Third Party GRC Maturity Model

$100.00

Third Party GRC Maturity Model

A New Paradigm in Governing Third Party Relationships

Executive Summary

A haphazard department- and document-centric approach for third party governance, risk management, and compliance (GRC) compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party GRC with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

The primary directive of a mature third party GRC management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. In the end, third party management is more than compliance and more than risk, but is also more than procurement. Using the definition for GRC2 – governance, risk management and compliance – third party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in the organization’s third party relationships.

Description

Table of Contents

  • Third Party GRC in an Interconnected Business
    • Inevitable Failure of Silos of Third Party Governance
  • Third Party GRC Maturity Model
    • A New Paradigm in Governing Third Party Relationships
    • Five Stages of Third Party GRC Maturity
      • 1: Ad hoc
      • 2: Fragmented
      • 3: Defined
      • 4: Integrated
      • 5: Agile
  • Getting to the Head of the Class
    • Advancing Your Organization’s Third Party Governance Maturity
      • Considerations for Moving From Ad Hoc and Fragmented to Defined
      • Considerations for Moving From Defined to Integrated
      • Considerations for Moving From Integrated to Agile
    • Critical Elements to Measure & Improve Third Party GRC Maturity
      • Third Party Governance & Oversight
      • People & Engagement
      • Process & Execution
      • Information & Technology
    • Fundamental Steps to Establishing Your Third Party GRC Strategy
    • The Role of Third Party GRC Information & Technology Architecture
  • GRC 20/20’s Final Perspective
  • About GRC 20/20 Research, LLC
  • Research Methodology

Author

Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 26+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.


©GRC 20/20 Research, LLC. All Rights Reserved.

No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines established in the client contract. The information contained in this publication is believed to be accurate and has been obtained from sources believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability whatever for actions taken based on information that may subsequently prove to be incorrect or errors in analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research should not be construed or used as such.