The global business landscape today is a complex web of interconnected organizations—the extended enterprise. This interconnectedness delivers unprecedented opportunities for growth, efficiency, and innovation. However, it simultaneously amplifies risk exposure, creating vulnerabilities across third-party relationships.
As geopolitical and economic tensions and uncertainty escalate, it is critical that organizations urgently reassess and enhance their third-party governance, risk management, and compliance (GRC) strategies. This enables the organization to reliably achieve objectives in each relationship and across relationships (governance), address uncertainty in achieving those objectives (risk management), and act with integrity within each relationship (compliance).
Critical to this is geopolitical risk management and resilience of the extended enterprise, as well as meeting the obligations of the numerous laws and regulations impacting these relationships (a summary is at the bottom of this post).
CALL TO ACTION: Organizations cannot manage third-party risk in disconnected silos, departments, and functions going in different directions and not collaborating. Organizations absolutely need an integrated approach to third-party governance, risk management and compliance to ensure they have full visibility into the extended enterprise.
The Multifaceted Challenges of Today’s Extended Enterprise
Each third-party relationship—from suppliers and vendors to agents and distributors—introduces potential uncertainties, issues of resilience, and integrity. With intensifying geopolitical instability, the extended enterprise faces heightened risks from:
Tariffs and Trade Policies. Sudden policy shifts, such as the recent U.S. policies and corresponding global trade wars, have led to increased tariffs, affecting procurement costs, supply chain dynamics, and overall profitability.
Regulatory Volatility. Regulations are evolving at a rapid pace and require diligent oversight and rapid adaptability. These include an array of bribery and corruption, resilience, privacy, and modern slavery laws, among others. A thorough, but not comprehensive, list is at the bottom of this post.
Global Conflicts. Conflicts, such as the war in Ukraine, conflicts in the Middle East and disruptions in the Suez Canal, disrupt supply chains, particularly for commodities like energy, grain, and critical raw materials, forcing companies to scramble for alternative sources.
Commodity and FX Fluctuations. Fluctuating prices and foreign exchange volatility significantly impact budgeting, pricing strategies, and financial planning.
Rethinking Third-Party Governance
Traditional transactional approaches to third-party relationships, which primarily emphasized cost and punctuality, are no longer adequate. Robust third-party governance and risk management must:
Align Strategic Objectives. Clearly articulate and align third-party relationship objectives with the organizational objectives and strategy to ensure mutually beneficial outcomes.
Continuous Risk Assessments. Utilize continuous monitoring, due diligence, geopolitical and risk intelligence feeds, and analytics tools to proactively identify, assess, and mitigate risks and uncertainty.
Value Alignment and Integrity. Regularly evaluate and monitor third-party practices to ensure ethical alignment and compliance with organizational values as well as laws, regulations, and global standards.
Building Resilience into Third-Party Risk Management
Resilience in third-party risk management means being prepared to navigate disruptions effectively. Strategies include:
Supplier Diversification. Avoid over-reliance on single-source suppliers and continually reevaluate geopolitical risks to ensure that the organization's extended enterprise remains agile.
Real-Time Monitoring and Analytics. Implement advanced analytics solutions to monitor geopolitical developments to enable swift responses to emerging threats.
Scenario and Contingency Planning. Regularly simulate potential disruptions and prepare contingency plans through scenario analysis, table-top exercises, and micro-simulations so that the organization can successfully navigate them when they occur.
An Integrated Approach to Third-Party Governance (GRC)
Now is the time to act decisively. Organizations must strategically invest in their third-party GRC capabilities, embedding resilience and integrity deeply into the operational ethos of their extended enterprise. In doing so, they not only mitigate today's risks but position themselves to confidently thrive amid future uncertainties. The extended enterprise's resilience and integrity depend on proactive, diligent, and strategic third-party governance. Your business's future demands nothing less.
