360° Risk Intelligence in the Extended Enterprise

The Modern Organization is an Interconnected Web of Relationships

The structure and reality of business today has changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. Instead, the modern organization is an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries. Even the smallest organization can have dozens of relationships that they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.

With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships become even more critical. Without effective GRC, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives. 

In a dynamic risk environment, resiliency requires agility and the ability to navigate great uncertainty.  Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence with insights to both assess the current and future risk landscape and drive sagacious action. 

The Inevitability of Failure: Fragmented Views of Third-Party Risk

Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices. Recent technological advances in automation, machine learning, and data science enable organizations to be more effective and do more with fewer resources, but unfortunately, too many organizations have failed to seize the opportunity to evolve beyond expensive and inefficient legacy solutions.    

Failure in third-party GRC comes about when organizations rely on outdated risk practices including: 

  • Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and architecture. The risk posed by a third party for one business function may seem immaterial but is actually significant when factored into multiple risk exposures across all of the business functions relying on the same third party. Without a single pane of visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated. 
  • Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. In reality, truly effective continuous monitoring and mitigation of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone. 
  • Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data. In addition, when things go wrong, these manual processes neither support agility nor a robust feedback loop to improve processes going forward.
  • Limited view of risk vectors. Organizations often over-rely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location and Nth parties. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage.
  • Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs. 
  • Overreliance on periodic assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship with only periodic re-assessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.  
  • Inadequate incident response. How organizations respond to incidents can often dictate how quickly and adequately they mitigate risk. Most enterprises often respond to an incident today by sending a survey to all their third parties asking them if they have been impacted. This process takes time, often with low response rates and then has the added burden of how to assess and report on the responses. Most importantly, this is at a point in time and so often a wasted effort. Incidents and impact often unfold over time and the best approach is one that is real-time and continuous.
  • Negative news services can overwhelm risk teams. Risk intelligence has the potential to overwhelm organizations. Information feeds from various sources such as legal, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators can drown the risk team as they struggle to monitor a growing array of regulations, legislation, corporate ratings, geopolitical risk, and enforcement actions. Risk intelligence that requires weeding through an exorbitant volume of notifications that includes noise and false positives to identify relevant risks only compounds the problem. One needs an intelligent system that can deliver accurate and actionable insights and remove the noise.

The bottom line: The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure. It is time for organizations to step back and move from legacy practices, defined by manual processes and periodic assessments, to a third-party risk intelligence architecture that includes integrated full-spectrum real-time feeds of situational awareness that impacts the extended enterprise and operations. 

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: 360° Risk Intelligence in the Extended Enterprise:
Ensuring Agility, Resiliency & Integrity in Third-Party Performance.

The 3 Lifecycle Stages of Vendor Security Risk Management: Ongoing Monitoring

This is the second of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the ongoing monitoring process.

Too often organizations conduct security due diligence when onboarding a third party (e.g., vendor, supplier, outsourced, service provider, consultant) and fail to monitor security throughout the lifecycle of the relationship. Ongoing security monitoring throughout a relationship is critical to protect the organizations.

Organizations are dynamic, they are in a constant state of change. Regulations are changing, risk is changing, and internal business processes, employees, and technology is changing. As much as an organization’s business has changed it is important to remember that each and every third party they do business with has changed.

A third party might have been the right third party to contract with two years back, but are they still the right third party? Are they current with security controls and processes? A third party, over the course of time, has evolving oversight, processes, employees, and technology. What might have been a secure relationship a year ago, or several years ago, may not be a secure relationship today. 

This is further complicated that security impacts a wider range of third parties than it has in the past. It used to be that it was predominantly IT vendors that were an information security risk. Today, in the interconnected digital economy, any third party providing service to any part of the business may be connected to the organizations network and have access to information. The Internet of Things further complicates this as the microwave in the break room now poises a security threat when in the past it did not.

Five Necessities of Security Monitoring

Organizations need to have established processes in place to monitor security throughout the lifecycle of a relationship. This includes . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]

Understanding Third Party GRC Maturity: Ad Hoc Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 1, the Ad Hoc level of Third Party GRC

Organizations at the Ad Hoc stage of maturity have . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

Step 1: Develop a 3rd Party GRC Strategic Plan

I grew up in the Northwest corner of Montana, a beautiful but wild country. From my earliest years I loved the outdoors. In fact, long before any aspirations to build a career in Governance, Risk Management & Compliance (GRC), I wanted to be a backcountry ranger in Glacier National Park. To spend time in the outdoors requires planning and a respect for the outdoors. To go trekking requires a plan of where you are going so you know who and what to bring with you on that journey. This planning is exactly what organizations need in context of 3rd party governance/management.

The greatest challenge upon organizations in the context of GRC is the governance, risk management, and compliance of the range of 3rd party relationships. We have reorganized, outsourced, and distributed business around the world. Today’s modern organization is not a traditional brick and mortar business. Organizations are now defined by a complex, intricate, interconnected, and nested web of relationships and transactions. Traditional employees no longer define who works for an organization as over half of our insiders are now outsourcers, service providers, contractors, consultants, temporary workers, suppliers, vendors, brokers, agents, dealers, intermediaries, customers, partners, and even competitors who collaborate and work with us. Their issues, challenges, and problems are your organization’s issues, challenges, and problems. These relationships bring significant value but also significant risk as well as compliance and integrity concerns.

This is compounded by the growing array of risks and regulations that impact the organization and its extended relationships. Such as:

  • Anti-bribery and corruption (US FCPA, UK Bribery Act, Sapin II, OECD)
  • Business/supplier continuity
  • Data privacy & protection (EU GDPR, California CCPA, information security)
  • Ethics & Values (vendor/supplier code of conduct)
  • Geopolitical risk
  • Human rights (US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, international labor standards)
  • Import/export compliance
  • Quality (ISO 9000)
  • Environmental, Health & Safety (REACH, RoHS)
  • And more . . .

GRC 20/20 defines 3rd Party GRC (or 3rd party management, or what some more narrowly call vendor risk, supplier risk, etc.) as:

“the capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across and down throughout an organizations third party relationships: the extended enterprise.”

Adapted from the OCEG GRC Definition

The challenge and danger many organizations face in the journey to manage these relationships is a haphazard approach in which there is no careful and strategic plan. The organization, in its various departments, randomly addresses aspects of 3rd party GRC without thinking about the big picture. The result is a lot of redundancy, gaps, inefficiency, lack of agility and effectiveness, and thing slipping through the cracks. IT security has their approach, procurement is doing their thing, legal/compliance/ethics are doing something else, other groups such as quality, environmental, health and safety all have their approaches. Some are using documents, spreadsheets, and emails to govern third parties, others are using siloed commercial tools, and some are only putting out fires when a problem arises. No one sees the big picture and there is no coordinated effort to govern these relationships strategically to ensure that the value they are delivering outweighs the risk and exposure bring as well.

GRC 20/20 has identified three approaches organizations take to manage 3rd party relationships:

  • Anarchy – ad hoc department silos.  This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed 3rd party initiatives never see the big picture and fail to put 3rd party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how 3rd party GRC processes can be designed to meet a range of needs. An ad hoc approach to 3rd party GRC results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about 3rd party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on 3rd party performance and strategy leading to greater exposure than any silo understood by itself. 
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has issues as well. Organizations run the risk of having one department be in charge of 3rd party GRC that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing 3rd party relationships with the lowest common denominator and watering down 3rd party management. Further, there is no one-stop shop for everything 3rd party GRC as there are a variety of pieces to 3rd party management that need to work together. 
  • Federated – an integrated and collaborative approach.The federated approach is where most organizations will find the greatest balance in collaborative 3rd party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in 3rd party GRC participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in 3rd party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems. 

The modern organization has to have a strategic plan to govern 3rd party relationships to ensure they reliably achieve the objectives they were established for while managing the uncertainty and risk and act with the integrity and values that is expected of them. This requires a cross-department strategic plan, coordination, and collaboration on 3rd Party GRC. Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy.  The strategic plan is the foundation that enables thi3rdrd party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. 

The core elements of the third party strategic plan include:

  • Third party governance team. The first piece of the strategic plan is building the cross-organization 3rd party governance team (e.g., committee, group). This team needs to work with 3rd party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in 3rd party GRC and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party GRC charter. With the initial collaboration and interaction of the 3rd party GRC team in place, the next step in the strategic plan is to formalize this with a 3RD party GRC charter. The charter defines the key elements of the 3rd party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of 3rd party GRC, the members of the 3rd party governance team, and define the overall goals, objectives, resources, and expectations of enterprise 3rd party GRC. The key goal of the charter is to establish alignment of 3rd party GRC to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
  • Third party governance policy.The next critical item to establish in the 3rd party GRC strategic plan is the writing and approval of the 3rd party GRC policy (and supporting policies and procedures). This sets the initial 3rd party governance structure in place by defining categories of 3rd parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all 3rd party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

Efficient and Effective Third-Party GRC Management

Modern Organization: Interconnected Maze of Relationships

Traditional brick and mortar business are a thing of the past. Physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships, with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation, while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them, and fail to actively manage and understand the interrelationship of third parties across the organization.

