DOUBLECHECK VENDOR MANAGEMENT

Transcription

1 August 2014 DOUBLECHECK VENDOR MANAGEMENT Managing Risk & Compliance Across 3rd Party Relationships SOLUTION VIEWPOINT Governance, Risk Management & Compliance Insight

2 2014 GRC 20/20 Research, LLC. All Rights Reserved. No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines established in client contract. The information contained in this publication is believed to be accurate and has been obtained from sources believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability whatever for actions taken based on information that may subsequently prove to be incorrect or errors in analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research should not be construed or used as such.

3 Table of Contents Managing Islands of Relationships in an Ocean of Risk...4 DoubleCheck Vendor Management...7 Managing Risk & Compliance Across 3rd Party Relationships...7 The Value of DoubleCheck Vendor Management...7 Capabilities of DoubleCheck...9 GRC 20/20 s Final Perspective About GRC 20/ Research methodology...12 TALK TO US... We look forward to hearing from you and learning what you think about GRC 20/20 research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.

4 DOUBLECHECK VENDOR MANAGEMENT Managing Risk & Compliance Across 3rd Party Relationships Executive Summary Across industries organizations are facing global regulatory pressure in 3rd party oversight and due diligence. Organizations are a complex and diverse network of business relationships in which risk and compliance challenges do not stop at traditional organizational boundaries. Third party relationships are critical to business today but introduce significant risk. Organizations fail when they look at the formation of a business relationship and do not foresee that issues cascade and cause severe damage to reputation and exposure to legal and operational risk throughout the ongoing relationship. Third-party management is enabled at an enterprise level through implementation of an integrated third-party management platform. The right third-party risk management platform enables the orga nization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. DoubleCheck is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in distributed and dynamic business environments across industries and of varying size. DoubleCheck has recently updated their Vendor Management solution to the 3.0 version which provides increased capabilities to manage third parties on an ongoing and continuous basis. Managing Islands of Relationships in an Ocean of Risk No company is an island. Organizations are a complex and diverse network of business relationships in which risk and compliance challenges do not stop at traditional organizational boundaries. Organizations struggle to identify, manage, and govern business relationships. The challenge is: Can you attest that risk and compliance are managed across extended business relationships? An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak oversight. This is true across industries, but some, like financial services, are seeing greater regulatory oversight of third party/vendor risks (e.g., US OCC). Across industries organizations are facing global regulatory pressure in 3rd party oversight and due diligence in the context of anti-bribery and corruption (e.g., US FCPA, UK Bribery Act, OECD Principles) and conflict minerals (e.g., Dodd Frank Act, Europe s Conflict Mineral Regulation). Major brands have focused efforts on social accountability in the context of international labor standards (e.g., child labor, forced labor, working hours, health and safety). There is significant pressure in 3rd party management in the context of PCI DSS and protection of credit card data. The Target breach is a case in point in which an air-conditioning vendor was the doorway into the largest credit card breach of a POS system to date. Third party relationships are critical to business today but introduce a significant exposure to risk. Organizations fail when they look at the formation of a business relationship and do not foresee that issues cascade and cause severe damage to reputation, and 4

5 exposure to legal and operational risk throughout the ongoing relationship. They make two common mistakes: n Risk is only considered during the on-boarding process. Risks in extended business relationships are often only analyzed during the on-boarding pro cess to validate the organization is doing business with the right companies. This approach fails to recognize that additional risk is incurred over the life of the business relationship. n Partner performance evaluations neglect risk. Metrics and measurements often fail to fully analyze and monitor risk. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations. Risk and compliance issues and corresponding processes constantly bear down on these relationships. Business processes and corresponding technologies that operate autonomously introduce further risk, as there is no view into the range of risk issues that a single business relationship brings to the organization. Organizations need an integrated approach to third-party risk and compliance management that brings together people, process, and technology to deliver not only efficiency and effectiveness but also agility. Ignoring an integrated view of extended business relationships can result in business relationships that behave like leaves blowing in the wind, with no one monitoring the ever-changing risks in a dynamic business environment. The building blocks of an effective, efficient, and agile third-party risk management program are: 1. Define Your Program. The first step is to define the third-party manage ment program. While an individual needs to lead the program, it also ne cessitates that different parts of the organization work with this role. Defining your program includes understanding board oversight and reporting for third-party risk and compliance, and a cross-functional team to ensure that the operational, reputational, and compliance risks in business relationships are appropri ately addressed. This team needs to work with the relationship owners to ensure a collaborative and efficient oversight process is in place. 2. Establish Framework. The third-party management framework is used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. The framework starts with developing a list of third-party relationships cross-referenced to risks and regulations affecting those relationships. A framework is an organized set of controls used to measure compliance against multiple risks, regulations, standards, and best practices. 3. Onboarding. Evaluation of risk and compliance needs to be integrated with the process of procurement and vendor/supplier/partner relations. A business 5

