, Social, Governance – remains front-page business news. Organizations around the world and across industries are challenged to define, implement, and report on ESG. The pressures are coming from all directions: investors, customers, employees, regulators, and activists. The reality is that ESG has teeth, and organizations have to do something about it.

Previous iterations of ESG were Corporate Social Responsibility (CSR) and Sustainability. These were often passed around the organization like a hot potato and often landed in the lap of marketing as a branding exercise. This is not the case with ESG; the risk exposure to the organization is too great. I find that the Corporate Compliance and Ethics Officer (CECO) is the most common role leading the coordinated/federated ESG strategy in the organization. The goal is to be an organization of integrity, ensuring that the values, ethics, statements, and commitments are a reality in practice, process, relationships, and transactions.

However, understanding ESG is complex. What I see happening in organizations reminds me of the parable of the blind men and the elephant. One blind man touches the tail and thinks it is a rope, another touches the body and feels a wall, and another touches a leg and says it is a tree. The same is happening with ESG as different functions/departments see what impacts them. Some focus on the E for the environment and think that is the most important since it leads the acronym ESG. Others are focused on the S, and others the G. All three are critical, and intersect with each other.

As a guide, but not exhaustive, ESG covers:

  • Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification, carbon footprint/emissions.
  • Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity and inclusion, working conditions, health and safety, product liability.
  • Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership and structure.

There is no single global standard for ESG. There is some reporting guidance, the most popular being the Global Reporting Initiative (GRI) and what is now the Value Reporting Foundation (the merger of the International Integrated Reporting Council (IIRC) and the Sustainability Accounting Standards Board (SASB)). Nothing is complete; they each have their different perspectives. The organization is left to develop a strategy and process that delivers what it needs to report to its respective/interested stakeholder groups.

GRC the Missing Link in ESG Strategy & Processes

Organizations need more structured guidance on how to deliver on ESG strategy and processes across the diverse areas of ESG.

Enter Governance, Risk Management, and Compliance (GRC). Ironically, all the elements of ESG are part of a well-structured GRC strategy. When I first defined and used the GRC acronym back in February 2002, I had in mind a complete view of organization objectives, risks, and compliance/controls with an architecture that unifies strategy, process, accountability, and reporting. The OCEG GRC Capability Model supporting guidance has included all the areas/components of ESG for the past fifteen years.

The official definition of GRC, found in the GRC Capability Model, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], manage uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. You start with objectives of the organization, and these can be an entity, division, department, process, project, or asset level objectives and from there have the context to manage risk/uncertainty and act with integrity.

The common core element of the ESG and GRC acronyms is the G for governance. A good ESG strategy is going to start with a strong governance structure. It is here that the organization sets clearly defined objectives for ESG overall and for each component/area of ESG and its varying sub-elements. Once objectives are established, the organization can assess, monitor, and manage uncertainty to those ESG objectives (risk management). From there, the organization can provide assurance and report that it is operating with integrity in the context of stated ESG statements, commitments, and obligations.

Let’s now apply the GRC Capability Model to an ESG specific context. The GRC Capability Model has four components: Learn, Align, Perform, Review. Applied specifically to ESG, this is how it works:

  1. LEARN. Here we clearly understand both the internal and external ESG context of the organization. The external context includes what is expected of the organization from stakeholders, regulators, customers, and other influencer groups for ESG. The internal context looks at what executives and employees are doing and expect, and at the processes, transactions, and relationships of the organization. Learn then takes a close look at the organization’s culture and how it aligns with ESG, and how it may need to adapt. Finally, it identifies and documents stakeholders that are part of the ESG program and reporting requirements and relationships.
  2. ALIGN. Next, we have to align the organization to work together as an ESG team and clearly detail the ESG objectives, risks, and controls. This starts with direction in providing an established ESG working group/committee led by someone with authority to deliver on ESG and GRC. The overall objectives of ESG are documented, and the process begins to identify the supporting objectives and related risks in ESG. These objectives and risks are assessed for uncertainty and conformance to requirements, and an overall program is designed with appropriate policies, processes, monitoring, issue reporting, and assurance.
  3. PERFORM. This then moves us to perform. Once we have the ESG/GRC process designed, it needs to become operational. This starts with clearly defined ESG-related controls and policies to be implemented across the extended enterprise. From here, various groups need to be informed of and educated on their roles and responsibilities in ESG. There should be clearly established incentives for achieving objectives while providing an appropriate response to issues and failures. The organization should have established processes for reporting issues, assessing ESG/GRC, reporting, and responding to issues that arise.
  4. REVIEW. From here, we move to the review component: continuous improvement and assurance. This involves ongoing monitoring and reporting on ESG to various stakeholder groups. Audit plays a critical role in providing assurance on ESG objectives, risks, and related processes, policies, and controls. And the organization looks for ways to continuously improve ESG in the organization’s context and its broader objectives and operations.

Of course, that is the summary version of the GRC Capability Model used for ESG. There is a lot more detail and breakout of each component as there are well-defined practices, actions, controls, and documentation for areas of Learn, Align, Perform, and Review.

GRC, and in this context ESG, is something organizations do and not something they purchase. You do not go out and buy GRC, and you cannot go out and buy ESG. ESG, as a part of GRC, is performance and objectives done through actions, behaviors, and transactions of the organization. No one technology solution on the planet does everything needed for GRC, and there is certainly none that does everything for ESG. You have heard the term “it takes a village.” In the case of GRC, and ESG as part of GRC, it takes an architecture. There can be a core reporting and monitoring platform, but it requires integration with other business systems and external content/intelligence providers.

If you are defining your organization’s ESG strategy, I encourage you to look at the GRC Capability Model and adapt it to your specific needs. As with any standard/framework, it is adjusted to your particular context. If you are looking for technology that can help manage and report on ESG as you build your ESG architecture (GRC architecture), please feel free to reach out to me for objective guidance and input on the array of solutions available in the market and what best meets your specific needs . . .

Critical Elements of a Third-Party GRC Strategic Plan

A sustainable third-party GRC strategy means looking to the future and mitigating risk instead of putting out fires. Organizations need to be intelligent about what processes, risk intelligence data/services, and technologies they deploy. With increased exposure to regulations and scrutiny of third-party relationships, how does an organization respond? It requires that the following third-party GRC elements be in place:

