Professional Documents
Culture Documents
STRATEGYPERSPECTIVE
Governance, Risk Management & Compliance Insight
© 2021 GRC 20/20 Research, LLC. All Rights Reserved.
No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of
GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage
Guidelines established in client contract.
The information contained in this publication is believed to be accurate and has been obtained from sources
believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability
whatever for actions taken based on information that may subsequently prove to be incorrect or errors in
analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements
of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information
and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may
include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research
should not be construed or used as such.
Research Methodology..................................................................................................... 23
TALK TO US . . .
We look forward to hearing from you and learning what you think about GRC 20/20
research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC
related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.
Replace the word ‘man’ with ‘organization’ and the seventeenth-century English poet
John Donne is describing the modern organization. In other words, “No organization is
an island unto itself, every organization is a piece of the broader whole.”
The structure and reality of business today has changed. Traditional brick and mortar
business is a thing of the past: physical buildings and conventional employees no
longer define the organization. The modern organization is an interconnected web of
relationships, interactions, and transactions that span traditional business boundaries.
Layers of relationships go beyond traditional employees to include suppliers, vendors,
outsourcers, service providers, contractors, subcontractors, consultants, temporary
workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity
grows as these interconnected relationships, processes, transactions, and systems nest
themselves in intricacy, such as deep supply chains and sub-contracting relationships.
Roaming the hallways of an organization means crossing paths with contractors,
consultants, temporary workers, and more. Business today relies and thrives on third-
party relationships; this is the extended enterprise.
1 A famous line from English Poet John Donne’s Devotions Upon Emergent Conditions (1624) found in
the section Meditation XVII.
Corporate integrity and the ability of the organization to comply with regulations,
commitments, and values are measured in by its relationships as well. The saying,
“Show me who your friends are, and I will tell you who you are” translates to business:
show me who your third-party relationships are, and I will tell you who you are as an
organization.
n Silos of third-party oversight. This is when the organization allows different parts
of the organization to go about third-party governance in different ways without
any coordination, collaboration, and architecture. This is exacerbated when the
organization fails to define responsibilities for third-party oversight. This leads to
the unfortunate situation of the organization having no end-to-end visibility of
third-party relationships.
n Processes focused on onboarding only. Risk and compliance issues are often
only analyzed during the on-boarding process to validate the organization is
doing business with the right companies through an initial due diligence process.
This approach fails to recognize that additional risk and compliance exposure is
incurred over the life of the third-party relationship.
Third-party risk management is not enough. Organizations are shifting their focus
towards third-party GRC management. It starts with the governance of relationships. The
relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities,
etc.) need to be clearly defined and governed. It is only after a clear understanding of
the objectives (and the governance of those objectives) that risk/uncertainty, as well as
compliance/integrity, can be managed in the context of the relationship to deliver those
objectives. Organizations need to develop a more assertive approach to governance of
relationships to ensure greater risk, resiliency, and integrity in and across relationships to
deliver value to the organization.
This challenge is even greater when third-party risk management is buried in the depths
of departments and operating from silos, not as an integrated discipline of decision-
making that has a symbiotic relationship on performance and strategy of relationships.
The bottom line: The modern business depends on, and is defined by, the governance,
risk management, and compliance of third-party relationships to ensure the organization
can reliably achieve objectives, manage uncertainty, and act with integrity in each of its
third-party relationships. A haphazard department and document-centric approach for
third-party risk management compounds the problem and does not solve it. It is time
for organizations to step back and move from third-party risk management to third-party
GRC management with a cross-functional and coordinated strategy and team to define
and govern third-party relationships. Organizations need to address third-party GRC
with an integrated strategy, process, and architecture to manage the ecosystem of third-
party relationships with real-time information about third-party performance, risk, and
compliance, and how it impacts the organization.
The physicist, Fritjof Capra, made an insightful observation on biological ecosystems that
rings true when applied to third-party management:
“The more we study the major problems of our time, the more we come to realize that
they cannot be understood in isolation. They are systemic problems, which means that
they are interconnected and interdependent.”2
Capra’s point is that biological ecosystems are complex, interconnected, and require a
holistic understanding of the intricacy in interrelationship as an integrated whole, rather
than a dissociated collection of parts. Change in one segment of an ecosystem has
cascading effects and impacts to the entire ecosystem.
