Understanding Third Party GRC Maturity: Ad Hoc Stage

July 17th, 2019 Michael Rasmussen Reading Time: 3 minutes

A haphazard, department- and document-centric approach to third party GRC compounds the problem rather than solving it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional, coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture that manages the ecosystem of third party relationships using real-time information about third party performance, risk, and compliance, and about how those relationships impact the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 1, the Ad Hoc level of Third Party GRC.

Organizations at the Ad Hoc stage of maturity have siloed approaches to third-party governance, risk and compliance at the department level. Businesses at this stage do not understand risk and exposure in third party relationships; few if any resources are allocated to third party governance. The organization addresses third party GRC in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and compliance, and certainly no integration of risk and compliance information and processes in context of third party performance.

Characteristics of the Ad Hoc Maturity stage are:

  • Siloed and ad hoc practices
  • No third party segmentation
  • Lack of skills and resourcing
  • No defined roles and responsibilities
  • No governance structure or third party risk management matrix in place
  • No defined third party management program or risk framework
  • No documented policies or procedures
  • Ad hoc and reactive assessments
  • Document-centric approaches
  • Ad hoc, reactive approach that addresses issues only as they arise
  • Little to no technology in place
  • No visibility, trending or analytics
  • No board or senior management sponsorship

Key elements that identify that an organization is at the Ad Hoc stage are:

  • Blind spots. Businesses at this stage are subject to many blind spots: they lack the understanding of risk and exposure in third-party relationships that is vital to governing them.
  • Reactive. The organization addresses third-party risk and compliance in a reactive, firefighting mode, e.g. completing assessments only when forced to.
  • Lack of ownership or accountability. No one has been appointed to take control of third-party risk.
  • Lack of process. There are no defined or consistent processes or methodologies for managing third parties or the risks they expose the organization to.
  • Under-resourced. Few resources are allocated to third-party governance.
  • Manual. With little technology support in place and a reliance on spreadsheets and email, processes fail to be consistent.

Organizations in the Ad Hoc stage are very much in reactive mode and are likely to answer many of the following in the affirmative:

  • Does third-party governance, risk, and compliance lack clear owners and accountability within departments?
  • Are assessments and controls put in place after the fact, when the organization realizes it is exposed or someone is insisting on them?
  • Is third-party risk and compliance largely undocumented, or trapped in silos of spreadsheets and documents?
  • Does the organization lack any process, information and technology architecture to support third-party governance?
  • Does the department or business function have no ability to report and trend third-party risk and compliance over time?

After reflecting on these points, it is time to next ask: is your organization at the Ad Hoc stage of Third Party GRC Maturity?

Aravo, leveraging GRC 20/20’s Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships research report, has built the Third-Party Risk Management Maturity Calculator, which takes this deeper and provides insight into how to improve your organization’s maturity and approach.


Michael Rasmussen

The GRC Pundit & Analyst

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 30+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC”, being the first to define and model the GRC market in February 2002 while at Forrester.

Michael has contributed to U.S. Congressional reports and committees, and currently serves on the Leadership Council of the OCEG and chairs the OCEG Technology Council, OCEG Policy Management Group, and the OCEG GRC Architect Group.

Michael is quoted extensively in the press and is respected for his commentary on broadcast news channels. He is an Honorary Life Member and Global Ambassador of Risk Management with The Institute of Risk Management for his contributions to risk management and GRC. Treasury & Risk recognized Michael as one of the 100 most influential people in finance with specific accolades noting his work in “Governance and Compliance: Saving the Planet and the Corporation” and as a “Rising Star in Rocky Times: Corporate America’s Outstanding Executives.”

Prior to founding GRC 20/20 Research, Michael was a Vice-President and ‘Top Analyst’ at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm, and prior to that he had specific experience managing compliance and risk within commercial organizations.

Michael’s educational experience consists of a Juris Doctorate in law and a Bachelor of Science in Business. Michael has a Master in Church History with a focus on Medieval Church History from Trinity Evangelical Divinity School, and is pursuing a Masters in Pastoral Ministry at Nashotah House. He is a GRCP (GRC Professional), PMP (Policy Management Professional), CCEP (Certified Compliance and Ethics Professional), and a CISSP (Certified Information Systems Security Professional). OCEG has recognized him as an OCEG Fellow for his contributions to and advancement of GRC practices around the world.
