The 3rd Party GRC market is the fastest growing segment of the GRC market. The pressures are many: social accountability/international labor standards, quality, environmental, health and safety, privacy, information security, credentialing, code of conduct, geo-political and operational risk. An organization's vendors, suppliers, outsourcers, agents, service providers, contractors, consultants, temporary workers . . . it is hard to understand where the organization starts and stops. The extended enterprise of today is a complex, distributed, diverse, and dynamic organization that requires risk and compliance oversight.
One of the most significant challenges bearing down on many organizations is conflict mineral compliance.
Organizations approaching conflict mineral compliance can take several paths leading to varying degrees of program maturity. Mature conflict mineral compliance is an integrated part of a broader governance, risk management, and compliance strategy. It requires a top-down view of conflict mineral risk that is understood in the context of enterprise risks. It also means bottom-up participation, where business functions identify and monitor the risks and suppliers that expose the organization. GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in conflict mineral compliance processes in the context of broader third party governance, risk management, and compliance.
- Ad hoc and document centric approach. Organizations at this level of maturity do not understand their risk and exposure to conflict mineral issues. The organization addresses conflict mineral compliance in a reactive mode, does not invest in technology for compliance, and utilizes documents and emails by the thousands to get the job done. This leads to a mountain of information requiring significant time to reconcile and report, while introducing errors and omissions. It never produces a defensible audit trail or chain of evidence showing how assessments and documents were completed and reported upon. This leaves the organization exposed, as its compliance program is riddled with flaws waiting for the auditor or regulator to pounce upon. There is limited ownership or monitoring of conflict mineral compliance, and certainly no integration of compliance information and processes.
- Fragmented approach focused only on conflict minerals. Here the organization is fragmented. Conflict mineral compliance is a defined program but operates independently of other programs monitoring risk and compliance across third party relationships. The organization most likely has seen the value of technology and utilizes it to address conflict mineral compliance. In the broader scope of things, conflict minerals is a siloed initiative operating independently of others such as social accountability, quality, environmental, health and safety, and anti-bribery and corruption across the supply chain. The requirements are being met and the reports made, but the organization is inefficient, ineffective, and certainly not agile: its approaches to third party oversight are redundant, and its information and processes are highly duplicated and lack integration.
- Integrated approach to conflict minerals as part of social accountability. The integrated stage of conflict mineral maturity is reached when conflict minerals are understood in the context of social accountability. The goal of conflict mineral compliance is to address human rights violations. At this stage of maturity, conflict mineral compliance moves beyond a compliance initiative to become an integrated part of the values and ethics of the organization, lived out actively through the code of conduct throughout the organization and its third party relationships. The organization has an integrated approach that addresses not only conflict mineral compliance but also child labor, forced labor, working hours, wage/hour, and health & safety across its supply chain. The organization has developed consistent and integrated processes to manage assessments, audits, communicate policies, deliver training, report, and remediate. Technology enables this and ensures that items are completed and that the integrity of the organization is protected.
- Aligned third party governance, risk management, and compliance program. In the aligned stage the organization has a cross-department strategy for managing third party GRC. Here the organization is thinking holistically across the governance, risk management, and compliance issues impacting third party relationships. Just as the integrated stage sees conflict minerals in the context of social accountability, both are now managed consistently alongside other third party GRC areas such as anti-bribery & corruption, quality, environmental, health & safety, security, and privacy in third party relationships. The organization has an integrated third party GRC platform to manage the range of these topics while delivering consistency in policy communication, training, assessment, audit, and remediation in third party relationships. Suppliers and other third parties are relieved, as there is a consistent approach and the burden of responding to multiple requests in different formats goes away. The organization not only removes the cost of redundant processes, forms, assessments, and approaches but also gains the value of an integrated view of the integrity and health of third party relationships in the context of performance.
- Optimized as part of an enterprise GRC architecture. At the optimized stage, the third party risk program, and with it conflict minerals, is part of the fabric of a broader enterprise GRC architecture. Where the aligned stage brought the value of understanding third party risk and compliance in context across third party risk and compliance domains, the organization at the optimized stage sees and understands third party risk in the context of enterprise risk. This allows for a holistic approach with 360º contextual awareness. The organization understands its risk and compliance posture in the context of business objectives, values, risk boundaries, and strategy. The intricacies of third party risk, and how they impact other risks such as financial, reputational, strategic, and operational risk, are understood and managed accordingly.