The structure and reality of business today have changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacy, such as deep supply chains and sub-contracting relationships. Business today relies and thrives on third-party relationships; this is the extended enterprise.
In this context, organizations struggle to govern their third-party relationships and often manage risk and compliance in relationships in silos that fail to see the big picture of risk exposure and impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable. It must ensure that third-party partners behave appropriately.
Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure. Siloed information and/or reactive, document-centric, and manual processes fail to actively govern relationships and manage risk and compliance in the context of the third-party relationship and broader organizational objectives and values. Silos leave the organization blind to the intricate relationships of risk and compliance exposures that fail to get aggregated and evaluated in the context of the overall relationship and its goals, objectives, and performance.
Third-party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in and across the organization’s third-party relationships. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, third-party GRC delivers:
- Third-party governance. It starts with integrated governance of third-party relationships and monitoring relationships across the extended enterprise to ensure they are meeting the objectives and purpose the relationship was established for, thus returning value to the organization.
- Third-party risk management. Understanding the governance objectives of the relationship sets the context to then assess, analyze, and monitor the uncertainty and risk in the relationship. Risk, by official definition, is the effect of uncertainty on objectives. Each relationship (or component of the relationship, like a contract or service level agreement) has its own objectives, and uncertainty needs to be managed against those objectives.
- Third-party compliance. Compliance ensures that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values across its third-party relationships. Compliance follows through on risk treatment plans to ensure that risk is being managed within limits and that controls are in place and function within each relationship to mitigate risk.
Organizations need a federated approach to third-party governance and risk management. It allows for some department/business function autonomy where needed but focuses on a shared governance model and architecture in which the various groups in third-party GRC management participate. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third-party relationships, as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third-party management, focusing on coordination and collaboration through a common core architecture that integrates and plays well with other systems. This is true third-party GRC management.
Designing a federated, third-party GRC management program starts with defining the third-party GRC strategy. The strategy connects key business functions with a common third-party governance framework and policy. The strategic plan is the foundation that enables third-party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.
The core elements of the third-party strategic plan include:
- Third-party governance team. The first piece of the strategic plan is building the cross-organization third-party governance team (e.g., committee, group). This team needs to work with third-party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in third-party management and get them collaborating and working together regularly. Various roles often involved on the third-party governance team are procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third-party governance team.
- Third-party GRC management charter. With the initial collaboration and interaction of the third-party governance team in place, the next step in the strategic plan is to formalize this with a third-party GRC management charter. The charter defines the key elements of the third-party GRC management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of third-party GRC management, name the members of the third-party governance team, and define the overall goals, objectives, resources, and expectations of enterprise third-party GRC management. The fundamental goal of the charter is to establish alignment of third-party management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
- Third-party GRC management policies and procedures. The next critical item to establish in the third-party GRC strategic plan is the writing and approval of the third-party management policy (and supporting policies and procedures). This sets the initial third-party governance structure in place by defining categories of third parties, associated responsibilities, approvals, assessments, evaluations, audits, and reporting. The policy should require that an inventory of all third-party relationships be maintained with appropriate categorizations, approvals, and identification of risks.