The governance, risk management, and compliance (GRC) across third party relationships (e.g., vendors, suppliers, contractors, agents) is a significant challenge for organizations. Organizations today are not defined by brick and mortar walls or traditional employees. The modern organization is a complex web of nested business relationships and transactions. GRC 20/20, in our research, is interacting with organizations around the world that are developing strategies, processes, and implementing information and technology to address GRC of third party relationships. The challenges are many faceted and organizations are finding that they need a federated and consistent approach to third party management that addresses the needs of a range of departments and issues. These span:
- Anti-bribery and corruption (e.g., US FCPA, UKBA, France’s Sapin II)
- Human rights and slavery (e.g., UK Modern Slavery Act, Conflict Minerals, California Transparency in Supply Chains Act)
- Information security and privacy (e.g., GDPR, OCC Vendor Risk Management, PCI DSS)
- Labor standards (e.g., child labor, forced labor, working hours, wages)
- Environmental (e.g., traceability, sustainability, CSR)
- Health and Safety (e.g., disasters, injuries, loss of life)
- Financial stability
- Business continuity
- Operational risk
- Ethics and Code of Conduct
- And the list goes on . . .
I am in the United Kingdom this week and have interacted with organizations over here on many of these topics. Big issues impacting third party management include Brexit, GDPR, UK Modern Slavery Act, UK Bribery Act, France’s Sapin II has come up a few times.
GRC 20/20 defines Third Party Management as:
Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organizations third party relationships/extended enterprise (adapted from the OCEG GRC definition).
Needless to say, the breadth and scope of third party risk and compliance concerns are legion. Last week I taught my Third Party Management by Design workshop in Philadelphia (this workshop is being done next week in New York City as well). There were about 20 companies registered and they identified the following challenges at the beginning of the workshop:
- Understanding who are our 3rd Parties? Status? Rank? Active contracts?
- Managing third parties across distributed departments and business units
- Across Which Business Units
- Validating that third parties have controls in place
- Managing compliance across a range of regulatory requirements
- Developing a culture of third party trust but verify
- How to manage data breach and incident notification? How do we know when a third party has an issue?
- Measuring financial impact and potential damage/exposure of third parties
- Remediation verification of control gaps and inspection issues of third parties
- How to manage changes in scope of the 3rd party services
- Managing third parties across mergers and acquisitions
- Building a business case for time and resources to manage third parties
- Managing right to audits and inspections effectively and efficiently.
- How do we provide validation and risk rating
- Defining who are critical third parties are that can cause us the most exposure
- Managing 4th parties down through nested supply chain and subcontracting relationships
- Identifying and fully mapping all 3rd party relationships
These topics and more were discussed and collaborated on by participants in last weeks workshop and the discussion will begin anew with next weeks workshop in New York City.
Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.
When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.
Third Party Management Workshop
GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:
- Third Party Management by Design Workshop, New York
- November 14th