April 2021

Third-Party GRC Management by Design

Federated Governance of the Extended Enterprise

STRATEGYPERSPECTIVE
Governance, Risk Management & Compliance Insight
 © 2021 GRC 20/20 Research, LLC. All Rights Reserved.

No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of
GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage
Guidelines established in client contract.

The information contained in this publication is believed to be accurate and has been obtained from sources
believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability
whatever for actions taken based on information that may subsequently prove to be incorrect or errors in
analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements
of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information
and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may
include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research
should not be construed or used as such.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 2

 Table of Contents

The Extended Enterprise Demands Attention................................................................... 4

The Modern Organization is an Interconnected Web of Relationships...........................4
Inevitable Failure of Silos of Third-Party Governance.......................................................5
This is More Than Third-Party Risk Management..............................................................7

Third-Party GRC Management by Design.......................................................................... 8

Defining Third-Party GRC Management.............................................................................8
Value of a Third-Party GRC Approach...........................................................................10
Third-Party GRC Management Strategic Plan..................................................................11
Critical Elements of a Third-Party GRC Strategic Plan.................................................12
Third-Party GRC Management Architecture....................................................................14
Third-Party GRC Management Process Architecture...................................................14
Third-Party GRC Management Information Architecture............................................17
Third-Party GRC Management Technology Architecture............................................18

GRC 20/20’s Final Perspective.......................................................................................... 20

Fundamental Steps to Establishing Your Third-party GRC Strategy..............................21

About GRC 20/20 Research, LLC..................................................................................... 23

Research Methodology..................................................................................................... 23

TALK TO US . . .
We look forward to hearing from you and learning what you think about GRC 20/20
research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC
related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 3

Third-Party GRC Management by Design
Federated Governance of the Extended Enterprise

The Extended Enterprise Demands Attention

The Modern Organization is an Interconnected Web of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.1

Replace the word ‘man’ with ‘organization’ and the seventeenth-century English poet
John Donne is describing the modern organization. In other words, “No organization is
an island unto itself, every organization is a piece of the broader whole.”

The structure and reality of business today has changed. Traditional brick and mortar
business is a thing of the past: physical buildings and conventional employees no
longer define the organization. The modern organization is an interconnected web of
relationships, interactions, and transactions that span traditional business boundaries.
Layers of relationships go beyond traditional employees to include suppliers, vendors,
outsourcers, service providers, contractors, subcontractors, consultants, temporary
workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity
grows as these interconnected relationships, processes, transactions, and systems nest
themselves in intricacy, such as deep supply chains and sub-contracting relationships.
Roaming the hallways of an organization means crossing paths with contractors,
consultants, temporary workers, and more. Business today relies and thrives on third-
party relationships; this is the extended enterprise.

In this context, organizations struggle to govern their third-party relationships, and

too often manage risk and compliance in relationships in silos that fail to see the big
picture of risk exposure and impact on the relationship’s objectives. Risk and compliance
challenges do not stop at organizational boundaries though. An organization can face
reputational and economic disaster by establishing or maintaining the wrong business
relationships, or by allowing good business relationships to sour because of weak
governance. Third-party problems are the organization’s problems and directly impact
the brand, as well as reputation, increasing exposure to risk and compliance matters.
When questions of delivery, business practice, ethics, privacy, safety, quality, human
rights, resiliency, corruption, security, and the environment arise, the organization is held
accountable, and it must ensure that third-party partners behave appropriately.

1 A famous line from English Poet John Donne’s Devotions Upon Emergent Conditions (1624) found in
the section Meditation XVII.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 4

 The business’s ability to reliably achieve corporate objectives directly depends on the
governance of third-party relationships and whether the organization has established
the right relationships and can reliably achieve objectives in the relationship. The
organization’s ability to manage uncertainty, risk, and resiliency in its relationships
requires that the relationship’s objectives, values, and risks be managed together.

Corporate integrity and the ability of the organization to comply with regulations,
commitments, and values are measured in by its relationships as well. The saying,
“Show me who your friends are, and I will tell you who you are” translates to business:
show me who your third-party relationships are, and I will tell you who you are as an
organization.

Inevitable Failure of Silos of Third-Party Governance

Fragmented governance of third-party relationships through disconnected department
silos leads the organization to inevitable failure. Siloed information and/or reactive,
document-centric, and manual processes fail to actively govern relationships and
manage risk and compliance in the context of the third-party relationship and broader
organizational objectives and values. Silos leave the organization blind to the intricate
relationships of risk and compliance exposures that fail to get aggregated and evaluated
in context of the overall relationship and its goals, objectives, and performance.