This is true in third-party GRC management. What further complicates this is the
exponential effect of third-party risk on the organization. Business operates in a world
of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the
simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that ultimately
impact the development and path of a hurricane. A small event cascades, develops, and
influences what ends up becoming a significant event.
Dissociated data, systems, processes, and a myopic risk vision leaves the organization
with fragments of the truth that fail to see the big picture of third-party performance, risk,
and compliance across the enterprise and how it supports the organization’s strategy and
objectives. The organization needs to have holistic visibility and situational awareness
into third-party relationships across the enterprise. Complexity of business, intricacy, and
interconnectedness of third-party data requires that the organization implement a third-
party GRC management strategy.
The integrity of the organization relies on the integrity of its third-party relationships.
Organizations are re-evaluating their internal core values, ethics, and standards of
conduct and how this extends and is enforced across third-party relationships. This
includes a focus on human rights, privacy, environmental standards, health and safety,
conduct with others (e.g., customers, partners), and security in third-party relationships.
2 Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor
Books, 1996).
n Third-party compliance. Compliance aims to see that the organization acts with
integrity in fulfilling its regulatory, contractual, and self-imposed obligations
and values across its third-party relationships. Compliance follows through on
risk treatment plans to assure that risk is being managed within limits and that
controls are in place and functioning within each relationship to mitigate risk.
GRC 20/20 has identified three approaches organizations take to manage third-party
relationships:
n Anarchy – ad hoc department silos. This is when the organization has different
departments doing different yet similar things with little to no collaboration
between them. Distributed and siloed third-party initiatives never see the
big picture and fail to put third-party management in the context of business
strategy, objectives, and performance. The organization is not thinking big
picture about how third-party management processes can be designed to meet
a range of needs. An ad hoc approach to third-party GRC management results
in poor visibility into the organization’s relationships. As there is no framework
for bringing the big picture together, there is no possibility to be intelligent
about third-party risk and performance. The organization fails to see the web of
risk interconnectedness and its impact on third-party performance and strategy,
leading to greater exposure than any silo understood by itself.
n Continuously (e.g., daily) monitor and assess third parties by using external data
sources to get updates on risk data on a daily basis.
n Third-party governance team. The first piece of the strategic plan is building
the cross-organization third-party governance team (e.g., committee, group).
This team needs to work with third-party relationship owners to ensure a
collaborative and efficient oversight process is in place. The goal of this group
is to take the varying parts of the organization that have a vested stake in third-
party management and get them collaborating and working together on a
regular basis. Various roles often involved on the third-party governance team are
procurement, compliance, ethics, legal, finance, information technology, security,
audit, quality, health & safety, environmental, and business operations. One of
the first items to determine is who chairs and leads the third-party governance
team.
n Third-party GRC management policies and procedures. The next critical item to
establish in the third-party GRC strategic plan is the writing and approval of the
third-party management policy (and supporting policies and procedures). This
sets the initial third-party governance structure in place by defining categories
of third-parties, associated responsibilities, approvals, assessments, evaluation,
audits, and reporting. The policy should require that an inventory of all third-
n Tone at the top. The third-party GRC program must be fully supported by the
board of directors and executives. Communication with top-level management
must be bidirectional. Management must communicate that they support the
third-party GRC program and will not tolerate corruption in any form. At the
same time, they must be well-informed about the effectiveness and strategies for
third-party GRC initiatives.
n Third-party controls. Organizations must keep detailed records that fairly and
accurately reflect transactions and interactions of third-party relationships.
This includes contract-pricing review, due diligence, and verification of foreign
business representatives, accounts payable, financial account reconciliation, and
commission payments.
It is critical that these architectural areas be initially defined in this order. It is the business
processes that often determine the types of information needed, gathered, used, and
reported. It is the information architecture combined with the process architecture
that will define the organization’s requirements for the technology architecture. Too
many organizations put the cart before the horse and select technology for third-
party management first, which then dictates what their process and information
architecture will be. This forces the organization to conform to a technology for third-
party management instead of finding the technology that best fits their process and
information needs.
The process architecture is the structural design of processes, including their components
of inputs, processing, and outputs. This architecture inventories and describes third-party
GRC management processes, each process’s components and interactions, and how
third-party processes work together as well as with other enterprise processes.