The fragmented governance of third party relationships, through disconnected silos, leads the organization to inevitable failure. Reactive, document-centric, and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship, as well as the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources – Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected – The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight –Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
  • Document and email centric approaches –When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report onsupply chain data. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies –When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency – impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only –Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change –Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, etc. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe – in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships are changing – introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance –Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services, but do not include monitoring risks such as compliance and ethical considerations.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated supply chain data management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance – resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches data management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance, and understand its impact on the organization.

The bottom line: A haphazard department, and document centric approach for third party management, compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy, as well as teams to define and govern third party relationships. Third party management is, “A capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its 3rdparty relationships”. Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about performance, risk, and compliance, and how it impacts the organization.


GRC 20/20 Events & Resources for Third Party Management Include . . .

Upcoming Third Party Management Webinars

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions

Managing Risk & Compliance in the Extended Enterprise

Modern Organization: Interconnected Maze of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.
[1]

Replace the word ‘man’ with ‘organization’ and the seventeenth-century English poet John Donne is describing the post-modern twenty-first century organization. In other words, “No organization is an island unto itself, every organization is a piece of the broader whole.”

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them and fail to actively manage and understand the interrelationship of third parties across the organization.

The challenge:“Can you attest to the governance, risk management, and compliance of the organization’s extended business relationships?”

Typical response: Organizations tend to look at the formation of a third party relationship and fail to foresee issues that cascade and cause damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship.

The fragmented governance of third party relationships through disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance.  Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship and the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected. The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight.Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
  • Document and email centric approaches.When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies.When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency, impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only.Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change.Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance.Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[2]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into third party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Third party management is “a capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrityin and across its 3rdparty relationships.[3]Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.


GRC 20/20 Events & Resources for Third Party Management Include . . .

Third Party Management Workshop

GRC 20/20 will be leading a complimentary interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions


[1]A famous line from English Poet John Donne’s Devotions Upon Emergent Conditions(1624) found in the section Meditation XVII.

[2]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

[3]GRC 20/20’s adaption of the OCEG definition of GRC found in the OCEG GRC Capability Model applied to third party management.

Addressing the Challenges of Third Party Management/GRC

The governance, risk management, and compliance (GRC) across third party relationships (e.g., vendors, suppliers, contractors, agents) is a significant challenge for organizations. Organizations today are not defined by brick and mortar walls or traditional employees. The modern organization is a complex web of nested business relationships and transactions. GRC 20/20, in our research, is interacting with organizations around the world that are developing strategies, processes, and implementing information and technology to address GRC of third party relationships. The challenges are many faceted and organizations are finding that they need a federated and consistent approach to third party management that addresses the needs of a range of departments and issues. These span:

  • Anti-bribery and corruption (e.g., US FCPA, UKBA, France’s Sapin II)
  • Human rights and slavery (e.g., UK Modern Slavery Act, Conflict Minerals, California Transparency in Supply Chains Act)
  • Information security and privacy (e.g., GDPR, OCC Vendor Risk Management, PCI DSS)
  • Labor standards (e.g., child labor, forced labor, working hours, wages)
  • Environmental (e.g., traceability, sustainability, CSR)
  • Health and Safety (e.g., disasters, injuries, loss of life)
  • Financial stability
  • Business continuity
  • Operational risk
  • Ethics and Code of Conduct
  • And the list goes on . . .

I am in the United Kingdom this week and have interacted with organizations over here on many of these topics. Big issues impacting third party management include Brexit, GDPR, UK Modern Slavery Act, UK Bribery Act, France’s Sapin II has come up a few times.

GRC 20/20 defines Third Party Management as:

Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organizations third party relationships/extended enterprise (adapted from the OCEG GRC definition).

Needless to say, the breadth and scope of third party risk and compliance concerns are legion. Last week I taught my Third Party Management by Design workshop in Philadelphia (this workshop is being done next week in New York City as well). There were about 20 companies registered and they identified the following challenges at the beginning of the workshop:

  • Understanding who are our 3rd Parties? Status? Rank? Active contracts?
  • Managing third parties across distributed departments and business units
  • Across Which Business Units
  • Validating that third parties have controls in place
  • Managing compliance across a range of regulatory requirements
  • Developing a culture of third party trust but verify
  • How to manage data breach and incident notification? How do we know when a third party has an issue?
  • Measuring financial impact and potential damage/exposure of third parties
  • Remediation verification of control gaps and inspection issues of third parties
  • How to manage changes in scope of the 3rd party services
  • Managing third parties across mergers and acquisitions
  • Building a business case for time and resources to manage third parties
  • Managing right to audits and inspections effectively and efficiently.
  • How do we provide validation and risk rating
  • Defining who are critical third parties are that can cause us the most exposure
  • Managing 4th parties down through nested supply chain and subcontracting relationships
  • Identifying and fully mapping all 3rd party relationships

These topics and more were discussed and collaborated on by participants in last weeks workshop and the discussion will begin anew with next weeks workshop in New York City.

Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.

Third Party Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Governance, Risk Management and Compliance of Third Party Relationships

One of the greatest challenges upon organizations today is governing third party relationships, particularly the risk and compliance aspects of these relationships. Organizations today are dynamic, distributed, and face constant disruption and this is exponentially impacted by the number and variety of third party relationships in an organization.

Consider that over half of many organizations ‘insiders’ are no longer traditional employees. Brick and mortar walls no longer define the organization. An employee no longer defines the organization. The organization itself is mesh of nested business relationships, transactions, connections, and interactions. Organizations consist of vendors, suppliers, outsourcers, service providers, consultants, contractors, temporary workers, brokers, deleters, intermediaries, agents, and more. These often nest themselves in layers of relationships that impact the organization. The issues down the supply chain are the organizations issues and risks.

This is compounded by the ongoing change organizations are facing. Changing business, changing regulations, and changing risks. As much as the core organization is changing, all of these relationships are constantly changing as well. They might have been the right organization to contract with three years a go, but they have changed and may not be today.

There are a growing array of regulations and legal liabilities impacting organizations in context of third parties. Consider . . .

  • Anti-bribery and corruption (e.g., US FCPA, UK Bribery Act, Sapin 2)
  • Human rights/slavery (e.g, US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act)
  • Privacy and information security (e.g., GDPR, PCI DSS, HIPAA, GLBA, PIPEDA)
  • International labor standards (e.g., child labor, forced labor, working hour, working hours)
  • Quality
  • Environmental
  • Health & safety
  • Geo-political risk
  • Business continuity
  • And more . . .

Organizations cannot haphazardly manage third parties, they need a structured and governed process to see that risk and compliance is addressed in these relationships. GRC 20/20 is interacting in our research with organizations around the world developing third party risk management strategies and looking to define processes and solutions to address the growing challenge of third party governance, risk management, and compliance (GRC). This includes working with large global organizations on their social accountability and third party advisory boards, to helping companies develop strategies and select the right technology to manage third party risk, to identifying business value for an integrated and cross functional team on third party risk GRC.

GRC 20/20’s definition of Third Party Management/GRC is adapted from the OCEG GRC definition. It is . . .

Third party management is a capability that enables an organization to: reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT, act with integrity [COMPLIANCE] in and across it’s third party relationships.

GRC 20/20 offers a variety of resources to organizations looking at developing their Third Party Management/GRC strategy. This includes our foundational written piece of research, Third Party Management by Design.

GRC 20/20 will be facilitating two upcoming (and complimentary) workshops on Third Party Management by Design in the next month. Complimentary registration is open to individuals responsible or part of a strategy for managing their organizations array of third party relationships. The format is a workshop and collaboration. While there are lecture portions to the day, the goal is learn through collaboration with peers and interaction on workshop activities. The upcoming workshops are:

  • Third Party Management by Design Workshop, Philadelphia, November 2. Blueprint for an Effective, Efficient & Agile Third Party Management Program. Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organisation is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Organizations are a mixture of contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more. The extended enterprise of third party relationships brings on a… Find out more »
  • Third Party Management by Design Workshop, New York, November 14. Blueprint for an Effective, Efficient & Agile Third Party Management Program. Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organization is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Organizations are a mixture of contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more. The extended enterprise of third party relationships brings on a range of… Find out more »

GRC 20/20 also offers a recorded Research Briefing to guide organizations on how to purchase Third Party Management/GRC solutions:

As part of GRC 20/20’s research, we offer complimentary inquiry to organizations working on strategies and exploring technology solutions. Simply ask GRC 20/20 your questions on third party management strategy, process, as well as information and technology solutions that we monitor in the market as part of our research.

