This blog is an extract from the white paper Managing Risk & Compliance Across 3rd Party Relationships, written by Michael Rasmussen of GRC 20/20 Research. The paper, in its entirety, can be found by clicking here.
DoubleCheck is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in distributed and dynamic business environments across industries and of varying size. DoubleCheck has recently updated their Vendor Management solution to 3.0, which provides increased capabilities to manage third parties on an ongoing and continuous basis. GRC 20/20 has seen significant progress in user interface design with a focus on intuitiveness and ease of use in the 3.0 release.
The Value of DoubleCheck Vendor Management
Successful governance, risk management and compliance (GRC) delivers the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment with agility. GRC solutions should achieve better performing processes that utilize more reliable information. This enables a better performing, and a less costly, more flexible business environment. Clients engage DoubleCheck with the goals of understanding and managing risk, ensuring compliance with obligations, improving human and financial efficiencies, enhancing transparency, and managing GRC in the context of business change.
GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:
- Effective. At the end of the day GRC is about effectiveness: ensuring that risk and compliance are properly understood, monitored and managed at all levels of the organization. Effectiveness delivers a holistic understanding and prioritization of risk and compliance aligned with the business and kept under control. GRC effectiveness is validated through greater assurance of the design and operational effectiveness of controls to mitigate risk, achieve performance, protect integrity of the organization, and meet regulatory requirements.
- DoubleCheck Vendor Management is effective. Organizations that GRC 20/20 interviewed utilizing DoubleCheck for Vendor Management stated that they had increased ability to manage all parts of the vendor/third party lifecycle on a regular ongoing basis to identify and respond to risk and compliance concerns as they arose in the changing nature of business and the relationship.
- Efficient. GRC solutions provide efficiency and savings in human and financial capital resources. Technology solutions that support business and GRC processes reduce operational costs by automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations. GRC should reduce operational costs by providing access to the right information at the right time, and reduce the time spent searching for answers.
- DoubleCheck Vendor Management is efficient. Organizations that GRC 20/20 interviewed utilizing DoubleCheck for Vendor Management reported that they were able to conduct more assessments of more relationships over a time period than they could with their previous approach. Overall they were able to streamline processes, and reduce employee time on individual assessments. They saw significant savings in the time spent aggregating and reporting on risk across their third party relationships.
- Agile. GRC solutions deliver business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) as well as the external environment (e.g. economic risk, new laws, and regulations) and communicate changes to employees. GRC’s agility is also measured in responsiveness to events and issues; organizations can identify and react quickly to incidents so that action can be taken.
- DoubleCheck Vendor Management is agile. Organizations that GRC 20/20 interviewed utilizing DoubleCheck for Vendor Management reported that the flexibility of the solution allowed them to adapt and expand it as they needed to keep current with their changing business, as well as risk and regulatory environments. A financial services firm specifically stated they have seen value in being able to manage risk and compliance in vendor relationships as regulatory scrutiny in this area has increased with enhanced requirements.
Capabilities of DoubleCheck
DoubleCheck Vendor Management enables an organization to be proactive in managing dynamic and extended business relationships across a range of third parties. It assures stakeholders and the board that their third party business relationships do not bring unnecessary exposure to organization operations and strategy. GRC 20/20 has evaluated the DoubleCheck Vendor Management solution and finds that it delivers a capable offering across the core needs of third party management.
The DoubleCheck Vendor Management solution delivers the following capabilities to make GRC programs effective as well as efficient and agile:
- Ease-of-use. A critical quality of a third party management solution is ease-of-use. A system that is difficult to use is an impediment to effectiveness, and inhibits the acceptance and use across an organization's extended business relationship network. DoubleCheck Vendor Management is designed to adapt to the way risk is logically managed, enabling the solution to function and allow staff to concentrate on their tasks rather than working around the limitations of tools.
- Process lifecycle. Going beyond a pure risk and compliance view of third party relationships, DoubleCheck delivers a solution that helps with the onboarding, the ongoing lifecycle and monitoring of the relationship, and the final offboarding of the relationship.
- Role and use case focus. The DoubleCheck solution goes beyond complex dashboards that simply pump metrics in all directions. The 3.0 version has shown a specific focus on the development of portals with integration and reporting of information in the context of specific roles and use cases.
