This is the second in a two-part series by Michael Rasmussen on how to take a strategic approach to effectively manage and mitigate third-party risk.

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual third party relationships (the tree) as well as the interconnectedness of third party relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive and cascading impact. In a linear system, effect is proportional with cause. In the non-linear world of business, third party risk is exponential. If we fail to see the interconnections of third party risk on the organization, the result is often massive to unpredictable.

The challenge is that different organizational areas are doing similar things in different ways in context of their third parties. Various departments with different responsibilities for pieces of third party oversight will communicate and interact with third parties in different ways. The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile.

The organization needs a common process, information, and technology architecture to support third party management across organization departments that includes a vested interest in third party relationships. Third party management is enabled at an enterprise level through implemen­tation of an integrated third party man­agement architecture. This offers the adapt­ability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third party management platform enables the orga­nization to effectively manage risk across extended business relationships and fa­cilitates the ability to document, commu­nicate, report, and monitor the range of assessments, documents, tasks, responsi­bilities, and action plans.

Third Party Management Process Architecture

Third party management processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. While third party processes can vary by organization and industry, the common components are:

  1. Ongoing context monitoring. On an ongoing basis, and separate from monitoring of individual third party relationships, is the ongoing process to monitor the external risk, regulatory and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks and regulatory requirements that are evolving and that impact the overall third party management program. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
  2. Third party identification & onboarding. This is the collection of processes aimed at automating a standard, objective approach for identifying third parties to work with and onboarding them through the collection of third party data and conducting appropriate due-diligence.
  3. Third party communications & attestations. These are the set of ongoing processes to manage the communications and interactions with the third party throughout the relationship lifecycle.
  4. Third party monitoring & assessment. This process grouping includes the array of processes to continuously monitor the third party relationship over their lifecycle in the organization. These activities are the ones typically done within the organization to monitor and assess the third party throughout its functional lifecycle in the organization.
  5. Forms & approvals. The set of internal processes to collect and report information and route things for approval in context of third party relationships.
  6. Metrics & reporting. Processes to gather metrics and report on third party relationships at the relationship level or in aggregate.
  7. Third party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships.

Third Party Management Information Architecture

The third party management information architecture supports the process architecture and overall third party management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support third party processes.

The third party management information architecture involves the structural design, labeling, use, flow, processing, and reporting of third party management information to support third party management processes. Categories of third party information that organizations often collect and process include:

  • Master data records. This includes data on the third party such as address, contact information, bank/financial information.
  • Third party compliance requirements. Listing of compliance/regulatory requirements that are part of third party relationships.
  • Third party risk and control libraries. Risks and controls to be mapped back to third parties.
  • Policies and procedures. The defined policies and procedures that are part of third party relationships.
  • Contracts. The contract documentation.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships as well as aggregate sets of relationships.
  • External databases. The information connections to external databases used for screening and due diligence purposes such as sanction and watch lists, politically exposed person databases, as well as financial performance or legal proceedings.
  • Transactions. The data sets of transactions in the ERP environment that are payments, goods/services received, etc.
  • Forms. The design and layout of information needed for third party forms and approvals.

Third party management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. Successful third party management information architecture will be able to integrate information across third party management systems, ERP, procurement solutions, and third party databases. Successful third party management requires a robust and adaptable information architecture that can model the complexity of third party information, transactions, interactions, relationship, cause and effect, and analysis of information. 

Third Party Management Technology Architecture

The third party management technology architecture enables and operationalizes the information and process architecture to support the overall third party management strategy. The goal of the technology architecture is to operationalize the process and information architecture. The right third party management architecture enables the organization to effectively manage third party performance and risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. 

The right third party technology architecture choice for an organization often involves integration of several components into a core third party management platform solution to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives and strategy in the real-time business operates in. 

Some of the core capabilities organizations should consider in a third party management technology platform are:

  • Internal integration. Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization – procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical.
  • External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry and geopolitical events. 
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. Standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with third party relationships in context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.

Effectively managing and monitoring risk across third party relationships requires technology to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. The ideal third party management platform engages extended business partners and employees as well as internal staff.

The bottom line: The haphazard department and document centric approaches for third party management of the past compound the problem and do not solve it. It is time the organization steps back and defines a cross-functional and coordinated team to define and govern third party management. Organizations often need to wipe the slate clean and approach third party management with a strategy and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization. This is done through third party governance enabled by a common third party process, information, and technology architecture.  


 


About The Author

Michael Rasmussen

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 18+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.