Latest White Paper: Third-Party Governance & Oversight 2019 Survey Results
Shared Compliance Communities gather supplier/third-party responses to standardized assessments with the promise of increased efficiencies and improved data quality. This concept isn’t necessarily new – at least not outside the U.S. – but there has been some recent development in terms of interest in the model.
Earlier this week, TruSight announced the launch of an industry consortium based on collaboration with 4 major US Financial Institutions. Forrester’s Chris McLean provided an insightful blog post about this development which can be accessed here. Chris makes some excellent points in his article, and I agree that all of them are important considerations for companies looking into leveraging these types of shared compliance solutions. Aravo has some experience supporting these types of communities, and in the spirit of sharing, I thought I would add some perspective to complement his thoughts.
Disclaimer: I’m not an unbiased observer of this development in the market. My company (Aravo Solutions) has experience with and derives revenue from shared compliance communities, although we have no commercial relationship with or interest in TruSight. I will also add that my comments in this article are based on the experience I’ve gained through Aravo in supporting the delivery of these solutions in the market.
One of Chris’ points is that “As long as this solution is proprietary and for-profit, it’s not a standard.” For consortiums formed primarily through investments from their “members”, this can certainly be a valid concern. How can the market be assured of standards if the format is being driven primarily through a small number of very large and influential market leaders? Will smaller members receive equal input as their larger peers? Will any of the members enforce (if not mandate) that the standard be used consistently across their own organizations?
Aravo has some experience with these challenges based on a model that has been accepted and proven in the U.K. for the past 20 years. About 3 years ago, we formed a partnership with Hellios to deliver shared compliance communities in the United Kingdom for the Financial Services (FSQS) and Defence (JOSCAR) sectors. Both of these communities are thriving, but they’re based on a fundamentally different model than the one on which TruSight appears to be founded. First of all, these communities are not owned by the member firms. Hellios is an independent company that offers access to supplier information in the form of validated, high-quality, standardized assessments as a service. All of the members (buyers and suppliers) are customers of Hellios and, importantly, they have input and influence over the structure and enforcement of the standards. The key point here is that all members are Hellios’ customers as opposed to institutional investors in the business. The model is funded through annual fees that are paid to Hellios, and the fees are transparent and published for all to see. It’s this transparency in the model that helps ensure the community approach becomes a standard which is accepted and enforced by all.
It’s a lot of work to make these communities work, and Hellios conducts regular governance working groups, which include members (buyers and suppliers) of the community, for agreeing on the approach. Everyone provides input, and their feedback is incorporated into the communities every 6 months or so. The requested changes are discussed and agreed in an open forum to ensure alignment. This ensures that the communities are continuing to evolve and meet the changing demands within the market. A recent example is the introduction of a series of EU GDPR questions within the FSQS community to help the members come into compliance with that important regulation by May 2018. The value to members is that all of these questions were discussed and rationalized according to requirements across the industry. This ensures a common approach and potentially removes the cost and effort for each member issuing their own similar – but different – questionnaires for the suppliers.
Another issue Chris identifies is “This solution does not mitigate risk for those most exposed to potential loss.” I agree with this point completely. The information being published by these communities is valuable in that it can provide a standardized view of inherent risk associated with suppliers and third parties. Inherent risk, by definition, is the risk that exists before controls have been implemented to mitigate the risk. Each company subscribing to the data (output) from the community will still be required to implement its own internal processes to assess that risk and apply its own risk management processes to absorb or mitigate it to an acceptable level of residual risk. To date, these risk management processes have not been broadly standardized across companies, nor are they likely to be anytime soon. Importantly, it’s these risk management activities that are increasingly being regulated and examined under various global legislation, so companies will continue to need to address their compliance through their own internal implementation of controls that are not covered by communities. I could argue that Aravo is a great solution for these programs, but that’s subject to due diligence conducted on all vendors that claim to participate in the space.
Finally, Chris mentions that “The scope of risks reviewed in this new solution is vague, and apparently narrow.” I can’t speak for the specific scope that is being proposed by TruSight, but I agree that communities need to provide coverage for a broad swath of risk domains. Information and Cybersecurity are certainly important areas of concern, but Chris raises many others that deserve equal consideration with respect to supplier and third-party relationships, including: ethical sourcing, conduct, consumer protection, and privacy.
This observation is consistent with what we’ve seen in our experience. The Hellios communities mentioned above cover all of these and more, including: insurance policy compliance, customer treatment, records management, business continuity, social media usage/compliance and the reliance on subcontractors in the delivery of products & services (just to name a few). All of these categories are important factors in determining the holistic view of inherent risk that must be considered when monitoring relationships with suppliers and third parties.
This is an interesting development in the market, for sure. And it’s good to see it gaining some traction here in the U.S. after proving successful in other international markets. I thought it would be helpful for those of you investigating these shared compliance communities to have some additional insight as a complement to Chris’ observations.
Please feel free to share your insights – I’d love to hear them.
Dave Rusher has over 20 years’ experience working with large global enterprises to find the right solutions to complex business problems.
His experience in the enterprise software industry spans across most functional areas of business including engineering, product management, product marketing, solutions consulting and executive leadership.
As Aravo Solutions’ Senior Vice President of Product Strategy and Alliances, Dave works closely with Global 2000 customers to define and deliver best-in-class enterprise third-party risk management (TPRM) solutions that can scale to the business size, complexity and change requirements of large multinationals. He is also responsible for partner alliances, which has included pioneering work in building community/utility TPRM applications for the defense and financial services industries in the UK.
Dave particularly enjoys the relationship-building, problem-solving, teamwork and accountability that come with his experience of working with compliance, risk and procurement professionals.