GRC – short for Governance, Risk, and Compliance – is the alignment of an organization's processes, technologies, and people with a repeatable framework for risk-based decision making. But what does GRC involve, and does it account for the risks presented by third parties? Considering that more than 60% of data breaches involve a third party of some kind, how can organizations develop a simplified, holistic risk management strategy that encompasses not only internal risk factors but also those introduced by the external parties they do business with? This blog addresses those questions and summarizes the capabilities to look for as you build out your GRC strategy using a common industry-standard framework: the OCEG GRC Capability Model.
GRC starts with defining business goals and arranging business processes and organizational oversight to ensure the business achieves those goals. This is the “G” – governance. Then comes the “R” – employing the principles of risk management in defense of those goals, for example by having IT risk management processes in place that provide a framework for gaining visibility into, and taking action on, potential cyber risks that could impact the business. Finally, the “C” is compliance with the regulatory and industry frameworks that exist to ensure your organization’s “G” and “R” practices are aligned with proven and accepted practice.
While inherently an internal exercise, fundamental GRC practices can be extended to cover an organization's third-party and external business relationships. Leveraging many of the same principles, third-party risk management – or TPRM – is an outward-facing subset of GRC: it provides the capability to identify and manage IT risk in the supply chain (vendors, suppliers, partners, etc.) – your extended enterprise – to ensure an acceptable level of partner risk and to measure vendors’ adherence to compliance mandates. In the modern, outsourced, flexible environment the extended enterprise is a point of concern precisely because it is an extension of the business itself, directly supporting revenue-generating activities.
Specifically, TPRM automates collection and analysis of questionnaire-based vendor evidence; identifies and prioritizes vendor risks; outlines risk remediation recommendations with specific actionable guidance; continuously monitors cyber and business risks through external scanning, business intelligence, and penetration testing; and reports by compliance regime or industry framework.
Conceptually, GRC and TPRM are similar in their approaches and outcomes, with TPRM benefiting from GRC in that a holistic GRC strategy helps make TPRM more proactive and less reactive. And, TPRM considers second and fourth parties in the extended enterprise as well.
If you are looking to provide some structure around your GRC program – or to start up a more formal program – and want to ensure your third-party risk concerns are addressed from the start, we recommend the Open Compliance and Ethics Group’s OCEG Red Book, a well-received common industry framework for GRC. We have mapped best-practice TPRM capabilities onto this model in the table below.
| OCEG GRC Capability Model | Best Practice TPRM Capabilities |
| --- | --- |
| L – Learn: Examine and analyze context, culture, and stakeholders to learn what the organization needs to know to establish and support objectives and strategies. | |
| External Context: Understand the external business context in which the organization operates. | |
| Internal Context: Understand the internal business context in which the organization operates. | |
| Culture: Understand the existing culture, including how leadership models culture, the organizational climate, and individual mindsets about the governance, assurance, and management of performance, risk, and compliance. | Flexible, easy-to-use interface to ensure all levels of the organization benefit from the solution |
| Stakeholders: Interact with stakeholders to understand expectations, requirements, and perspectives that impact the organization. | |
| A – Align: Align performance, risk, and compliance objectives, strategies, decision-making criteria, actions, and controls with the context, culture, and stakeholder requirements. | |
| Direction: Provide direction by establishing clear mission, vision, and values statements and high-level objectives, as well as guidance about how decisions will be made. | |
| Objectives: Define a balanced set of measurable objectives that are consistent with decision-making criteria and appropriate for the established frame of reference. | |
| Identification: Identify forces that may cause desirable (opportunity) or undesirable (threat) effects on the achievement of objectives, as well as those that may compel the organization to conduct itself in a particular way (requirement). | |
| Assessment: Analyze the current and planned approach to addressing opportunities, threats, and requirements using decision-making criteria with quantitative and qualitative methods. | |
| Design: Develop strategic and tactical plans to achieve the objectives, while addressing uncertainty and acting with integrity, consistent with decision-making criteria. | |
| P – Perform: Address threats, opportunities, and requirements by encouraging desired conduct and events, and preventing what is undesired, through the application of proactive, detective, and responsive actions and controls. | |
| Controls: Establish a mix of management, process, human capital, technology, information, and physical actions and controls that serve governance, management, and assurance needs. | |
| Policies: Implement policies and associated procedures to address opportunities, threats, and requirements and set clear expectations of conduct for the governing authority, management, the workforce, and the extended enterprise. | Advisory and health check services help to define and refine TPRM policies |
| Communication: Deliver and receive relevant, reliable, and timely information to the right audiences, as required by mandates, or as needed to perform responsibilities and effectively shape attitudes. | Stakeholder-specific reporting – internal and external – showing inherent, residual, and actual risks throughout the vendor management lifecycle to drive action based on identified or dispositioned risks |
| Education: Educate the governing authority, management, the workforce, and the extended enterprise about expected conduct, and increase the skills and motivation needed to help the organization address opportunities, threats, and requirements. | Advisory services that use adaptive enablement and key performance and risk indicators to drive improvements in talent, tools, and techniques |
| Incentives: Implement incentives that motivate desired conduct and recognize those who contribute to positive outcomes, to reinforce desired conduct. | Advisory services to define the program, help train internal stakeholders, and drive adoption |
| Notification: Provide multiple pathways to report progress toward objectives, and the actual or potential occurrence of undesirable and desirable conduct, conditions, and events. | |
| Inquiry: Periodically analyze data and seek input about progress toward objectives, and about the existence of undesirable conduct, conditions, and events. | |
| Response: Design and, when necessary, execute responses to identified or suspected undesirable conduct, conditions, events, or weaknesses in capabilities. | |
| R – Review: Conduct activities to monitor and improve the design and operating effectiveness of all actions and controls, including their continued alignment to objectives and strategies. | |
| Monitoring: Monitor and periodically evaluate the performance of the capability to ensure it is designed and operated to be effective, efficient, and responsive to change. | |
| Assurance: Provide assurance to management, the governing authority, and other stakeholders that the capability is reliable, effective, efficient, and responsive. | |
| Improvement: Review information from periodic evaluations, detective and responsive actions and controls, monitoring, and assurance to identify opportunities for capability improvements. | |
If your GRC strategy fails to address these TPRM best practices, act now. Download our Best Practices Guide, 5 Steps to Proactive TPRM, for a full review of the capabilities required to account for third-party risks in your GRC program.