- Onboarding. With DoubleCheck Vendor Management, organizations gain a solution that can be used to define the relationship, store and manage contracts, establish service levels, and conduct initial due diligence. The onboarding process allows for the efficient establishment of a relationship and the ability to move it to an ongoing continuous monitoring function.
- System of record. DoubleCheck Vendor Management is the system of record for the state of risk and compliance across the range of third party relationships. Everyone with a role in risk management — the risk management team, procurement, internal audit, and the compliance department — can securely access the system, enter information, notes, and analysis into their respective systems of record within the application.
- Issue management. Managing incident response efforts and day-to-day issues across third party relationships requires effective coordination and collaboration between the organization and its GRC roles, and the third party. DoubleCheck Vendor Management provides the ability to report, document, track, and manage incidents from identification to resolution. The system keeps a complete record of issues that can feed back into risk models and analysis of business relationships.
- Dashboards and reporting. DoubleCheck’s dashboarding capability means that key risk indicators of third party relationships can be pushed directly to responsible parties, enabling them to make informed decisions. Through speedometers, graphs and tables, the solution transforms critical risk metrics into actionable information in easy-to-understand visuals. Drill-down capabilities allow leaders to obtain further details and to interact with generated results.
- Relationship documentation. DoubleCheck Vendor Management allows for an organization to store relationship related information such as contracts, insurance documents, and certifications. These can be referred back to and mapped to other parts of the solution to keep context of risk and compliance throughout.
- Policy communication and attestation. The DoubleCheck solution allows an organization to manage the communication and attestation of policies, procedures, and code-of-conduct to each third party relationship where appropriate representative(s) must read, acknowledge, and attest to adherence.
- Risk and compliance assessments. The solution allows for the management, delivery, and analysis of assessments that each business partner has to answer on a periodic basis or as a specific need arises.
- Due diligence. The DoubleCheck Vendor Management solution is easily configured to manage workflow and tasks to ensure that the monitoring of business relationships against risk criteria and watch-lists (e.g., verification for companies and individuals, such as OFAC checking) is completed and that the organization is doing business with lawful entities.
- Workflow automation and task management. DoubleCheck has a solid workflow automation engine to streamline repetitive tasks and ensure tasks are assigned and monitored based on pre-defined milestones and deadlines.
- Audit management. The DoubleCheck Vendor Management module integrates with other DoubleCheck solutions such as Audit Management to provide an interface for consultants and auditors to validate risk and controls and exercise right-to-audit clauses. This involves independent audits to validate controls, risk, and compliance to laws and contractual requirements.
Considerations for DoubleCheck Vendor Management
Every solution has its strengths and weaknesses, and may not be the ideal fit for all organizations in all situations. While GRC 20/20 has identified many positive attributes of DoubleCheck Vendor Management, readers should not see this as a complete and unquestionable endorsement of DoubleCheck Vendor Management.
DoubleCheck’s Vendor Management offering delivers the core functionality that meets the requirements of the majority of third party risk and compliance needs within organizations. The solution has expanded significantly to take on broader third party management capabilities. The solution is ideally fit for managing the risk and compliance aspects of third party relationships in the context of third party lifecycle management. The solution has contract management capabilities, but does not offer advanced capabilities in this particular area in redlining and contract development.
Overall, clients have shown a high degree of satisfaction with DoubleCheck. Client references for DoubleCheck have been very strong, with many showing a long history of client satisfaction. Clients are particularly happy with the level of personal interaction and support they receive from DoubleCheck.
GRC 20/20’s Final Perspective . . .
Managing third party relationships requires a systematic process to monitor important aspects of business relationships and apply remedial action as soon as risks escalate past an organization’s risk tolerances. Risk and compliance issues and corresponding processes are constantly coming to bear on these relationships. Organizations can’t afford to use a fragmented approach to managing risk, compliance, and performance of business relationships.
A new paradigm for managing third party relationships is needed. A targeted strategy that addresses risk, compliance, and performance is needed to address the root problems and deliver cost savings and efficiency. The more extended and distributed the business, the more challenging risk and compliance is to manage. A common architecture and process can make this efficient and manageable. Inefficiencies, redundancy, errors, and potential risks are identified, averted, or contained. This reduces risk exposure, enhances business agility, and aligns risk to third party performance and enables better-performing, less costly, and more flexible business relationships.