  • Understand performance and risk. An organization must have an integrated performance and risk-based approach to managing each third-party relationship. This includes periodic assessment (e.g., annual) of relationships. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change or event that could lead to exposure. Assessments should cover the performance of third parties overall and at each sub-level (e.g., contract, service level, facility), exposure in specific markets, relationships, and geographies.
  • Approach third-party GRC in proportion to risk. How an organization implements requirements and controls is based on the proportion of risk it faces. If a certain area of the world or a business partner carries a higher risk, the organization must respond with stronger governance and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Tone at the top. The board of directors and executives must fully support the third-party GRC program. Communication with top-level management must be bidirectional. Management must communicate that they support the third-party GRC program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for third-party GRC initiatives.
  • Know who you do business with. It is critical to establish a monitoring framework that catalogs third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your contractors and third parties’ beneficial owners and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current. Third-party performance evaluations, as well as due diligence and risk assessment efforts, must be kept current. These are not point-in-time efforts; they need to be done regularly or when the business becomes aware of conditions that increase risk.
  • Third-party oversight. The organization needs a group that is responsible for the oversight of third-party relationships. This often involves a collaborative effort between legal, compliance, procurement, and other business functions. This cross-functional team should have the authority to report to independent monitoring bodies, such as the board’s audit committee, to disclose issues.
  • Established policies and procedures. Organizations need documented and up-to-date policies and procedures that govern third-party relationships. This starts with a vendor/supplier code of conduct and filters down to other policies that address risks in the relationship and its activities that serve the organization. These requirements and processes must be clearly documented and adhered to.
  • Effective training and communication. Written policies are not enough: individuals need to know what is expected of them. Organizations must implement training to educate employees and business partners. This includes getting acknowledgments from employees and business partners that affirm their understanding of, and attest to their commitment to, established policies and procedures.
  • Implement communication and reporting processes. The organization must have channels of communication where employees and third parties can get answers. This could take the form of a helpline that allows an individual to ask questions, an FAQ database, or form processing for approval of activities and requests. The organization must also have a hotline reporting system for individuals, including those within third parties, to report misconduct.
  • Assessment and monitoring. In addition to periodic risk assessment, the organization must also have regular due diligence, assessment, and monitoring activities to ensure that policies, procedures, and controls governing third parties are in place and working. This includes the ongoing and continuous screening of third parties against external data sources, on a daily rather than an annual or infrequent basis.
  • Investigations. Even in the best organization, things go wrong. Investigation processes must be in place to identify potential incidents quickly and to investigate and resolve issues effectively. This includes reporting to and working with outside law enforcement and authorities.
  • Third-party controls. Organizations must keep detailed records that fairly and accurately reflect transactions and interactions of third-party relationships. This includes contract-pricing review, due diligence, and verification of foreign business representatives, accounts payable, financial account reconciliation, and commission payments.
  • Conduct audits and inspections. Every contract with a third party typically includes right-to-audit/inspection language. The organization should establish clear and consistent practices on when and how these are conducted and follow through with them.
  • Manage business change. The organization must monitor for changes that introduce greater risk in third-party relationships. The organization must document changes that result from observations and investigations and address deficiencies through a careful program of change management.

The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design.

Vendor Performance & SLA Management: A Quick Guide

Fans of Alice in Wonderland will remember how the Cheshire Cat answered Alice when she asked him which way to go. He answered, “If you don’t know where you are going, any road will get you there.” What the Cheshire Cat meant was that if you lack an objective, you have no destination in mind; if there is no purpose, there is no goal.

The same can be said for third-party risk management (TPRM). When working with vendors, suppliers and other third parties, it is critical to define and agree on each relationship’s objectives and overarching goal (i.e., the “destination”) from the start. Following TPRM best practices during the due diligence and onboarding phases can help you predict whether a new third party is capable of delivering against their objectives – and hopefully avoid major headaches down the road. 

Once you begin any journey, it’s important to regularly check your bearings to make sure you are on the right course. Unfortunately, many third-party relationships fail to reach their objectives after the initial contract is signed. To stay on track, it’s critical to monitor each vendor’s performance against objectives and service level agreements (SLAs) throughout the relationship. 

5 Steps to Continuously Manage Vendor Performance and SLAs

Here are some practical steps for managing vendor performance and SLAs to ensure productive, secure, and lasting third-party relationships . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE PREVALENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Defining Third-Party GRC Management

Dissociated data, systems, and processes, together with a myopic risk vision, leave the organization with fragments of the truth that fail to show the big picture of third-party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs holistic visibility and situational awareness into third-party relationships across the enterprise. The complexity of business, combined with the intricacy and interconnectedness of third-party data, requires that the organization implement a third-party GRC management strategy.

The primary directive of a mature third-party GRC management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third-party relationships in the context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. In the end, third-party GRC management is more than compliance, more than risk management, and more than procurement.

The integrity of the organization relies on the integrity of its third-party relationships. As a result, organizations are re-evaluating their internal core values, ethics, and standards of conduct and how this extends and is enforced across third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, conduct with others (e.g., customers, partners), and security in third-party relationships. 

The organization has to maintain operations amid uncertainty and change. This requires a holistic view of each third-party relationship’s objectives and performance in the context of the uncertainty and risk within that relationship. The organization has to be resilient, with full situational awareness of the interconnected risk environment. Given the reliance on third-party relationships, this requires a holistic view of the governance, risk management, and compliance of each third-party relationship and how it serves and provides value to the organization.

