A haphazard department- and document-centric approach to third party GRC compounds the problem rather than solving it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional, coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships, with real-time information about third party performance, risk, and compliance and about how each relationship impacts the organization.
GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.
There are five stages to the model:
1. Ad Hoc
Today we look at Stage 1, the Ad Hoc level of Third Party GRC.
Organizations at the Ad Hoc stage of maturity have siloed approaches to third party governance, risk, and compliance at the department level. Businesses at this stage do not understand the risk and exposure in their third party relationships, and few if any resources are allocated to third party governance. The organization addresses third party GRC in a reactive mode, doing assessments only when forced to. There is no ownership or monitoring of risk and compliance, and certainly no integration of risk and compliance information and processes in the context of third party performance.
Characteristics of the Ad Hoc Maturity stage are:
- Siloed and ad hoc practices
- No third party segmentation
- Lack of skills and resourcing
- No defined roles and responsibilities
- No governance structure or third party risk management matrix in place
- No defined third party management program or risk framework
- No documented policies or procedures
- Ad hoc and reactive assessments
- Document-centric approaches
- Ad hoc reactive approach that addresses issues as they arise
- Little to no technology in place
- No visibility, trending or analytics
- No board or senior management sponsorship
Key elements that identify an organization is at the Ad Hoc stage are:
- Blind spots. Businesses at this stage are subject to many blind spots: they lack the understanding of risk and exposure in third party relationships that is vital to governing them.
- Reactive. The organization addresses third party risk and compliance in a reactive, firefighting mode, such as completing assessments only when forced to.
- Lack of ownership or accountability. No one has been appointed to take control of third party risk.
- Lack of process. There are no defined or consistent processes or methodologies for managing third parties or the risks they expose the organization to.
- Under-resourced. Few resources are allocated to third party governance.
- Manual. With little technology support in place and a reliance on spreadsheets and email, processes fail to be consistent or repeatable.
Organizations in the Ad Hoc stage are very much in reactive mode and are likely to answer many of the following questions in the affirmative:
- Does third party governance, risk, and compliance lack clear owners and accountability within departments?
- Are assessments and controls put in place after the fact, when the organization realizes it is exposed or someone is insisting on them?
- Is third party risk and compliance largely undocumented, or trapped in silos of spreadsheets and documents?
- Does the organization lack any process, information, and technology architecture to support third party governance?
- Does the department or business function have no ability to report and trend third party risk and compliance over time?
After reflecting on these points, it is time to next ask: is your organization at the Ad Hoc stage of Third Party GRC Maturity?
Aravo, leveraging GRC 20/20's research report Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships, has built the Third-Party Risk Management Maturity Calculator, which takes this assessment deeper and provides insight into how to improve your organization's maturity and approach.