Addressing these multifaceted risks demands an integrated strategy, process, information/intelligence, and technology. Organizations need to:
Appoint someone to lead the strategy across departments and functions
Insist that various silos cooperate and participate in an integrated third-party governance and risk strategy
Foster an organizational culture that values transparency, accountability, and ethical business practices across the extended enterprise
Monitor geopolitical, regulatory, and other third-party risk intelligence feeds to ensure responsiveness to evolving circumstances, both globally and within individual third parties
Deploy robust third-party governance and risk management (GRC) software providing comprehensive oversight of third-party engagements and collaboration
Laws & Regulations Impacting the Extended Enterprise
Here is a list of laws and regulations, in various states of enforcement, impacting the extended enterprise. This list is not comprehensive, but it gives a good indication of the growing scope of regulatory and legal volatility and complexity.
Operational Resilience. The following laws predominantly, but not exclusively, focus on financial services. While broadly focused on operational resilience, that resilience cannot be achieved without managing third-party risk, and every one of them includes strong third-party risk management requirements:
United Kingdom Operational Resilience Regulations
European Union Digital Operational Resilience Act (DORA)
Australia Prudential Standard CPS 230 – Operational Risk Management
Federal Reserve, OCC, and FDIC Joint Guidance on Operational Resilience (guidance, not regulation)
Singapore Monetary Authority of Singapore (MAS) Guidelines on Operational Resilience
Hong Kong Monetary Authority Supervisory Policy Manual OR-2 on Operational Resilience
Canada OSFI Guideline B-13: Technology and Cyber Risk Management
Broad Environmental, Social, Governance (ESG)/Sustainability. The following are laws that regulate broad ESG and sustainability reporting that tie into supply chains. More specific laws are listed below.
European Union Corporate Sustainability Reporting Directive (CSRD), Taxonomy Regulation & Corporate Sustainability Due Diligence Directive (CSDDD) (being rescoped with the EU Omnibus but still significant)
Germany Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG)
France Duty of Vigilance Law (Loi de Vigilance)
Switzerland Responsible Business Initiative
Dutch Bill for Responsible and Sustainable International Business Conduct
Austrian Supply Chain Act (Proposed)
Modern Slavery. The following are laws and regulations that address human rights in the context of modern slavery (forced labor, child labor) and working conditions in the extended enterprise:
European Union Conflict Minerals Regulation
European Union Forced Labour Regulation
United Kingdom Modern Slavery Act
Norway Transparency Act
California Transparency in Supply Chains Act
USA Uyghur Forced Labor Prevention Act (UFLPA)
USA Dodd-Frank Act – Section 1502 (Conflict Minerals Rule)
USA Trade Facilitation and Trade Enforcement Act (TFTEA)
Canada Fighting Against Forced Labour and Child Labour in Supply Chains Act
Australia Modern Slavery Act
Australia New South Wales Modern Slavery Act
Dutch Child Labour Due Diligence Law
Anti-Bribery & Corruption. The following are key anti-bribery and corruption (ABAC/ABC) laws and regulations from around the world that are particularly relevant to third-party risk, as intermediaries (agents, resellers, consultants, distributors, etc.) are often a primary source of bribery and corruption exposure.