Failure in third-party governance comes about when organizations have:

n Growing risk and regulatory concerns with inadequate resources. Organizations

are facing a barrage of growing regulatory requirements and expanding geo-
political risks around the world. The organization is encumbered with inadequate
resources to monitor risk and regulations impacting third-party relationships;
different parts of the organization end up finger pointing, thinking others are
doing this. Or the opposite happens: different parts of the organization react to
the same development without collaborating, which increases redundancy and
inefficiency.

n Interconnected third-party risks that are not connected. The organization’s

risk exposure across third-party relationships is becoming increasingly
interconnected. A risk in one area may seem minor, but when factored into other
risk exposures in the same relationship can become significant. The organization
lacks a complete visibility or understanding of the scope of risk in third parties
that are material to the organization.

n Silos of third-party oversight. This is when the organization allows different parts
of the organization to go about third-party governance in different ways without
any coordination, collaboration, and architecture. This is exacerbated when the
organization fails to define responsibilities for third-party oversight. This leads to
the unfortunate situation of the organization having no end-to-end visibility of
third-party relationships.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 5

 n Document and email centric approaches. When organizations govern third-party
relationships in a maze of documents, spreadsheets, emails, and file shares, it
is easy for things to get overlooked and bury silos of third-party management
in mountains of data that is difficult to maintain, aggregate, and report on.
There is no single source of truth on the relationship, and it becomes difficult
to impossible to get a comprehensive, accurate, and current analysis of a
third-party. To accomplish this requires a tremendous amount of staff time and
resources to consolidate, analyze, and report on siloed third-party information.
When things go wrong, document trails are easily covered up and manipulated
as they lack a robust audit trail of who did what, when, how, and why.

n Scattered and non-integrated legacy third-party risk technologies. When

different parts of the organization use legacy internal third-party risk solutions
and processes for onboarding third-parties, monitoring risk and compliance,
and managing the relationships, the organization is often limited in capabilities
and depth in the governance of third-party relationships. This leads to a
significant amount of redundancy, inefficiency, impacts effectiveness, while also
encumbering the organization when it needs to be agile.

n Processes focused on onboarding only. Risk and compliance issues are often
only analyzed during the on-boarding process to validate the organization is
doing business with the right companies through an initial due diligence process.
This approach fails to recognize that additional risk and compliance exposure is
incurred over the life of the third-party relationship.

n Inadequate processes to manage change. Governing third-party relationships

is cumbersome in the context of constantly changing regulations, relationships,
employees, processes, suppliers, strategy, and more. Organizations are in a
constant state of flux. The organization has to monitor the span of regulatory,
geo-political, economic, and operational risks across the globe in context of its
third-party relationships. Just as much as the organization itself is changing, each
of the organization’s third-party relationships are changing, introducing further
risk exposure.

n Third-party performance evaluations that neglect risk and compliance. Metrics

and measurements of third parties often fail to fully analyze and monitor risk
and compliance exposures. Often, metrics are focused on third-party delivery of
products and services, but do not include evaluating risks such as compliance,
security, resiliency, and ethical considerations.

Managing third-party activities in disconnected silos leads the organization to inevitable

failure. Without a coordinated third-party management strategy, the organization and its
various departments never see the big picture and fail to put third-party management
in the context of business strategy, objectives, and performance, resulting in complexity,
redundancy, and failure. The organization is not thinking about how processes can
be designed to meet a range of third-party needs. An ad hoc approach to third-party
management results in poor visibility across the organization, because there is no
framework or architecture for managing risk and compliance as an integrated part of the
business. When the organization approaches third-party management in scattered silos

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 6

 that do not collaborate with each other, there is no possibility to be intelligent about
third-party performance, risk management, and compliance while understanding its
impact on the organization.

This is More Than Third-Party Risk Management

Gone are the years of simplicity in operations. Exponential growth and change in risks,
regulations, globalization, distributed operations, competitive velocity, technology, and
business data impedes third-party relationships and the business’s ability to manage
them.

The world of business is distributed, dynamic, and disrupted. It is distributed across a

web of relationships. It is dynamic as business and relationships change day-by-day -
processes change, employees change, relationships change, regulations change, risks
change, and objectives change. The ecosystem of business relationships is complex,
interconnected, and requires a holistic, contextual awareness of third-party GRC
(governance, risk management, and compliance), rather than a dissociated collection
of processes and departments. Change in one area has cascading effects that impact
the entire ecosystem. This interconnectedness of business is driving demand for 360°
contextual awareness in the organization’s third-party relationships. Organizations need
to see the intricate intersection of objectives, risks, and boundaries in each relationship.

Third-party risk management is not enough. Organizations are shifting their focus
towards third-party GRC management. It starts with the governance of relationships. The
relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities,
etc.) need to be clearly defined and governed. It is only after a clear understanding of
the objectives (and the governance of those objectives) that risk/uncertainty, as well as
compliance/integrity, can be managed in the context of the relationship to deliver those
objectives. Organizations need to develop a more assertive approach to governance of
relationships to ensure greater risk, resiliency, and integrity in and across relationships to
deliver value to the organization.

This challenge is even greater when third-party risk management is buried in the depths
of departments and operating from silos, not as an integrated discipline of decision-
making that has a symbiotic relationship on performance and strategy of relationships.