Third-party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in and across the organization’s third-party relationships. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, third-party GRC delivers:

  • Third-party governance. It starts with integrated governance of third-party relationships and monitoring relationships across the extended enterprise to ensure they meet the objectives and purpose the relationship was established for, thus returning value to the organization. 
  • Third-party risk management. Understanding the governance objectives of the relationship sets the context to then assess, analyze, and monitor the uncertainty and risk in the relationship. Risk, by official definition, is the effect of uncertainty on objectives. Thus, each relationship (or component of a relationship, such as a contract or service level agreement) has its objectives, and uncertainty must be managed against those objectives.
  • Third-party compliance. Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values across its third-party relationships. Compliance follows through on risk treatment plans to assure that risk is being managed within limits and that controls are in place and functioning within each relationship to mitigate risk.

GRC 20/20 has identified three approaches organizations take to manage third-party relationships:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration. Distributed and siloed third-party initiatives never see the big picture and fail to put third-party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how third-party management processes can meet a range of needs. An ad hoc approach to third-party GRC management results in poor visibility into the organization’s relationships. As there is no framework for bringing the big picture together, there is no possibility to be intelligent about third-party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third-party performance and strategy, leading to greater exposure than any silo understood by itself. 
  • Monarchy – one size fits all. If the anarchy approach does not work, then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department in charge of third-party GRC management that does not fully understand the breadth and scope of third-party risks and needs scattered across the entire organization. The needs of one area may overshadow the needs of others. From a technology perspective, it may force many parts of the organization into managing third-party relationships with the lowest common denominator, watering down third-party management. Further, there is no one-stop shop for third-party management, as there are various pieces of third-party management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third-party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in third-party GRC management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third-party relationships. It allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third-party management, focusing on coordination and collaboration through a common core architecture that integrates and plays well with other systems. This is true third-party GRC management.

Value of a Third-Party GRC Approach

The lack of a coordinated strategy for third-party GRC management fails to deliver insight and context, rendering it nearly impossible to make a connection between risk management and decision-making, business strategy, objectives, and performance in and across relationships. This results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. 

In contrast, a third-party GRC strategy with common processes, information, and technology gets to the root of the problem. Leading organizations are adopting a common framework, architecture, and shared processes to manage third-party GRC, increase efficiencies, and enable an agile response to the needs of a dynamic and distributed business environment. Mature third-party GRC delivers better business outcomes because of stronger governance, which will:

  • Lower costs, reduce redundancy, and improve efficiencies.
  • Deliver consistent and accurate information.
  • Continuously (e.g., daily) monitor and assess third parties by using external data sources to get up-to-date risk data.
  • Improve decision-making and insight into what is happening across business relationships.
  • Enable the organization to defend itself with a robust third-party governance program designed to mitigate risk and ensure integrity of relationships – aligned with the value and commitments of the organization.

The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design.

The Extended Enterprise Demands Attention

The Modern Organization is an Interconnected Web of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.

John Donne

Replace the word ‘man’ with ‘organization’, and the seventeenth-century English poet John Donne is describing the modern organization. In other words, “No organization is an island unto itself; every organization is a piece of the broader whole.” 

The structure and reality of business today have changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and sub-contracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise. 

In this context, organizations struggle to govern their third-party relationships and often manage risk and compliance in relationships in silos that fail to see the big picture of risk exposure and its impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries, though. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable. It must ensure that third-party partners behave appropriately. 

The business’s ability to reliably achieve corporate objectives directly depends on the governance of third-party relationships and whether the organization has established the right relationships and can reliably achieve objectives in the relationship. In addition, the organization’s ability to manage uncertainty, risk, and resiliency in its relationships requires that the relationship’s objectives, values, and risks be managed together. 

Corporate integrity and the ability of the organization to comply with regulations, commitments, and values are measured by its relationships as well. The saying, “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization. 

