Defining Third-Party GRC Management

Dissociated data, systems, processes, and a myopic risk vision leave the organization with fragments of the truth that fail to show the big picture of third-party performance, risk, and compliance across the enterprise and how it supports the organization's strategy and objectives. The organization needs holistic visibility and situational awareness into third-party relationships across the enterprise. The complexity of business, combined with the intricacy and interconnectedness of third-party data, requires that the organization implement a third-party GRC management strategy. 

The primary directive of a mature third-party GRC management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third-party relationships in the context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. In the end, third-party GRC management is more than compliance and more than risk but is also more than procurement. 

The integrity of the organization relies on the integrity of its third-party relationships. As a result, organizations are re-evaluating their internal core values, ethics, and standards of conduct and how this extends and is enforced across third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, conduct with others (e.g., customers, partners), and security in third-party relationships. 

The organization has to maintain operations amid uncertainty and change. This requires a holistic view of each third-party relationship’s objectives and performance in the context of the uncertainty and risk within that relationship. The organization has to be resilient, with full situational awareness of the interconnected risk environment. Given the reliance on third-party relationships, this requires a holistic view of the governance, risk management, and compliance of each third-party relationship and how it serves and provides value to the organization. 

Third-party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in and across the organization’s third-party relationships. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, third-party GRC delivers:

  • Third-party governance. It starts with integrated governance of third-party relationships and monitoring relationships across the extended enterprise to ensure they meet the objectives and purpose the relationship was established for, thus returning value to the organization. 
  • Third-party risk management. Understanding the governance objectives of the relationship sets the context to then assess, analyze, and monitor the uncertainty and risk in the relationship. Risk, by official definition, is the effect of uncertainty on objectives. Thus, each relationship (or each component of the relationship, such as a contract or service level agreement) has its objectives, and uncertainty must be managed against those objectives.
  • Third-party compliance. Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values across its third-party relationships. Compliance follows through on risk treatment plans to assure that risk is being managed within limits and that controls are in place and functioning within each relationship to mitigate risk.

GRC 20/20 has identified three approaches organizations take to manage third-party relationships:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration. Distributed and siloed third-party initiatives never see the big picture and fail to put third-party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how third-party management processes can meet a range of needs. An ad hoc approach to third-party GRC management results in poor visibility into the organization’s relationships. As there is no framework for bringing the big picture together, there is no possibility to be intelligent about third-party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third-party performance and strategy, leading to greater exposure than any silo understood by itself. 
  • Monarchy – one size fits all. If the anarchy approach does not work, then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department be in charge of third-party GRC management that does not fully understand the breadth and scope of third-party risks and needs scattered across the entire organization. The needs of one area may shadow the needs of others. From a technology perspective, it may force many parts of the organization into managing third-party relationships with the lowest common denominator and watering down third-party management. Further, there is no one-stop shop for third-party management, as there are various pieces to third-party management that need to work together. 
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third-party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in third-party GRC management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third-party relationships. It allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third-party management, focusing on coordination and collaboration through a common core architecture that integrates and plays well with other systems. This is true third-party GRC management.

Value of a Third-Party GRC Approach

The lack of a coordinated strategy for third-party GRC management fails to deliver insight and context, rendering it nearly impossible to make a connection between risk management and decision-making, business strategy, objectives, and performance in and across relationships. This results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. 

In contrast, a third-party GRC strategy with common processes, information, and technology gets to the root of the problem. Leading organizations are adopting a common framework, architecture, and shared processes to manage third-party GRC, increase efficiencies, and enable an agile response to the needs of a dynamic and distributed business environment. Mature third-party GRC delivers better business outcomes because of stronger governance, which will:

  • Lower costs, reduce redundancy, and improve efficiencies.
  • Deliver consistent and accurate information.
  • Continuously (e.g., daily) monitor and assess third parties by using external data sources that provide regular updates on risk data. 
  • Improve decision-making and insight into what is happening across business relationships.
  • Enable the organization to defend itself with a robust third-party governance program designed to mitigate risk and ensure integrity of relationships – aligned with the value and commitments of the organization.

The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design.

The Extended Enterprise Demands Attention

The Modern Organization is an Interconnected Web of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.

