Aravo hosted a Third Party GRC Management by Design Workshop led by Michael Rasmussen of GRC 20/20 in London this week. While there was a strong showing by financial services firms, the group was diverse in terms of industry and program maturity. At the end of the session, Michael asked them to share their biggest learning. The most common response by far was relief in realizing everyone was still on the path to program maturity and faced many of the same issues.
The complexity of managing third-party risk
First, there is the sheer complexity of managing third-party risk across an organization. In addition to the many kinds of risks posed by third parties, new ones continue to arise, such as new regulations and possible pandemics. Even the existing regulations are subject to change, whether it’s a modification of the regulation itself or the expectations of the agencies that enforce them. And all of this has to be managed in collaboration with large numbers of internal stakeholders and third parties.
As an example, one organization pointed to the changes in regulations and guidance around outsourcing issued in less than six months. The EBA (European Banking Authority) Outsourcing Guidelines went into effect in September of last year. Just before the holidays, the PRA (Prudential Regulation Authority) issued Consultation Paper 30/19, which has some subtle differences from the EBA Guidelines. And just this month EIOPA (European Insurance and Occupational Pensions Authority) published its own guidelines on outsourcing to cloud service providers. Not only does the organization have to adapt its program accordingly, it must also collaborate with internal and external stakeholders to manage the impact of those changes as well as any others that may also be happening.
Developing a culture that supports third-party risk management
Despite this complexity, participants agreed that it’s important to keep the process simple for internal and external users. Culture and board engagement were noted as two of the most important factors in the success of a program. Without buy-in from those who interact with the processes and systems used to manage third-party risk, there is the risk of non-compliance. And that buy-in should ideally start at the top with engagement from the board. This not only fosters a culture of compliance, but it also ensures that the third-party risk program gets the appropriate attention, priority, and resources.
One organization attending was an excellent example of the role that the board can play in maturing a third-party risk management program. They reported that in the 12 months since the board recognized third-party risk as a top five risk facing the organization, their team had doubled and funds had become available to implement a more comprehensive technology for managing third-party risk. As a result, their program is maturing rapidly.
More tools, more problems
Third-party risk management tools should reduce the complexity for practitioners, internal stakeholders, and third parties, but many of the attendees reported that the opposite is true. Many found that having tools could sometimes create more problems. Lack of integration and process standardization created data silos that required manual workarounds to centralize the data needed to make decisions. Others said they felt that the abundance of tools prevented them from using some of them to their full capacity because they just didn’t have the time and resources to really maximize each one.
For example, one attendee was using components of various existing solutions that touched third-party risk, which meant that there was no single, integrated system for managing the end-to-end third-party life cycle. They’d also subscribed to a third-party data intelligence provider, which one of the existing solutions promised it could integrate. Unfortunately, that project was not successful, so the reports from that provider have to be downloaded and managed outside of any of the systems, creating yet another silo. The organization is planning to reduce the number of tools and create a more streamlined process, which they believe will help them move to the Integrated Stage of third-party risk management program maturity.
While acknowledging that they are all on a similar journey, attendees recognized that everyone has to move at a pace that’s realistic for them as they move closer to an Agile third-party risk management program. Every organization’s ability to adapt to change, resources, and risk appetite is different. If you’re not sure how to benchmark your program maturity, check out Aravo’s Maturity Calculator, which can help you identify your stage in Michael Rasmussen’s Third-Party GRC Maturity Model. It will also generate a custom report outlining next steps for getting closer to your program goals.