Ensuring Integrity in the Extended Enterprise

The value of a third-party risk management strategy

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define your organization. The modern organization is the extended enterprise: an interconnected maze of relationships and interactions that span traditional business boundaries. These relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains and subcontracting relationships.

The challenge today is that integrity issues in your extended business relationships are your organization’s issues. You stand in the shoes of your third-party relationships. Third-party integrity problems are the organization’s integrity problems: they directly impact the brand and reputation while increasing exposure to risk and compliance matters. Compliance and ethics challenges do not stop at organizational boundaries.

An organization can face reputation and economic disaster by establishing or maintaining the wrong third-party relationships, or by allowing good business relationships to sour because of weak governance of the relationship. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third-party partners behave appropriately.

Third-party risk management challenges

Maintaining integrity across the extended enterprise is challenging, as your organization faces:

  • Growing risk and regulatory concerns. Organizations face a barrage of growing regulatory requirements and expanding geopolitical risks around the world.
  • Interconnected third-party risks that are managed in silos. A risk in one area may seem minor, but when factored into other risk exposures in the same relationship, it can become significant.
  • Document- and email-centric approaches. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for things to be overlooked, and third-party management is buried in mountains of data that are difficult to maintain, aggregate, and report on.
  • Processes focused on onboarding only. Integrity and compliance issues are often analyzed only during onboarding, which fails to recognize that additional compliance exposure is incurred over the life of the third-party relationship.
  • Third-party performance evaluations that neglect integrity and compliance. Metrics focus on third-party delivery of products and services but do not include monitoring of risks such as compliance and ethical considerations.

An ad hoc approach to third-party management results in poor visibility across the extended enterprise. When the organization approaches third-party management in scattered silos that do not collaborate with each other, it cannot reason about third-party performance, risk management, and compliance together, nor understand their combined impact on the organization’s integrity.

Creating a third-party risk management process

It is time for organizations to step back and mature their third-party management programs with a cross-functional, coordinated strategy and team to define and govern the integrity of third-party relationships. Third-party management is more than compliance, more than risk, and more than procurement. Using the definition of GRC[1] – governance, risk management and compliance – third-party management is a “capability to reliably achieve objectives, while addressing uncertainty, and act with integrity” in the organization’s third-party relationships.

A targeted third-party management strategy with common processes, information, and technology gets to the root of the problem. Leading organizations adopt a common framework, architecture, and shared processes to manage third-party risk and compliance, increase efficiency, and respond with agility to the needs of a dynamic and distributed business environment.

A strong third-party GRC capability delivers stronger business integrity across the extended enterprise, which will:

  • Lower costs, reduce redundancy, and improve efficiencies.
  • Deliver consistent and accurate information.
  • Improve decision-making and insight into what is happening across business relationships.
  • Enable the organization to ensure integrity across relationships, transactions, and third-party activities and engagements, and to ensure they are aligned with the values and commitments of the organization.

From the Convercent team:

Surfacing risks from around the world—and around your extended enterprise—is more possible with our Third-Party Risk Management and Due Diligence solution. Get in touch with us via the form below to see how we can help you maximize integrity across the enterprise, as Michael recommends above.

[1] This is the OCEG definition of GRC.