John Donne

Replace the word ‘man’ with ‘organization’, and the seventeenth-century English poet John Donne is describing the modern organization. In other words, “No organization is an island unto itself; every organization is a piece of the broader whole.” 

The structure and reality of business today have changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and sub-contracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise. 

In this context, organizations struggle to govern their third-party relationships and often manage risk and compliance in relationships in silos that fail to see the big picture of risk exposure and its impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries, though. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable. It must ensure that third-party partners behave appropriately. 

The business’s ability to reliably achieve corporate objectives directly depends on the governance of third-party relationships and whether the organization has established the right relationships and can reliably achieve objectives in the relationship. In addition, the organization’s ability to manage uncertainty, risk, and resiliency in its relationships requires that the relationship’s objectives, values, and risks be managed together. 

Corporate integrity and the ability of the organization to comply with regulations, commitments, and values are measured by its relationships as well. The saying, “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization. 

Inevitable Failure of Silos of Third-Party Governance

Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure. Siloed information and/or reactive, document-centric, and manual processes fail to actively govern relationships and manage risk and compliance in the context of the third-party relationship and broader organizational objectives and values. Silos leave the organization blind to the intricate relationships of risk and compliance exposures that fail to get aggregated and evaluated in the context of the overall relationship and its goals, objectives, and performance. 

Failure in third-party governance comes about when organizations have: 

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geopolitical risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third-party relationships; different parts of the organization end up finger-pointing, thinking others are doing this. Or the opposite happens: different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third-party risks that are not connected. The organization’s risk exposure across third-party relationships is becoming increasingly interconnected. A risk in one area may seem minor, but when factored into other risk exposures in the same relationship can become significant. The organization lacks complete visibility or understanding of the scope of risk in third parties that are material to the organization.
  • Silos of third-party oversight. This is when the organization allows different parts of the organization to go about third-party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third-party oversight. This leads to the unfortunate situation of the organization having no end-to-end visibility of third-party relationships.
  • Document and email-centric approaches. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for things to get overlooked, and silos of third-party management get buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult to get a comprehensive, accurate, and current analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on siloed third-party information. When things go wrong, document trails are easily covered up and manipulated, as they lack a robust audit trail of who did what, when, how, and why.  
  • Scattered and non-integrated legacy third-party risk technologies. When different parts of the organization use legacy internal third-party risk solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization is often limited in capabilities and depth in the governance of third-party relationships. This leads to a significant amount of redundancy and inefficiency, which impacts effectiveness while also encumbering the organization when it needs to be agile. 
  • Processes focused on onboarding only. Risk and compliance issues are often only analyzed during the onboarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third-party relationship. 
  • Inadequate processes to manage change. Governing third-party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geopolitical, economic, and operational risks across the globe in the context of its third-party relationships. Just as much as the organization itself is changing, each of its third-party relationships is changing, introducing further risk exposure. 
  • Third-party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to analyze and monitor risk and compliance exposures fully. Often, metrics are focused on third-party delivery of products and services but do not include evaluating risks such as compliance, security, resiliency, and ethical considerations. 
  • Managing third-party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third-party management strategy, the organization and its various departments never see the big picture and fail to put third-party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third-party needs—an ad hoc approach to third-party management results in poor visibility across the organization. There is no framework or architecture for managing risk and compliance as an integrated part of the business. When the organization approaches third-party management in scattered silos that do not collaborate, there is no possibility of being intelligent about third-party performance, risk management, and compliance while understanding its impact on the organization.

This is More Than Third-Party Risk Management

Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impede third-party relationships and the business’s ability to manage them. 

The world of business is distributed, dynamic, and disrupted. It is distributed across a web of relationships. It is dynamic as business and relationships change day-by-day – processes change, employees change, relationships change, regulations change, risks change, and objectives change. The ecosystem of business relationships is complex and interconnected. It requires a holistic, contextual awareness of third-party GRC (governance, risk management, and compliance) rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem. This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. 