Inevitable Failure of Silos of Third-Party Governance

Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure. Siloed information and/or reactive, document-centric, and manual processes fail to actively govern relationships and manage risk and compliance in the context of the third-party relationship and broader organizational objectives and values. Silos leave the organization blind to the intricate relationships of risk and compliance exposures that fail to get aggregated and evaluated in the context of the overall relationship and its goals, objectives, and performance. 

Failure in third-party governance comes about when organizations have: 

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geopolitical risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third-party relationships; different parts of the organization end up finger-pointing, thinking others are doing this. Or the opposite happens: different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third-party risks that are not connected. The organization’s risk exposure across third-party relationships is becoming increasingly interconnected. A risk in one area may seem minor, but when factored into other risk exposures in the same relationship can become significant. The organization lacks complete visibility or understanding of the scope of risk in third parties that are material to the organization.
  • Silos of third-party oversight. This is when the organization allows different parts of the organization to go about third-party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third-party oversight. This leads to the unfortunate situation of the organization having no end-to-end visibility of third-party relationships.
  • Document- and email-centric approaches. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, things get overlooked, and silos of third-party management are buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult to get a comprehensive, accurate, and current analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on siloed third-party information. When things go wrong, document trails are easily covered up and manipulated, as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated legacy third-party risk technologies. When different parts of the organization use legacy internal third-party risk solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization is often limited in the capabilities and depth of its governance of third-party relationships. This leads to significant redundancy and inefficiency, which impact effectiveness while also encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only. Risk and compliance issues are often analyzed only during the onboarding process, to validate through initial due diligence that the organization is doing business with the right companies. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third-party relationship.
  • Inadequate processes to manage change. Governing third-party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geopolitical, economic, and operational risks across the globe in the context of its third-party relationships. Just as the organization itself is changing, each of its third-party relationships is changing, introducing further risk exposure.
  • Third-party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to analyze and monitor risk and compliance exposures fully. Often, metrics are focused on third-party delivery of products and services but do not include evaluating risks such as compliance, security, resiliency, and ethical considerations. 
  • Managing third-party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third-party management strategy, the organization and its various departments never see the big picture and fail to put third-party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third-party needs—an ad hoc approach to third-party management results in poor visibility across the organization. There is no framework or architecture for managing risk and compliance as an integrated part of the business. When the organization approaches third-party management in scattered silos that do not collaborate, there is no possibility of being intelligent about third-party performance, risk management, and compliance while understanding its impact on the organization.

This is More Than Third-Party Risk Management

Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impede third-party relationships and the business’s ability to manage them.

The world of business is distributed, dynamic, and disrupted. It is distributed across a web of relationships. It is dynamic as business and relationships change day by day – processes change, employees change, relationships change, regulations change, risks change, and objectives change. The ecosystem of business relationships is complex and interconnected. It requires a holistic, contextual awareness of third-party GRC (governance, risk management, and compliance) rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem. This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship.

Third-party risk management is not enough. Organizations are shifting their focus towards third-party GRC management. It starts with the governance of relationships. The relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities, etc.) need to be clearly defined and governed. It is only after a clear understanding of the objectives (and the governance of those objectives) that risk/uncertainty and compliance/integrity can be managed in the context of the relationship to deliver those objectives. Organizations need to develop a more assertive approach to the governance of relationships to ensure stronger risk management, resiliency, and integrity in and across relationships and to deliver value to the organization.

This challenge is even greater when third-party risk management is buried in the depths of departments and operating from silos, rather than as an integrated discipline of decision-making that has a symbiotic relationship with the performance and strategy of relationships.

The bottom line: The modern business depends on and is defined by the governance, risk management, and compliance of its third-party relationships, which ensure the organization can reliably achieve objectives, manage uncertainty, and act with integrity in each of those relationships. A haphazard department- and document-centric approach to third-party risk management compounds the problem and does not solve it. It is time for organizations to step back and move from third-party risk management to third-party GRC management, with a cross-functional and coordinated strategy and team to define and govern third-party relationships. Organizations need to address third-party GRC with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk, and compliance and how it impacts the organization.

The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design.