A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.
GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.
Today we look at Stage 4, the Integrated level of Third Party GRC
In the Integrated stage, the organization has a cross department strategy for managing third-party governance across risk and compliance. Third-party GRC is aligned across several departments to provide consistent frameworks and processes. The organization addresses third party GRC through shared processes and information that achieve greater agility, efficiency and effectiveness. However, not all processes and information are completely integrated, and there is not an integrated view of third party performance.
Characteristics of the Integrated Maturity stage are:
Strategic approach to third party governance across departments, from a risk and compliance perspective
Governance model agreed at board level
Standardized third party risk management approach implemented and adopted, with documented processes
Third parties are segmented according to agreed and understood criteria
Robust performance measures are in place
Appropriate skill-set and resources, with roles and responsibilities allocated
Third parties engaged and involved
Silos have begun to be eliminated
Common process, technology and information architecture across the business
Trending and reporting across the business
Key elements that identify an organization is at the Integrated stage are:
Good vision and transparency. The organization benefits from an integrated view of risk and compliance, across departmental, regional and enterprise levels. There is a beginning to consider the implications of performance in third party assessments.
Good efficiency. Silos have been broken down across the organization. It is likely that the organization has seen onboarding times drop dramatically, adoption rates for third party assessments increase, and all three lines of defense operating in a single system.
Reporting is robust. Reports are comprehensive and delivered to management about multiple categories of risk associated with third parties and their engagements. The organization is beginning to collect data about the performance of the program which can contribute to continuous improvement and ROI/value conversations.
Fully auditable. The program has a system with full audit capabilities, so the organization can understand every action that has been taken in the program and whom it has been done by, when.
Organizations in the Integrated Maturity stage answer many of the following questions affirmatively:
Does the organization have a third-party GRC strategy that goes across departments?
Does the organization have shared processes for third-party GRC?
Does the organization have a shared information and technology architecture for third-party GRC?
Can the organization report and trend on third parties across departments?
Can the organization aggregate and understand third-party risk across the business?
After reflecting on these points, it is time to next ask: is your organization at the Integrated stage of Third Party GRC Maturity?
Aravo, leveraging the GRC 20/20’s Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships research report, Aravo has built the Third Party Risk Management Maturity Calculator that takes this deeper and provides insight on how to improve your organization’s maturity and approach.
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 30+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.
Michael has contributed to U.S. Congressional reports and committees, and currently serves on the Leadership Council of the OCEG and chairs the OCEG Technology Council, OCEG Policy Management Group, and the OCEG GRC Architect Group.
Michael is quoted extensively in the press and is respected for his commentary on broadcast news channels. He is an Honorary Life Member and Global Ambassador of Risk Management with The Institute of Risk Management for his contributions to risk management and GRC. Treasury & Risk recognized Michael as one of the 100 most influential people in finance with specific accolades noting his work in “Governance and Compliance: Saving the Planet and the Corporation” and as a “Rising Star in Rocky Times: Corporate America’s Outstanding Executives.”
Prior to founding GRC 20/20 Research, Michael was a Vice-President and ’Top Analyst’ at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm, and prior to that has specific experience managing compliance and risk within commercial organizations.
Michael’s educational experience consists of a Juris Doctorate in law and a Bachelor of Science in Business. Michael has a Master in Church History with a focus on Medieval Church History from Trinity Evangelical Divinity School, and is pursuing a Masters in Pastoral Ministry at Nashotah House. He is a GRCP (GRC Professional), PMP (Policy Management Professional), CCEP (Certified Compliance and Ethic Professional), and a CISSP (Certified Information Systems Security Professional). OCEG has recognized him as an OCEG Fellow for his contributions and advancement of GRC practices around the world.
The GRC Pundit & Analyst
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 30+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile.