Third-party risk management is not enough. Organizations are shifting their focus towards third-party GRC management. It starts with the governance of relationships. The relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities, etc.) need to be clearly defined and governed. It is only after a clear understanding of the objectives (and the governance of those objectives) that risk/uncertainty and compliance/integrity can be managed in the context of the relationship to deliver those objectives. Organizations need to develop a more assertive approach to governance of relationships to ensure greater risk, resiliency, and integrity in and across relationships to deliver value to the organization. 

This challenge is even greater when third-party risk management is buried in the depths of departments and operating from silos, rather than as an integrated discipline of decision-making that has a symbiotic relationship with the performance and strategy of relationships. 

The bottom line: The modern business depends on and is defined by the governance, risk management, and compliance of third-party relationships to ensure the organization can reliably achieve objectives, manage uncertainty, and act with integrity in each of its third-party relationships. A haphazard department- and document-centric approach to third-party risk management compounds the problem and does not solve it. It is time for organizations to step back and move from third-party risk management to third-party GRC management with a cross-functional and coordinated strategy and team to define and govern third-party relationships. Organizations need to address third-party GRC with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk, and compliance and how it impacts the organization.  

The above blog is an excerpt from GRC 20/20’s latest research paper, Third Party GRC Management by Design.

Relationship Trouble: The Pandemic’s Web of Interconnected Risks

Below is Michael Rasmussen’s article found in the Summer 2021 issue of Enterprise Risk, published by the Institute of Risk Management (The IRM).

Before last year, risk managers knew they were living in an interconnected world. The pandemic showed them what disruption to that web of connections really meant. It is time to learn the lessons.

Martin Luther King Jr stated: “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” This statement is true in our individual relationships, and it is true in an organisation’s relationships in the extended enterprise.

That is because the structure and reality of business today has changed. It is not the same as it was a few decades back. Bricks-and-mortar walls do not define today’s business, nor is it defined by traditional employees. The modern organisation is supported by an interrelated structure of business relationships. It is an interconnected and interdependent web of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners and others. Business today relies and thrives on third-party relationships; this is the extended enterprise.

Governance

The business’s ability to reliably achieve corporate objectives directly depends on the governance of third-party relationships and whether the organisation can reliably achieve objectives in each relationship. The organisation’s ability to manage uncertainty, risk and resiliency requires that risk be managed in third-party relationships. The integrity and ability of the organisation to comply with regulations, commitments and values are measured by the integrity of its relationships as well.

The saying “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organisation. The modern business depends on, and is defined by, the governance, risk management and compliance of third-party relationships (third-party GRC) to ensure the organisation can reliably achieve objectives, manage uncertainty and act with integrity.

Third-party GRC is in a state of growing maturity and evolution. The year 2020 brought many third-party management lessons through trials and tribulations worldwide, and as a result, 2021 is aiming for greater resiliency and integrity in risk management across the extended enterprise.

What we learnt in 2020

We cannot understand the 2021 trends in third-party GRC without understanding what transpired in 2020. The last year has taught organisations many lessons in third-party management, which provide the foundation for the 2021 trends . . .

[THE REST OF THIS ARTICLE CAN BE DOWNLOADED IN ITS PUBLISHED FORM AT NO CHARGE]

Integrating a Top-Down Board View of GRC With a Bottom-Up Operational View of GRC

In my previous post, The Board’s Role in Leading and Enabling GRC, I emphasized the board’s critical role in delivering on the G in GRC, governance. This post discusses how to bring together a top-down board view of GRC and a bottom-up operational view of GRC.

I find civil engineering amazing, particularly with tunnels. Consider the Tunnel of Eupalinos. This is a tunnel over one kilometer in length that goes through Mount Kastro in Samos, Greece. It was built in the 6th century BCE to be an aqueduct. Amazingly, it was dug simultaneously from both sides of the mountain to have the two separate tunneling digs meet in the middle. That is an incredible feat of engineering 2,700 years ago!

If the ancient Greeks can build a tunnel coming together to meet in the middle, then organizations should be able to deliver an integrated GRC strategy that delivers a top-down view of GRC from the board to meet up with a bottom-up view of GRC in operations . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE DILIGENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Second Wave of the Policy Management Pandemic

COVID-19 is not the only pandemic; it has sprung a chain of pandemics and increased risk exposure in several areas. One such pandemic plaguing organizations in response to COVID-19 is the abysmal state of policy management in many organizations. The pandemic of poor policy management related to COVID-19 is now entering its second wave of impact on organizations.

