Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, intermediaries. It grows even more complex as there are nested relationships in subcontractors and supply chains. Approximately half of a typical organizations “insiders” are no longer employees but are third party relationships.

The issues organizations face in managing vendor and third party risks are growing. These range from growing challenges in anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Bribery Convention), human rights and slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity and more.

However, one of the growing challenges organizations face is information/cybersecurity across third party relationships, particularly vendor relationships. A significant number of information/cybersecurity breaches are the result of third party vendor relationships. It is not just IT related vendors that put organizations at risk, but could be a wide range of vendor relationships. The Target breach from a few years back was the result of a heating and air conditioning vendor (HVAC) that was broken into that had a connection to the Target network. With the Internet of Things (IoT) upon us, it has become critical for organizations to address information security in and across their third party relationships.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follow:

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

Additionally, here are some of my research papers that I have published on this topic:

Increasing Exposure of Third Party Risks 

The Modern Organization is an Interconnected Mess of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

The challenge: Can you attest to the governance, risk management, and compliance or third parties across your organization’s business relationships?

Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected.  An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. Organization often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties; the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.


Additional resources on Third Party Management

Research Briefings

Upcoming Webinars

Written Research

The Critical Foundation of Third Party Management is Technology

In previous posts we looked at the following:

  1. How to Develop a Third Party Management Strategy
  2. How to Define a Third Party Management Process Lifecycle

Now we turn our attention to the foundation of information and technology that supports and enables a third party management strategy and process . . .

Third party management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.  The third party management information architecture supports the process architecture and overall third party management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support third party processes. The third party management information architecture involves the structural design, labeling, use, flow, processing, and reporting of third party management information to support third party management processes.

Successful third party management information architecture will be able to integrate information across third party management systems, ERP, procurement solutions, and third party databases. This requires a robust and adaptable information architecture that can model the complexity of third party information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages:

  • Master data records. This includes data on the third party such as address, contact information, and bank/financial information.
  • Third party compliance requirements. Listing of compliance/regulatory requirements that are part of third party relationships.
  • Third party risk and control libraries. Risks and controls to be mapped back to third parties.
  • Policies and procedures. The defined policies and procedures that are part of third party relationships.
  • Contracts. The contract and all related documentation for the formation of the relationship.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships as well as aggregate sets of relationships.
  • Third party databases. The information connections to third party databases used for screening and due diligence purposes such as sanction and watch lists, politically exposed person databases, as well as financial performance or legal proceedings.
  • Transactions. The data sets of transactions in the ERP environment that are payments, goods/services received, etc.
  • Forms. The design and layout of information needed for third party forms and approvals.

Third Party Management Technology Architecture

The third party management technology architecture operationalizes the information and process architecture to support the overall third party management strategy. The right technology architecture enables the organization to effectively manage third party performance and risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.

There can and should be be a central core technology platform for third party management that connects the fabric of the third party management processes, information, and other technologies together across the organization. Many organizations see third party management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships.
  • Point solutions. Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
  • ERP and procurement solutions. There is a range of solutions that are strong in the ERP and procurement space that has robust capabilities in contract lifecycle management, transactions, and spend analytics. However, these solutions are often weak in overall third party governance, risk management, and compliance.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have third party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance and do not always have the complete view of performance management of third parties. These solutions are often missing key requirements such as third party self-registration, third party portals, and established relationships with third party data and screening providers.
  • Third party management platforms. These are solutions that are built specifically for third party management and often have the broadest array of built-in (versus built-out) features to support the breadth of third party management processes. In this context they take a balanced view of third party governance and management that includes performance of third parties as well as risk and compliance needs. These solutions often integrate with ERP and procurement solutions to properly govern third party relationships throughout their lifecycle and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.

The right third party technology architecture choice for an organization often involves integration of several components into a core third party management platform solution to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real-time business operates in.

Some of the core capabilities organizations should consider in a third party management platform are:

  • Internal integration. Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization – procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical.
  • External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis.  Standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with third party relationships in context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.