The bottom line: The modern business depends on, and is defined by, the governance,
risk management, and compliance of third-party relationships to ensure the organization
can reliably achieve objectives, manage uncertainty, and act with integrity in each of its
third-party relationships. A haphazard department and document-centric approach for
third-party risk management compounds the problem and does not solve it. It is time
for organizations to step back and move from third-party risk management to third-party
GRC management with a cross-functional and coordinated strategy and team to define
and govern third-party relationships. Organizations need to address third-party GRC
with an integrated strategy, process, and architecture to manage the ecosystem of third-
party relationships with real-time information about third-party performance, risk, and
compliance, and how it impacts the organization.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 7

 Third-Party GRC Management by Design

The physicist, Fritjof Capra, made an insightful observation on biological ecosystems that
rings true when applied to third-party management:

“The more we study the major problems of our time, the more we come to realize that
they cannot be understood in isolation. They are systemic problems, which means that
they are interconnected and interdependent.”2

Capra’s point is that biological ecosystems are complex, interconnected, and require a
holistic understanding of the intricacy in interrelationship as an integrated whole, rather
than a dissociated collection of parts. Change in one segment of an ecosystem has
cascading effects and impacts to the entire ecosystem.

This is true in third-party GRC management. What further complicates this is the
exponential effect of third-party risk on the organization. Business operates in a world
of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the
simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that ultimately
impact the development and path of a hurricane. A small event cascades, develops, and
influences what ends up becoming a significant event.

Dissociated data, systems, processes, and a myopic risk vision leaves the organization
with fragments of the truth that fail to see the big picture of third-party performance, risk,
and compliance across the enterprise and how it supports the organization’s strategy and
objectives. The organization needs to have holistic visibility and situational awareness
into third-party relationships across the enterprise. Complexity of business, intricacy, and
interconnectedness of third-party data requires that the organization implement a third-
party GRC management strategy.

Defining Third-Party GRC Management

The primary directive of a mature third-party GRC management program is to deliver
effectiveness, efficiency, and agility to the business in managing the breadth of third-
party relationships in context of performance, risk, and compliance. This requires a
strategy that connects the enterprise, business units, processes, transactions, and
information to enable transparency, discipline, and control of the ecosystem of third
parties across the extended enterprise. In the end, third-party GRC management is more
than compliance and more than risk but is also more than procurement.

The integrity of the organization relies on the integrity of its third-party relationships.
Organizations are re-evaluating their internal core values, ethics, and standards of
conduct and how this extends and is enforced across third-party relationships. This
includes a focus on human rights, privacy, environmental standards, health and safety,
conduct with others (e.g., customers, partners), and security in third-party relationships.

2 Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor
Books, 1996).

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 8

 The organization has to maintain operations amid uncertainty and change. This requires
a holistic view of a third-party relationships’ objectives and performance in the context
of uncertainty and risk within those relationships. The organization has to be a resilient
organization with full situational awareness of the interconnected risk environment that
impacts them. Given the reliance on third-party relationships, this requires a holistic view
into the governance, risk management, and compliance of each third-party relationship
and how it serves and provides value to the organization.

Third-party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while

addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]” in
and across the organization’s third-party relationships.” This is adapted from the official
GRC definition in the OCEG GRC Capability Model. Breaking this down, third-party GRC
delivers:

n Third-party governance. It starts with integrated governance of third-party

relationships and monitoring relationships across the extended enterprise
to ensure they are meeting the objectives and purpose the relationship was
established for, and thus, returning value to the organization.

n Third-party risk management. Understanding the governance objectives of the

relationship sets the context to then assess, analyze, and monitor the uncertainty
and risk in the relationship. Risk, by official definition, is the effect of uncertainty
on objectives. Each relationship has its objectives (or component of the
relationship like contract or service level agreement) and uncertainty needs to be
managed against those objectives.

n Third-party compliance. Compliance aims to see that the organization acts with
integrity in fulfilling its regulatory, contractual, and self-imposed obligations
and values across its third-party relationships. Compliance follows through on
risk treatment plans to assure that risk is being managed within limits and that
controls are in place and functioning within each relationship to mitigate risk.

GRC 20/20 has identified three approaches organizations take to manage third-party
relationships:

n Anarchy – ad hoc department silos. This is when the organization has different
departments doing different yet similar things with little to no collaboration
between them. Distributed and siloed third-party initiatives never see the
big picture and fail to put third-party management in the context of business
strategy, objectives, and performance. The organization is not thinking big
picture about how third-party management processes can be designed to meet
a range of needs. An ad hoc approach to third-party GRC management results
in poor visibility into the organization’s relationships. As there is no framework
for bringing the big picture together, there is no possibility to be intelligent
about third-party risk and performance. The organization fails to see the web of
risk interconnectedness and its impact on third-party performance and strategy,
leading to greater exposure than any silo understood by itself.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 9

 n Monarchy – one size fits all. If the anarchy approach does not work, then
the natural reaction is the complete opposite: centralize everything and get
everyone to work from one perspective. However, this has its issues as well.
Organizations run the risk of having one department be in charge of third-party
GRC management that does not fully understand the breadth and scope of third-
party risks and needs scattered across the entire organization. The needs of one
area may shadow the needs of others. From a technology point of view, it may
force many parts of the organization into managing third-party relationships with
the lowest common denominator and watering down third-party management.
Further, there is no one-stop shop for everything third-party management,
as there are a variety of pieces to third-party management that need to work
together.