The first wave of the policy management pandemic coincided with the beginning of lockdowns back in March 2020 in response to COVID-19. As organizations addressed the COVID-19 virus, they found out they had serious issues with policy management at a critical time. Policies were changing (e.g., work-from-home policies, home office expense policies). Staff were being laid off, so those who remained had more responsibilities and had to be aware of more policies that impact processes they were not responsible for before. There were increased risks that required reminding employees of policies (e.g., fraud, bribery, corruption, information security, privacy). It was then that organizations found that they had policies scattered across different systems and templates, and with varying writing styles. One organization told me they found out they had over 20 different policy portals. At a time of crisis, it was essential to maintain a strong culture of control and engage employees on policies . . . organizations needed one singular policy portal. As a result, there was a boom in enterprise policy management projects.

Now we are facing a second wave of a policy management pandemic tied to COVID-19 that is driving even more organizations to formalize enterprise policy management processes and provide a singular portal for employees to access policies. This is the pandemic of rogue policies.

The issue is the significant legal liability and exposure that rogue policies bring to the organization, and their negative impact on culture, consistency, and integrity. As organizations come out of a crisis, they are thoughtfully addressing back-to-work policies, policies on the use of personal protective equipment, and even vaccine policies. However, various levels of management think they are a little smarter than the rest of the organization. Some might believe the virus is a hoax and scrap the corporate policies that have been developed for their teams. Others might think the organization is too relaxed and write policies that require their staff to be vaccinated, which could cross lines of employment and labor law in some jurisdictions.

In an era where everyone has access to a word processor, the organization must control policies. It does this by providing a singular portal into all policies, where official policies are found in a company-defined and branded template, indexed and numbered, and written in a consistent writing style. All official policies should be available on a singular policy portal. Combating rogue policies requires that employees know how to recognize an officially approved policy and report anything communicated to them as a policy that is not.

As 14 months ago, I see many organizations define and structure their enterprise policy management programs to address rogue policies and again renew the effort to provide a singular portal into all company policies across human resources, finance/accounting, legal, corporate compliance, security, and more. Where are you with your enterprise policy management strategy?

Looking for training and certification on enterprise policy management?
Check out www.PolicyManagementPro.com . . .

Modern Slavery Risk Assessments in the Extended Enterprise: A Quick Guide

In my first post, A Quick Guide to ESG and Risk Management in the Extended Enterprise, I outlined what ESG (environmental, social and governance) is and how it impacts third-party risk management. Next, we looked deeper into a specific aspect of Governance in ESG: anti-bribery and corruption (ABAC). This post discusses a social aspect: how modern slavery can impact your extended enterprise.

What Is Modern Slavery and How Does It Apply to Modern Supply Chains?

Modern slavery exists when people are subjugated by companies and controlled by threats of harm or debts they cannot repay. Human trafficking is a related term used to describe when people are moved between countries (e.g., the slave trade). Slavery is found in the supply chains of corporations producing materials and products, as well as in the forced labor of children making products in factories. In fact, 40 million people are estimated to be enslaved around the world today, resulting in $150 billion in ill-gotten profits every year.

The good news is the world has been taking action. Governments in several countries have passed legislation requiring organizations to report on modern slavery in their supply chains. A few examples of legislation include . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE PREVALENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Board’s Role in Leading and Enabling GRC

Gone are the years of simplicity in business operations. Exponential growth and changes in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

GRC (governance, risk management, and compliance) by definition starts with the G for governance. Because of the board’s role in corporate governance, one would think that GRC is a board-driven strategy and initiative. However, the opposite is most often the case. It is the R for risk management and C for compliance that drive most GRC initiatives – and fail to engage senior executives and the board who ultimately have fiduciary obligations for all aspects of GRC.

Understanding GRC in Context

Let’s unpack GRC to provide context to what it truly is. GRC, as detailed in the OCEG GRC Capability Model, drives Principled Performance. It is a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. The flow starts with governance, which provides context for risk management and compliance:

  • Governance – reliably achieve objectives. This is the governance function of . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE DILIGENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

There is a new CIO in town . . . the Chief Ethics and Compliance Officer (CECO)

There is a new CIO in town . . . the Chief Ethics and Compliance Officer (CECO). This is not to replace the Chief Information Officer; rather, the CECO is an executive focused on the organization’s integrity: the Chief Integrity Officer.

