A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.
GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.
There are five stages to the model:
- Ad Hoc
Today we look at Stage 3, the Defined level of Third Party GRC
The Defined stage suggests that the organization has some areas of third-party GRC that are managed well at a department level, but it lacks integration to address third-party risk across departments. Organizations in the Defined stage will have defined processes for third-party GRC in some departments or business functions, but there is no consistency. Third party GRC processes have the beginning of an integrated information architecture supported by technology and ongoing reporting. Accountability and oversight for certain domains such as bribery and corruption risk and compliance, and/or information security are beginning to emerge.
Characteristics of the Defined Maturity stage are:
- Third party GRC program and processes are defined with roles and responsibilities at a department level
- A formalized approach is in place with the framework designed and control practices in place
- Risk appetite not yet well defined or aligned, although inherent risk assessments are maturing.
- Strategic approach to governing third parties is happening at a department level
- The organizations is addressing islands and areas of third party risks
- Some reporting and trending at a department level
Key elements that identify an organization is at the Defined stage are:
- Better efficiency, but room for fine tuning. You are beginning to gain efficiencies at the department level as you move away from document and email centric processes, but compiling reports across the business is likely to take time, and data is likely to be incomplete.
- Semi-automated. You are beginning to automate some business processes, leading to better onboarding times, and other efficiencies in parts of your program.
- Reporting is getting better. Better reporting and monitoring at the individual level, but it is still hard to extract an enterprise-view of risk.
- Governance and oversight is starting to develop. There is some senior management engagement, and particular risk domains such as anti-bribery and corruption and information security, may be benefiting from an enhanced level of oversight.
- Better vision and transparency. Businesses at this stage are beginning to eliminate blind-spots, with a more integrated view of risk and compliance. However, the organization is still blinkered at the enterprise view of risk.
Organizations in the Defined Maturity stage answer many of the following questions affirmatively:
- Does the organization have silos of mature third party GRC processes at a department, geographic area, or business unit level?
- Do individual departments have defined third party information and technology architectures?
- Can the department or geography readily report and trend on third party risk and compliance over time?
- Have departments removed reactive document-centric approaches?
- Is there clear accountability and responsibility for third party risk and compliance at a department level?
After reflecting on these points, it is time to next ask: is your organization at the Defined stage of Third Party GRC Maturity?
Aravo, leveraging the GRC 20/20’s Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships research report, Aravo has built the Third Party Risk Management Maturity Calculator that takes this deeper and provides insight on how to improve your organization’s maturity and approach.
Aravo, leveraging the GRC 20/20’s Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships research report, has built the Third-Party Risk Management Maturity Calculator that takes this deeper and provides insight on how to improve your organization’s maturity and approach.