Guest Author: Michael Rasmussen, GRC Economist & Pundit, GRC 20/20 Research LLC
When thinking about third-party risk management, we have to consider that organizations are intricate organisms of complex relationships. The modern organization does not operate in isolation, but as part of an ecosystem of interactions with third parties.
The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third-party risk management:
“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”
Capra’s point is that biological ecosystems are complex and interconnected, requiring a holistic understanding of their intricacies as an integrated whole rather than as a dissociated collection of parts. Change in one segment has cascading effects and impacts on the entire ecosystem.
This is also true when managing third-party risk. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mesh of third-party relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include an array of third parties such as suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Third-party risk management complexity grows as these interconnected relationships, processes, and systems nest within one another, as in deep supply chains.
Business operates in a world of chaos
Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of third-party performance, risk, and compliance across the enterprise, and how it supports the organization’s strategy and objectives. The organization needs holistic visibility and situational awareness into third-party relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of third-party data require that the organization implement a third-party risk management strategy.
Third-party relationships are non-linear
To maintain the integrity of the organization and execute on its third-party risk management strategy, the organization has to be able to see its individual third-party relationships (the trees) as well as the interconnectedness of those relationships (the forest). Third-party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationships and impacts in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause; in the non-linear world of business, third-party risk is exponential. Business is chaos theory realized. The small flutter of a third-party risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential and unpredictable.
Third-party risks are the organization’s problems
In this context, organizations struggle to identify and govern their third-party relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third-party problems are the organization’s problems: they directly impact the brand and reputation while increasing exposure to third-party risk and compliance matters. When questions of business practice, ethics, privacy, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that its third-party partners behave appropriately.
How to manage your third-party risks effectively . . .
A haphazard, department- and document-centric approach to third-party risk management compounds the problem rather than solving it. It is time for organizations to step back and define a cross-functional, coordinated third-party risk management strategy and team to define and govern third-party relationships. Organizations need to wipe the slate clean and approach third-party risk management with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk, and compliance and how it impacts the organization.
There can and should be a central core technology platform for third-party management that connects the fabric of third-party risk management processes, information, and other technologies together across the organization. Organizations suffer when they take a myopic view of third-party risk management software that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real time in which the business operates. Third-party risk management software operationalizes information and processes to support an organization’s third-party risk management strategy. The right technology architecture enables the organization to effectively manage third-party performance and risk across extended business relationships and facilitates the ability to document, communicate, report on, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.
As Fritjof Capra illustrated, the problems of today require us to understand the third-party risk and exposure that interconnected and interdependent relationships bring. What Capra says in the context of living organisms and ecosystems is directly applicable to the modern organization, which needs to strive to understand how operations, processes, and data interconnect and are shared across relationships, and the risk and exposure, as well as the opportunity, this brings to the organization.
Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.