Posted on Leave a comment

Understanding Third Party GRC Maturity: Ad Hoc Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 1, the Ad Hoc level of Third Party GRC

Organizations at the Ad Hoc stage of maturity have . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

Posted on 1 Comment

Step 1: Develop a 3rd Party GRC Strategic Plan

I grew up in the Northwest corner of Montana, a beautiful but wild country. From my earliest years I loved the outdoors. In fact, long before any aspirations to build a career in Governance, Risk Management & Compliance (GRC), I wanted to be a backcountry ranger in Glacier National Park. To spend time in the outdoors requires planning and a respect for the outdoors. To go trekking requires a plan of where you are going so you know who and what to bring with you on that journey. This planning is exactly what organizations need in context of 3rd party governance/management.

The greatest challenge upon organizations in the context of GRC is the governance, risk management, and compliance of the range of 3rd party relationships. We have reorganized, outsourced, and distributed business around the world. Today’s modern organization is not a traditional brick and mortar business. Organizations are now defined by a complex, intricate, interconnected, and nested web of relationships and transactions. Traditional employees no longer define who works for an organization as over half of our insiders are now outsourcers, service providers, contractors, consultants, temporary workers, suppliers, vendors, brokers, agents, dealers, intermediaries, customers, partners, and even competitors who collaborate and work with us. Their issues, challenges, and problems are your organization’s issues, challenges, and problems. These relationships bring significant value but also significant risk as well as compliance and integrity concerns.

This is compounded by the growing array of risks and regulations that impact the organization and its extended relationships. Such as:

  • Anti-bribery and corruption (US FCPA, UK Bribery Act, Sapin II, OECD)
  • Business/supplier continuity
  • Data privacy & protection (EU GDPR, California CCPA, information security)
  • Ethics & Values (vendor/supplier code of conduct)
  • Geopolitical risk
  • Human rights (US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, international labor standards)
  • Import/export compliance
  • Quality (ISO 9000)
  • Environmental, Health & Safety (REACH, RoHS)
  • And more . . .

GRC 20/20 defines 3rd Party GRC (or 3rd party management, or what some more narrowly call vendor risk, supplier risk, etc.) as:

“the capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across and down throughout an organizations third party relationships: the extended enterprise.”

Adapted from the OCEG GRC Definition

The challenge and danger many organizations face in the journey to manage these relationships is a haphazard approach in which there is no careful and strategic plan. The organization, in its various departments, randomly addresses aspects of 3rd party GRC without thinking about the big picture. The result is a lot of redundancy, gaps, inefficiency, lack of agility and effectiveness, and thing slipping through the cracks. IT security has their approach, procurement is doing their thing, legal/compliance/ethics are doing something else, other groups such as quality, environmental, health and safety all have their approaches. Some are using documents, spreadsheets, and emails to govern third parties, others are using siloed commercial tools, and some are only putting out fires when a problem arises. No one sees the big picture and there is no coordinated effort to govern these relationships strategically to ensure that the value they are delivering outweighs the risk and exposure bring as well.

GRC 20/20 has identified three approaches organizations take to manage 3rd party relationships:

  • Anarchy – ad hoc department silos.  This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed 3rd party initiatives never see the big picture and fail to put 3rd party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how 3rd party GRC processes can be designed to meet a range of needs. An ad hoc approach to 3rd party GRC results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about 3rd party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on 3rd party performance and strategy leading to greater exposure than any silo understood by itself. 
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has issues as well. Organizations run the risk of having one department be in charge of 3rd party GRC that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing 3rd party relationships with the lowest common denominator and watering down 3rd party management. Further, there is no one-stop shop for everything 3rd party GRC as there are a variety of pieces to 3rd party management that need to work together. 
  • Federated – an integrated and collaborative approach.The federated approach is where most organizations will find the greatest balance in collaborative 3rd party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in 3rd party GRC participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in 3rd party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems. 

The modern organization has to have a strategic plan to govern 3rd party relationships to ensure they reliably achieve the objectives they were established for while managing the uncertainty and risk and act with the integrity and values that is expected of them. This requires a cross-department strategic plan, coordination, and collaboration on 3rd Party GRC. Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy.  The strategic plan is the foundation that enables thi3rdrd party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. 

The core elements of the third party strategic plan include:

  • Third party governance team. The first piece of the strategic plan is building the cross-organization 3rd party governance team (e.g., committee, group). This team needs to work with 3rd party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in 3rd party GRC and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party GRC charter. With the initial collaboration and interaction of the 3rd party GRC team in place, the next step in the strategic plan is to formalize this with a 3RD party GRC charter. The charter defines the key elements of the 3rd party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of 3rd party GRC, the members of the 3rd party governance team, and define the overall goals, objectives, resources, and expectations of enterprise 3rd party GRC. The key goal of the charter is to establish alignment of 3rd party GRC to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
  • Third party governance policy.The next critical item to establish in the 3rd party GRC strategic plan is the writing and approval of the 3rd party GRC policy (and supporting policies and procedures). This sets the initial 3rd party governance structure in place by defining categories of 3rd parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all 3rd party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

Posted on Leave a comment

Efficient and Effective Third-Party GRC Management

Modern Organization: Interconnected Maze of Relationships

Traditional brick and mortar business are a thing of the past. Physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships, with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation, while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them, and fail to actively manage and understand the interrelationship of third parties across the organization.

The fragmented governance of third party relationships, through disconnected silos, leads the organization to inevitable failure. Reactive, document-centric, and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship, as well as the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources – Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected – The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight –Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
  • Document and email centric approaches –When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report onsupply chain data. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies –When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency – impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only –Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change –Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, etc. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe – in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships are changing – introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance –Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services, but do not include monitoring risks such as compliance and ethical considerations.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated supply chain data management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance – resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches data management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance, and understand its impact on the organization.

The bottom line: A haphazard department, and document centric approach for third party management, compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy, as well as teams to define and govern third party relationships. Third party management is, “A capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its 3rdparty relationships”. Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about performance, risk, and compliance, and how it impacts the organization.


GRC 20/20 Events & Resources for Third Party Management Include . . .

Upcoming Third Party Management Webinars

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions

Posted on Leave a comment

Managing Risk & Compliance in the Extended Enterprise

Modern Organization: Interconnected Maze of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.
[1]

Replace the word ‘man’ with ‘organization’ and the seventeenth-century English poet John Donne is describing the post-modern twenty-first century organization. In other words, “No organization is an island unto itself, every organization is a piece of the broader whole.”

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them and fail to actively manage and understand the interrelationship of third parties across the organization.

The challenge:“Can you attest to the governance, risk management, and compliance of the organization’s extended business relationships?”

Typical response: Organizations tend to look at the formation of a third party relationship and fail to foresee issues that cascade and cause damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship.

The fragmented governance of third party relationships through disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance.  Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship and the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected. The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight.Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
  • Document and email centric approaches.When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies.When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency, impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only.Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change.Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance.Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[2]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into third party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Third party management is “a capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrityin and across its 3rdparty relationships.[3]Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.


GRC 20/20 Events & Resources for Third Party Management Include . . .

Third Party Management Workshop

GRC 20/20 will be leading a complimentary interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions


[1]A famous line from English Poet John Donne’s Devotions Upon Emergent Conditions(1624) found in the section Meditation XVII.

[2]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

[3]GRC 20/20’s adaption of the OCEG definition of GRC found in the OCEG GRC Capability Model applied to third party management.

