Guest blog by Michael Rasmussen, The GRC Pundit, GRC 20/20
An organisation is no longer a self-contained entity defined by brick-and-mortar walls and traditional employees. The modern organisation is composed of a mixture of third party relationships that often nest themselves in complexity, as with deep supply chains. Two decades ago the term "insider" was synonymous with "employee"; now over half of the insiders in many organisations are not employees. They are contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more.
The extended enterprise of third party relationships brings on a range of risks that the organisation has to be concerned about. Managing third party risk has risen to be a significant regulatory, contractual, and board level governance mandate. Organisations need to be fully aware of the risks in third party relationships and manage this risk throughout the lifecycle of the relationship, from on-boarding to off-boarding of a third party.
Third party risks that are of primary concern to organisations include:
- Bribery, Corruption, & Fraud
- Conflict Minerals
- Corporate Social Responsibility
- Environmental, Health & Safety
- Information Security
- International Labour Standards (e.g., child labour, forced labour)
- Physical Security
- Slavery & Human Rights
These risks pose significant reputational, financial, and operational concerns. They also pose a growing burden of regulatory concern and oversight (e.g., UK Modern Slavery Act, UK Anti-Bribery Act).
As organisations confront the growing exposure in third party risks, they soon realise that the scattered, redundant, ad hoc approaches of the past are not sustainable. Third party risk can no longer be managed by different departments doing similar things in different ways, often with a mountain of emails, documents, and spreadsheets that are out of date and cost a significant amount of employee time to keep on top of. Managing third party risk requires a structured and integrated process, supported by an information and technology architecture that can address the range of third party risks consistently without things slipping through the cracks.
An effective third party risk management process enables the organisation to consistently manage the following lifecycle of third party relationships:
- On-boarding process. Automate and standardise the identification of third parties to work with and move them through registration and on-boarding while collecting required third party information and conducting appropriate due diligence in the context of the nature of the relationship.
  - Identification. Provide an objective and standardised process to identify new third parties, or existing third parties to contract with for new business purposes. This includes defining the purpose of the relationship and detailing performance, risk, and compliance requirements and concerns so that the relationship can be properly governed and the organisation reliably achieves the objectives of the relationship.
  - Qualification. After identification, the organisation needs to manage the sequence of steps and integrated content to qualify and screen third parties, ensuring they can meet the requirements of the relationship and do not introduce unwarranted risk and compliance exposure. The screening process involves thorough due diligence steps to ensure that the third party is the right organisation to establish a relationship with. Relationships, particularly high risk ones, are evaluated against defined criteria to determine whether the relationship should be established or avoided.
  - Contracting. Upon passing the initial qualification process, the organisation manages the tasks and workflow for contracting and negotiations to document the interactions and define the formal agreement of the relationship, including service levels, performance indicators, and risk indicators.
  - On-boarding. After contracting and negotiation are complete, the organisation needs to finalise the registration of the third party through on-boarding. The registration process has already started in the qualification phase as information is gathered, but concludes in the on-boarding phase as the third party is set up with master data records, financial and payment information, contact information, insurance and licensing documentation, and other critical information. This includes communication of the code of conduct and other relevant policies, associated training requirements, initial audits and inspections if needed, as well as attestations.
- Ongoing communication processes. The organisation manages the ongoing periodic tasks of communications, attestations and interactions with third parties.
  - Policies. Oversee the regular periodic communication and reminders to third parties about the code of conduct and related policies they need to follow.
  - Training. Document the completion of training required of third parties.
  - Attestation. Provide accountability by gathering periodic attestations from third parties to their behaviour and conformance to policies and contractual requirements.
  - Self-assessments. Send surveys and self-assessments to third parties for them to evaluate themselves and return to the organisation.
  - Reporting. Provide a detailed evidence trail of all communications, attestations, and interactions with third parties on aspects of the relationship, in the context of performance, risk, and compliance.
- Monitoring processes. Enable the management and automation of the array of processes to continuously monitor third party relationships over their lifecycle in the organisation. These activities are the ones typically done within the organisation to monitor and assess the third party.
  - Performance monitoring. Organisations need 360° contextual performance monitoring to govern the health of the relationship, satisfaction of service level agreements, and the value the relationship is providing.
  - Risk monitoring. Provide integrated risk monitoring processes to identify and evaluate potential risks relevant to each third party relationship throughout its lifecycle in the organisation.
  - Compliance monitoring. Manage the processes in place to monitor relationships for ongoing conformance to compliance requirements.
  - Ongoing due diligence monitoring. In the context of risk and compliance monitoring, the organisation manages the workflow and tasks, with integrated content, to conduct ongoing periodic due diligence and screening processes to ensure the third party is still the right organisation to be doing business with.
  - Issue reporting & resolution. Even the most successful business relationships encounter issues. Organisations need a process for capturing issues, and their details, that arise in third party relationships. Issue reporting may be internal, done by employees and management; it may come from the third parties themselves; or it may come through external sources such as customer complaints.
  - Audits & inspections. As part of the range of monitoring processes, organisations manage audits and inspections of third parties, systematically exercising right-to-audit clauses and conducting onsite inspections of third party premises and facilities.
  - Forms & approvals. Manage the development and automation of internal processes to collect and report information and route items for approval in the context of third party relationships. This includes:
    - New vendor/supplier request
    - Gifts, hospitality & entertainment
    - Political & charitable contributions
    - Facilitated payments
- Metrics & reporting. Through a solid information architecture and reporting engine, the organisation brings together the data elements of the entire lifecycle to provide end-to-end reporting and metrics on third party relationships at the relationship level, risk area, or in aggregate.
- Re-evaluation. Utilising the detailed history of interactions, issues, performance, non-conformance, and evolving risk scenarios, the organisation manages the processes to evaluate, maintain, and renew third party relationships.
- Off-boarding. All good things must come to an end. The third party management lifecycle concludes by managing the tasks and details that many organisations neglect, or forget, when off-boarding relationships that are no longer needed.
Managing this lifecycle in documents, spreadsheets, and emails leads inevitably to failure. It is simply a matter of time before something is missed and slips through the cracks, leaving the organisation exposed. In this context, regulators are requiring structured processes with full audit trails of what was done, by whom it was done, and when it was done to support third party risk and compliance management requirements. To facilitate third party management processes, the organisation should look to agile third party management solutions that provide efficient and effective interaction with the organisation's back-end processes for managing third party risk while remaining accessible to the range of third parties that have to respond to requests.