n Federated – an integrated and collaborative approach. The federated approach

is where most organizations will find the greatest balance in collaborative third-
party governance and oversight. It allows for some department/business function
autonomy where needed but focuses on a common governance model and
architecture that the various groups in third-party GRC management participate
in. A federated approach increases the ability to connect, understand, analyze,
and monitor interrelationships and underlying patterns of performance,
risk, and compliance across third-party relationships, as it allows different
business functions to be focused on their areas while reporting into a common
governance framework and architecture. Different functions participate in third-
party management with a focus on coordination and collaboration through a
common core architecture that integrates and plays well with other systems. This
is true third-party GRC management.

Value of a Third-Party GRC Approach

The lack of a coordinated strategy for third-party GRC management fails to deliver
insight and context, rendering it nearly impossible to make a connection between risk
management and decision-making, business strategy, objectives, and performance in
and across relationships. This results in business processes, partners, employees, and
systems that behave like leaves blowing in the wind.

In contrast, a third-party GRC strategy with common processes, information, and

technology gets to the root of the problem. Leading organizations are adopting a
common framework, architecture, and shared processes to manage third-party GRC,
increase efficiencies, and enable an agile response to the needs of a dynamic and
distributed business environment. Mature third-party GRC delivers better business
outcomes because of stronger governance, which will:

n Lower costs, reduce redundancy, and improve efficiencies.

n Deliver consistent and accurate information.

n Continuously (e.g., daily) monitor and assess third parties by using external data
sources to get updates on risk data on a daily basis.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 10

 n Improve decision-making and insight into what is happening across business
relationships.

n Enable the organization to defend itself with a robust third-party governance

program designed to mitigate risk and ensure integrity of relationships - aligned
with the value and commitments of the organization.

Third-Party GRC Management Strategic Plan

Designing a federated, third-party GRC management program starts with defining the
third-party GRC strategy. The strategy connects key business functions with a common
third-party governance framework and policy. The strategic plan is the foundation that
enables third-party transparency, discipline, and control of the ecosystem of third parties
across the extended enterprise.

The core elements of the third-party strategic plan include:

n Third-party governance team. The first piece of the strategic plan is building
the cross-organization third-party governance team (e.g., committee, group).
This team needs to work with third-party relationship owners to ensure a
collaborative and efficient oversight process is in place. The goal of this group
is to take the varying parts of the organization that have a vested stake in third-
party management and get them collaborating and working together on a
regular basis. Various roles often involved on the third-party governance team are
procurement, compliance, ethics, legal, finance, information technology, security,
audit, quality, health & safety, environmental, and business operations. One of
the first items to determine is who chairs and leads the third-party governance
team.

n Third-party GRC management charter. With the initial collaboration and

interaction of the third-party governance team in place, the next step in the
strategic plan is to formalize this with a third-party GRC management charter.
The charter defines the key elements of the third-party GRC management
strategy and gives it executive and board authorization. The charter will contain
the mission and vision statement of third-party GRC management, the members
of the third-party governance team, and define the overall goals, objectives,
resources, and expectations of enterprise third-party GRC management. The
key goal of the charter is to establish alignment of third-party management to
business objectives, performance, and strategy. The charter also should detail
board oversight responsibilities and reporting on third-party management.

n Third-party GRC management policies and procedures. The next critical item to
establish in the third-party GRC strategic plan is the writing and approval of the
third-party management policy (and supporting policies and procedures). This
sets the initial third-party governance structure in place by defining categories
of third-parties, associated responsibilities, approvals, assessments, evaluation,
audits, and reporting. The policy should require that an inventory of all third-

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 11

 party relationships be maintained with appropriate categorizations, approvals,
and identification of risks.

Critical Elements of a Third-Party GRC Strategic Plan

Organizations need to be intelligent about what processes and technologies they deploy.
A sustainable third-party GRC strategy means looking to the future and mitigating risk,
as opposed to putting out fires. With increased exposure to regulations and scrutiny of
third-party relationship, how does an organization respond? It requires that the following
third-party GRC elements are in place:

n Understand performance and risk. An organization must have an integrated

performance and risk-based approach to managing each third-party relationship.
This includes periodic assessment (e.g., annual) of relationships. However, the
risk-assessment process should also be dynamic — completed each time there is
a significant business change or event that could lead to exposure. Assessments
should cover the performance of third parties overall, as well as at each sub-level
(e.g., contract, service level, facility), exposure in specific markets, relationships,
and geographies.