Posted on Leave a comment

Addressing the Challenges of Third Party Management/GRC

The governance, risk management, and compliance (GRC) across third party relationships (e.g., vendors, suppliers, contractors, agents) is a significant challenge for organizations. Organizations today are not defined by brick and mortar walls or traditional employees. The modern organization is a complex web of nested business relationships and transactions. GRC 20/20, in our research, is interacting with organizations around the world that are developing strategies, processes, and implementing information and technology to address GRC of third party relationships. The challenges are many faceted and organizations are finding that they need a federated and consistent approach to third party management that addresses the needs of a range of departments and issues. These span:

  • Anti-bribery and corruption (e.g., US FCPA, UKBA, France’s Sapin II)
  • Human rights and slavery (e.g., UK Modern Slavery Act, Conflict Minerals, California Transparency in Supply Chains Act)
  • Information security and privacy (e.g., GDPR, OCC Vendor Risk Management, PCI DSS)
  • Labor standards (e.g., child labor, forced labor, working hours, wages)
  • Environmental (e.g., traceability, sustainability, CSR)
  • Health and Safety (e.g., disasters, injuries, loss of life)
  • Financial stability
  • Business continuity
  • Operational risk
  • Ethics and Code of Conduct
  • And the list goes on . . .

I am in the United Kingdom this week and have interacted with organizations over here on many of these topics. Big issues impacting third party management include Brexit, GDPR, UK Modern Slavery Act, UK Bribery Act, France’s Sapin II has come up a few times.

GRC 20/20 defines Third Party Management as:

Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organizations third party relationships/extended enterprise (adapted from the OCEG GRC definition).

Needless to say, the breadth and scope of third party risk and compliance concerns are legion. Last week I taught my Third Party Management by Design workshop in Philadelphia (this workshop is being done next week in New York City as well). There were about 20 companies registered and they identified the following challenges at the beginning of the workshop:

  • Understanding who are our 3rd Parties? Status? Rank? Active contracts?
  • Managing third parties across distributed departments and business units
  • Across Which Business Units
  • Validating that third parties have controls in place
  • Managing compliance across a range of regulatory requirements
  • Developing a culture of third party trust but verify
  • How to manage data breach and incident notification? How do we know when a third party has an issue?
  • Measuring financial impact and potential damage/exposure of third parties
  • Remediation verification of control gaps and inspection issues of third parties
  • How to manage changes in scope of the 3rd party services
  • Managing third parties across mergers and acquisitions
  • Building a business case for time and resources to manage third parties
  • Managing right to audits and inspections effectively and efficiently.
  • How do we provide validation and risk rating
  • Defining who are critical third parties are that can cause us the most exposure
  • Managing 4th parties down through nested supply chain and subcontracting relationships
  • Identifying and fully mapping all 3rd party relationships

These topics and more were discussed and collaborated on by participants in last weeks workshop and the discussion will begin anew with next weeks workshop in New York City.

Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.

Third Party Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Posted on Leave a comment

Governance, Risk Management and Compliance of Third Party Relationships

One of the greatest challenges upon organizations today is governing third party relationships, particularly the risk and compliance aspects of these relationships. Organizations today are dynamic, distributed, and face constant disruption and this is exponentially impacted by the number and variety of third party relationships in an organization.

Consider that over half of many organizations ‘insiders’ are no longer traditional employees. Brick and mortar walls no longer define the organization. An employee no longer defines the organization. The organization itself is mesh of nested business relationships, transactions, connections, and interactions. Organizations consist of vendors, suppliers, outsourcers, service providers, consultants, contractors, temporary workers, brokers, deleters, intermediaries, agents, and more. These often nest themselves in layers of relationships that impact the organization. The issues down the supply chain are the organizations issues and risks.

This is compounded by the ongoing change organizations are facing. Changing business, changing regulations, and changing risks. As much as the core organization is changing, all of these relationships are constantly changing as well. They might have been the right organization to contract with three years a go, but they have changed and may not be today.

There are a growing array of regulations and legal liabilities impacting organizations in context of third parties. Consider . . .

  • Anti-bribery and corruption (e.g., US FCPA, UK Bribery Act, Sapin 2)
  • Human rights/slavery (e.g, US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act)
  • Privacy and information security (e.g., GDPR, PCI DSS, HIPAA, GLBA, PIPEDA)
  • International labor standards (e.g., child labor, forced labor, working hour, working hours)
  • Quality
  • Environmental
  • Health & safety
  • Geo-political risk
  • Business continuity
  • And more . . .

