Guest Post By Michael Rasmussen, GRC Analyst & Pundit at GRC 20/20 Research, LLC
The naturalist John Muir stated, “When one tugs at a single thing in nature, he finds it attached to the rest of the world.” This not only applies to nature but also to the reality of the Extended Enterprise in today’s complex and interconnected world. What seems to be one third-party risk cascades and interconnects with a variety of other third-party risks and relationships.
Recently I was talking to a global automobile manufacturer about their third-party risk program. Their challenge was that they needed a fully integrated view of third-party risk. Over half of their operations are no longer defined by brick-and-mortar walls and employees but are an array of suppliers, vendors, outsourcers, service providers, contractors, consultants, and more. These third parties work on, and are part of, internal processes and transactions that employees traditionally performed. When it came to governing and managing risk in these relationships, they felt exposed because they did not have a holistic view of third-party risk. Different departments (IT security, procurement, legal, compliance, and others) each had their individual view of risk, but no one had the complete or aggregate view of risk in any relationship.
Organizations today need a holistic 360° view into third-party risk to be able to see the aggregate view of risk in any one relationship as well as across relationships. The challenge is they often select the wrong technology architecture to support an integrated view of risk.
At the Crossroads
One pathway sometimes taken is to try to fit third-party risk into an existing ERP or eProcurement system. These systems can be strong in the governance aspect of a relationship, but they are often limited in their capabilities for risk and compliance. At first pass it may seem reasonable, as this is where third parties and other suppliers are onboarded and where the operational mechanics of purchasing, invoicing, spend, contracts, and RFx are managed. The challenge is that many of these systems are, by design, inherently transactional and focused on the onboarding stage of a relationship rather than its full lifecycle. Organizations today are being challenged to understand their third-party relationships in much greater detail due to a combination of regulatory compliance scrutiny and corporate-driven initiatives. Typically, the data models that support these transactional systems are not designed to capture the range of data points required for third-party risk management. They may struggle to respond to the dynamics of changing regulatory environments or to abrupt changes in the risk status of individual third parties or groups of third parties. This can mean that the inevitable updates required to manage change come at a high cost.
Another technology road an organization may choose is to assume that its ‘Enterprise GRC’ platform, which has a module for third-party risk, is the right one. There are some great platforms, but many also have limitations. Those third-party risk modules may have been built with a specific risk domain in mind and do not have a full view of third-party risk. They may have a very flat view of risk that manages risk at the relationship level but cannot manage it at the contract, service, or facility level. Another consideration is to ask seriously whether the organization wants to deploy a third-party risk solution that also manages the array of enterprise and operational risks, or even compliance issues and incidents. There can be good reason to segregate the hundreds, thousands, or even tens of thousands of users on the third-party risk system from the organization’s enterprise and operational risk system: that population typically includes external vendor contacts completing assessments, so keeping them off the system that holds the enterprise risk register and incident records is a least-privilege question as much as a licensing one. Not all of these systems are agile either; some come with a high cost of ownership to implement and maintain.
The third road organizations may try to navigate for third-party risk is to purchase a variety of risk-domain-specific applications. IT security selects its third-party risk solution for security and privacy, procurement has its own, corporate compliance and ethics has another, legal has one, and privacy and ESG/CSR each have theirs. The reality comes back to the global automobile manufacturer: everyone has their myopic view of third-party risk with no ability to see the aggregate risk exposure in a relationship. This hinders a third-party risk program from maturing.
Finally, at this crossroads are Third-Party GRC platforms. These are solutions that were built not only to manage risk in relationships but also to ensure that those relationships achieve their objectives and act with integrity. They are built for a broad perspective of third-party risk, providing that 360° contextual awareness of risk across domains, and they can integrate with other systems such as the ERP environment, procurement systems, and even enterprise GRC platforms. They can be deployed for a single third-party risk challenge and then expand to grow and mature into a broad enterprise perspective of third-party risk. The best of these come with deep domain experience and an ability to support organizations at any stage of their maturity, from those just getting off spreadsheets to the most complex global third-party GRC programs.
As John Muir stated, when you tug on that one thread you find it attached to everything else. Third-party risk cannot be managed in disconnected systems, or in systems that do not allow for a complete view of third-party risk. Organizations need to see all the risk a single relationship brings in one place and be able to manage that risk at both a macro and a micro level, from the relationship level down into the details.
My advice: when you are at the crossroads, understand where each road may lead and what it may entail. Do your due diligence. Ask the right questions. It is expensive and time-consuming to take the wrong pathway and end up back at the crossroads. Be careful to select a solution that can grow and expand, and that can deliver on the agility and maturity of third-party GRC. This is what gives the organization the capability to “reliably achieve objectives, while addressing uncertainty, and act with integrity” in and across its third-party relationships.