Understanding Third Party GRC Maturity: Fragmented Stage

July 25th, 2019 Michael Rasmussen Reading Time: 3 minutes
Aravo Blogs - Maturity Stages - Fragmented

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 2, the Fragmented level of Third Party GRC

The Fragmented stage sees departments with some focus third party GRC within respective functions — but information and processes are highly redundant and lack integration. With siloed approaches to third party GRC, the organization is still very document-centric. Processes are manual and they lack standardization, making it hard to measure effectiveness.

Characteristics of the Fragmented Maturity stage are:

  • Tactical siloed approach to third party governance in different departments
  • Starting to determine a roadmap, with pockets of good practice emerging
  • Basic segmentation in place, and some standardization of on-boarding registration and qualification
  • Third party risk management framework agreed but not implemented
  • Some basic performance management
  • Third party governance and processes not fully embedded
  • Processes are defined at the department level
  • Some areas of risk management are in place (e.g., anti-bribery/corruption, information security) but are not approached in an integrated or structured way
  • No integration or sharing of third party related risk and compliance information
  • Reliance on fragmented technology and lots of documents
  • Measurement and trending is difficult

Key elements that identify an organization is at the Fragmented stage are:

  • Pockets of good practice emerging. Your program may have some pockets of good practice emerging but they need joining up.
  • Blind-spots. Businesses at this stage are still subject to blind-spots, especially across the organization as so much information exists in departmental silos.
  • Inefficient. You can all be working hard to address risk in silos, but without a full picture of risk you could duplicate a lot of efforts.
  • Disconnected. Risk is still being addressed in a disconnected way. Disconnected across departments, disconnected across domains and disconnected across systems. Not only is this inefficient, it means risk can be exacerbated as it is not understood and addressed across the enterprise.
  • Manual. With little technology support in place and a reliance on spreadsheets and email, processes fail to be consistent. This can slow your progress, with little ability to audit programs and activities.
  • Hard to measure and monitor. While some data is beginning to emerge, it’s in disparate systems and incomplete.

Organizations in the Fragmented stage of maturity answer many of the following questions affirmatively:

  • Are third-party risk and compliance activities tactical and siloed?
  • Does the organization lack an integrated third party risk and compliance approach across the organization?
  • Is third-party risk and compliance information scattered across various documents and technology sources?
  • Is it difficult and time-consuming to track and trend third-party risk and compliance information and reporting?

After reflecting on these points, it is time to next ask: is your organization at the Fragmented stage of Third Party GRC Maturity?

Aravo, leveraging the GRC 20/20’s Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships research report, Aravo has built the Third Party Risk Management Maturity Calculator that takes this deeper and provides insight on how to improve your organization’s maturity and approach.

Aravo, leveraging the GRC 20/20’s Third Party GRC Maturity Model: A New Paradigm in Governing Third Party Relationships research report, has built the Third-Party Risk Management Maturity Calculator that takes this deeper and provides insight on how to improve your organization’s maturity and approach.

Maturity Calculator - Map your journey

Michael Rasmussen

The GRC Pundit & Analyst

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management.  With 30+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile.  He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.

Michael has contributed to U.S. Congressional reports and committees, and currently serves on the Leadership Council of the OCEG and chairs the OCEG Technology Council, OCEG Policy Management Group, and the OCEG GRC Architect Group.

Michael is quoted extensively in the press and is respected for his commentary on broadcast news channels. He is an Honorary Life Member and Global Ambassador of Risk Management with The Institute of Risk Management for his contributions to risk management and GRC. Treasury & Risk recognized Michael as one of the 100 most influential people in finance with specific accolades noting his work in “Governance and Compliance: Saving the Planet and the Corporation” and as a “Rising Star in Rocky Times: Corporate America’s Outstanding Executives.”

Prior to founding GRC 20/20 Research, Michael was a Vice-President and  ’Top Analyst’ at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm, and prior to that has specific experience managing compliance and risk within commercial organizations.

Michael’s educational experience consists of a Juris Doctorate in law and a Bachelor of Science in Business. Michael has a Master in Church History with a focus on Medieval Church History from Trinity Evangelical Divinity School, and is pursuing a Masters in Pastoral Ministry at Nashotah House.  He is a GRCP (GRC Professional), PMP (Policy Management Professional), CCEP (Certified Compliance and Ethic Professional), and a CISSP (Certified Information Systems Security Professional). OCEG has recognized him as an OCEG Fellow for his contributions and advancement of GRC practices around the world.

The GRC Pundit & Analyst

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management.  With 30+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile.

Share with Your Friends:

Subscribe to Blog Updates

Tags
Our Expertise
Expertise
Who We Help
Customers

Ready to get started?

Get in touch for a better approach to third-party risk management