Third Party Networks – Streamlining Third Party Management

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual third party relationships (the tree) as well as the interconnectedness of third party relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional with cause, in the non-linear world of business third party management risks is exponential. Business is chaos theory realized. The small flutter of third party risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.

The challenge is that third parties are getting inundated with request for information, assessments, and more.  The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile. Organizations are looking to subscribe to a network(s) that provide validated third party profile management and data sharing they can trust.  If further information is needed they can send that request to their third parties, but rely on what has already been submitted for the core of what they do. This reduces the time, cost, and complexity of managing and gathering third party profile information and streamlines third party management for all involved.

When looking at third party management solutions to support the third party management strategy and architecture, organizations should evaluate and keep in mind what the solutions they are evaluating are doing in context of third party networks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management strategy, process, and information/technology architecture. Check out . . .

Other webinars, that build on How to Define a Third Party Management Process Lifecycle, include:

How to Define a Third Party Management Process Lifecycle

The third party management strategy and policy is supported and made operational through a third party management architecture. The organization requires complete situational and holistic awareness of third party relationships across operations, processes, transactions, and data to see the big picture of third party performance and risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to third party management architecture. The architecture defines how organizational processes, information, and technology is structured to make third party management effective, efficient, and agile across the organization and its relationships.

There are three areas of the third party management architecture:

  • Third party management process architecture
  • Third party management information architecture
  • Third party management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organizations requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for third party management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for third party management instead of finding the technology that best fits their process and information needs.

Third Party Management Process Architecture

Third party management architecture starts with the process architecture. Third party management processes are a part and subset of overall business processes.  Processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships.

The third party management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes third party management processes, each process’s components and interactions, and how third party processes work together as well as with other enterprise processes.

While third party processes can be very detailed and vary by organization and industry, there are four general third party management process areas that organizations should have in place, these are:

  1. Third party identification & onboarding. This is the collection of processes aimed at automating a standard, objective approach for identifying third parties to work with and onboarding them through the collection of third party data and conducting appropriate due-diligence.
  2. Ongoing context monitoring. On an ongoing basis, and separate from monitoring of individual relationships, is the ongoing process to monitor external risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks and regulatory requirements that are evolving that impact the overall third party management program. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
    • Purpose & identification. This is the process to identify new third parties or existing third parties to contract with for new business purposes. Third party identification will detail the purpose of the relationship and include initial definition of performance, risk, and compliance requirements and concerns in the relationship so the proper relationship can be identified.
    • Qualification & screening. Once a third party has been selected, the next step is the qualification and screening process to validate that the third party can meet the requirements of the relationship and does not introduce unwarranted risk and compliance exposure. The screening process will go through due diligence steps to ensure that the third party is the right fit for the organization. Relationships, particularly high risk ones, are to be evaluated against defined criteria to determine if the relationship should be established or avoided.
    • Contracting & negotiation. Upon passing initial qualification and screening, the next sets of processes are contracting and negotiation processes to come to terms and establish the relationship.
    • Registration & onboarding. When contracting and negotiation processes are complete the organization moves into registration and onboarding. The registration process may have already started in the qualification and screening phase to gather information, but concludes with setting up the third party in the system with master data records, financial and payment information, contact information, insurance, and licensing documentation. Further steps of the onboarding process will be communication of code of conduct and related policies, getting attestations to these, completing associated training requirements, and conducting initial audits and inspections (if more are needed and were not done in the qualification and screening stage).
  3. Third party communications & attestations. These are the set of ongoing processes to manage the communications and interactions with the third party throughout the relationship lifecycle. These are done on a periodic (e.g., annual) basis or when certain risk conditions are triggered.
    • Policy communications & reminders. The regular communication and reminders to third parties about code of conduct and related policies and procedures they need to follow.
    • Training. The regular training of third parties on matters of conduct, policies, and procedures.
    • Attestation. The regular attestation by third parties to their behavior and conformance to policies and contractual requirements.
    • Self-assessments. The regular surveys and assessments sent to third parties for them to evaluate themselves and send back to the organization.
    • Reporting. The regular reporting on third parties on aspects of the relationship and in that context of performance, risk, and compliance.
  4. Third party monitoring & assessment. This stage includes the array of processes to continuously monitor the third party relationship over their lifecycle in the organization. These activities are the ones typically done within the organization to monitor and assess the third party relationship on an ongoing basis.
    • Issue reporting & resolution. Even the most successful business relationships encounter issues. This is the process for capturing issues and their details that arise in third party relationships. Issue reporting processes may be internal and done by employees and management, by the third parties themselves, or through external sources such as customer complaints.
    • Performance monitoring. Performance monitoring processes are in place to monitor the health of the relationship, satisfaction of service level agreements, and value the relationship is providing.
    • Risk monitoring. Risk monitoring processes identify and evaluate potential risks relevant to each third party relationship throughout their lifecycle in the organization.
    • Compliance monitoring & ongoing due diligence. The processes in place to monitor relationships for ongoing conformance to compliance requirements. This includes ongoing due diligence and screening processes.
    • Audit & inspections. The processes in place to exercise right to audit clauses and do onsite inspections of third party premises and facilities.
  5. Forms & approvals. The set of internal processes to collect and report information and route things for approval in context of third party relationships.
    • New vendor/supplier request.
    • Gifts, hospitality & entertainment.
    • Political & charitable contributions.
    • Facilitated payments.
  6. Metrics & reporting.  Processes to gather metrics and report on third party relationships at the relationship level or in aggregate.
  7. Third party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships.
    • Relationship renewal. Managing the process of renewing contracts and relationships under existing, revised, or new terms.
    • Off-boarding & retirement. The off-boarding/retire relationships that are no longer needed.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Other webinars, that build on How to Define a Third Party Management Process Lifecycle, include:

How to Develop a Third Party Management Strategy

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to wipe the slate clean and approach third party management by design with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.

Third Party Management by Design

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent. (Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.)

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts.  Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem.  This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into third party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy.

Different Approaches Organizations Take in Managing Third Parties

The primary directive of a mature third party management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage third party relationships:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed third party initiatives never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how third party management processes can be designed to meet a range of needs. An ad hoc approach to third party management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about third party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third party performance and strategy leading to greater exposure than any silo understood by itself.
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department be in charge of third party management that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing third party relationships with the lowest common denominator and watering down third party management. Further, there is no one-stop shop for everything third party management as there are a variety of pieces to third party management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in third party management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

In the end, third party management is more than compliance and more than risk, but is also more than procurement. Using the definition for GRC  – governance, risk management and compliance – third party management is a “capability to reliably achieve objectives [governance], while addressing uncertainty [risk], and act with integrity [compliance]” across the organization’s third party relationships.

Third Party Management Strategic Plan

Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy.  The strategic plan is the foundation that enables third party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

The core elements of the third party strategic plan include:

  • Third party management governance team. The first piece of the strategic plan is building the cross-organization third party governance team (e.g., committee, group). This team needs to work with third party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in third party management and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party management charter. With the initial collaboration and interaction of the third party management team in place, the next step in the strategic plan is to formalize this with a third party management charter. The charter defines the key elements of the third party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of third party management, the members of the third party governance team, and define the overall goals, objectives, resources, and expectations of enterprise third party management. The key goal of the charter is to establish alignment of third party management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
  • Third party management policy. The next critical item to establish in the third party management strategic plan is the writing and approval of the third party management policy (and supporting policies and procedures). This sets the initial third party governance structure in place by defining categories of third parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all third party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Related upcoming webinars, that build on How to Develop a Third Party Management Strategy, include:

Enabling 360° Insight & Control of Third Party Relationships

The Extended Enterprise Demands Attention

Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organisation is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Two decades ago the term insider was synonymous with employee, now over half of the insiders in many organisations are not employees; they are contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more.