Other GRC 20/20 Third Party Management resources can be found at: http://grc2020.com/product-category/grc-functional-area/third-party-management/

GRC Archetypes: Third Party Management

Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organizations third party relationships/extended enterprise (adapted from the OCEG GRC definition).

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mesh of relationships and interactions that span traditional business boundaries. Over half of an organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

Third party compliance requirements are growing at a staggering rate. Human rights, social accountability/labor standards, privacy, security, ethical sourcing, environmental, health and safety, and quality compliance and risk requirements are growing upon organizations. GRC 20/20 is monitoring the impact of regulations such as the UK Modern Slavery Act, US Foreign Corrupt Practices Act, UK Bribery Act, OECD Anti-Bribery Convention, PCI DSS, EU GDPR, US Conflict Minerals, EU Conflict Minerals, California Transparency in Supply Chains Act, France Sapen 2, and more impact third party management strategies in organizations.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

THE QUESTION: How is your organization approaching third party management? Can you map yourself to one of the following GRC archetypes of third party management?

  • Fire Fighter. Your organization approaches third party management in an ad hoc fly by the seat of your pants approach. Third party management is not structured and only addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue before you and not thinking strategically about third party management. Third party management is addressed in manual processes with documents, spreadsheets, and emails but only for reactive purposes.
  • Department Islander. In this archetype, your organization has a more structured approach to third party management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in third party management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for third party management, or still be relying on manual processes with documents, spreadsheets, and emails.
  • Compliance/Risk Collaborator. This is the archetype in which your organization has cross-department collaboration for third party management to provide consistent processes and structure for third party management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage third party risks to meet regulatory requirements and not a serious look at the governance, risk management, and compliance of third party relationships. Most often there is a broader third party management platform deployed to manage third party compliance, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Corporate Citizen. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Third party management is more than meeting compliance/regulatory requirements but is about being a good corporate citizen focused on doing the right thing. It goes beyond compliance to an approach that ensures that the organizations values, ethics, code of conduct, and culture is shared and consistent across business relationships. The focus is on integrity of the organization and ensuring that this is consistent across the extended enterprise of relationships.

Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.

Third Party Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Solution Perspectives on Third Party Management

Case Studies on Third Party Management

Third Party Risk: Gaining Certainty in Global Relationships

One of the greatest governance, risk management and compliance challenges before organizations is managing the web of third party business relationships.

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. These risks span areas such as:

  • Anti-bribery & corruption
  • Anti-money laundering
  • Code of conduct
  • Conflict minerals
  • Corporate social responsibility
  • Environmental management
  • Health & safety management
  • Human trafficking
  • Import/export compliance
  • Information security
  • Know your customer
  • Labor standards
  • Privacy and data protection
  • Quality management
  • Regulatory requirements
  • Responsible sourcing
  • Sustainability

GRC 20/20 is answering inquiry questions every week from organizations struggling with third party management challenges. We are seeing a range of hot issues such as the UK Modern Slavery Act, US Conflict Minerals, EU Conflict Minerals, EU REACH, OCC Requirements in Banking, PCI DSS, California Transparency in Supply Chains Act, HIPAA, GDPR, and more. Though third party management goes beyond regulations to also achieve corporate social responsibility and alignment of business partner values to the organization’s code of conduct. I have sat on the social accountability advisory board of a major brand guiding them on process and technology areas of child labor, forced labor, working hours, health and safety, and more for tens of thousands of facilities across their supply chain. This challenge and issue is significant for organizations and the burdens are only growing.

Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

  • The challenge: Can you attest to the governance, risk management, and compliance or third parties across your organization’s business relationships?
  • Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. Organization often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties; the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.

What are your thoughts and concerns on third party management? Please post your comments below. If you have a question on third party management best practices or solutions in the market, please submit an inquiry.


GRC 20/20 is presenting on a webinar on this specific topic later this week . . .

Third Party Risk: Gaining Certainty Amid a Web of Global Relationships

April 6 @ 10:00 am11:00 am CDT

[button link=”http://grc2020.com/event/third-party-risk-gaining-certainty-amid-a-web-of-global-relationships/”]REGISTER[/button]


Third Party Management Research from GRC 20/20 . . .

GRC 20/20 will be releasing a detailed written Market Landscape: Third Party Management Solutions later in April that includes market definition, segmentation, sizing, forecasting, solutions in the space, drivers, trends and more.

Research Briefings on Third Party Management

Strategy Perspectives on Third Party Management

Solution Perspectives on Third Party Management

Case Studies on Third Party Management