Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, and intermediaries. The web grows more complex still through nested relationships in subcontractors and supply chains. Approximately half of a typical organization’s “insiders” are no longer employees but third party relationships.

The issues organizations face in managing vendor and third party risks keep multiplying. They range from anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Bribery Convention) to human rights and slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity and more.

However, one of the fastest-growing challenges organizations face is information/cybersecurity across third party relationships, particularly vendor relationships. A significant number of information/cybersecurity breaches originate in third party vendor relationships, and it is not only IT vendors that put organizations at risk. The 2013 Target breach began with network credentials stolen from a heating, ventilation and air conditioning (HVAC) contractor that had access to a Target vendor portal; the vendor’s business was facilities, not IT, but its connection made it part of Target’s attack surface. The practical lesson is that a vendor’s security risk is driven by the data it handles and the access or connectivity it holds, not by what it sells. With the Internet of Things (IoT) upon us, it has become critical for organizations to address information security in and across their third party relationships.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follows:

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

Additionally, here are some of my research papers that I have published on this topic:

Increasing Exposure of Third Party Risks 

The Modern Organization is an Interconnected Mess of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in the context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments react to third party management in silos, and the organization fails to implement a coordinated, enterprise-wide strategy for third party management.

The challenge: Can you attest to the governance, risk management, and compliance of third parties across your organization’s business relationships?

Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to intricate risk and compliance exposures that are never aggregated and evaluated in the context of the organization’s goals, objectives, and performance expectations for the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship (or others) the result can be significant. Organizations often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, and consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and breed an anarchic approach to third party management, leaving the organization with no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. Producing one requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong, there is no robust audit trail of who did what, when, how, and why; what records exist are easily covered up or manipulated.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties, the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as the organization itself is changing, each of the organization’s third parties is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach results in poor visibility across the organization because there is no framework or architecture for managing third party risk and compliance in an integrated way. It is time for organizations to step back and define a cross-functional strategy to govern risk in third party relationships, supported and automated with information and technology.



Compliance and Risk Bear Down on the Organization 

Compliance in Dynamic and Distributed Business

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to compliance risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political and geographic environments). What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and other obligations? 

Compliance obligations and ethical risk are like the hydra in mythology: organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of risk and compliance. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure the two stay in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance and risk management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance risk management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance risk in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency and agility. The organization ends up with a variety of processes, applications and documents to meet individual compliance needs. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple risk and compliance assessments asking the same questions in different formats. Limited visibility across the risk landscape ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive risk and compliance strategies managed in information silos handicap the business. Bewildered by a maze of approaches, processes and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide co-dependencies. This fragmented view creates gaps that cripple compliance management and a business ill-equipped for aligning compliance initiatives to business objectives.

Compliance Risk Management: Does Your Organization Walk its Talk?

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance risk management boils down to defining – and maintaining – corporate integrity.

Most companies today at least try to address the legal requirements and compliance obligations bearing down on them. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance are evolving from scattered silos into a strategic enterprise pillar.

Today’s business entity must ensure compliance risk is understood and managed company-wide. That its obligations are more than written policies, but part of the fabric of operations. That a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure.

The Bottom Line: Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance risk, whether its activities are effective, and how they are enhancing shareholder value. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance risk from the top down. The breadth and depth of compliance risk bearing down on companies today requires a robust compliance program operating in the context of integrated enterprise risk management.


Policy Management Demands Attention

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Policies matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient policy programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, and eighth-grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy. Because policies establish a legal duty of care, unauthorized and misaligned policies that were never approved expose the organization to liability it never intended to take on.
  • Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations to policy. The organization has no information about where policy is breaking down, and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.

Inevitable Failure of Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

If policies do not conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department- and document-centric approaches to policy management of the past compound the problem rather than solve it. It is time for organizations to step back and approach policy management with a strategy and architecture that manage the ecosystem of policy programs throughout the organization, with real-time information about policy conformance and how it impacts the organization.

Check out GRC 20/20’s additional policy management resources . . .

Workshop: Policy Management by Design Workshop in Dallas, October 11th

  • This is a complimentary full day interactive workshop to help organizations define a policy management strategy, write a policy on writing policies (meta-policy), define a policy management lifecycle, understand the role of technology in policy management, and build a business case for policy management. This workshop is only open to individuals managing policies in their internal environment and is not open to solution providers or consultants.

Research Briefing: How to Purchase Policy Management Solutions & Platforms

  • This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting policy management solutions and technologies. It reviews critical capabilities needed in policy management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Inquiry: Ask GRC 20/20 Your Questions on Policy Management

  • The challenge is: how do you find the right policy management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.

RFP Template & Support: Policy Management RFP Requirements Template

  • GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our policy management RFP criteria library. Simply email [email protected] and we can scope your needs for a RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.


The Critical Foundation of Third Party Management is Technology

In previous posts we looked at the following:

  1. How to Develop a Third Party Management Strategy
  2. How to Define a Third Party Management Process Lifecycle

Now we turn our attention to the foundation of information and technology that supports and enables a third party management strategy and process . . .

Third party management fails when information is scattered, redundant, unreliable, and managed as a system of parts that do not integrate and work as a collective whole. The third party management information architecture supports the process architecture and overall third party management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support third party processes. The third party management information architecture involves the structural design, labeling, use, flow, processing, and reporting of third party management information to support third party management processes.

A successful third party management information architecture will be able to integrate information across third party management systems, ERP, procurement solutions, and third party databases. This requires a robust and adaptable information architecture that can model the complexity of third party information, transactions, interactions, relationships, cause and effect, and analysis of information, and that integrates and manages:

  • Master data records. This includes data on the third party such as address, contact information, and bank/financial information.
  • Third party compliance requirements. Listing of compliance/regulatory requirements that are part of third party relationships.
  • Third party risk and control libraries. Risks and controls to be mapped back to third parties.
  • Policies and procedures. The defined policies and procedures that are part of third party relationships.
  • Contracts. The contract and all related documentation for the formation of the relationship.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships as well as aggregate sets of relationships.
  • Third party databases. The information connections to third party databases used for screening and due diligence purposes such as sanction and watch lists, politically exposed person databases, as well as financial performance or legal proceedings.
  • Transactions. The data sets of transactions in the ERP environment that are payments, goods/services received, etc.
  • Forms. The design and layout of information needed for third party forms and approvals.

Third Party Management Technology Architecture

The third party management technology architecture operationalizes the information and process architecture to support the overall third party management strategy. The right technology architecture enables the organization to effectively manage third party performance and risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for third party management that connects the fabric of third party management processes, information, and other technologies together across the organization. Many organizations see third party management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships.
  • Point solutions. Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
  • ERP and procurement solutions. There is a range of solutions that are strong in the ERP and procurement space and have robust capabilities in contract lifecycle management, transactions, and spend analytics. However, these solutions are often weak in overall third party governance, risk management, and compliance.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have third party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance and do not always have the complete view of performance management of third parties. These solutions are often missing key requirements such as third party self-registration, third party portals, and established relationships with third party data and screening providers.
  • Third party management platforms. These are solutions that are built specifically for third party management and often have the broadest array of built-in (versus built-out) features to support the breadth of third party management processes. In this context they take a balanced view of third party governance and management that includes performance of third parties as well as risk and compliance needs. These solutions often integrate with ERP and procurement solutions to properly govern third party relationships throughout their lifecycle and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.

The right third party technology architecture choice for an organization often involves integrating several components into a core third party management platform to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real time in which business operates.

Some of the core capabilities organizations should consider in a third party management platform are:

  • Internal integration. Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization – procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical.
  • External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.
  • Content, workflow, and task management. Content should be tagged so it can be routed to the right subject matter expert, establishing workflow and tasks for review and analysis, with standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with third party relationships in context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.

Third Party Networks – Streamlining Third Party Management

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see its individual third party relationships (the tree) as well as the interconnectedness of those relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationships and impacts in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional to cause; in the non-linear world of business, third party risk is exponential. Business is chaos theory realized. The small flutter of a third party risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential and unpredictable.
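One concrete way to see the forest rather than only the tree is to model third party relationships, including nested subcontractors, as a dependency graph and ask which internal processes a single failure would reach. The following is an added example, not code from the original article or from GRC 20/20; the processes, vendors and subcontractors in it are constructed sample data, and the names are hypothetical.

```python
"""Third party dependency graph: the tree (one relationship) and the forest
(everything that transitively depends on it).

Added example, not part of the original article. All relationships below
are constructed sample data.
"""
from collections import defaultdict, deque

# Constructed sample data. Each edge reads "X depends on Y".
# Internal processes depend on first-tier vendors; vendors in turn depend
# on their own subcontractors (nested, fourth-party relationships).
DEPENDS_ON = {
    "payroll":           ["hr-saas"],
    "online-store":      ["payments-gw", "cdn"],
    "facilities":        ["hvac-maint"],
    "hr-saas":           ["cloud-host-a"],
    "payments-gw":       ["cloud-host-a", "fraud-screen"],
    "cdn":               ["cloud-host-b"],
    "hvac-maint":        ["remote-access-svc"],
    "fraud-screen":      ["cloud-host-a"],
    "remote-access-svc": [],
    "cloud-host-a":      [],
    "cloud-host-b":      [],
}

# The organization's own processes; every other node is a third party.
INTERNAL_PROCESSES = {"payroll", "online-store", "facilities"}


def reverse_graph(depends_on):
    """Build 'Y is depended on by X' edges from 'X depends on Y' edges."""
    depended_by = defaultdict(set)
    for node, deps in depends_on.items():
        for dep in deps:
            depended_by[dep].add(node)
    return depended_by


def blast_radius(depends_on, failed):
    """Every node that transitively depends on `failed`
    (breadth-first search over the reversed edges)."""
    depended_by = reverse_graph(depends_on)
    seen, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for parent in depended_by.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def affected_processes(depends_on, failed, processes=INTERNAL_PROCESSES):
    """Internal processes disrupted if `failed` goes down, sorted by name."""
    return sorted(blast_radius(depends_on, failed) & processes)


def concentration_report(depends_on, processes=INTERNAL_PROCESSES):
    """For every third party at any tier, count the internal processes that
    ultimately depend on it. The top entries are the hidden single points of
    failure that a per-relationship (tree) view does not reveal."""
    third_parties = set(depends_on) - processes
    counts = {tp: len(affected_processes(depends_on, tp, processes))
              for tp in third_parties}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for third_party, n in concentration_report(DEPENDS_ON):
        print(f"{third_party:18s} supports {n} internal process(es)")
```

In the sample data no internal process contracts with cloud-host-a directly, yet it sits beneath two of the three processes through different first-tier vendors; that is the kind of concentration a relationship-by-relationship review misses.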

The challenge is that third parties are being inundated with requests for information, assessments, and more. The chaos of these many-to-many communications is slowing down relationships at a time when they need to be more nimble and agile. Organizations are looking to subscribe to a network (or networks) that provides validated third party profile management and data sharing they can trust. If further information is needed they can send that request to their third parties, but rely on what has already been submitted for the core of what they do. This reduces the time, cost, and complexity of managing and gathering third party profile information and streamlines third party management for all involved.

When looking at third party management solutions to support the third party management strategy and architecture, organizations should evaluate and keep in mind what the solutions they are evaluating are doing in context of third party networks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management strategy, process, and information/technology architecture. Check out . . .

Other webinars that build on How to Define a Third Party Management Process Lifecycle include:

How to Define a Third Party Management Process Lifecycle

The third party management strategy and policy is supported and made operational through a third party management architecture. The organization requires complete situational and holistic awareness of third party relationships across operations, processes, transactions, and data to see the big picture of third party performance and risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to third party management architecture. The architecture defines how organizational processes, information, and technology are structured to make third party management effective, efficient, and agile across the organization and its relationships.

There are three areas of the third party management architecture:

  • Third party management process architecture
  • Third party management information architecture
  • Third party management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organization's requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for third party management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for third party management instead of finding the technology that best fits their process and information needs.

Third Party Management Process Architecture

Third party management architecture starts with the process architecture. Third party management processes are a part and subset of overall business processes. Processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships.

The third party management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes third party management processes, each process’s components and interactions, and how third party processes work together as well as with other enterprise processes.

While third party processes can be very detailed and vary by organization and industry, there are four general third party management process areas that organizations should have in place:

  1. Third party identification & onboarding. This is the collection of processes aimed at automating a standard, objective approach for identifying third parties to work with and onboarding them through the collection of third party data and the conduct of appropriate due diligence.
    • Purpose & identification. This is the process to identify new third parties, or existing third parties to contract with for new business purposes. Third party identification will detail the purpose of the relationship and include an initial definition of the performance, risk, and compliance requirements and concerns in the relationship so the proper relationship can be identified.
    • Qualification & screening. Once a third party has been selected, the next step is the qualification and screening process to validate that the third party can meet the requirements of the relationship and does not introduce unwarranted risk and compliance exposure. The screening process goes through due diligence steps to ensure that the third party is the right fit for the organization. Relationships, particularly high risk ones, are evaluated against defined criteria to determine whether the relationship should be established or avoided.
    • Contracting & negotiation. Upon passing initial qualification and screening, the next set of processes is contracting and negotiation, to come to terms and establish the relationship.
    • Registration & onboarding. When contracting and negotiation are complete the organization moves into registration and onboarding. The registration process may have already started in the qualification and screening phase to gather information, but it concludes with setting up the third party in the system with master data records, financial and payment information, contact information, insurance, and licensing documentation. Further steps of the onboarding process are communication of the code of conduct and related policies, obtaining attestations to these, completing associated training requirements, and conducting initial audits and inspections (if more are needed and were not done in the qualification and screening stage).
  2. Ongoing context monitoring. On an ongoing basis, and separate from the monitoring of individual relationships, this is the process of monitoring the external risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify evolving opportunities, risks, and regulatory requirements that impact the overall third party management program. A variety of regulatory, environmental, economic, geopolitical, and internal business factors can affect the success or failure of any given business relationship, including the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geopolitical risks. It also involves monitoring the relevant legal and regulatory environments in the corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
  3. Third party communications & attestations. These are the set of ongoing processes to manage the communications and interactions with the third party throughout the relationship lifecycle. These are done on a periodic (e.g., annual) basis or when certain risk conditions are triggered.
    • Policy communications & reminders. The regular communication and reminders to third parties about code of conduct and related policies and procedures they need to follow.
    • Training. The regular training of third parties on matters of conduct, policies, and procedures.
    • Attestation. The regular attestation by third parties to their behavior and conformance to policies and contractual requirements.
    • Self-assessments. The regular surveys and assessments sent to third parties for them to evaluate themselves and send back to the organization.
    • Reporting. The regular reporting on third parties on aspects of the relationship and in that context of performance, risk, and compliance.
  4. Third party monitoring & assessment. This stage includes the array of processes to continuously monitor third party relationships over their lifecycle in the organization. These activities are the ones typically done within the organization to monitor and assess the third party relationship on an ongoing basis.
    • Issue reporting & resolution. Even the most successful business relationships encounter issues. This is the process for capturing issues and their details that arise in third party relationships. Issue reporting processes may be internal and done by employees and management, by the third parties themselves, or through external sources such as customer complaints.
    • Performance monitoring. Performance monitoring processes are in place to monitor the health of the relationship, satisfaction of service level agreements, and value the relationship is providing.
    • Risk monitoring. Risk monitoring processes identify and evaluate potential risks relevant to each third party relationship throughout their lifecycle in the organization.
    • Compliance monitoring & ongoing due diligence. The processes in place to monitor relationships for ongoing conformance to compliance requirements. This includes ongoing due diligence and screening processes.
    • Audit & inspections. The processes in place to exercise right to audit clauses and do onsite inspections of third party premises and facilities.
  5. Forms & approvals. The set of internal processes to collect and report information and route things for approval in context of third party relationships.
    • New vendor/supplier request.
    • Gifts, hospitality & entertainment.
    • Political & charitable contributions.
    • Facilitated payments.
  6. Metrics & reporting. Processes to gather metrics and report on third party relationships at the relationship level or in aggregate.
  7. Third party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships.
    • Relationship renewal. Managing the process of renewing contracts and relationships under existing, revised, or new terms.
    • Off-boarding & retirement. Off-boarding and retiring relationships that are no longer needed.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Other webinars that build on How to Define a Third Party Management Process Lifecycle include:

How to Develop a Third Party Management Strategy

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to wipe the slate clean and approach third party management by design with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.

Third Party Management by Design

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent. (Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.)

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy of their interrelationships as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts on the entire ecosystem. This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to see the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into third party relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of third party data require that the organization implement a third party management strategy.

Different Approaches Organizations Take in Managing Third Parties

The primary directive of a mature third party management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage third party relationships:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed third party initiatives never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how third party management processes can be designed to meet a range of needs. An ad hoc approach to third party management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about third party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third party performance and strategy, leading to greater exposure than any silo understood by itself.
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department be in charge of third party management that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing third party relationships with the lowest common denominator and watering down third party management. Further, there is no one-stop shop for everything third party management as there are a variety of pieces to third party management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in third party management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

In the end, third party management is more than compliance and more than risk, but is also more than procurement. Using the definition for GRC – governance, risk management and compliance – third party management is a “capability to reliably achieve objectives [governance], while addressing uncertainty [risk], and act with integrity [compliance]” across the organization’s third party relationships.

Third Party Management Strategic Plan

Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy. The strategic plan is the foundation that enables third party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

The core elements of the third party strategic plan include:

  • Third party management governance team. The first piece of the strategic plan is building the cross-organization third party governance team (e.g., committee, group). This team needs to work with third party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in third party management and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party management charter. With the initial collaboration and interaction of the third party management team in place, the next step in the strategic plan is to formalize this with a third party management charter. The charter defines the key elements of the third party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of third party management, the members of the third party governance team, and define the overall goals, objectives, resources, and expectations of enterprise third party management. The key goal of the charter is to establish alignment of third party management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
  • Third party management policy. The next critical item to establish in the third party management strategic plan is the writing and approval of the third party management policy (and supporting policies and procedures). This sets the initial third party governance structure in place by defining categories of third parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all third party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Related upcoming webinars that build on How to Develop a Third Party Management Strategy include:

Providing 360° Contextual Awareness of Risk

Monitoring and Managing Risk Effectively

A Challenge for Boards, Executives, and Risk Management Professionals

Organizations take risks all the time but fail to monitor and manage risk effectively. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business.

Organizations Need to Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. For some organizations, risk management is only an expanded view of routine financial controls, is nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this misperception, organizations remain keenly interested in how to improve risk management.

Risk is pervasive throughout organizations; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at project and department levels, and build as organizations develop operational and enterprise risk management strategies.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third party, strategic, insurance, and hazard risks. Enterprise and operational risk management become a challenge when the risk management strategy forces everyone to conform to one flat view of risk, creating significant issues in risk normalization and aggregation as risks roll up into enterprise risk reporting.

Selecting the Correct Risk Technology Is Crucial to Success

In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. Indeed, for many industries risk management is so fundamental to the success of their business model that it is indoctrinated throughout their core policies and operating procedures.

Organizations have adopted a wide range of technologies for risk management. Some are broad enterprise or operational risk platforms. Some solutions can be very narrow and limiting in which different departments lose capabilities they need, while other solutions can be very broad and adaptable. There are a variety of very focused risk solutions that excel at specific areas of risk management. These include:

  • Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply in a very specific risk area, such as commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
  • Solutions focused on department/function risk management needs. These are solutions aimed at managing risks within a common department/functional area, providing a common platform that specializes in risk within that area, such as information security, health & safety, corporate compliance, audit, finance, treasury, and more.
  • Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
  • Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
  • Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
  • Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
  • Tools for risk management. Then there are a range of solutions that assist in risk management, but do not fit in one of the other areas. They are tools to do surveys/questionnaires/assessments. Or they assist in modeling risk such as Monte Carlo tools or Bayesian modeling.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on an information architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations must evaluate:

  • Does the organization understand the risk exposure of each individual process/project and how it interrelates with other risks and aggregates into an enterprise perspective of risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their own view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common information and technology architecture to support overall risk management activities from the project level up through an enterprise view. Whether for a project or department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Organizations need to clearly understand the breadth and depth of their risk management technology requirements and select the solution that is agile and flexible enough to meet the range of the organization's risk management needs today and into tomorrow.
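The normalization and aggregation problem raised in the section on flat views of risk, and the federated answer given in the bottom line above, can be made concrete with a small roll-up layer: each silo keeps its native scale, a per-silo normalizer maps it onto a common [0, 1] range with range checks, and the enterprise view keeps the worst case and its provenance rather than a single averaged number. This is an added example, not code from the original article or from GRC 20/20; the scales, the risk appetite figure and the register entries are constructed for illustration.

```python
"""Normalizing heterogeneous departmental risk scores before rolling them up.

Added example, not part of the original article. Scales, the appetite
figure and the register entries below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskEntry:
    silo: str     # department that owns the rating
    name: str
    raw: object   # the score exactly as that silo records it


# Per-silo normalizers: each maps its native scale onto [0.0, 1.0] and
# rejects values outside the scale instead of silently clamping them.
def _five_by_five(raw):
    """Information security: (likelihood 1-5, impact 1-5), product 1..25."""
    likelihood, impact = raw
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError(f"out of range 5x5 rating: {raw}")
    return (likelihood * impact - 1) / 24


def _ordinal(raw):
    """Third party management: Low / Medium / High / Critical."""
    levels = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}
    try:
        return levels[raw.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown ordinal rating: {raw!r}")


def _expected_loss(raw, appetite=5_000_000):
    """Finance: annualised expected loss in dollars, scaled against an
    assumed risk appetite ceiling; anything at or above it scores 1.0."""
    return min(max(raw, 0) / appetite, 1.0)


NORMALIZERS = {
    "infosec": _five_by_five,
    "third-party": _ordinal,
    "finance": _expected_loss,
}


def normalize(entry):
    """Common-scale score for one register entry (rounded to 3 places)."""
    try:
        fn = NORMALIZERS[entry.silo]
    except KeyError:
        raise ValueError(f"no normalizer registered for silo {entry.silo!r}")
    return round(fn(entry.raw), 3)


def roll_up(entries):
    """Enterprise view: report the average and the worst case, plus where
    the worst case came from, instead of one flat number that hides it."""
    scored = [(normalize(e), e) for e in entries]
    worst_score, worst = max(scored, key=lambda pair: pair[0])
    return {
        "mean": round(mean(score for score, _ in scored), 3),
        "max": worst_score,
        "max_source": f"{worst.silo}:{worst.name}",
    }


# Constructed sample register: three silos, three different scales.
REGISTER = [
    RiskEntry("infosec", "unpatched-vpn-appliance", (4, 5)),
    RiskEntry("third-party", "payments-gw-subprocessor", "High"),
    RiskEntry("finance", "fx-exposure", 750_000),
    RiskEntry("infosec", "stale-contractor-accounts", (2, 3)),
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(f"{entry.silo:12s} {entry.name:28s} -> {normalize(entry)}")
    print(roll_up(REGISTER))
```

The averaged score for the sample register lands in the middle of the scale while the worst entry is near the top; reporting both, with the owning silo attached, is what lets an enterprise view stay traceable back to the department that measured the risk on its own terms.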

Watch on demand GRC 20/20’s guidance on the Risk Management technology market and what makes a basic, common, and advanced risk management solution or platform . . .

Enabling an Integrated Compliance Lifecycle

Inevitability of Failure

Ineffective Processes to Manage Regulatory Change and Compliance

Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year, making change the single greatest challenge for organizations in the context of compliance. Each vortex of change is hard to monitor and manage individually, let alone to gain an understanding of how they impact each other.

Keeping current with regulatory change and keeping the organization’s policies and procedures up to date and linked to compliance requirements is not easy. Regulators across industries and jurisdictions are requiring that compliance is not just operationally effective, but also well documented. However, organizations often do not have adequate processes or resources in place to monitor regulatory change and maintain compliance. Organizations struggle to be proactive and intelligent about regulatory developments, failing to prioritize and revise impacted policies as needed. Instead, most organizations end up firefighting, trying to keep the flames of regulatory change under control.

Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to processes and resources:

  • Frequency of change and number of information sources overwhelm. The frequency of updates from the regulators themselves is challenging, and then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory content that require time-intensive analysis in order to properly understand the potential impact on the business and determine the actions required to comply.
  • Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions were taken as a result, or if the task was transferred to someone else. This environment produces a lack of visibility into the status of compliance obligations—there is uncertainty regarding ownership of initial review and an inability to sufficiently track what actions were taken as a result, let alone obtain reliable information on which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail. The manual and document-centric approach to regulatory change lacks defensible audit trails, which regulators require. This leads to gaps in accountability and a lack of integrity in compliance records regarding who reviewed which change and what action was taken as a result. The lack of an audit trail can be conducive to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks an overall information architecture and thus is inadequate to effectively report on the number of changes, ownership of the review process, the status of business impact analysis, and courses of action. An inability to make sense of data collected in manual processes and thousands of documents exposes the organization to significant risks.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change management without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent in organizations and coming from all directions. When information is trapped in scattered documents and emails, the organization lacks a full perspective of regulatory change and business intelligence. As a result, the organization struggles with inefficiency and cannot adequately prioritize the most important and relevant issues in order to make informed decisions.
  • No accountability and structure. Ultimately, there is insufficient accountability for regulatory change management, and the process fails to be agile, effective, and efficient in its use of resources. The regulatory change process must install strict accountability for subject matter expert review and analysis, compliance obligation task ownership and the ongoing monitoring of outstanding tasks to ensure that compliance deadlines are met.

The bottom line: Processes for managing regulatory change often constitute a myriad of subject matter experts that monitor regulatory change on an ad hoc basis and rely on email to communicate compliance tasks to stakeholders. Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management.

Enabling 360° Insight & Control of Third Party Relationships

The Extended Enterprise Demands Attention

Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organisation is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Two decades ago the term insider was synonymous with employee, now over half of the insiders in many organisations are not employees; they are contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more.

The extended enterprise of third party relationships brings on a range of risks that the organisation has to be concerned about. Managing third party risk has risen to be a significant regulatory, contractual, and board level governance mandate. Organisations need to be fully aware of the risks in third party relationships and manage this risk throughout the lifecycle of the relationship, from on-boarding to off-boarding of a third party.

Third party risks that are of primary concern to organisations include:

  • Bribery, Corruption, & Fraud
  • Conflict Minerals
  • Corporate Social Responsibility
  • Environmental, Health & Safety
  • Information Security
  • International Labour Standards (e.g., child labour, forced labour)
  • Physical Security
  • Privacy
  • Slavery & Human Rights

These risks pose significant reputational, financial, and operational concerns. They also pose a growing burden of regulatory concern and oversight (e.g., UK Modern Slavery Act, UK Anti-Bribery Act).

As organisations confront the growing exposure in third party risks, they soon realise that the scattered, redundant, ad hoc approaches of the past are not sustainable. Third party risk can no longer be managed by different departments doing similar things in different ways, often with a mountain of emails, documents, and spreadsheets that are out of date and cost a significant amount of employee time to keep on top of. Managing third party risk requires a structured and integrated process, supported by an information and technology architecture, that can address the range of third party risks consistently without things slipping through the cracks.

An effective third party risk management process enables . . .

The rest of this post can be found as a guest blog on the SureCloud Blog . . .

READ MORE: https://www.surecloud.com/blog/enabling-360-degree-insight-control-third-party-relationships