n Approach third-party GRC in proportion to risk. How an organization

implements requirements and controls is based on the proportion of risk
it faces. If a certain area of the world or a business partner carries a higher
risk, the organization must respond with stronger governance and controls.
Proportionality of risk also applies to the size of the business — smaller
organizations are not expected to have the same measures as large enterprises.

n Tone at the top. The third-party GRC program must be fully supported by the
board of directors and executives. Communication with top-level management
must be bidirectional. Management must communicate that they support the
third-party GRC program and will not tolerate corruption in any form. At the
same time, they must be well-informed about the effectiveness and strategies for
third-party GRC initiatives.

n Know who you do business with. It is critical to establish a monitoring framework

that catalogs third-party relationships, markets and geographies. Due diligence
efforts must be in place to make sure the organization is contracting with ethical
entities. If there is a high degree of corruption risk in a relationship, additional
preventive and detective controls must be established in response. This includes
knowing your contractors and third parties’ beneficial owners and conducting
background checks to understand if they are susceptible to corruption and
unethical conduct.

n Keep information current. Third-party performance evaluations, as well as due

diligence and risk assessment efforts, must be kept current. These are not point-
in-time efforts; they need to be done on a regular basis or when the business
becomes aware of conditions that point to increased risk.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 12

 n Third-party oversight. The organization needs a group who is responsible for
the oversight of third-party relationships. This often involves a collaborative
effort between legal, compliance, procurement, and other business functions.
This cross-functional team should have the authority to report to independent
monitoring bodies, such as the audit committee of the board, to disclose issues.

n Established policies and procedures. Organizations need documented and

up-to-date policies and procedures that govern third-party relationships. This
starts with a vendor/supplier code of conduct and filters down to other policies
that address risks in the relationship and its activities that serve the organization.
These requirements and processes must be clearly documented and adhered to.

n Effective training and communication. Written policies are not enough —

individuals need to know what is expected of them. Organizations must
implement training to educate employees and business partners. This includes
getting acknowledgements from employees and business partners to affirm their
understanding, and attestation of their commitment to behave according to
established policies and procedures.

n Implement communication and reporting processes. The organization must

have channels of communication where employees and third parties can get
answers. This could take the form of a help line that allows an individual to ask
questions, a FAQ database, or via form processing for approval on activities
and requests. The organization must also have a hotline reporting system for
individuals, including those within third parties, to report misconduct.

n Assessment and monitoring. In addition to periodic risk assessment, the

organization must also have regular due diligence, assessment, and monitoring
activities to ensure that policies, procedures and controls that govern third
parties are in place and working. This includes the ongoing and continuous
screening of third parties against external data sources, such as on a daily instead
of annual/infrequent basis.

n Investigations. Even in the best organization, things go wrong. Investigation

processes must be in place to quickly identify potential incidents, and quickly and
effectively investigate and resolve issues. This includes reporting and working
with outside law enforcement and authorities.

n Third-party controls. Organizations must keep detailed records that fairly and
accurately reflect transactions and interactions of third-party relationships.
This includes contract-pricing review, due diligence, and verification of foreign
business representatives, accounts payable, financial account reconciliation, and
commission payments.

n Conduct audits and inspections. Every contract with a third-party typically

includes right to audit/inspection language. The organization should establish
clear and consistent practices on when and how these are conducted and follow
through with them.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 13

 n Manage business change. The organization must monitor for changes that
introduce greater risk of third-party relationships. The organization must
document changes that result from observations and investigations, and address
deficiencies through a careful program of change management.

Third-Party GRC Management Architecture

The third-party GRC management strategy and policy is supported and made
operational through a third-party GRC management architecture. The organization
requires complete situational and holistic awareness of third-party relationships
across operations, processes, transactions, and data to see the big picture of third-
party performance and risk in the context of organizational performance and strategy.
Distributed, dynamic, and disrupted business requires that the organization take a
strategic approach to third-party GRC management architecture. The architecture defines
how organizational processes, information, and technology is structured to make third-
party GRC management effective, efficient, and agile across the organization and its
relationships.

There are three areas of the third-party management architecture:

1. Third-party GRC management process architecture

2. Third-party GRC management information architecture

3. Third-party GRC management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business
processes that often determine the types of information needed, gathered, used, and
reported. It is the information architecture combined with the process architecture
that will define the organization’s requirements for the technology architecture. Too
many organizations put the cart before the horse and select technology for third-
party management first, which then dictates what their process and information
architecture will be. This forces the organization to conform to a technology for third-
party management instead of finding the technology that best fits their process and
information needs.

Third-Party GRC Management Process Architecture

The third-party GRC management architecture starts with the process architecture.
Third-party management processes are a part and subset of overall business processes.
Processes are used to manage and monitor the ever-changing relationship, risk, and
regulatory environments in extended business relationships.

