A haphazard department- and document-centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third-party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third-party governance with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk, and compliance, as well as how it impacts the organization.
GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the third-party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.
There are five stages to the model:
- Ad Hoc
Today we look at Stage 5, the Agile level of third-party GRC.
At the Agile Maturity stage, the organization has completely moved to an integrated approach to third-party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third-party relationships. Consistent core third-party GRC processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for third-party governance with minimal overhead.
The Agile Maturity stage is where most organizations will find the greatest balance in collaborative third-party governance and oversight. It allows for some department/business function autonomy where needed, but focuses on a common governance model and architecture that the various groups in third-party governance participate in. The Agile stage increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third-party relationships, as it allows different business functions to focus on their own areas while reporting into a common governance framework and architecture. Different functions participate in third-party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.
Characteristics of the Agile Maturity stage are:
- Comprehensive governance structure with periodic meetings with board and regular governance review meetings
- Third party risk appetite and thresholds well defined and understood
- Third party segmentation reviewed annually
- Cohesion across three Lines of Defense in a third-party context
- Issue escalation rarely needed and resolved quickly/effectively
- Able to identify areas of improvement and measure ROI for relationship reviews and continual improvement
- Industry best practices understood and embraced
- Enterprise view of third-party ecosystem risk, compliance, and performance
- Third-party governance is integrated into roles and responsibilities
- Third-party governance has an integrated view of third-party performance as well as risk and compliance
- Third party governance is seen as a differentiator and impacts brand
- Extensive measurement and monitoring of third-party risk in the context of business strategy and objectives
- Board- and senior management-led engagement; senior management champions the program
Key elements that identify an organization is at the Agile stage are:
- End-to-end visibility. Full visibility of governance, risk, compliance, and performance throughout the third-party relationship lifecycle.
- Proactive ability to identify risk, compliance, and performance issues and remediate quickly and effectively. Engagements outside the risk appetite of the organization are not entered into, and the organization is prepared to terminate third parties who do not comply/cannot be remediated.
- Continuous monitoring of third-party risk and performance. If defined risk thresholds are met, appropriate actions are automatically triggered. Established data and predictive analytics mean issues can be identified before they become a problem.
- Issue management rarely needed. When it is required, it is resolved quickly and effectively.
- Organizational resilience. You understand resiliency and recovery capabilities of your critical vendors, including their fourth parties, and have plans and playbooks in place in the event of a ‘crisis event’.
- Cohesion across three lines of defense. Lines of business, compliance, risk, audit, and senior management are all working in a coordinated way.
- Innovation initiatives captured. Third-party relationships can bring even more strategic advantage to the organization through the capture and execution of collaborative innovation initiatives.
- Board- and senior management-led engagement. Senior management champions the program. Periodic meetings with the board and regular governance review meetings ensure senior management is fully engaged and well informed about the effectiveness of third-party GRC strategies.
- Third-party governance is seen as a differentiator and impacts brand. The business recognizes the value of the program, both in terms of market differentiation through corporate integrity and in terms of the ROI that can be realized through efficiencies across the organization.
- Extensive measurement and monitoring of third-party risk in the context of business strategy and objectives. Data derived from the program fuels continuous improvements.
Organizations in the Agile Maturity stage answer many of the following questions affirmatively:
- Is there a single third-party governance strategy for the entire organization that all departments participate in?
- Is third-party governance understood and monitored in the context of third-party performance and aligned with business strategy and planning?
- Can the organization monitor and trend third-party governance and performance?
- Does the organization have mature processes, information, and technology implementations to support third-party governance?
- Is there regular monitoring for improvement in third-party governance?
After reflecting on these points, it is time to next ask: is your organization at the Agile stage of Third Party GRC Maturity?
Aravo, leveraging GRC 20/20’s Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships research report, has built the Third-Party Risk Management Maturity Calculator, which takes this deeper and provides insight on how to improve your organization’s maturity and approach.