This blog is an extract from the white paper Managing Risk & Compliance Across 3rd Party Relationships, written by Michael Rasmussen of GRC 20/20 Research. The paper is available in its entirety from GRC 20/20 Research.
No company is an island. Organizations are a complex and diverse network of business relationships in which risk and compliance challenges do not stop at traditional organizational boundaries. Organizations struggle to identify, manage, and govern business relationships. The challenge is: “Can you attest that risk and compliance are managed across extended business relationships?” An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak oversight. This is true across industries, but some, like financial services, are seeing greater regulatory oversight of third party/vendor risks (e.g., US OCC).
Across industries, organizations are facing global regulatory pressure on third-party oversight and due diligence in the context of anti-bribery and corruption (e.g., US FCPA, UK Bribery Act, OECD Principles) and conflict minerals (e.g., Dodd-Frank Act, Europe’s Conflict Mineral Regulation). Major brands have focused efforts on social accountability in the context of international labor standards (e.g., child labor, forced labor, working hours, health and safety). There is significant pressure on third-party management in the context of PCI DSS and protection of credit card data. The Target breach is a case in point: an air-conditioning vendor was the doorway into the largest credit card breach of a POS system to date.
Third party relationships are critical to business today but introduce a significant exposure to risk. Organizations fail when they look at the formation of a business relationship and do not foresee that issues cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship. They make two common mistakes:
- Risk is only considered during the on-boarding process. Risks in extended business relationships are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This approach fails to recognize that additional risk is incurred over the life of the business relationship.
- Partner performance evaluations neglect risk. Metrics and measurements often fail to fully analyze and monitor risk. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.
Risk and compliance issues and corresponding processes constantly bear down on these relationships. Business processes and corresponding technologies that operate autonomously introduce further risk, as there is no view into the range of risk issues that a single business relationship brings to the organization.
Organizations need an integrated approach to third-party risk and compliance management that brings together people, process, and technology to deliver not only efficiency and effectiveness but also agility. Ignoring an integrated view of extended business relationships can result in business relationships that behave like leaves blowing in the wind, with no one monitoring the ever-changing risks in a dynamic business environment.
The building blocks of an effective, efficient, and agile third-party risk management program are:
- Define Your Program. The first step is to define the third-party management program. While an individual needs to lead the program, different parts of the organization must also work with this role. Defining your program includes understanding board oversight and reporting for third-party risk and compliance, and establishing a cross-functional team to ensure that the operational, reputational, and compliance risks in business relationships are appropriately addressed. This team needs to work with the relationship owners to ensure a collaborative and efficient oversight process is in place.
- Establish Framework. The third-party management framework is used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. The framework starts with developing a list of third-party relationships cross-referenced to risks and regulations affecting those relationships. A framework is an organized set of controls used to measure compliance against multiple risks, regulations, standards, and best practices.
- Onboarding. Evaluation of risk and compliance needs to be integrated with the process of procurement and vendor/supplier/partner relations. A business relationship is evaluated against defined criteria to determine whether the relationship should be established or avoided. When there is a high degree of inherent risk but the relationship is still necessary, manage the risk within the tolerance level by establishing compensating controls and monitoring requirements.
- Ongoing Monitoring. A variety of environmental and geopolitical factors can affect the success or failure of any given business relationship. These include the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geopolitical risks. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationships on an individual and aggregate level. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
- Resolve Issues. Even the most successful business relationships encounter issues. These may arise from quality, health and safety, regulatory, environmental, business continuity, economic, fraud, or legal and regulatory mishaps. The fallout from incidents is exacerbated when everyone scrambles because nobody developed defined action and resolution plans ahead of time. Management of risk across extended business relationships should account for issues and plan for containment, mitigation, and resolution.
The challenge is that many organizations try to manage all of this with spreadsheets, documents, and email. These approaches are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciliation than on active risk monitoring of extended business relationships.
Bottom Line: Third-party risk management is enabled at an enterprise level through implementation of an integrated third-party risk management platform. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third-party risk management platform enables the organization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.
Effectively managing and monitoring risk across third-party relationships requires a centralized platform to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. The ideal platform engages extended business partners and their employees as well as internal staff. Ideally, these systems provide capabilities that help the organization:
- Ensure ownership and accountability are clearly established and understood
- Manage the on-boarding and the ongoing risk and compliance scoring and assessment processes
- Conduct initial and ongoing assessments
- Actively monitor all business partners for adherence to code-of-conduct and related policies
- Make changes in risk profiles based on targeted risk assessments
- Leverage built-in question sets to streamline surveys and questionnaires
- Initiate and manage incident follow-ups and investigations
- Use verifiable evidence to readily attest to “in compliance” status