GRC 2020 CoreStream GRC

Hosted by Michael Rasmussen, GRC2020

25th September 2023 10am to 5pm (including lunch and drinks reception)

Home House Private Members Club

20 Portman Square,

London,

W1H 6LW


Third Party Management by Design Workshop

25th September 2023 10am to 5pm (including lunch and drinks reception)

Third Party Risk Management (TPRM) workshop abstract:

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise. 

In this context, organizations struggle to govern their third-party relationships and too often manage risk and compliance within those relationships in silos that fail to see the big picture of risk exposure and the impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries. This is particularly true in this new era of ESG in the extended enterprise. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak risk governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third-party partners behave appropriately. 

Dissociated data, systems, processes, and a myopic risk vision leave the organization with fragments of the truth that fail to see the big picture of third-party performance, risk, and compliance across the enterprise and how it supports its strategy and objectives. The organization needs holistic visibility and situational awareness of third-party risk across the enterprise. The complexity of business and the intricacy and interconnectedness of third-party risk data require that the organization implement a third-party risk management strategy.

This workshop aims to provide a blueprint for attendees on effective third-party risk management in a dynamic business, regulatory, ESG, and risk environment. Attendees will learn third-party risk management strategies and processes that can be applied across the organization at either an enterprise or a department level. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of the Third Party Risk Management workshop:

Attendees will take back to their organization approaches to address:

  • Effectively manage due diligence and third-party risk
  • Understand the challenges and pitfalls of managing third-party risk
  • Achieve success capitalizing on third-party relationships while maintaining compliance
  • Facilitate ongoing monitoring of third-party partners
  • Define a third-party management lifecycle for managing and monitoring third-party relationships
  • Establish third-party management ownership and accountability
  • Provide third-party management process consistency
  • Communicate effectively with third parties on matters of risk and compliance
  • Track critical workflow and tasks internally and with third-party relationships
  • Deliver effective third-party governance and assurance to the board of directors, regulators, and stakeholders
  • Monitor metrics to establish the effectiveness of third-party management
  • Identify and resolve issues with third parties
  • Map third-party relationships to objectives, risks, controls, issues, and other GRC areas

Benefits to TPRM workshop attendees:

  • Understand a top-down as well as a bottom-up approach to third party management
  • Implement third party management in the context of business strategy, process, and operations
  • Explore third party management architecture models and how they apply to your organization
  • Discover various third party assessment and monitoring techniques and how they apply to your business
  • Develop a third party information architecture that aligns with business operations and processes
  • Effectively communicate and gather attestation on third parties across your organization

Who should attend the TPRM workshop?

  • Procurement Professionals
  • Supply Chain Professionals
  • Ethics & Compliance Professionals
  • Risk Management Professionals
  • IT Security Professionals
  • Legal Professionals
  • Environmental, Health & Safety Professionals
  • Corporate Social Responsibility & Accountability Professionals
  • Individuals with third party management, ownership, or oversight responsibilities

Proposed agenda for the Third Party Risk Management workshop:

Part 1: Third Party Management by Design
Why Third Party Management Matters
  • Third Parties in Disarray: how organizations mismanage third parties
  • Third Party Exposure: how mismanaged third parties expose the organization to risk
  • Current drivers & trends pressuring organizations in third party management
  • Different ways organizations approach third party management
  • What Effective Third Party Management Achieves: third party management’s role in governance, risk management, and compliance
Part 2: Third Party Governance
Blueprint for Effective Third Party Management
  • Third Party Governance Committee: bringing together the range of third party management roles and responsibilities in the organization
  • Third Party Management Charter: defining a structure to govern third party relationships
  • How to Develop a Third Party Management Strategic Plan
Part 3: Third Party Management Lifecycle
Managing Third Parties from Onboarding to Offboarding
  • Third party identification & onboarding
  • Ongoing context monitoring
  • Third party communications & attestations
  • Third party monitoring & assessment
  • Third party forms & approvals
  • Third party metrics & reporting
  • Third party re-evaluation and offboarding
Part 4: Third Party Management Architecture
Enabling Information & Technology Management of Third Party Relationships
  • Third Party Management Information Architecture: Blueprint for Managing Third Party Content and Related Data
    • Types of third party management information and how it integrates into third party processes
    • Components and requirements for a third party information architecture
  • Third Party Management Technology Architecture: Blueprint for Enabling Third Party Management Processes with Technology
    • Kinds of third party management technologies and what best serves the organization
    • Capabilities and requirements of third party management platforms
  • Third Party Management Business Case: Articulating the Value of Effective Third Party Management
    • Defining a business case and value of third party management platforms

Frequently Asked Questions (FAQ)