Purpose & identification. This is the process to identify new third parties
or existing third parties to contract with for new business purposes.
Third-party identification will detail the purpose of the relationship
and include initial definition of performance, risk, and compliance
requirements and concerns in the relationship so the proper relationship
can be identified.
3 Each area may have a number of processes and while the language and flow below indicate a linear
relationship, some of these can run in parallel and may need to as with registration processes that
may be needed for the organization to submit information that is reviewed in qualification and
screening processes.
4. Third-party monitoring & assessment. This stage includes the array of processes
to continuously monitor the third-party relationship over their lifecycle in the
organization. These activities are the ones typically done within the organization
to monitor and assess the third-party relationship on an ongoing basis.
5. Forms & approvals. The set of internal processes to collect and report
information and route things for approval in context of third-party relationships.
Facilitated payments.
n Master data records. This includes data on the third-party such as address,
contact information, and bank/financial information.
n Third-party risk and control libraries. Risks and controls to be mapped back to
third parties.
n Policies and procedures. The defined policies and procedures that are part of
third-party relationships.
n Contracts. The contract and all related documentation for the formation of the
relationship.
n Transactions. The data sets of transactions in the ERP environment that are
payments, goods/services received, etc.
n Forms. The design and layout of information needed for third-party forms and
approvals.
There can and should be a central core technology platform for third-party GRC
management that connects the fabric of the third-party GRC management processes,
information, and other technologies together across the organization. Many
n ERP solutions. There are a range of solutions that are strong in the ERP and
procurement space that have robust capabilities in third-party transactions and
spend analytics. However, these solutions may be weak in overall third-party
governance, risk management, and compliance.
n Enterprise GRC platforms. Many of the leading enterprise GRC platforms have
third-party (e.g., vendor) risk management modules. However, these solutions
often have a predominant focus on risk and compliance and do not always have
the complete view of performance management of third parties. These solutions
are often missing key requirements such as third-party self-registration, third-
party portals, and established relationships with third-party data and screening
providers.
n Third-party GRC management platforms. These are solutions that are built
specifically for third-party GRC management and often have the broadest
array of built-in (versus built-out) features to support the breadth of third-party
management processes. In this context, they take a balanced view of third-
party governance and management that includes performance of third parties
as well as risk and compliance needs. These solutions often integrate with ERP
and procurement solutions, or may be provided by a procurement solution,
to properly govern third-party relationships throughout their lifecycle and can
feed risk and compliance information into GRC platforms for enterprise risk and
compliance reporting where needed.
The right third-party GRC technology architecture choice for an organization often
involves integration of several components into a core third-party GRC management
platform solution to facilitate the integration and correlation of third-party information,
analytics, and reporting. Organizations suffer when they take a myopic view of third-
The Agile Maturity approach is where most organizations will find the greatest balance
in collaborative third-party governance and oversight. It allows for some department/
business function autonomy where needed but focuses on a common governance
model and technology architecture that the various groups in third-party GRC utilize. A
federated approach increases the ability to connect, understand, analyze, and monitor
interrelationships and underlying patterns of performance, risk, and compliance across
third-party relationships, as it allows different business functions to be focused on their
areas while reporting into a common governance framework and architecture. Different
Gain executive support and sponsorship of the third-party GRC strategy. The
organization needs to work in harmony on third-party GRC. Different groups
doing their own thing handicap the business. Executive support is critical to align
the organization.
n Aware. Have a finger on the pulse of the business and its third-party
relationships. Closely monitor for changes in third-party relationships, including
the internal business environment and external risk and regulatory environments
that introduce risk to the organization and its relationships. Key to this is the
n Agile. Stakeholders desire the organization to be more than fast; they require
it to be nimble. Being fast isn’t helpful if the organization is headed in the
wrong direction with managing third-party relationships. Third-party GRC
enables decisions and actions that are quick, coordinated, and well thought out.
Agility allows an entity to use third-party GRC to its advantage, grasp strategic
opportunities, and be confident in its ability to stay on course.
GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and
compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and
analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape;
market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem
of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered
through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC
challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000
companies, major professional service firms, and the breadth of GRC solution providers.
Research Methodology
GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing
GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria,
regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research
reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and
best practices. Research facts and representations are verified with client references to validate accuracy. GRC
solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.