In previous posts we looked at the following:
- How to Develop a Third Party Management Strategy
- How to Define a Third Party Management Process Lifecycle
Now we turn our attention to the foundation of information and technology that supports and enables a third party management strategy and process . . .
Third party management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. The third party management information architecture supports the process architecture and overall third party management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support third party processes. The third party management information architecture involves the structural design, labeling, use, flow, processing, and reporting of third party management information to support third party management processes.
Successful third party management information architecture will be able to integrate information across third party management systems, ERP, procurement solutions, and third party databases. This requires a robust and adaptable information architecture that can model the complexity of third party information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages:
- Master data records. This includes data on the third party such as address, contact information, and bank/financial information.
- Third party compliance requirements. Listing of compliance/regulatory requirements that are part of third party relationships.
- Third party risk and control libraries. Risks and controls to be mapped back to third parties.
- Policies and procedures. The defined policies and procedures that are part of third party relationships.
- Contracts. The contract and all related documentation for the formation of the relationship.
- SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships as well as aggregate sets of relationships.
- Third party databases. The information connections to third party databases used for screening and due diligence purposes such as sanction and watch lists, politically exposed person databases, as well as financial performance or legal proceedings.
- Transactions. The data sets of transactions in the ERP environment that are payments, goods/services received, etc.
- Forms. The design and layout of information needed for third party forms and approvals.
Third Party Management Technology Architecture
The third party management technology architecture operationalizes the information and process architecture to support the overall third party management strategy. The right technology architecture enables the organization to effectively manage third party performance and risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.
There can and should be be a central core technology platform for third party management that connects the fabric of the third party management processes, information, and other technologies together across the organization. Many organizations see third party management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:
- Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships.
- Point solutions. Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
- ERP and procurement solutions. There is a range of solutions that are strong in the ERP and procurement space that has robust capabilities in contract lifecycle management, transactions, and spend analytics. However, these solutions are often weak in overall third party governance, risk management, and compliance.
- Enterprise GRC platforms. Many of the leading enterprise GRC platforms have third party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance and do not always have the complete view of performance management of third parties. These solutions are often missing key requirements such as third party self-registration, third party portals, and established relationships with third party data and screening providers.
- Third party management platforms. These are solutions that are built specifically for third party management and often have the broadest array of built-in (versus built-out) features to support the breadth of third party management processes. In this context they take a balanced view of third party governance and management that includes performance of third parties as well as risk and compliance needs. These solutions often integrate with ERP and procurement solutions to properly govern third party relationships throughout their lifecycle and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.
The right third party technology architecture choice for an organization often involves integration of several components into a core third party management platform solution to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real-time business operates in.
Some of the core capabilities organizations should consider in a third party management platform are:
- Internal integration. Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization – procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical.
- External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.
- Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. Standardized formats for measuring business impact, risk, and compliance.
- 360° contextual awareness. The organization should have a complete view of what is happening with third party relationships in context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.
Third Party Networks – Streamlining Third Party Management
To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual third party relationships (the tree) as well as the interconnectedness of third party relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional with cause, in the non-linear world of business third party management risks is exponential. Business is chaos theory realized. The small flutter of third party risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.
The challenge is that third parties are getting inundated with request for information, assessments, and more. The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile. Organizations are looking to subscribe to a network(s) that provide validated third party profile management and data sharing they can trust. If further information is needed they can send that request to their third parties, but rely on what has already been submitted for the core of what they do. This reduces the time, cost, and complexity of managing and gathering third party profile information and streamlines third party management for all involved.
When looking at third party management solutions to support the third party management strategy and architecture, organizations should evaluate and keep in mind what the solutions they are evaluating are doing in context of third party networks.
GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management strategy, process, and information/technology architecture. Check out . . .
Other webinars, that build on How to Define a Third Party Management Process Lifecycle, include: