The modern organization is a complex web of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees, but rather third parties: suppliers, vendors, service providers, consultants, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting.
Multi-national organizations are struggling to adequately monitor and manage their third-party relationships. In a highly interconnected and regulated business environment, third-party problems directly impact an organization’s brand, reputation, compliance, strategy, and risk.
In the eyes of regulators, NGOs, and the press, organizations bear responsibility for the actions or inactions of their third parties. Establishing or maintaining the wrong business relationships can lead to reputational and economic disaster, including fines that reach millions or even billions of dollars.
Characteristic Failures in Third Party Governance Are Multifaceted
Organizations manage third parties differently across departments and functions, often using manual approaches involving thousands of documents, spreadsheets, and emails. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships.
Common failures in third-party management include:
- Tracking regulatory change. There is a steadily increasing drumbeat of regulatory requirements, as exemplified by the Dodd-Frank Act of 2009 with its 16 Titles and 800+ pages of new laws.
- Identifying risks arising from interconnected third parties. An exposure in one area may seem minor, but when factored into other exposures the result can be significant. One of the best-publicized failures in InfoSec, 40 million credit card numbers stolen from Target’s customers, was achieved through malware installed via an HVAC subcontractor.
- Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency and a lack of agility.
- Document-, spreadsheet-, and email-centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that are difficult to maintain, aggregate, and report on. When there is no single source of truth, it becomes difficult to get a comprehensive, accurate, and current-state analysis of a third party.
- Scattered and non-integrated technologies. When different parts of the organization use different solutions and processes for on-boarding and managing third parties, monitoring third party risk and compliance, and managing relationships, the big picture can never be seen.
- Due diligence done haphazardly or only during on-boarding. To be effective, due diligence needs to be conducted on a periodic or continual basis.
- Inadequate processes to monitor changing dynamics. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more.
- Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators.
Enabling 360 Degree Insight and Control of Third Party Relationships
To manage third-party risks effectively, organizations need a comprehensive 360 degree view of third party status and risks. This view should encompass risks, applicable laws (which continue to change), compliance practices, and newsworthy events. Rather than burying or distributing this information in spreadsheets, the solution should provide executive teams and compliance experts with a “single source of truth” for understanding all third-party relationships.
In addition, the solution should integrate with critical business systems, such as payment systems and ERP platforms, so that third-party intelligence becomes actionable. Through automated actions, such as email alerts and commands to stop payment, an optimal third-party compliance solution assures compliance not just by reporting status but also by automating actions that keep organizations and key individuals safely within the limits of the law.
The Aravo Enterprise Platform meets all these requirements for monitoring and managing third party relationship lifecycles, from on-boarding through continuous monitoring, due diligence, and ongoing assessment to off-boarding. The Aravo solution integrates with other critical internal systems, such as payment systems and ERP platforms, as well as external databases to monitor and alert on third-party risks and interactions. Aravo also provides applications for addressing specific third party risks, such as Anti-Bribery/Anti-Corruption, Responsible Sourcing and IT Security.
To find out more about what’s important in maintaining third-party risk and compliance, read analyst firm GRC 20/20’s white paper, “360 Degree Insight and Control of Third Party Relationships”:
To learn more about the Aravo Enterprise solution for third-party compliance, please contact us.