USA Foreign Corrupt Practices Act (FCPA)
United Kingdom Bribery Act
France Sapin II Law
Canada Corruption of Foreign Public Officials Act (CFPOA)
China Anti-Unfair Competition Law & Criminal Law Provisions
Australia Criminal Code Act – Division 70
Multilateral Frameworks Influencing National Laws: OECD Anti-Bribery Convention, UN Convention Against Corruption (UNCAC), Transparency International Guidelines
Environmental Regulations. This category could expand much further; here are some that are currently top of mind:
European Union Regulation on Deforestation-free Products
European Union Battery Regulation
European Union Registration, Evaluation, Authorisation, and Restriction of Chemicals (REACH)
California Senate Bill 253 (SB 253): Climate Corporate Data Accountability Act
California Senate Bill 261 (SB 261): Climate-Related Financial Risk Act
Chinese Due Diligence Guidelines for Responsible Mineral Supply Chains
China Restriction of Hazardous Substances (RoHS) Directive
Japan The Act on Promoting Green Procurement
Japan The Clean Wood Act
Singapore Mandatory Climate-Related Disclosures
Global (many countries and states/provinces) Extended Producer Responsibility
Global liability and regulation related to PFAS (Per- and Polyfluoroalkyl Substances – Forever Chemicals)
Privacy & Information Security. The following are the significant privacy and information security laws and regulations that impact third-party relationships:
California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
New York SHIELD Act
Virginia Consumer Data Protection Act
Colorado Privacy Act
Connecticut Data Privacy Act
Utah Consumer Privacy Act
USA HIPAA (Health Insurance Portability and Accountability Act)
USA GLBA (Gramm-Leach-Bliley Act)
USA FTC Safeguards Rule
European Union General Data Protection Regulation (GDPR)
European Union NIS Directive
European Union NIS2 Directive
United Kingdom GDPR (Post-Brexit version of GDPR)
United Kingdom Data Protection Act
Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
Québec Law 25
Australia Privacy Act
Australia Notifiable Data Breaches Scheme
Singapore Personal Data Protection Act (PDPA)
Singapore Cybersecurity Act
Japan Act on the Protection of Personal Information (APPI)
China Personal Information Protection Law (PIPL)
China Cybersecurity Law
China Data Security Law
South Korea Personal Information Protection Act (PIPA)
Brazil General Data Protection Law (LGPD)
India Digital Personal Data Protection Act
OK, I have not even gotten into things like sanctions, the US Federal Acquisition Regulation, or regulations around animal welfare (a third-party risk concern in life sciences), inappropriate promotion, and I can keep going . . .
For example, here is the list of third-party risk categories that was put together in one comprehensive third-party risk program at a major life sciences company that I advised on its RFP:
In a similar example, here is the list of third-party risk categories from another life sciences firm I interacted with that is delivering a comprehensive third-party risk program:
Anti-bribery and corruption
InfoSec
Information Systems Quality
Privacy
Animal welfare
Business continuity (includes concentration, material)
Health, safety, and environment
Compliance (promotional practices, bioethics)
Product quality and safety (clinical trial, human biological sample management, pharmacovigilance)
Strategic sourcing
Intellectual property
ESG
Performance and Contractual
Global Security
Fourth Party risk across all domains
I also have similar structures from financial services, consumer packaged goods, and many other industries.
Ready to Elevate Your TPRM Strategy?
Join Michael Rasmussen for an interactive 'TPRM by Design' workshop in London. Discover proven strategies, exchange ideas with peers, and walk away with actionable methodologies to transform your third-party risk management program.
Partnering with Aravo today can set organizations up for success tomorrow – and beyond! Contact us to see our Intelligence First Platform™ in action and learn how we can help your team adopt a holistic, strategic TPRM program.
Michael Rasmussen
The GRC Pundit & Analyst
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 30+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.
Michael has contributed to U.S. Congressional reports and committees, and currently serves on the Leadership Council of the OCEG and chairs the OCEG Technology Council, OCEG Policy Management Group, and the OCEG GRC Architect Group.
Michael is quoted extensively in the press and is respected for his commentary on broadcast news channels. He is an Honorary Life Member and Global Ambassador of Risk Management with The Institute of Risk Management for his contributions to risk management and GRC. Treasury & Risk recognized Michael as one of the 100 most influential people in finance with specific accolades noting his work in “Governance and Compliance: Saving the Planet and the Corporation” and as a “Rising Star in Rocky Times: Corporate America’s Outstanding Executives.”
Prior to founding GRC 20/20 Research, Michael was a Vice-President and 'Top Analyst' at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm, and prior to that he managed compliance and risk within commercial organizations.
Michael's educational experience consists of a Juris Doctorate in law and a Bachelor of Science in Business. Michael has a Master in Church History with a focus on Medieval Church History from Trinity Evangelical Divinity School, and is pursuing a Masters in Pastoral Ministry at Nashotah House. He is a GRCP (GRC Professional), PMP (Policy Management Professional), CCEP (Certified Compliance and Ethics Professional), and a CISSP (Certified Information Systems Security Professional). OCEG has recognized him as an OCEG Fellow for his contributions to and advancement of GRC practices around the world.