Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management.
I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey, on how to tackle these challenges.
In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. You can access Episode 1 on third-party risk mitigation here, Episode 2 on due diligence here and Episode 3 on ongoing program management here.
Join this episode as we discuss how to leverage third-party risk management to identify opportunities and equip boards to take risks, innovate and drive things forward.
1. Understand the Role of the Board in Oversight
Understanding the board's role in oversight, and giving it clarity on third-party risk management, is an essential step in any risk management strategy. The Caremark doctrine (Delaware case law on directors' duty of oversight) sets the legal floor that boards must meet. But rather than treating oversight as a bare legal requirement, organizations should recognize the business opportunity in building a process that connects employees, compliance professionals, executives and the board in one seamless flow.
This connection enables a culture of continuous improvement that starts at board level and cascades down through the business. It also allows two-way communication between the board and compliance professionals, so that the board can clearly communicate its risk management strategy and expectations.
2. Board Review of Codes of Conduct
A key role for any board is to regularly review and refresh the organization's Code of Conduct as needed. When it comes to third-party risk management, this review is needed to ensure that third parties are held to the company's established guidelines.
A board should understand why third-party risk management matters and how to fulfill its oversight role. That requires an enterprise-wide single source of data for governance, risk and compliance, and dashboards that allow continuous monitoring of third-party relationships with real-time information, so the business can react to changing conditions. Ultimately, a company needs to be able to show that its board is making a good-faith effort to address risk: due diligence processes are in place, and there are effective plans to monitor those processes.
3. Continuous Improvement View of Risk Management
Another key role for the board is to adopt a continual improvement view of risk management. This shifts the organization from one-time due diligence to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement.
In turn, this allows a board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team.
4. Utilize Real-Time Data to React to Changing Times
There is probably no more important task for a board in 2023 than responding to changing times. COVID-19 is still front of mind, but political, geographic, economic and even climate conditions are also changing much faster than before.
For a board to provide effective oversight, it must have access to real-time data, from both a regulatory and a business/reputational perspective. All internal stakeholders should be connected through an enterprise-wide single source of all the nonfinancial data required for effective governance, risk and compliance. A platform of that kind also provides real-time information so boards can react quickly, and adds relevance and context to the risk data, helping boards make informed decisions about the potential upside and downside of taking on a given risk.
5. Ensure Commitment to Ethical Values and Ethical Cultures
It really does all start at the top: boards must ensure commitment to ethical values and an ethical culture. They should mandate a continual improvement view, embracing ongoing monitoring rather than one-and-done due diligence, and require the organization to enforce its commitment to ethical values, an ethical culture and honest business practices.
When it comes to third parties, the board must understand the risk each third party poses, taking into account the business in question and the inherent nature of the company's dealings with that third party. A robust platform provides real-time information throughout the relationship, dashboards to monitor third-party data and a single source of truth for all nonfinancial data. This supports a two-way dialogue between GRC professionals and the board, so the board receives the clearest, most relevant and most targeted information to make better decisions.
To further explore how compliance teams can work with the board and other teams to drive business success, read our white paper on bringing compliance, risk and audit into the boardroom here.
Listen to Adam Bailey on the podcast series here.
Learn how Third-Party Risk Management from Diligent can help your organization with reporting. Request a demo today.