Organizations cannot haphazardly manage third parties, they need a structured and governed process to see that risk and compliance is addressed in these relationships. GRC 20/20 is interacting in our research with organizations around the world developing third party risk management strategies and looking to define processes and solutions to address the growing challenge of third party governance, risk management, and compliance (GRC). This includes working with large global organizations on their social accountability and third party advisory boards, to helping companies develop strategies and select the right technology to manage third party risk, to identifying business value for an integrated and cross functional team on third party risk GRC.

GRC 20/20’s definition of Third Party Management/GRC is adapted from the OCEG GRC definition. It is . . .

Third party management is a capability that enables an organization to: reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT, act with integrity [COMPLIANCE] in and across it’s third party relationships.

GRC 20/20 offers a variety of resources to organizations looking at developing their Third Party Management/GRC strategy. This includes our foundational written piece of research, Third Party Management by Design.

GRC 20/20 will be facilitating two upcoming (and complimentary) workshops on Third Party Management by Design in the next month. Complimentary registration is open to individuals responsible or part of a strategy for managing their organizations array of third party relationships. The format is a workshop and collaboration. While there are lecture portions to the day, the goal is learn through collaboration with peers and interaction on workshop activities. The upcoming workshops are:

  • Third Party Management by Design Workshop, Philadelphia, November 2. Blueprint for an Effective, Efficient & Agile Third Party Management Program. Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organisation is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Organizations are a mixture of contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more. The extended enterprise of third party relationships brings on a… Find out more »
  • Third Party Management by Design Workshop, New York, November 14. Blueprint for an Effective, Efficient & Agile Third Party Management Program. Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organization is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Organizations are a mixture of contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more. The extended enterprise of third party relationships brings on a range of… Find out more »

GRC 20/20 also offers a recorded Research Briefing to guide organizations on how to purchase Third Party Management/GRC solutions:

As part of GRC 20/20’s research, we offer complimentary inquiry to organizations working on strategies and exploring technology solutions. Simply ask GRC 20/20 your questions on third party management strategy, process, as well as information and technology solutions that we monitor in the market as part of our research.

Other GRC 20/20 Third Party Management resources can be found at: http://grc2020.com/product-category/grc-functional-area/third-party-management/

Posted on Leave a comment

GRC Archetypes: Third Party Management

Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organizations third party relationships/extended enterprise (adapted from the OCEG GRC definition).

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mesh of relationships and interactions that span traditional business boundaries. Over half of an organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

Third party compliance requirements are growing at a staggering rate. Human rights, social accountability/labor standards, privacy, security, ethical sourcing, environmental, health and safety, and quality compliance and risk requirements are growing upon organizations. GRC 20/20 is monitoring the impact of regulations such as the UK Modern Slavery Act, US Foreign Corrupt Practices Act, UK Bribery Act, OECD Anti-Bribery Convention, PCI DSS, EU GDPR, US Conflict Minerals, EU Conflict Minerals, California Transparency in Supply Chains Act, France Sapen 2, and more impact third party management strategies in organizations.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

THE QUESTION: How is your organization approaching third party management? Can you map yourself to one of the following GRC archetypes of third party management?

  • Fire Fighter. Your organization approaches third party management in an ad hoc fly by the seat of your pants approach. Third party management is not structured and only addressed when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the issue before you and not thinking strategically about third party management. Third party management is addressed in manual processes with documents, spreadsheets, and emails but only for reactive purposes.
  • Department Islander. In this archetype, your organization has a more structured approach to third party management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in third party management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for third party management, or still be relying on manual processes with documents, spreadsheets, and emails.
  • Compliance/Risk Collaborator. This is the archetype in which your organization has cross-department collaboration for third party management to provide consistent processes and structure for third party management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage third party risks to meet regulatory requirements and not a serious look at the governance, risk management, and compliance of third party relationships. Most often there is a broader third party management platform deployed to manage third party compliance, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Corporate Citizen. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Third party management is more than meeting compliance/regulatory requirements but is about being a good corporate citizen focused on doing the right thing. It goes beyond compliance to an approach that ensures that the organizations values, ethics, code of conduct, and culture is shared and consistent across business relationships. The focus is on integrity of the organization and ensuring that this is consistent across the extended enterprise of relationships.

Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.

Third Party Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Solution Perspectives on Third Party Management

Case Studies on Third Party Management

Posted on Leave a comment

Third Party Risk: Gaining Certainty in Global Relationships

One of the greatest governance, risk management and compliance challenges before organizations is managing the web of third party business relationships.

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. These risks span areas such as:

  • Anti-bribery & corruption
  • Anti-money laundering
  • Code of conduct
  • Conflict minerals
  • Corporate social responsibility
  • Environmental management
  • Health & safety management
  • Human trafficking
  • Import/export compliance
  • Information security
  • Know your customer
  • Labor standards
  • Privacy and data protection
  • Quality management
  • Regulatory requirements
  • Responsible sourcing
  • Sustainability

GRC 20/20 is answering inquiry questions every week from organizations struggling with third party management challenges. We are seeing a range of hot issues such as the UK Modern Slavery Act, US Conflict Minerals, EU Conflict Minerals, EU REACH, OCC Requirements in Banking, PCI DSS, California Transparency in Supply Chains Act, HIPAA, GDPR, and more. Though third party management goes beyond regulations to also achieve corporate social responsibility and alignment of business partner values to the organization’s code of conduct. I have sat on the social accountability advisory board of a major brand guiding them on process and technology areas of child labor, forced labor, working hours, health and safety, and more for tens of thousands of facilities across their supply chain. This challenge and issue is significant for organizations and the burdens are only growing.

Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

  • The challenge: Can you attest to the governance, risk management, and compliance or third parties across your organization’s business relationships?
  • Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. Organization often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties; the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.

What are your thoughts and concerns on third party management? Please post your comments below. If you have a question on third party management best practices or solutions in the market, please submit an inquiry.


GRC 20/20 is presenting on a webinar on this specific topic later this week . . .

Third Party Risk: Gaining Certainty Amid a Web of Global Relationships

April 6 @ 10:00 am11:00 am CDT

[button link=”http://grc2020.com/event/third-party-risk-gaining-certainty-amid-a-web-of-global-relationships/”]REGISTER[/button]


Third Party Management Research from GRC 20/20 . . .

GRC 20/20 will be releasing a detailed written Market Landscape: Third Party Management Solutions later in April that includes market definition, segmentation, sizing, forecasting, solutions in the space, drivers, trends and more.

Research Briefings on Third Party Management

Strategy Perspectives on Third Party Management

Solution Perspectives on Third Party Management

Case Studies on Third Party Management

Posted on Leave a comment

Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, intermediaries. It grows even more complex as there are nested relationships in subcontractors and supply chains. Approximately half of a typical organizations “insiders” are no longer employees but are third party relationships.

The issues organizations face in managing vendor and third party risks are growing. These range from growing challenges in anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Bribery Convention), human rights and slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity and more.

However, one of the growing challenges organizations face is information/cybersecurity across third party relationships, particularly vendor relationships. A significant number of information/cybersecurity breaches are the result of third party vendor relationships. It is not just IT related vendors that put organizations at risk, but could be a wide range of vendor relationships. The Target breach from a few years back was the result of a heating and air conditioning vendor (HVAC) that was broken into that had a connection to the Target network. With the Internet of Things (IoT) upon us, it has become critical for organizations to address information security in and across their third party relationships.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follow:

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

Additionally, here are some of my research papers that I have published on this topic:

Posted on Leave a comment

Increasing Exposure of Third Party Risks 

The Modern Organization is an Interconnected Mess of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

The challenge: Can you attest to the governance, risk management, and compliance or third parties across your organization’s business relationships?

Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected.  An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. Organization often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties; the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.


Additional resources on Third Party Management

Research Briefings

Upcoming Webinars

Written Research