The process architecture is the structural design of processes, including their components
of inputs, processing, and outputs. This architecture inventories and describes third-party
GRC management processes, each process’s components and interactions, and how
third-party processes work together as well as with other enterprise processes.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 14

 While third-party GRC processes can be very detailed and vary by organization
and industry, there are several general third-party management process areas that
organizations should have in place, these are:3

1. Ongoing context monitoring. On an ongoing basis, and separate from

monitoring of individual relationships, is the process of monitoring external
risk, regulatory, and business environments, as well as the internal business
environment. The purpose is to identify opportunities as well as risks and
regulatory requirements that are evolving and impact the overall third-party
GRC management program. A variety of regulatory, environmental, economic,
geo-political, and internal business factors can affect the success or failure of
any given business relationship. This includes the potential for natural disasters,
disruptions, commodity availability and pricing, industry developments, and
geo-political risks. This also involves monitoring relevant legal and regulatory
environments in corresponding jurisdictions to identify changes that could
impact the business and its extended relationships.

2. Third-party identification & onboarding. This is the collection of processes

aimed at automating a standard, objective approach for identifying third parties
to work with, onboarding them through the collection of third-party data, and
conducting appropriate due diligence.

† Purpose & identification. This is the process to identify new third parties
or existing third parties to contract with for new business purposes.
Third-party identification will detail the purpose of the relationship
and include initial definition of performance, risk, and compliance
requirements and concerns in the relationship so the proper relationship
can be identified.

† Qualification & screening. Once a third-party has been selected, the

next step is the qualification and screening process to validate that the
third-party can meet the requirements of the relationship and does not
introduce unwarranted risk and compliance exposure. The screening
process will go through due diligence steps to ensure that the third-party
is the right fit for the organization. Relationships, particularly high-risk
ones, are to be evaluated against defined criteria to determine if the
relationship should be established or avoided.

† Contracting & negotiation. Upon passing initial qualification and

screening, the next sets of processes are contracting and negotiation
processes to come to terms and establish the relationship.

† Registration & onboarding. When contracting and negotiation

processes are complete, the organization moves into registration and

3 Each area may have a number of processes and while the language and flow below indicate a linear
relationship, some of these can run in parallel and may need to as with registration processes that
may be needed for the organization to submit information that is reviewed in qualification and
screening processes.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 15

 onboarding. The registration process may have already started in the
qualification and screening phase to gather information but concludes
with setting up the third-party in the system with master data records,
financial and payment information, contact information, insurance, and
licensing documentation. Further steps of the onboarding process will
be the communication of code of conduct and related policies, getting
attestations to these, completing associated training requirements, and
conducting initial audits and inspections (if more are needed and were
not done in the qualification and screening stage).

3. Third-party communications & attestations. These are the set of ongoing

processes to manage the communications and interactions with the third-party
throughout the relationship’s lifecycle. These are done on a periodic (e.g., annual)
basis or when certain risk conditions are triggered.

† Policy communications & reminders. This is the regular communication

and reminders to third parties about code of conduct and related
policies and procedures they need to follow.

† Training. The regular training of third parties on matters of conduct,

policies, and procedures.

† Attestation. The regular attestation by third parties to their behavior and

conformance to policies and contractual requirements.

† Self-assessments. The regular surveys and assessments sent to

third parties for them to evaluate themselves and send back to the
organization.

† Reporting. The regular reporting on third parties on aspects of the

relationship and in the context of performance, risk, and compliance.

4. Third-party monitoring & assessment. This stage includes the array of processes
to continuously monitor the third-party relationship over their lifecycle in the
organization. These activities are the ones typically done within the organization
to monitor and assess the third-party relationship on an ongoing basis.

† Issue reporting & resolution. Even the most successful business

relationships encounter issues. This is the process for capturing issues
and their details that arise in third-party relationships. Issue reporting
processes may be internal and done by employees and management,
by the third parties themselves, or through external sources such as
customer complaints.

† Performance monitoring. Performance monitoring processes are in

place to monitor the health of the relationship, satisfaction of service
level agreements, and the value the relationship is providing.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 16

 † Risk monitoring. Risk monitoring processes identify and evaluate
potential risks relevant to each third-party relationship throughout their
lifecycle in the organization.

† Compliance monitoring & ongoing due diligence. The processes in

place to monitor relationships for ongoing conformance to compliance
requirements. This includes ongoing due diligence and screening
processes which can monitor and screen third parties on a continuous
basis (e.g., daily).

† Audit & inspections. The processes in place to exercise right to audit

clauses and do onsite inspections of third-party premises and facilities.

5. Forms & approvals. The set of internal processes to collect and report
information and route things for approval in context of third-party relationships.

† New vendor/supplier request.

† Gifts, hospitality & entertainment.

† Political & charitable contributions.

† Facilitated payments.

6. Metrics & reporting. Processes to gather metrics and report on third-party

relationships at the relationship level or in aggregate.

7. Third-party re-evaluation. The processes in place to evaluate, maintain, renew,

and off-board relationships.

† Relationship renewal. Managing the process of renewing contracts and

relationships under existing, revised, or new terms.

† Off-boarding & retirement. The off boarding/retired relationships that

are no longer needed.

Third-Party GRC Management Information Architecture

Third-party GRC management fails when information is scattered, redundant, non-
reliable, and managed as a system of parts that do not integrate and work as a collective
whole. The third-party GRC management information architecture supports the process
architecture and overall third-party GRC management strategy. With processes defined
and structured in the process architecture, the organization can now get into the specifics
of the information architecture needed to support third-party processes. The information
architecture involves the structural design, labeling, use, flow, processing, and reporting
of third-party management information to support third-party management processes.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 17

 Successful third-party GRC management information architecture will be able to integrate
information across third-party management systems, ERP, procurement solutions, and
third-party databases. This requires a robust and adaptable information architecture
that can model the complexity of third-party information, transactions, interactions,
relationship, cause and effect, and analysis of information that integrates and manages:

n Master data records. This includes data on the third-party such as address,
contact information, and bank/financial information.

n Third-party compliance requirements. Listing of compliance/regulatory

requirements that are part of third-party relationships.

n Third-party risk and control libraries. Risks and controls to be mapped back to
third parties.

n Policies and procedures. The defined policies and procedures that are part of
third-party relationships.

n Contracts. The contract and all related documentation for the formation of the
relationship.

n SLAs, KPIs, and KRIs. Documentation and monitoring of service level

agreements, key performance indicators, and key risk indicators for individual
relationships, as well as aggregate sets of relationships.

n Third-party databases. The information connections to third-party databases

used for screening and due diligence purposes, such as sanction and watch lists,
politically exposed person databases, as well as financial performance or legal
proceedings.

n Transactions. The data sets of transactions in the ERP environment that are
payments, goods/services received, etc.

n Forms. The design and layout of information needed for third-party forms and
approvals.

Third-Party GRC Management Technology Architecture

The third-party GRC management technology architecture operationalizes the
information and process architecture to support the overall third-party GRC management
strategy. The right technology architecture enables the organization to effectively
manage third-party performance and risk across extended business relationships and
facilitate the ability to document, communicate, report, and monitor the range of
assessments, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for third-party GRC
management that connects the fabric of the third-party GRC management processes,
information, and other technologies together across the organization. Many

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 18

 organizations see third-party GRC management initiatives fail when they purchase
technology before understanding their process and information architecture and
requirements. Organizations have the following technology architecture choices before
them:

n Documents, spreadsheets, and email. Manual spreadsheet and document-

centric processes are prone to failure as they bury the organization in mountains
of data that is difficult to maintain, aggregate, and report on, consuming valuable
resources. The organization ends up spending more time in data management
and reconciling, as opposed to active risk monitoring of extended business
relationships.

n Point solutions. The implementation of a number of point solutions that

are deployed and purpose built for very specific risk and regulatory issues.
The challenge here is that the organization ends up maintaining an array of
disconnected solutions that do very similar things but for different purposes. This
introduces a lot of redundancy in information gathering and communications
that taxes the organization and its relationships. They typically focus on one, and
possibly more, areas of third-party risk.

n ERP solutions. There are a range of solutions that are strong in the ERP and
procurement space that have robust capabilities in third-party transactions and
spend analytics. However, these solutions may be weak in overall third-party
governance, risk management, and compliance.

n Enterprise GRC platforms. Many of the leading enterprise GRC platforms have
third-party (e.g., vendor) risk management modules. However, these solutions
often have a predominant focus on risk and compliance and do not always have
the complete view of performance management of third parties. These solutions
are often missing key requirements such as third-party self-registration, third-
party portals, and established relationships with third-party data and screening
providers.

n Third-party GRC management platforms. These are solutions that are built
specifically for third-party GRC management and often have the broadest
array of built-in (versus built-out) features to support the breadth of third-party
management processes. In this context, they take a balanced view of third-
party governance and management that includes performance of third parties
as well as risk and compliance needs. These solutions often integrate with ERP
and procurement solutions, or may be provided by a procurement solution,
to properly govern third-party relationships throughout their lifecycle and can
feed risk and compliance information into GRC platforms for enterprise risk and
compliance reporting where needed.

The right third-party GRC technology architecture choice for an organization often
involves integration of several components into a core third-party GRC management
platform solution to facilitate the integration and correlation of third-party information,
analytics, and reporting. Organizations suffer when they take a myopic view of third-

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 19

 party management technology that fails to connect all the dots and provide context to
business analytics, performance, objectives, and strategy in the real-time that business
operates in.