The extended enterprise of third party relationships brings on a range of risks that the organisation has to be concerned about. Managing third party risk has risen to be a significant regulatory, contractual, and board level governance mandate. Organisations need to be fully aware of the risks in third party relationships and manage this risk throughout the lifecycle of the relationship, from on-boarding to off-boarding of a third party.

Third party risks that are of primary concern to organisations include:

  • Bribery, Corruption, & Fraud
  • Conflict Minerals
  • Corporate Social Responsibility
  • Environmental, Health & Safety
  • Information Security
  • International Labour Standards (e.g., child labour, forced labour)
  • Physical Security
  • Privacy
  • Slavery & Human Rights

These risks poise significant reputational, financial, and operational concerns. They also poise a growing burden of regulatory concern and oversight (e.g., UK Modern Slavery Act, UK Anti-Bribery Act).

As organisations confront the growing exposure in third party risks they soon realise that the scattered redundant ad hoc approaches of the past are not sustainable. Third party risk can no longer be managed by different departments doing similar things in different ways, often with a mountain of emails, documents, and spreadsheets that are out of date and cost a significant amount of employee time to keep on top of. Managing third party risk requires a structured and integrated process that is supported by an information and technology architecture that can address the range of third party risks consistently without things slipping through the cracks.

An effective third party risk management process enables . . .

The rest of this post can be found as a guest blog on the SureCloud Blog . . .

[button link=”https://www.surecloud.com/blog/enabling-360-degree-insight-control-third-party-relationships”]READ MORE[/button]

A Strategic Approach to Third Party Management, Part 2: Designing an Integrated Architecture to Support Your Strategy

This is the second in a two-part series by Michael Rasmussen on how to take a strategic approach to effectively manage and mitigate third-party risk.

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual third party relationships (the tree) as well as the interconnectedness of third party relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive and cascading impact. In a linear system, effect is proportional with cause. In the non-linear world of business, third party risk is exponential. If we fail to see the interconnections of third party risk on the organization, the result is often massive to unpredictable.

The challenge is that different organizational areas are doing similar things in different ways in context of their third parties. Various departments with different responsibilities for pieces of third party oversight will communicate and interact with third parties in different ways. The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile.

The organization needs a common process, information, and technology architecture to support third party management across organization departments that includes a vested interest in third party relationships. Third party management is enabled at an enterprise level through implemen­tation of an integrated third party man­agement architecture. This offers the adapt­ability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third party management platform enables the orga­nization to effectively manage risk across extended business relationships and fa­cilitates the ability to document, commu­nicate, report, and monitor the range of assessments, documents, tasks, responsi­bilities, and action plans.

Third Party Management Process Architecture

Third party management processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. While third party processes can vary by organization and industry, the common components are . . .

Continued on the ELM Solutions Blog (The GRC Pundit is a guest blogger) . . .

[button link=”http://www.wkelmsolutions.com/blog/michael-rasmussen/strategic-approach-third-party-management-part-2-designing-integrated” color=”default”]READ MORE[/button]

A Strategic Approach to Third Party Management, Part 1: Defining Your Strategy

This is the first in a two-part series by Michael Rasmussen on how to take a strategic approach to effectively manage and mitigate third-party risk.

The Modern Organization: An Interconnected Mess of Relationships

Traditional brick and mortar business is a thing of the past – physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. To take some liberties with the seventeenth-century English poet John Donne, “No [organization] is an island unto itself, every [organization] is a piece of the broader whole.”1

Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees.

In this context, organizations struggle to identify and govern their third party business relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations’ problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

The Inevitability of Failure

The fragmented governance of third party relationships through disconnected silos leads the organization to . . .

Continued on the ELM Solutions Blog (The GRC Pundit is a guest blogger) . . .

[button link=”http://www.wkelmsolutions.com/blog/michael-rasmussen/strategic-approach-third-party-management-part-1-defining-your-strategy” color=”default”]READ MORE[/button]