Back in 1992, I remember being in the backcountry of Montana hiking with some friends. I was carrying with me my longbow (yes, I love all things medieval, and the English longbow has long been an interest to me). We were on top of this rock overlooking a small mountain lake. Across the lake, there was an old tree that had fallen into the water. I looked over at my friends and stated I would shoot an arrow across the lake and hit that log in the water. They laughed at me; it was a long shot, not one of those point-the-arrow-at-the-target shots, but one of those shoot-the-arrow-up-into-the-air-in-an-arc-to-get-the-distance-needed-to-hit-the-target shots. I pulled my bow back and let the arrow fly. It flew gracefully in an arc and landed to embed itself in the log in the water across the lake.

Back in 2004, I made another shot. I stated that the CECO is mislabeled, that the role of compliance and ethics is beyond checkboxes and compliance but is the bastion of the organization’s integrity. I stated back then that the CECO should be renamed the CIO, the Chief Integrity Officer. The shot was fired high, and it arced over the years to land solidly in 2021.

The role of the CECO is changing, and it is for good. This role continues to move out of legal to become its own executive function focused on compliance and ethics. As it grows and establishes itself, it is focused more and more on the organization’s integrity, particularly as it is this role that is leading ESG – environmental, social, and governance – strategies for the organization.

Integrity is a mirror revealing the truth about an individual or a corporation. It involves walking the talk — not just talking it.

On a personal level, integrity is measured by what an individual does and does not do when no one is looking. Do they hold to their values, beliefs, and ethics? Or do they compromise and do the opposite of what they believe is right?

Integrity is the same at the corporate level. Does the organization’s reality reflect what is stated in corporate reports, filings, ESG statements, regulatory compliance, and stakeholder communications? Does the organization walk its talk or just talk a talk?

Integrity is violated when corporate policies and procedures are thrown out the window in the quest for personal or corporate gain. From an organization’s perspective, personal and corporate integrity are two sides of the same coin. In order for a corporation to have integrity, it must have an ethical environment with employees and business partners willing to follow and enforce corporate culture, policies, and procedures. From an individual’s perspective, an employee or partner wants to make sure they are working with a corporation aimed at doing the right thing and is in sync with their values and beliefs.

Consider the words of Aristotle . . .

We are what we repeatedly do. Excellence then is not an act but a habit.

Aristotle

Integrity itself is not something that is written on paper, but something that is lived and breathed in the organization. Integrity is a mirror reflecting what the organization truly is. Does the organization’s communication match that reflection, or does it portray to the world something that really does not exist?

The role of the CECO is becoming firmly rooted in establishing, maintaining, and monitoring the integrity of the organization. What it commits to in values, ethics, code of conduct, policies, regulatory obligations, contractual commitments . . . is it a reality that the organization lives and operates by? It is the role of the CECO to monitor and ensure corporate/organization integrity. In the 2021 era of ESG, this role of being the Chief Integrity Officer is more critical than ever and is fundamentally evolving and changing the role of the CECO.

I have mentioned in previous posts that it is a good thing that the CECO comes out of legal to be an operationally functional department that has a direct line of communication to the board of directors and senior executives. In my idealistic view of the world, it is also critical that this role not get buried in risk management. Integrity is critical to today’s modern organization. This role and function provide a balance to the forces of risk management that keeps the organization on the track of integrity.

Here are some of the resources I have published on compliance and ethics management that can assist readers in developing an organization of integrity and the role of a Chief Integrity Officer . . .

A Quick Guide to Anti-Bribery & Corruption (ABAC) Risk in the Extended Enterprise

In my previous post, A Quick Guide to ESG and Risk Management in the Extended Enterprise, I outlined what environmental, social and governance (ESG) is and how it impacts third-party risk management. This post expands on a specific aspect of governance in ESG: anti-bribery and corruption (ABAC).