Some of the core capabilities organizations should consider in a third-party GRC

management platform are:

n Internal integration. Third-party management is not a single, isolated

competency or technology within a company. It needs to integrate well with
other technologies and competencies that already exist in the organization –
procurement system, spend analytics, ERP, and GRC. The ability to pull and push
data through integration is critical.

n External integration. With increasing due diligence and screening requirements,

organizations need to ensure that their solution integrates well with third-
party databases. This involves the delivery of content from knowledge/content
providers through the third-party technology solution to rapidly assess changing
regulations, risks, industry, and geopolitical events.

n Content, workflow, and task management. Content should be able to be

tagged so it can be properly routed to the right subject matter expert to
establish workflow and tasks for review and analysis. Standardized formats for
measuring business impact, risk, and compliance.

n 360° contextual awareness. The organization should have a complete view of

what is happening with third-party relationships in context of performance, risk,
and compliance. Contextual awareness requires that third-party management
have a central nervous system to capture signals found in processes, data, and
transactions, as well as changing risks and regulations for interpretation, analysis,
and holistic awareness of risk in the context of third-party relationships.

GRC 20/20’s Final Perspective

The primary directive of a mature third-party governance program is to deliver

effectiveness, efficiency, and agility to the business in managing the breadth of third-
party relationships in context of performance, risk, and compliance. This requires a
strategy that connects the enterprise, business units, processes, transactions, and
information to enable transparency, discipline, and control of the ecosystem of third
parties across the extended enterprise.

The Agile Maturity approach is where most organizations will find the greatest balance
in collaborative third-party governance and oversight. It allows for some department/
business function autonomy where needed but focuses on a common governance
model and technology architecture that the various groups in third-party GRC utilize. A
federated approach increases the ability to connect, understand, analyze, and monitor
interrelationships and underlying patterns of performance, risk, and compliance across
third-party relationships, as it allows different business functions to be focused on their
areas while reporting into a common governance framework and architecture. Different

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 20

 functions participate in third-party GRC management with a focus on coordination and
collaboration through a common core architecture that integrates and plays well with
other systems.

Fundamental Steps to Establishing Your Third-party GRC Strategy

To achieve the full benefits from a third-party GRC strategy, GRC 20/20 recommends the
following next steps:

‰ Gain executive support and sponsorship of the third-party GRC strategy. The
organization needs to work in harmony on third-party GRC. Different groups
doing their own thing handicap the business. Executive support is critical to align
the organization.

‰ Establish a dedicated cross-functional team focused on a common approach.

It is vital to dedicate a cross-functional team to oversee ongoing harmonization
of third-party GRC processes, integration of information, collaboration across
risk and compliance functions, and execution of the third-party GRC strategy.
This group identifies strengths within existing functions and enables other areas
to benefit from them. The goal of this team is to develop shared framework,
processes, and information.

‰ Define a third-party GRC framework. Companies must document and prioritize

third parties and third-party risks. This includes defining who owns relationships,
who owns risk, the subject matter expert for risk, and which function or process
monitors third-party relationship. Policies, controls, and issues must be mapped
back to the third-party GRC framework.

‰ Develop harmonized processes. Key to success is identification of shared

processes and information for third-party GRC across the enterprise. This
includes identifying technology solutions to support integrated information and
process architecture.

The primary directive of a third-party GRC management program is to deliver

effectiveness, efficiency, and agility to the business in governing relationships and
address risk across the breadth of these relationships. This requires a strategy
that connects the enterprise, business units, processes, and information to enable
transparency, discipline, and risk control of the ecosystem of third parties across the
extended enterprise. Automation of third parties’ assessments that pose an exposure
to the organization enables the organization to manage their overall risk exposure and
deliver value to the organization. Organizations that are striving to improve their third-
party GRC management capability and maturity in their organization will find they are
more:

n Aware. Have a finger on the pulse of the business and its third-party
relationships. Closely monitor for changes in third-party relationships, including
the internal business environment and external risk and regulatory environments
that introduce risk to the organization and its relationships. Key to this is the

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 21

 ability to turn data into information that can be analyzed and shareable in every
relevant direction.

n Aligned. Align performance, risk management, and compliance to understand

and govern each relationship and the program overall to support and inform
business objectives. This requires continuously aligning objectives and
the operations of the integrated third-party GRC capability to those of the
organization and to giving strategic consideration to information from the third-
party GRC management capability to affect appropriate change.

n Responsive. Organizations cannot react to something they do not sense.

Mature third-party GRC management focuses on gaining greater awareness
and understanding of information that drives decisions and actions, improves
transparency, and quickly cuts through the morass of data to uncover what an
organization needs to know to make the right decisions.

n Agile. Stakeholders desire the organization to be more than fast; they require
it to be nimble. Being fast isn’t helpful if the organization is headed in the
wrong direction with managing third-party relationships. Third-party GRC
enables decisions and actions that are quick, coordinated, and well thought out.
Agility allows an entity to use third-party GRC to its advantage, grasp strategic
opportunities, and be confident in its ability to stay on course.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to Coupa 22

About GRC 20/20 Research, LLC

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and
compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and
analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape;
market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem
of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered
through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC
challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000
companies, major professional service firms, and the breadth of GRC solution providers.

Research Methodology

GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing
GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria,
regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research
reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and
best practices. Research facts and representations are verified with client references to validate accuracy. GRC
solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.

GRC 20/20 Research, LLC

+1.888.365.4560
info@GRC2020.com
www.GRC2020.com