GRC 2020

Third-Party GRC Management by Design

More than ever before, organizations consist of an interconnected web of relationships and transactions that rely on third parties. If this describes your business, and if you’d appreciate guidance relating to your third-party governance processes, you will want to download this white paper.


A Strategic Plan and Actionable Steps for Third-Party GRC Management

In this white paper from the analyst firm GRC 20/20, you’ll learn how to:

  • Develop your organization’s third-party governance team
  • Optimize processes, information, and technology architecture
  • Design effective periodic risk assessment and monitoring

Organizations often struggle to govern their third-party relationships—and too often manage risk and compliance in silos that then fail to see the big picture (and exponential consequences) of risk exposure.

Approaching third-party GRC management with a design mindset creates holistic visibility and situational awareness across departments. The questions are—how do you define third-party GRC management? What are the critical elements of a strategic plan? And, what are the fundamental steps for success?

Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure. Siloed information and/or reactive, document-centric, and manual processes fail to actively govern relationships and manage risk and compliance in the context of the third-party relationship and broader organizational objectives and values. Silos leave the organization blind to the intricate relationships of risk and compliance exposures that fail to get aggregated and evaluated in context of the overall relationship and its goals, objectives, and performance.
Third-Party GRC Management by Design White Paper, GRC 20/20


What are the most common ways that third-party governance fails?

One of the main ways that third-party governance fails is when risks and regulatory concerns are growing but there are insufficient resources to take them into account. A second reason for failure is interconnected third-party relationships that are not visible in a connected way. A third is silos of third-party oversight that don’t talk to each other. Another reason for failure is document- and email-centric approaches that make it easy for important details to be overlooked. Scattered or non-integrated legacy third-party technologies, processes focused on onboarding only, inadequate processes to manage change, and third-party performance evaluations that neglect risk and compliance are additional ways that governance in many organizations falls short.

What is third-party GRC?

Third-party GRC is a “capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across the organization’s third-party relationships.” This is adapted from the official GRC definition in the OCEG GRC Capability Model.

What are the various approaches that organizations take to manage third-party relationships?

GRC 20/20 has identified three approaches that organizations take to manage third-party relationships. The first approach is to manage third-party relationships in ad hoc department silos, otherwise known as the anarchy approach. The second is a one-size-fits-all method, or the monarchy approach, in which third-party relationships are managed centrally by one department. The third is an integrated and collaborative approach, termed the federated approach. Read the white paper for more details on these approaches and the challenges and benefits of each.