Michael Rasmussen and his team at GRC2020 recently published a new Solution Perspective on Aravo. What makes this particularly notable is Michael’s extensive knowledge of the GRC space — he is uniquely qualified and positioned to review the full gamut of software solutions that populate the GRC and TPRM landscape. Not only was he one of the first analysts to discuss both markets and the criteria that define mature programs and the solutions that support them, but his ability to discern good programs and good software from bad is based on decades of experience, exposure, and critical analysis.
The previous Aravo Solution Perspective was published in 2021, and in the ensuing years, the character of the GRC and TPRM markets has changed, both in terms of market drivers — regulations, oversight, societal, cultural, and competitive pressures — and, of course, technology. In particular, the last five years have seen significant developments in technological capabilities directly developed within or integrated into GRC and TPRM solutions. Automation, Artificial Intelligence (AI), advanced workflows and data models, and deeper integration with risk intelligence have driven greater capacity, depth, and breadth in TPRM solutions.
Many TPRM vendors, Aravo included, enable risk professionals to do more and better with increased speed, agility, and accuracy than they could have imagined five years ago. It’s good for the industry and it’s good for all the stakeholders and practitioners dedicated to the discipline that is TPRM.
Michael’s analysis of Aravo’s capabilities is comprehensive, especially as paralleled with the constantly evolving requirements of risk professionals and practitioners in the market. His perspective clearly shows that for a broad diversity of risk management needs and evolving requirements, Aravo has a solution that steps up to and exceeds current and future expectations. Our commitment to delivering the best solution for rapidly escalating customer needs, a broadening regulatory and risk category landscape, and demands for deepening analytics, insights, and intelligence has helped Aravo lead this market. Michael’s analysis helps define how and why Aravo is the solution of choice for risk professionals seeking a solution that will empower them as they extend their scope, scale, and TPRM program maturity.
A dimension that Michael explores in some detail in the Solution Perspective is TPRM program governance. Particularly as TPRM best practices are expanding across networks of third parties and across risk categories — bribery & corruption, fraud, financial risk, operational, cybersecurity, privacy, ESG & sustainability, and reputation & brand integrity — programs can quickly expand across an organization, locations, and teams, stressing core structure and systems management. We see organizations with multiple iterations of TPRM programs separated by distance, function, systems, and leadership across a single entity, with various teams trying to make sense of different data models, risk assessment models, and reporting models. It’s not a small problem.
A little over a month ago, I saw some of these challenges firsthand. Aravo sponsored and attended the annual Third-Party Risk Association (TPRA) event in Myrtle Beach, South Carolina. It’s a great event for TPRM experts and enthusiasts. I attended multiple sessions and was impressed at the openness and participation of the attendees, sharing their challenges and accomplishments. One thing that stuck out to me was from a session where the presenter asked the people in the room to share what teams and roles their TPRM programs reported to and how their programs were governed. The responses were remarkably inconsistent. I’d like to say that the responses aligned to industry — in finance, TPRM programs are managed by the Chief Risk Officer, in pharmaceuticals, they’re managed by the Chief Compliance Officer, or in manufacturing by the procurement team leadership — but that was not the case; there was no notable consistency. Yet, if you don’t have well-defined ownership for a TPRM program, it can be difficult to know how to escalate concerns, who’s accountable, which roles have oversight, and how and by whom rules and strategies are defined. That’s a call for governance.
To bring it back to Michael’s Solution Perspective, it’s not rocket science to recognize that a third-party risk management program is a part of and an extension of an organization’s GRC approach. There are different criteria, limitations, and methodologies, but at their core, both programs attempt to define risk as the effect of uncertainty on an organization’s objectives and outcomes, and compliance as adherence to rules, standards, regulations, ethics & integrity obligations. Ideally, these criteria apply internally and externally, including with third parties, suppliers, vendors, partners, resellers, etc. After all, risk and compliance management are foundational to a good TPRM program. Yet, it is governance that holds it all together and creates a defined, measurable, adaptable program out of it. Governance establishes objectives, rules, norms, processes, how decisions are made, by whom and why, and how accountability and acceptable business practices are defined, all designed to ensure the organization can meet its strategic goals.
A robust governance program is essential for a company to clearly define its long-term capabilities, strategically allocate resources, and effectively adapt to evolving market conditions. When ownership and accountability are well-established, risk professionals gain the confidence and support they need to achieve more with fewer resources, enabling them to navigate new challenges as they arise. Investing in governance within a TPRM program is a strategic decision – it empowers the organization to proactively and programmatically manage risk, rather than simply reacting to issues as they occur.
Governance is where a GRC or TPRM program should start, but it is too often neglected or ancillary to the R and the C. Michael asserts – and I agree – this is detrimental to program success. And it’s also why you have separated, siloed, and independent teams within the same organization pursuing different goals, strategies, and technologies. While each team may be motivated to do it right and deliver value for their organization, if there’s no central authority, it can breed frustration, create gaps, and leave the organization vulnerable to unseen, unknown risks. When the pace, scale, diversity, and severity of risks are increasing, a good TPRM program definition, objectives, strategies, and leadership – governance – may be what separates the winners from the losers.
Michael has included some well-defined validation for why TPRM professionals should be viewing their discipline as TPRM GRC. “Governance sets the strategic direction and ensures that each third-party relationship is not only compliant with regulations but also aligned with the organization’s broader goals. In essence, governance provides the framework within which risk and compliance are managed, helping to ensure that third-party relationships drive value, not just avoid risk… By setting clear governance guidelines, organizations can build stronger, more resilient third-party relationships.”
“To truly thrive in today’s business landscape, organizations must think in terms of third-party GRC, starting with governance and ensuring that each relationship contributes to their broader strategic objectives. By adopting a third-party GRC approach, organizations can move beyond simply mitigating risk and instead focus on building strong, valuable third-party relationships that support their operational, financial, and ethical goals. In doing so, they can not only reduce risk but also drive long-term success in an increasingly complex and interconnected global business environment.”
I could not have said it better myself.
Aravo is at the forefront of the TPRM industry, delivering robust and trusted solutions for organizations that recognize that the best software solutions align to and optimize the best TPRM approaches. And those best programs are well-defined, well-executed, and include each element of GRC – governance, risk, and compliance – to make them successful.
Ready to elevate your third-party risk management program? Download the most recent Aravo Solution Perspective and contact our team today to ask us about best defining and integrating governance in your TPRM program.