  1. What is third-party risk management, and why is it important?
    • Third-party risk management is the process of identifying, assessing, and mitigating risks associated with third-party relationships. In today’s interconnected business environment, organizations rely heavily on external partners, vendors, contractors, and suppliers. Managing these relationships effectively is crucial to preventing reputational damage, financial losses, compliance violations, and operational disruptions.
  2. What are the key risks in third-party relationships?
    • Key risks in third-party relationships include reputational risk, compliance risk (e.g., violating regulations or standards), financial risk (e.g., third-party failure), security risk (e.g., breaches in data protection), and operational risks (e.g., disruptions due to third-party failures). These risks can affect the organization’s brand, performance, and compliance standing.
  3. How do I manage third-party risk across the organization?
    • Effective third-party risk management involves establishing a holistic strategy that spans the entire organization. This includes setting up governance structures, defining ownership, conducting due diligence, continuously monitoring third-party performance, and ensuring compliance with internal and external standards. Integration of risk data, communication, and transparency is essential to managing these risks across departments and functions.
  4. What is a third-party risk management lifecycle, and what does it include?
    • The third-party risk management lifecycle consists of several stages: identifying and onboarding third parties, ongoing monitoring of their performance, communicating and attesting compliance with standards, assessing their continued viability and performance, and finally, offboarding when the relationship is no longer needed or poses significant risks. Properly managing each phase ensures that risks are continually evaluated and mitigated.
  5. How can I implement a third-party risk management strategy?
    • To implement a third-party risk management strategy, organizations need to start by defining clear roles and responsibilities for third-party oversight, establishing policies and procedures, conducting risk assessments, and selecting appropriate technologies to manage and monitor these relationships. Training teams, ensuring accountability, and aligning third-party management with business goals are also key components of a successful strategy.
  6. What role does governance play in third-party management?
    • Governance provides the structure and oversight necessary to ensure that third-party relationships are managed effectively. This involves creating a governance committee, developing a third-party management charter, setting policies and procedures for risk management, and ensuring accountability through clear ownership. Governance also includes reporting to stakeholders such as boards of directors and regulatory bodies.
  7. What is the role of technology in third-party risk management?
    • Technology plays a critical role in enabling organizations to manage third-party risks at scale. Tools for monitoring, reporting, and automating workflows can help track third-party performance, risks, and compliance. Implementing an information and technology architecture helps streamline data management, improves transparency, and enhances the ability to respond to emerging risks.
  8. How can I measure the effectiveness of third-party management?
    • The effectiveness of third-party management can be measured through key performance indicators (KPIs) such as compliance rates, the frequency of risk incidents, third-party performance metrics, audit results, and the effectiveness of communication and attestations. Regular assessments and re-evaluations of third-party relationships also help ensure continuous improvement.
  9. What are the common challenges in managing third-party risk?
    • Some common challenges include fragmented risk data, lack of centralized oversight, insufficient communication across departments, difficulty in monitoring complex, multi-layered supply chains, and aligning third-party management with overall business objectives. Organizations may also struggle with regulatory compliance, especially in the context of global operations and evolving ESG expectations.
  10. How do I integrate third-party risk management into my organization’s business strategy?
    • Third-party risk management should be aligned with overall business strategy by ensuring that third-party relationships support business goals, operational needs, and compliance requirements. Integrating third-party management processes into business operations, using data-driven insights, and fostering a culture of accountability helps create a seamless connection between third-party risk management and the organization’s strategic objectives.
  11. Who should be involved in third-party risk management?
    • Third-party risk management should involve cross-functional teams including procurement, compliance, legal, IT security, risk management, finance, and operations. A collaborative approach ensures that all aspects of third-party relationships are appropriately monitored and governed, and that risks are identified and addressed across all departments.
  12. What is the importance of ESG (Environmental, Social, Governance) in third-party management?
    • ESG considerations are crucial in third-party management, as organizations are increasingly held accountable for the practices of their third-party partners. Failure to ensure compliance with environmental standards, social responsibility, and ethical governance can lead to reputational damage and legal consequences. Monitoring ESG risks in third-party relationships helps safeguard an organization’s integrity and long-term sustainability.
  13. How do I communicate risk and compliance matters to third parties?
    • Effective communication with third parties involves clear, transparent dialogue regarding expectations, compliance requirements, and risk mitigation strategies. This can include formal agreements, ongoing communications, regular attestations, and the sharing of relevant risk data. It is essential to establish a mutual understanding of risk responsibilities and to maintain open channels for addressing any concerns that arise.
  14. What tools and platforms are best for managing third-party risks?
    • The best tools for managing third-party risks depend on the complexity of the organization’s third-party network. Technologies such as third-party risk management platforms (for example, CoreStream GRC), enterprise risk management software, and supply chain management tools can help monitor compliance, assess risks, track metrics, and streamline communication. These platforms should integrate with other organizational systems so that risk data is centralized and actionable.
