The structure and reality of business has changed. Traditional brick-and-mortar business is a thing of the past – physical buildings and conventional employees no longer define the organization. Instead, modern organizations are an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries. Further, organizations rely on relationships with suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, and more, for critical operations. Even the smallest organization can have dozens of relationships they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.
With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships is even more critical. Without effective GRC, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives.
In a dynamic risk environment, resiliency requires agility and the ability to navigate great uncertainty. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence within and across the extended enterprise with insights to both assess the current and future risk landscape, and drive sagacious action. Resiliency regulations such as in the U.K. with the FCA/PRA/Bank of England as well as the EU Digital Operational Resilience Act requires resilience of third-party relationships that organizations depend upon.
This is even more apparent in the age of ESG. The world is seeing a broad sweep of regulations impacting ESG in third-party relationships. Germany’s Corporation Due Diligence Act which went into effect January 1, 2023 has organizations worldwide concerned about ongoing due diligence activities in the extended enterprise. With the corresponding EU Directive this is going to require every member country of the EU to pass similar legislation that impacts anyone doing business with organizations in these countries. Then there is the range of regulations that focus on aspects of ESG in the extended enterprise. These include the proposed SEC climate change rule, U.S. FCPA, U.K. Bribery Act, Sapin II, U.K. Modern Slavery Act, Australia’s Slavery Act, California’s Transparency in Supply Chains Act, Conflict Minerals in the Dodd Frank Act, and so many more. Privacy laws such as the EU GDPR and California’s CPRA have impact on the extended enterprise.
The inevitability of failure – Fragmented views of third-party risk & compliance
Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices. Silos of documents, spreadsheets and emails give a false perspective of risk as they do not show the big picture. Technology enables organizations to be more effective and do more with fewer resources, but unfortunately, too many organizations have failed to seize the opportunity to evolve their third-party risk processes.
Failure in third-party GRC comes about when organizations rely on outdated risk practices including:
-
Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and architecture. The risk posed by a third party for one business function may seem immaterial but is actually significant when factored into multiple risk exposures across all of the business functions relying on the same third-party. Without a single pane of visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated.
-
Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. In reality, truly effective continuous monitoring and mitigation of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone.
-
Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data. In addition, when things go wrong, these manual processes neither support agility nor a robust feedback loop to improve processes going forward.
-
Limited view of risk vectors. Organizations often over-rely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location and Nth parties. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage.
-
Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs.
-
Overreliance on Periodic Assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship with only periodic reassessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.
The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape in the extended enterprise. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure. It is time for organizations to step back and move from legacy practices, defined by manual processes and periodic assessments, to a third-party risk strategy that includes integrated full-spectrum real-time views of situational awareness that impacts the extended enterprise and operations.
The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape in the extended enterprise. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure.
A dynamic business environment requires the capability to actively manage risk intelligence and fluctuating risks impacting the organization and its relationships. The old paradigm of uncoordinated third-party risk management is inadequate given the volume of risk information, the pace of change, and the broader operational impact on today’s business environment and operations. Organizations need to address third-party risk management with an integrated strategy and an enterprise-wide information architecture that provides 360° third-party risk situational awareness. The goal is to provide actionable and relevant risk intelligence to support third-party risk governance and oversight to ensure the organization is agile, resilient, and acting with integrity in its business relationships.
The end goal in mature third-party risk management is agility. This is where organizations will find the greatest balance in collaborative third-party risk management and oversight. It allows for aggregation of third-party risk intelligence relevant to individual departments, business functions, and relationship owners with a common integrated risk intelligence information architecture that aggregates and monitors risk across these areas.
2023 prediction
Organizations in 2023 need to clearly implement a well-defined third-party risk strategy, process, and architecture that delivers agility through the ability to connect, understand, analyze, and monitor risks and underlying patterns of risk in context of relationships and services across the extended enterprise. Different functions participate in third-party risk strategy with a focus on coordination and collaboration through a common core risk technology and process architecture.
For the full 2023 Top 10 Trends in Risk and Compliance eBook: