Components of an Effective Incident/Case Management Process

Distributed and dynamic business requires the organization to take a strategic approach to issue reporting and case management. Organizations require complete situational and holistic awareness of issues, incidents, investigations, and cases across business operations and processes. This is best approached through structured and accountable processes enabled through an integrated information and technology architecture for issue reporting and case management. The goal is to manage individual issues at the detail level while being able to see the big picture and trends of issues and their impact on overall risk and compliance exposure.

Two essential components for a mature and robust issue reporting and case management program are:

  1. Structured processes for issue reporting and case management.
  2. Integrated information and technology architecture for issue reporting and case management.

Issue reporting and case management processes determine the types of information needed, gathered, used, and reported. It is through the integrated information and technology architecture that these processes can be properly managed. The architecture defines how organizational processes, information, and technology are structured to make issue reporting and case management effective, efficient, and agile across the organization.

Issue Reporting & Case Management Process Structure

Issue reporting and case management processes are a subset of overall business and GRC processes. Issue reporting and case management identifies where things are going wrong with a goal of containing, addressing, and correcting exposure, loss, and incidents. The issue reporting and case management process is the structural design of tasks and management of how issues are reported, investigated, and resolved.

Structured processes for issue reporting and case management define responsibilities, workflow, tasks, how issues are reported, how cases are managed, and how the processes work together as an integrated whole with other GRC and organizational processes. Issues and cases provide objective information that should in turn feed into risk management models as well as compliance reporting. For a mature GRC program, the organization requires the ability to track all issues across the enterprise (e.g. employee issues, customer issues, poor product quality, and supply chain).

There are five foundational process components that organizations should have in place for issue reporting and case management:

  1. Strategic/operational case planning and administration. This involves the ongoing planning and administration of issues, cases, investigators, workload, and tasks. Core to this is resource and case planning and administration, the ability to measure cycles/seasonality of cases, backlog, resource planning, and costs.
  2. Issue intake & triage. This is the foundational component where issues are reported. It involves being able to report and process issues coming from hotlines, web forms, management reports, and other inputs. The goal is to eliminate noise, consolidate duplicated issue reports, weed out non-cases, and focus on what is critical and exposes the organization to the greatest risk. It is critical that the organization has the ability to automate linking between issues being reported, cases, parties, processes, places, and other relationships. From here initial planning and assignment of cases is done.
  3. Investigation. This is the heart of the process that takes reported issue(s) and manages the process of investigation through to closure. Investigators need structured templates and processes to keep everything organized, document the investigation, manage tasks, provide notifications and escalation, and keep all information in one place for ease of reporting. The more the organization can automatically define the process to investigate an issue/case, the better. Accountability, centralization of information, keeping everything current and up to date, and having a defensible system of record that can stand up in court is critical to this stage of the process.
  4. Remediation & resolution. History repeats itself because no one was listening the first time. This stage of the issue reporting and case management process ensures that remediation steps are followed to mitigate or eliminate the risk of further issues and incidents. The organization needs to be able to track action items and ensure that things do not slip through the cracks, in order to reduce repeated and future cases. The organization requires the ability to link issues to policies and procedures to ensure they are updated as resolutions dictate.
  5. Reporting, analytics & metrics. This is the stage of the process that provides detailed reports on both individual and aggregate cases. The organization should be able to track past due tasks, benchmark timelines of cases, identify where loss can be mitigated, and reduce gaps.
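The five stages above, as an added illustration that is not code from the original page or from any case-management product: a small Python model in which intake consolidates duplicate reports and links parties, every step is written to a hash-chained audit log so after-the-fact edits to the record are detectable, a case cannot be closed while a remediation item is still open, and past-due actions are reported across cases. The sample reports, party labels and the C-0001 case identifier are constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date

GENESIS = "0" * 64

def fingerprint(subject: str, summary: str) -> str:
    # Normalised key used to fold duplicate reports of the same issue into one case.
    key = subject.strip().lower() + "|" + " ".join(summary.lower().split())
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

@dataclass
class Case:
    case_id: str
    subject: str
    summary: str
    opened: date
    closed: date | None = None
    reports: list[dict] = field(default_factory=list)  # consolidated intake reports
    parties: set[str] = field(default_factory=set)     # linked people, places, processes
    actions: list[dict] = field(default_factory=list)  # remediation items with owner/due/done
    audit: list[dict] = field(default_factory=list)    # hash-chained system of record

    def record(self, actor: str, event: str, on: date, **details) -> None:
        # Each entry commits to the previous entry's hash, so later edits are detectable.
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"seq": len(self.audit), "date": on, "actor": actor,
                 "event": event, "details": details, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.audit.append(entry)

    def verify_audit(self) -> bool:
        # True only if no entry was altered, removed or reordered after the fact.
        prev = GENESIS
        for i, e in enumerate(self.audit):
            if e["seq"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class CaseRegistry:
    def __init__(self) -> None:
        self.cases: dict[str, Case] = {}
        self._index: dict[str, str] = {}  # fingerprint -> case_id

    def intake(self, source, reporter, subject, summary, on, parties=()) -> Case:
        # Intake & triage: consolidate duplicate reports and link the parties involved.
        fp = fingerprint(subject, summary)
        if fp in self._index:
            case = self.cases[self._index[fp]]
        else:
            case = Case(f"C-{len(self.cases) + 1:04d}", subject, summary, opened=on)
            self.cases[case.case_id] = case
            self._index[fp] = case.case_id
        case.reports.append({"source": source, "reporter": reporter, "date": on})
        case.parties.update(parties)
        case.record(reporter, "report_received", on, source=source)
        return case

    def add_action(self, case: Case, description: str, owner: str, due: date, on: date) -> None:
        case.actions.append({"description": description, "owner": owner, "due": due, "done": False})
        case.record(owner, "action_added", on, description=description, due=due)

    def close(self, case: Case, actor: str, on: date) -> bool:
        if any(not a["done"] for a in case.actions):
            return False  # an open remediation item blocks closure
        case.closed = on
        case.record(actor, "closed", on)
        return True

    def overdue_actions(self, today: date) -> list[tuple[str, str, str]]:
        # Reporting & metrics: past-due remediation items across all cases.
        return [(c.case_id, a["description"], a["owner"]) for c in self.cases.values()
                for a in c.actions if not a["done"] and a["due"] < today]

def demo() -> dict:
    # Constructed sample: one issue reported twice through different channels, one overdue action.
    reg = CaseRegistry()
    c1 = reg.intake("hotline", "anonymous", "Expense fraud", "Duplicate travel claims by one manager",
                    date(2017, 9, 1), parties={"person:M-17", "process:expenses"})
    c2 = reg.intake("webform", "jdoe", "expense fraud", "duplicate  travel claims by one manager",
                    date(2017, 9, 3))
    reg.add_action(c1, "Tighten duplicate-claim check", "finance", date(2017, 9, 20), date(2017, 9, 4))
    blocked = not reg.close(c1, "investigator:A", date(2017, 9, 25))  # action still open
    overdue = reg.overdue_actions(date(2017, 9, 25))
    c1.actions[0]["done"] = True
    closed = reg.close(c1, "investigator:A", date(2017, 9, 25))
    audit_ok = c1.verify_audit()
    c1.audit[1]["actor"] = "someone-else"  # simulate an after-the-fact edit of the record
    return {"same_case": c1 is c2, "reports": len(c1.reports), "close_blocked": blocked,
            "overdue": overdue, "closed": closed, "audit_ok": audit_ok,
            "audit_ok_after_tamper": c1.verify_audit()}
```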

WEBINAR: Case Management

Building a Business Case & Articulating Value to the Organization

Organizations often approach issue reporting and case management in manual processes encumbered by documents, spreadsheets, and emails. This taxes and slows down investigation processes, and makes reporting very time consuming and often inaccurate because of scattered information. GRC 20/20 Research has conducted a detailed study of organizations that moved from manual document centric approaches to i-Sight case management. GRC 20/20 found that organizations that utilize purpose built software for case management make their issue reporting and case management processes more efficient, effective, and agile. This results in a quantifiable return on investment.

On October 5th, 2-3pm, join presenter Michael Rasmussen as he outlines how case management software can make issue reporting and case management more efficient and agile.
In this webinar, organizations will learn how to:

  • Avoid the costs of manual document-centric processes in wasted time and resources
  • Identify specifics on how software makes issue reporting and case management more efficient, effective, and agile
  • Measure and quantify the value in time and dollars saved with case management software
  • Build a business case to justify case management software in your organization

Register: https://i-sight.com/resources/case-management-software-building-a-business-case-articulating-value-to-the-organization/?leadsource=GRC2020

Challenges in Issue Reporting & Case Management

The Best Laid Plans of Mice and Men . . .

Organizations today are distributed and dynamic. With the globalization of business, organizations find that governance, risk management, and compliance (GRC) have become complex, crossing departments, jurisdictions, geographies, and cultures. The modern organization is a complex web of employees, suppliers, vendors, contractors, consultants, agents, and third parties. At the same time, organizations are constantly changing: business is dynamic. Employees, relationships, regulations, risks, economies, litigation, and legislation are constantly changing. GRC professionals are challenged to get a big picture point of view of the range of issues being reported across the organization and the management of cases that impact the organization’s “ability to reliably achieve objectives while addressing uncertainty and acting with integrity.”[1]

Issue reporting and case management has become a moving target that needs a structured approach supported by a strong process, information, and technology architecture. Well run organizations, with GRC processes, still have issues, incidents, cases, and investigations. As the poet Robert Burns states, “The best laid plans of mice and men often go awry.” Whether unintentional issues or acts of the malicious miscreant, organizations need to be prepared and have established processes in place to manage issues as they arise in the organization.

The typical organization has a variety of departments managing a diverse range of issues, cases, incidents, and investigations.[2] These issues and cases are often managed in silos of documents, spreadsheets, and emails or in home-grown databases and applications. Different departments often have diverse approaches and the organization does not have insight into the range of issues that are happening across operations. Organizations often lack a central repository for case management and the use of home grown solutions has limitations that make the issue management processes inefficient, ineffective, and burdensome to the organization. Issue reporting and case management is often a tactical and fragmented approach with highly diverse approaches taxing the business.

Issue management across the organization is often scattered across departments, such as:

  • Corporate security
  • Customer complaints
  • Environmental
  • Ethics and compliance
  • Fraud and corruption
  • Health and safety
  • Human resources
  • Insurance claims
  • IT security
  • Legal
  • Physical security
  • Privacy
  • Quality
  • Third party suppliers and vendors

The breadth of silos across issue reporting and case management results in a maze of disconnected processes, reporting, and information. These are redundant, document-centric, and manual approaches that do not integrate and are highly inefficient. Different functions spend more time managing the volume of emails, documents, and spreadsheets than they actually do managing the issues themselves. The line of business is overwhelmed with inconsistent approaches to issue reporting and case management.

This fragmented approach to issue reporting and case management resembles battling the multi-headed Hydra in mythology. As the Hydra grows more heads of risk, regulation, and ethical challenges, issue reporting and case management professionals find that scattered approaches leave them exhausted and overwhelmed as they lose the battle. This results in a reactive fire-fighting approach to issue reporting and case management, with silos of data that professionals struggle to find the time to coordinate and link together manually. This piecemeal approach is inefficient, increases risk exposure, and leads to serious matters that fall through the cracks. Redundant and inefficient processes lead to overwhelming complexity that slows down the business in an environment that actually requires agility.

The document-centric, scattered, and manual processes of the past have impaled case management functions with inefficiency. Process management and reporting is primarily comprised of emails, documents, shared files, homegrown databases, spreadsheets, and manual processes. Case management professionals are spending a disproportionate amount of time collecting data and reporting on data instead of time spent adding strategic value to the business through analyzing and trending the data collected. This antiquated approach leaves teams with flat metrics that lack context and don’t help professionals identify or address problematic processes, culture, or behavioral issues. GRC professionals often express to GRC 20/20 Research their frustration with the:

  • Inability to gain a clear view of issue reporting and case management interdependencies
  • High cost of consolidating silos of GRC and issue management information
  • Difficulty maintaining accurate GRC and issue management information
  • Failure to trend across issues, departments, and reporting periods
  • Incapability of providing GRC and issue intelligence to support business decisions and strategic planning
  • Redundant approaches that limit correlation, comparison, and integration of information
  • Lack of agility to respond promptly to changing regulations, laws, and business environment

Dynamic & Distributed Business Compounds the Problem

Organizations are seeing increased scrutiny of and focus on their compliance activities:

  • Governments worldwide are increasing their scrutiny of organizations and have become more prescriptive in their regulations and standards.
  • Enforcement agencies have grown more sophisticated in assessing “real” versus “paper” ethics and compliance efforts.
  • Stakeholders, including investors, activist groups, consumers, business partners, and employees are demanding transparency and accountability.

These challenges are making organizations rethink their approach to issue reporting and case management. Organizations are looking for greater agility and effectiveness, while achieving greater efficiency with human and financial resources in identifying and resolving issues. The goal is to:

  • Align stakeholder demands for transparency and accountability.
  • Leverage emerging technologies to improve efficiency, effectiveness, and agility.
  • Enable GRC professionals to better target resources where issues identify the greatest exposure.

This trend points in one clear direction: a new issue management architecture that is dynamic, predictive, and information-based through the deployment of an integrated information, intelligence, and analytics architecture to overcome the inefficiencies of the manual and document-centric approaches of the past. This approach to issue reporting and case management delivers demonstrable proof of risk and compliance management, discovery and containment of issues, and shifting the focus of efforts from being reactive and “checking the box” to being proactive and forward-looking. Organizations need greater efficiency in processing and managing issues with structured information and process, greater effectiveness in ensuring corporate integrity, and increased agility in addressing rapidly changing business, regulatory, legal, and reputational risks.

The bottom line: Issue reporting and case management programs have been very tactical and inefficient in the past in collecting issue reports and managing cases. GRC functions across the organization have lacked an overall approach to manage issues, provide reporting and analytics, and the ability to move issue reporting and case management from the tactical approach to an integrated strategic approach that aligns with governance, risk management, and compliance strategy and processes. A centralized issue reporting and case management system saves time and money and creates an environment where the organization can measure the effectiveness and efficiencies of GRC resources.


[1] This is the official definition of GRC as found in the OCEG GRC Capability Model.
[2] For the purpose of this report, the term issues and cases will be used but should be understood to include incidents and investigations.

GRC in Crisis

The world around us is in a state of alarm. Hurricane after hurricane hits the Gulf of Mexico and Caribbean. Devastating earthquakes have hit Mexico. Geo-political tensions are playing themselves out in the United Nations and the news. A massive data security and privacy breach at Equifax. My home state of Montana (yes, I live in Wisconsin but was raised in Montana) has had one of its worst years of forest fires with nearly one million acres burned.

All of this has led organizations to rethink their approach to GRC, in particular the components of business continuity, environmental, health and safety, operational risk management, and even third party management as organizations look at continuity and security of supply chains and vendors. What is disappointing to me is how many organizations fail to take an integrated approach to these areas. It boggles my mind the number of business continuity programs that operate completely separate from an operational risk management program. Logic would only dictate that business continuity should be a critical part of an operational risk management strategy . . . yet organizations approach these as disconnected functions.

The greatest insight and rewards of risk and control come from an integrated information architecture that can see 360° contextual intelligence. That is the only way to connect the dots and see the big picture of interconnectedness and relationships of risk, control, and continuity.

GRC is an integrated capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance] (definition from the OCEG GRC Capability Model). Organizations should carefully think through their overall strategy to Governance, Risk Management, and Compliance across the organization and look for ways to make it more efficient, effective, and agile in a dynamic, distributed, and disrupted environment.

As part of GRC 20/20’s research, we offer organizations looking for GRC solutions complimentary inquiry (email or phone) to navigate the hundreds of solutions in the market that GRC 20/20 has mapped and differentiated in capabilities. This is part of our research as we interact with organizations to learn how GRC and its components can be efficient, effective, and agile.

GRC areas for inquiries include:

  • Enterprise GRC
  • Audit Management & Analytics
  • Automated & Continuous Control
  • Business Continuity Management
  • Compliance & Ethics Management
  • Environmental Management
  • Health & Safety Management
  • Internal Control Management
  • IT GRC Management
  • Issue Reporting & Management
  • Legal Management
  • Physical Security Management
  • Policy & Training Management
  • Quality Management
  • Risk Management & Analytics
  • Strategy & Performance Management
  • Third Party Management

GRC 20/20 Events Next Week

IT GRC Management by Design Workshop, San Francisco September 25

  • Blueprint for an Effective, Efficient & Agile IT GRC Management Program. Workshop Abstract: Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the…

2017 GRC Market: The Good, The Bad & The Ugly in GRC Drivers & Trends September 28 @ 10:00 am – 12:00 pm CDT

  • Analysis & Details on GRC Buying Trends & Needs 2017 has been the busiest year to date in the GRC market. GRC 20/20 has seen a record number of inquiries and RFPs across GRC domains in 2017 and forecasts increased activity into 2018. This research briefing provides a breakdown of GRC solution drivers, trends, and forecasting by geography, industry, type of GRC technology, and buyer persona. A detailed analysis of RFP trends and inquiries that GRC 20/20 has worked on…

GRC Archetypes: Compliance & Ethics Management

Compliance and ethics has become a significant challenge for organizations across industries, geographies, and business boundaries. It is inundated with challenges such as anti-bribery and corruption, market conduct, conflict of interests, third party (e.g., vendor/supplier) compliance, code of conduct, and more. Organizations are struggling to deal with the pace of regulatory change, not only from new regulations but from changing/evolving regulations, enforcement actions, and administrative decisions. Global financial services firms are dealing with approximately 201 regulatory change events every business day (source: Thomson Reuters).

Compliance becomes further complicated by different geographies that have different approaches to compliance. In the USA it is very much a check-box/prescriptive approach. Organizations want a specified list of what they have to do and then want a “get out of jail free” card if they do those things. In Europe the approach is focused on principle or outcome-based compliance. It is not prescriptive. Regulators tell you what you have to achieve as an outcome but do not tell you how you have to achieve it. This requires a much stronger risk management approach to compliance to determine how best to comply.

The challenge for compliance and ethics grows exponentially as organizations face greater obligations to manage compliance across their third party relationships of vendors, suppliers, outsourcers, service providers, contractors, consultants, intermediaries, brokers, agents, dealers, and other partners. Their compliance and ethical issues are the organization’s compliance and ethical issues. The legal and regulatory environment of today is making that clearer than ever.

Compliance and ethics, though, is much more than regulatory compliance. Compliance and ethics is about the very integrity of the organization: not just meeting regulatory requirements, but ensuring the organization is aligned with and adhering to the values, ethics, policies, corporate social responsibility commitments, contracts, and other obligations of the organization. I have been stating for the past decade that the true Chief Compliance and Ethics Officer is really the Chief Integrity Officer of the organization.

The truth of compliance is that it is very fragmented. In all of my research, spanning interactions with thousands of organizations, I have not encountered one Chief Ethics & Compliance Officer that is truly responsible for oversight of all of compliance. There are many disconnected factions of compliance in organizations: corporate compliance and ethics, human resources compliance, IT compliance, privacy compliance, quality compliance, third party compliance, environmental compliance, health and safety compliance, . . . .

The problem is that this leads to a lot of redundancy. Organizations are finding that they lack agility as there are uncoordinated approaches to compliance and the business is struggling with multiple systems and processes that are very repetitive and confusing. Organizations often have dozens of policy portals, different approaches for compliance assessments and surveys, a mixture of processes for reporting and managing incidents and cases . . . this hinders the organization, things get missed, and the organization ends up in hot water.

An ad hoc approach to compliance management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of compliance, how it was managed, who was responsible, what was done, who attested to it, what exceptions were granted, and how violations and resolution was monitored and managed. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined compliance and ethics management program is vital to enable an organization to effectively develop and maintain the wide gamut of compliance tasks it needs to govern with integrity.

THE QUESTION: How is your organization approaching compliance and ethics management? Can you map yourself to one of the following GRC archetypes of compliance and ethics management?

  • Fire Fighter. Your organization approaches compliance and ethics management in an ad hoc, fly-by-the-seat-of-your-pants approach. Compliance management is not structured and is addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the narrowest understanding of the requirement before you and not thinking strategically about compliance and ethics management. Compliance management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have an integrated solution to manage compliance and ethics planning, regulatory change, assessments, policies, issue reporting, third party management, and case management.
  • Department Islander. In this archetype, your organization has a more structured approach to compliance management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in compliance management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for compliance management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of compliance processes in different portals and file shares with inconsistent formats and templates.
  • GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for compliance management to provide consistent processes and structure for compliance management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage compliance to meet requirements. Most often there is a broader compliance management platform deployed to manage compliance processes and tasks, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Principled Performer. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Compliance and ethics management is more than meeting requirements but is about encoding, communicating, and monitoring boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Compliance obligations are mapped to risks and objectives and actively understood and managed as critical governance processes of the organization. Compliance and ethics management is about the integrity of the organization and embraces corporate social responsibility, ethics, and the values of the organization and not just regulatory requirements.

The haphazard department and document centric approaches for compliance and ethics management of the past compound the problem and do not solve it. It is time for organizations to step back and define a cross-functional and coordinated team to define and govern compliance and ethics management. Organizations need to wipe the slate clean and approach compliance and ethics management by design with a strategy and architecture to manage the ecosystem of compliance and ethics processes throughout the organization with real-time information about conformance and how it impacts the organization.

GRC 20/20’s Compliance Management Workshop

GRC 20/20 will be leading a free interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:

GRC Archetypes: Policy Management

Policy management is the capability to establish, manage, monitor, and enforce policies to reliably achieve objectives, while addressing uncertainty, and act with integrity across the organization (adapted from the OCEG GRC definition).

Policies are critical to the organization to establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability. An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

THE QUESTION: How is your organization approaching policy management? Can you map yourself to one of the following GRC archetypes of policy management?

  • Fire Fighter. Your organization approaches policy management in an ad hoc, fly-by-the-seat-of-your-pants approach. Policy management is not structured and policies are written or reviewed only when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue before you and not thinking strategically about policy management. Policy management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have a master index of all official policies across departments and there are conflicting versions of the policy in existence (e.g., out of date).
  • Department Islander. In this archetype, your organization has a more structured approach to policy management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in policy management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for policy management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of policies in different portals and file shares with inconsistent formats and templates.
  • GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for policy management to provide consistent processes and structure for policy management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage policies to meet requirements. Most often there is a broader policy management platform deployed to manage policies, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Principled Performer. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Policy management is more than meeting requirements; it is about encoding and communicating boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Policies are mapped to risks and objectives and actively understood and managed as critical governance documents of the organization. Policies follow a consistent, defined template and language style, and the organization has a current index of all of its official policies. Policy management is tightly integrated with training to help communicate and ensure that policies are understood.

The haphazard department and document centric approaches for policy and training management of the past compound the problem and do not solve it. It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

GRC 20/20’s Policy Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:

Strategy Perspective on Policy Management

Research Briefings on Policy Management

Solution Perspectives on Policy Management

Case Studies on Policy Management

GRC Archetypes: Third Party Management

Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organization’s third party relationships/extended enterprise (adapted from the OCEG GRC definition).

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mesh of relationships and interactions that span traditional business boundaries. Over half of an organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

Third party compliance requirements are growing at a staggering rate. Human rights, social accountability/labor standards, privacy, security, ethical sourcing, environmental, health and safety, and quality compliance and risk requirements are mounting upon organizations. GRC 20/20 is monitoring how regulations such as the UK Modern Slavery Act, US Foreign Corrupt Practices Act, UK Bribery Act, OECD Anti-Bribery Convention, PCI DSS, EU GDPR, US Conflict Minerals, EU Conflict Minerals, California Transparency in Supply Chains Act, France Sapin II, and more impact third party management strategies in organizations.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

THE QUESTION: How is your organization approaching third party management? Can you map yourself to one of the following GRC archetypes of third party management?

  • Fire Fighter. Your organization approaches third party management in an ad hoc, fly-by-the-seat-of-your-pants manner. Third party management is not structured and is only addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue before you and not thinking strategically about third party management. Third party management is addressed in manual processes with documents, spreadsheets, and emails, but only for reactive purposes.
  • Department Islander. In this archetype, your organization has a more structured approach to third party management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in third party management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for third party management, or still be relying on manual processes with documents, spreadsheets, and emails.
  • Compliance/Risk Collaborator. This is the archetype in which your organization has cross-department collaboration for third party management to provide consistent processes and structure for third party management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage third party risks to meet regulatory requirements and not a serious look at the governance, risk management, and compliance of third party relationships. Most often there is a broader third party management platform deployed to manage third party compliance, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Corporate Citizen. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Third party management is more than meeting compliance/regulatory requirements; it is about being a good corporate citizen focused on doing the right thing. It goes beyond compliance to an approach that ensures that the organization’s values, ethics, code of conduct, and culture are shared and consistent across business relationships. The focus is on the integrity of the organization and ensuring that this is consistent across the extended enterprise of relationships.

Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to intricate risk and compliance exposures that do not get aggregated and evaluated in the context of the organization’s goals, objectives, and performance expectations in the relationship.

When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.

Third Party Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Solution Perspectives on Third Party Management

Case Studies on Third Party Management

Diary of a Wimpy GRC Solution

I understand what it is like to be the underdog. In grade school and junior high I was the target to be picked on. The scrawny emotional kid that was an easy target. Things changed. In high school my Viking Danish DNA caught up and I became a more forbidding obstacle to be a target of. Which worked well for my phlegmatic disposition.

In the GRC market, I have a soft spot for the underdogs. There are many great solutions available that never get the attention they deserve. They have great clients that are amazed with the solution, but they have a hard time getting the clients as they are overshadowed by the popularity contest of solutions that get all the attention from analysts, media, and professional service firms.

Why is this? There are many reasons for this; consider the following . . .

  • Analysts. Yes, I am a market research analyst, but I truly hope one of a different flavor. To get analyst attention today requires a lot of money and engagement. My competitors often charge $15,000 or more a day for advisory time to solution providers. They charge tens of thousands of dollars to redistribute research reports in which a solution provider is mentioned. When it comes to their evaluation of solutions, they have more intimacy with those that spend tens of thousands of dollars on advisory days and less with solutions from which they simply request video demos and do not actually dive deep into.
  • Professional Service Firms. There are some great advisors and consultants in any firm, but then there are those that think more economically and strategically for the firm. Many major consulting/advisory firms partner with solutions that are very complex and require a lot of build out and customization. The reason is revenue. When GRC projects become the scale of ERP projects and take six months to two years (or more) to roll out . . . that is a lot of services revenue. I have seen one email from a major consulting firm that was responding to a solution provider about partnership. It stated that they are more than willing to work on an opportunity should the solution provider bring one to them, but why would they want to partner with this SaaS solution that stated it was so easy to implement and configure? Where was the services revenue?
  • Black and White Honesty. Many solution providers approach RFPs without any creativity and thoughtfulness. They say no to many answers in a black and white perspective without actually thinking how their solution could meet the criteria. On the other hand, major competitors are saying yes to everything in RFPs and it takes years to build out and deliver as it was not true. But the Yes solutions get further in RFPs than the brutally honest No solutions that have capabilities they did not even consider. In fact, I have even found one major GRC solution in the market demoing functionality that did not exist in their product . . . they were demoing someone else’s functionality for risk management.
  • Poorly trained sales. Too often good solutions fail in getting into deals because they have poorly trained sales people that do not understand the market, how to engage buyers, understand organization needs and requirements, or think outside the box. Perhaps they have focused on IT security for their careers and fail in understanding how to talk to a corporate compliance officer on bribery or corruption, or procurement on human slavery and international labor standards in a supply chain. I recently saw one solution provider fail in an RFP because the sales person only understood IT GRC and the demo scripts requested by the buyer were about EH&S. They kept going off script to talk about security instead of demoing the solution’s EH&S capabilities that were there.
  • Misaligned marketing. Too often marketing is taxed with limited resources to adequately message the variety of use cases a solution can be used for. Too often I recommend a solution to an organization and then the organization goes out to the solution provider’s website and finds nothing about their specific need. Following up with them later on, I find they went to others I had recommended that did have messaging to their specific needs.
  • Lack of market intelligence. Many solutions simply do not have visibility into the opportunities available in the market. They miss doors of opportunity as they do not know who to call on and interact with. The analysts are not covering them, professional service firms ignore them, and they have no insight into the many opportunities available to them in the market.

Don’t get me wrong, there are established and mature solutions in the market that do some great things and have happy clients. But there are also many situations in which major GRC solutions take years to build out and implement and cost a ton of money to administer. In fact, one major GRC solution that major analysts love and rank so very highly (I am not naming names in a post like this) has a string of failures. Consider:

  • IT GRC @ Global Manufacturer. I wrote the IT GRC for this RFP. The CISO stated they will not consider this major GRC platform because of the horrible experience at a previous firm he was with.
  • Enterprise GRC @ Utility & Energy Company. The project owner at this firm stated they would not allow this solution into the RFP because of the failure and cost to administer the solution at a previous firm.
  • Enterprise GRC @ Bank. In this RFP I helped with, this solution was already in house for an area of GRC. They told me that they would let the solution provider respond to the RFP as they were an incumbent, but they would not be a consideration because they are very dissatisfied with it.
  • Enterprise GRC @ Outsourcer/Professional Service Firm. In this instance, I helped write and manage the RFP. At the last minute IT stepped in and said they wanted to be part of this and that it would be this particular solution provider. As they controlled the budget, no one could argue. I warned them that this would not be my choice, that they would be over budget and well past their deadlines. They came back to me two years later and said they wished they had listened, that they were just now doing the initial rollout and they were way over budget. They have now scrapped the solution and have implemented another they are happy with (which I originally recommended).

My point here is that there are great solutions available in the market. Popularity should not be the measuring stick. While there are exceptions, the popular kids in school were often the jerks and bullies.

Organizations need to do their homework and understand solutions for their features, functionality, ability to deliver, ease of administration, and how agile the solution provider is to engage and adapt to the organization. GRC does not need to be the scale of ERP. There are highly agile, intuitive, easy to use solutions available in the market. All you need to do is ask. GRC 20/20 offers complimentary inquiry to guide organizations on what solutions are available in the market for their specific needs. Every week GRC 20/20 answers between 5 and 15 questions from organizations looking for GRC related solutions in the market.

When you measure the value of a GRC solution in the market, I suggest you frame it around the following three areas:

  1. GRC efficiency. How does this solution make you more efficient in your use of human and financial capital?
  2. GRC effectiveness. How does this solution make you more effective, accurate, and complete in executing GRC processes, activities, and tasks?
  3. GRC agility. How does this solution help you keep up with change – business change, regulatory change, risk change – in your environment? Also, how does it help you quickly identify issues and concerns to contain them before they become big issues?

One more thing, GRC 20/20 has an extensive RFP requirement library across GRC domains. Organizations can engage GRC 20/20 to assist with their RFP development and engagement in the following areas:

  • Enterprise GRC Platforms
  • Enterprise & Operational Risk Management
  • Audit Management
  • Automated/Continuous Controls Management
  • Business Continuity Management
  • Compliance/Ethics Management
  • Environmental, Health & Safety Management
  • Internal Control Management
  • Issue Reporting and Investigations/Incident/Case Management
  • IT GRC Management/IT Security
  • Policy Management
  • Quality Management
  • Third Party (Vendor/Supplier) Management

On the flip side, if you are a GRC Solution Provider in the market, check out GRC 20/20’s next Research Briefing on How to Market and Sell GRC Solutions to go through these challenges discussed in this post and how to overcome them.

Three Lines of Defense: Enabling High Performing Organizations

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].” (source: www.OCEG.org) Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model comprises three layers of GRC responsibility and accountability in organizations. These are:

  • Business Operations. The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  • GRC Professionals. The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  • Assurance Professionals. The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

The Three Lines of Defense Model is well understood and adopted globally. The major downside of the model is the name itself using the word ‘defense.’ This gives the model a perception of being reactionary and tactical and not strategic. This is unfortunate as the model enables high-performance by aligning accountabilities at different levels of the organization and getting these functions working together in context of each other. High performing organizations require consistency and controls to ensure the organization operates within boundaries of controls. The Three Lines of Defense Model is key to enable reliable achievement of objectives and consistent control of the business.

The key to success in implementing the Three Lines of Defense Model is collaboration. If the layers of accountability across the three lines do not collaborate and work together, GRC functions will remain in silos and be ineffective, inefficient, and lack agility to respond to a complex and dynamic business environment. Internal politics and divisions work against the Three Lines of Defense Model in organizations.

Another challenge for organizations in implementing the Three Lines of Defense Model is not having a consistent GRC process, information, and technology architecture. Not only do different groups across the lines of defense need to be able to work together, they need to be able to share information and have a consistent and single source of truth for GRC activities, accountabilities, and controls.

The Bottom Line: Three Lines of Defense is an integrated GRC framework with the goal of allowing different parts of the organization to work cohesively together to reliably achieve objectives while addressing uncertainty and acting with integrity. It enables what OCEG calls Principled Performance, and ensures that there are clear responsibilities, accountability, and oversight of risk and control at all levels of the organization. Organizations are adopting the Three Lines of Defense Model for GRC as they have come to realize that silos of GRC that do not collaborate and work together lead to inevitable failure. There is a need for visibility across these lines of defense that is scalable, integrated and consistent. The Three Lines of Defense Model enables efficient, effective, and agile business.

GRC 20/20’s latest research piece evaluating solutions on this topic is:

Role of Technology in Risk Management Maturity

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see its individual risks (the trees) as well as the interconnectedness of risk (the forest). Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional to cause; in the non-linear world of business risk management, risk is exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential and unpredictable.

Mature risk management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling. Successful risk management requires the organization to provide an integrated process, information, and technology architecture to identify, analyze, manage, and monitor risk and capture changes in the organization’s risk profile from internal and external events as they occur. Mature risk-management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of business, not an unattached layer of oversight. It also involves a bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk.

Organizations striving to increase their risk management maturity become more:

  • Aware. They want to have a finger on the pulse of the business and watch for change in the internal and external environments that introduces risk. Key to this is the ability to turn data into information that can be, and is, analyzed, and to share that information in every relevant direction.
  • Aligned. They need to align performance and risk management in the context to support and inform business objectives. This requires the ability to continuously align objectives and operations of the integrated risk capability to the objectives and operations of the entity and give strategic consideration to information from the risk management capability, enabling appropriate change.
  • Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of the information that drives decisions and actions and on improving transparency, but it also quickly cuts through the morass of data to what an organization needs to know to make the right decisions.
  • Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Principled Performance enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
  • Resilient. The best laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They desire to have sufficient tolerances to allow for some missteps and have confidence necessary to rapidly adapt and respond to opportunities.
  • Lean. They want to build business muscle and trim fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources; to lean the organization overall with enhanced capability and related decisions about application of resources.

Risk Management Information & Technology Architecture

Risk management fails when information is scattered, redundant, unreliable, and managed as a system of parts that do not integrate and work as a collective whole. The risk management information architecture supports the process architecture and overall risk management strategy. With processes defined and structured, the organization can then define the information architecture needed to support risk management processes. The risk management information architecture involves the structural design, labeling, use, flow, processing, and reporting of risk management information to support risk management processes.

A successful risk management information architecture will be able to integrate information across risk management systems and business systems. This requires a robust and adaptable information architecture that can model the complexity of risk information, transactions, interactions, relationships, cause and effect, and analysis, and that integrates with and manages a range of business systems and external data.

The risk management technology architecture operationalizes the information and process architecture to support the overall risk management strategy. The right technology architecture enables the organization to effectively manage risk and facilitate the ability to document, communicate, report, and monitor the range of risk assessments, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for risk management that connects the fabric of the risk management processes, information, and other technologies together across the organization. Many organizations see risk management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring.
  • Point solutions. Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization in managing risk holistically.
  • Risk management/GRC platforms. These are solutions built specifically for risk management and often have the broadest array of built-in (versus built-out) features to support the breadth of risk management processes. In this context they take a balanced view of risk management that includes performance as well as risk and compliance needs. These solutions allow an organization to govern risk throughout the lifecycle and enable enterprise risk reporting.

The right risk management technology architecture choice for an organization often involves integration of several components into a core risk management platform solution to facilitate the integration and correlation of risk information, analytics, and reporting. Organizations suffer when they take a myopic view of risk management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real time in which the business operates.

Some of the core capabilities organizations should consider in a risk management platform are:

  • Internal integration. Risk management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization. So the ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be taggable so it can be routed to the right subject matter expert, establishing workflow and tasks for review and analysis. The platform should also provide standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with risk in the context of performance, risk, and compliance. Contextual awareness requires that risk management have a central nervous system to capture signals found in processes, data, and transactions, as well as changing risks and regulations, for interpretation, analysis, and holistic awareness of risk in the context of performance.
  • Support for multiple risk frameworks. The risk management technology architecture should allow the organization to harmonize risk management across the organization. The business can use different risk management frameworks in different parts of the organization and still integrate risk data and reporting with an enterprise perspective.
  • Define and map objectives and controls to risk. Controls are used to mitigate and monitor risk. Every control in the environment maps to the risks addressed, using an integrated risk and control framework. Risk technology should allow for complete integration and reporting on objectives and controls in the context of their relationship to risk across the enterprise.
  • Establish and communicate risk policy. Risk technology should allow the organization to develop, approve, and communicate policies to address risk. This establishes expectations and a culture around risk, including risk capacity, tolerance, appetite, accountability, and controls.
  • Manage loss and incidents. Loss represents the materialization of risk and must be documented and fed into risk models. Risk technology enables the management of incidents and records loss as an integrated component of a risk management process.
  • Allocate risk accountability. Risk management requires that someone is responsible for risk. Risk without an owner is like a leaf blowing in the wind. Risk technology tracks accountability and ownership through its risk taxonomy, and enforces accountability through task management, workflow, and escalation. Through reporting and metrics, owners see risk from different perspectives and understand the risks they are responsible for.
  • Advanced risk reporting and trending. Risk technology manages and monitors risk at the enterprise level and within individual departments. This permits detailed reporting, dashboards, trending, and analytics that scale to the needs of the department or enterprise. Organizations can establish and monitor risk metrics through KRIs and map them to objectives and processes. Reporting is customizable and scalable to context and level of detail appropriate to the audience — whether process owner, manager, executive, or board member.
  • Risk analytics and modeling. Mature risk technology should support a breadth of risk analytics and modeling to meet the diverse needs of groups across the business. The solution can track and model spending to treat risk in the context of exposure.
  • Understand the interrelationship of risk. Risk technology provides for identification and categorization of risk into hierarchical structures to effectively manage and assign accountability. However, individual risks can also relate to risk outside of a hierarchical model. The risk information architecture allows for hierarchical categorization of risk, as well as mapping and relationship of risk that does not always fit into neat hierarchies.

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management

  • Role of Risk Content & Intelligence in a Risk Management Strategy. Attend GRC 20/20’s next Research Briefing to learn about the range of risk intelligence and content offerings available in the market that can enable a GRC strategy and integrate with GRC technology solutions. GRC 20/20 has mapped over 125 providers of GRC intelligence and content with more than 350 content offerings across these providers.
  • Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
  • Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.


Do You Know Your Third-Party Risks?

Increasing Exposure to Third-Party Risks

The Modern Organization is an Interconnected Mesh of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mesh of relationships and interactions that span traditional business boundaries. Over half of an organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third-party business relationships. Third-party problems are the organization's problems; they directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries, as organizations bear responsibility for the actions or inactions of their extended third-party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

There are particular challenges in managing bribery and corruption, social accountability, international labor standards, human rights, information security, privacy, quality, environmental, health and safety, and more across the organization's relationships. Growing regulatory pressures from the US FCPA, UK Bribery Act, UK Modern Slavery Act, US Conflict Minerals, EU Conflict Minerals, California Transparency in Supply Chains Act, PCI DSS, OCC requirements, HIPAA, and much more all put pressure on third-party risk management.

Inevitable Failure of Silos of Third Party Governance

Governing third-party relationships, particularly in the context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments react to third-party management in silos, and the organization fails to implement a coordinated strategy for third-party management across the enterprise. Organizations manage third parties differently across departments and functions, with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts on the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to intricate risk and compliance exposures that are not aggregated and evaluated in the context of the organization's goals, objectives, and performance expectations for the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many target third-party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third-party relationships, and often react to similar requirements without collaborating with other departments, which increases redundancy and inefficiency.
  • Interconnected third-party risks that are not visible. The organization's risk exposure across third-party relationships is growing increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship (or others) the result can be significant. Organizations often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third-party oversight. Allowing different departments to go about third-party management without coordination, collaboration, and consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third-party oversight, breeding an anarchic approach to third-party management and leaving the organization with no end-to-end visibility and governance of third-party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third-party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. Doing so requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third-party information. When things go wrong, there is no robust audit trail of who did what, when, how, and why; what records exist are easily covered up or manipulated.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties, the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often analyzed only during on-boarding to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third-party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third-party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more. The organization must monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third-party relationships. Just as much as the organization itself is changing, each of the organization's third parties is changing, introducing further risk exposure.
  • Third-party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often, metrics from service level agreements (SLAs) focus on the third party's delivery of products and services but do not include monitoring of risks, particularly compliance and ethical considerations.

When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance in an integrated way. It is time for organizations to step back and define a cross-functional strategy to govern risk in third-party relationships, supported and automated with information and technology.

Organizations need to have an approach with a supporting information and technology architecture that enables:

  • Identification and management of the range of third parties across the organization
  • Evaluation and monitoring of third-party risks across the organization
  • Prioritization of control and mitigation efforts in the context of third-party risk exposure
  • Management of the lifecycle of each third-party relationship, from on-boarding to off-boarding
  • Conducting initial and ongoing due diligence on third parties based on risk exposure
  • Monitoring and tracking of individual third-party relationships as well as groups of relationships (e.g., by type of relationship, type of risk, or geography)
  • Providing a system of record and audit trail that serves as evidence when under legal or regulatory scrutiny

What are your thoughts and concerns on third-party management? Please post your comments below. If you have a question on third-party management best practices or solutions in the market, please submit an inquiry.


Third Party Management Research from GRC 20/20 . . .

GRC 20/20 will be releasing a detailed written Market Landscape: Third Party Management Solutions later in April that includes market definition, segmentation, sizing, forecasting, solutions in the space, drivers, trends and more.
