Manage third parties? This workshop offers guidance
Every company of consequence uses third parties to conduct its business. You may call third parties by another name like vendors, resellers, distributors, or affiliates. Many organizations have hundreds, even thousands, of third parties with each one performing an essential task needed for the journey from raw material to finished product.
Because a third party’s business is integral to operations, your company bears a lot of risk. If something goes wrong with a third party, it impacts the business. That’s why managing third-party risk is so important. By actively managing third parties, you can help mitigate the risk of using them.
That’s easier said than done. It’s why GRC 20/20’s Michael Rasmussen has been barnstorming the country this year presenting his Third Party Management by Design workshop.
As the sponsor, we thought we’d share key insights from a few of the workshops.
What keeps you up at night?
One of Rasmussen’s first tasks in the workshop is to ask attendees, “What keeps you up at night?” A workshop assistant records attendee responses on whiteboards.
What’s notable is how varied the responses are and how many center on one’s area of responsibility, be it business, compliance, procurement, HR, or legal.
One attendee manages 100,000 vendors across 12 different organizations. He needs both a business case for vendors and a way to ensure the organization is getting a benefit from all vendors. Another attendee is kept awake at night concerned about due diligence, continuity of contracts, and international compliance.
Many workshop attendees cite obtaining completed SIG questionnaires and SOC reports, issuing assessments, dealing with oversight, making subcontractors accountable, and more. For other attendees, it’s protecting against data breaches, maintaining service level agreements, and managing concentration risk.
The cure for insomnia is building a sustainable third-party program tailored to your organization’s needs.
Building your third-party program
Now that we’ve identified sleep-depriving challenges, we can move on to the critical steps needed to build an effective third-party program.
A crucial first step is assembling a cross-functional governance committee to create a governing document for third-party engagements. Having such a document helps address a major challenge for many organizations with little or no collaboration between departments.
When building a program, Rasmussen is a proponent of a federated approach, which balances third-party centralization with distributed participation and collaboration. The board and executive management own oversight, while the departments actively involved in third-party management contribute their expertise and also collaborate and communicate with each other. Doing so ensures the efficient execution of third-party risk management.
Embrace a technology solution
While every program is unique, success may well depend on harnessing the power of technology. High-tech solutions streamline processes, aid stakeholders in their activities, and make programs run more efficiently and effectively. But which solution is right for your organization?
In his workshop, Rasmussen gives an overview of the two major types of solutions, but rather than endorse any, he empowers attendees to be smart shoppers. The solution you seek needs to serve as the central hub of third-party information and provide automation and tracking that streamline processes and deliver accountability.
Another consideration is what Rasmussen refers to as 360-degree contextual intelligence. Management that has real-time visibility into third-party management operations can make more intelligent decisions, more rapidly.
The Third Party Management by Design workshop takes you through the A-Z of managing third parties. You discover what keeps you up at night, gain guidance on building a program and receive a primer on technology solutions for managing third-party risk. Bookmark our events page and watch for upcoming By Design workshops.