ABAC Risk and Compliance

Organizations today face a tremendous amount of bribery and corruption risk – especially as they conduct business globally. Anti-bribery and corruption laws govern business transactions and prohibit exchanges of value that illegally influence the actions of either party in a transaction. There is a range of laws meant to enforce ABAC measures – from the U.S. Foreign Corrupt Practices Act (FCPA, passed in 1977) to more recent legislation such as the U.K. Bribery Act (2010) and France’s Sapin II (2016). In fact, 46 different countries have bribery and corruption laws. These laws address bribery in business transactions, often focusing on the actions of foreign government officials.

Enforcement of ABAC laws is expanding . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE PREVALENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

ESG is about to ROCK the Third-Party Risk World

The extended enterprise defines business today. An organization is not defined by brick and mortar walls and traditional employees. The organization is a web of third-party relationships of suppliers, vendors, outsourcers, service providers, distributors, contractors, consultants, brokers, dealers, agents, and more. The actions and behavior of these third parties impact and shape the reputation and brand of the organization. Their risk issues are the organization’s risk issues.

Third-party risk programs are about to change significantly. In the past, there was a dominant focus on information security and privacy risk in these relationships. They also were fragmented where different departments monitored and managed their silos of risk without seeing the big picture of risk across a third-party relationship. This is changing. There is a growing array of regulations that will restructure how organizations define and manage risk in the extended enterprise.

In particular, there is pending legislation with an expansive scope that is expected to pass this summer: the EU Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence, alongside Germany’s corresponding Corporate Due Diligence Act. These are SIGNIFICANT pieces of legislation that are expected to become law in the next few months.

The scale and impact of these laws will be global. Think EU GDPR (General Data Protection Regulation) in scope. Organizations around the world have had to respond to GDPR because they hold EU citizen data. These two pieces of legislation have a potentially global impact with significant teeth.

Consider that the governing EU directive, which is to become country law in each EU member country, is projected to impact any organization with operations in Europe (it does not have to be headquartered in Europe) that has more than 250 employees and/or more than €50 million in annual revenue. So if an organization has any presence in Europe, regardless of where it is headquartered, it will have to address the requirements coming from this directive. Germany’s legislation is the first EU country legislation to support this directive and is expected to become law in the same timeframe in which the EU directive gets finalized.

These laws are more than reporting requirements; they will have teeth. They are NOT like the United Kingdom Modern Slavery Act and California’s Transparency in Supply Chains Act. These new laws are expected to have significant enforcement penalties and sanctions and large administrative fines (similar to anti-trust and GDPR fines). They require thorough and continuous due diligence of third-party relationships in the context of environmental practices, social and human rights, and governance to address corruption.

Here are a few excerpts from the published notes on the draft directive:

  • For the purposes of this Directive, due diligence should be understood as the obligation of an undertaking to take all proportionate and commensurate measures and make efforts within their means to prevent adverse impacts on human rights, the environment, or good governance from occurring in their value chains, and to address such impacts when they occur.
  • In practice, due diligence consists in a process put in place by an undertaking in order to identify, assess, prevent, mitigate, cease, monitor, communicate, account for, address, and remedy the potential and/or actual adverse impacts on human rights, including social, trade union and labour rights, on the environment, including contribution to climate change, and on good governance, in its own operations and its business relationships in the value chain.
  • Due diligence should not be a ‘box-ticking’ exercise but should consist of an ongoing process and assessment of risks and impacts, which are dynamic and may change on account of new business relationships or contextual developments.

This is going to fundamentally change and restructure third-party risk management programs. I have advocated that organizations need to move beyond scattered silos of third-party risk oversight to create an integrated third-party GRC (governance, risk management, and compliance) program. This unifies a single approach to govern risk in third-party relationships and delivers a 360° contextual awareness of risk in relationships. It also is more than risk management; it is also about the governance of these relationships to ensure they reliably achieve objectives, address uncertainty, and act with integrity in each relationship in the extended enterprise.

The writing is on the wall: as the EU GDPR changed the world’s understanding of and approach to privacy, this new EU directive and Germany’s law will change how organizations manage and monitor risk in the extended enterprise. Organizations should start defining an integrated strategy for third-party GRC to address these forthcoming requirements in a unified and consistent approach.