6 relationship is to be evaluated against defined criteria to determine if the relationship should be established or avoided. When there is a high degree of inherent risk, but the relationship still is necessary, manage the risk within tolerance level by establishing compensating controls and monitoring requirements. 4. Ongoing Monitoring. A variety of environmental and geo-political factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geopolitical risks. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationships on an individual and aggregate level. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships. 5. Resolve Issues. Even the most successful business relationships encounter issues. These may arise from quality, health and safety, regulatory, environmental, business continuity, economic, fraud, or legal and regulatory mishaps. The fallout from incidents is exacerbated when everyone scrambles because nobody developed defined action and resolution plans ahead of time. Management of risk across extended business relationships should account for issues and plan for containment, mitigation, and resolution. The challenge is that many organizations try to manage all of this with spreadsheets, documents and . These approaches are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of ex tended business relationships. Bottom Line: Third-party risk management is enabled at an enterprise level through implementation of an integrated third-party risk management platform. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third-party risk management platform enables the organization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. Effectively managing and monitoring risk across third party relationships requires a centralized platform to document, communicate, report, and monitor the range of 6

7 assessments, documents, tasks, responsibilities, and action plans. The ideal platform engages extended business partners and employees as well as internal staff. Ideally, these systems provide capabilities that help the organization: n Ensure ownership and accountability are clearly established and understood n Manage the on-boarding and the ongoing risk and compliance scoring and assessment processes n Conduct initial and ongoing assessments n Actively monitor all business partners for adherence to code-of-conduct and related policies n Make changes in risk profiles based on targeted risk assessments n Leverage built-in question sets to streamline surveys and questionnaires n Initiate and mange incident follow-ups and investigations n Use verifiable evidence to readily attest to in compliance status n Third-party risk management is enabled at an enterprise level through implementation of an integrated third-party risk management platform. DoubleCheck Vendor Management Managing Risk & Compliance Across 3rd Party Relationships DoubleCheck is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in distributed and dynamic business environments across industries and of varying size. DoubleCheck has recently updated their Vendor Management solution to 3.0 which provides increased capabilities to manage third parties on an ongoing and continuous basis. GRC 20/20 has seen signficant progress in user interface design with a focus on intuitiveness and ease of use in the 3.0 release. The Value of DoubleCheck Vendor Management Successful governance, risk management, and compliance (GRC) delivers the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment with agility. GRC solutions should achieve better performing processes that utilize more reliable information. This enables a better performing, and a less costly, more flexible business environment. Clients engage DoubleCheck with the goals of understanding and managing risk, ensuring compliance with obligations, improving human and financial efficiencies, enhancing transparency, and managing GRC in the context of business change. 7

8 GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be: n Effective. At the end of the day GRC is about effectiveness to ensure that the organization manages risk and compliance and is properly understood, monitored and managed at all levels of the organization. Effectiveness delivers a holistic understanding and prioritization of risk and compliance aligned with the business and kept under control. GRC effectiveness is validated through greater assurance of the design and operational effectiveness of controls to mitigate risk, achieve performance, protect integrity of the organization, and meet regulatory requirements. DoubleCheck Vendor Management is effective. Organizations that GRC 20/20 interviewed utilizing DoubleCheck for Vendor Management stated that they had increased ability to manage all parts of the vendor/ third party lifecycle on a regular ongoing basis to identify and respond to risk and compliance concerns as they arose in the changing nature of business and the relationship. n Efficient. GRC solutions provide efficiency and savings in human and financial capital resources. Technology solutions that support business and GRC processes reduce operational costs by automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations. GRC should reduce operational costs by providing access to the right information at the right time, and reduce the time spent searching for answers. DoubleCheck Vendor Management is efficient. Organizations that GRC 20/20 interviewed utilizing DoubleCheck for Vendor Management reported that they were able to conduct more assessments of more relationships over a time period than they could with their previous approach. Overall they were able to streamline processes, and reduce employee time on individual assessments. They saw significant savings in the time spent aggregating and reporting on risk across their third party relationships. n Agile. GRC solutions deliver business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) as well as the external environment (e.g. economic risk, new laws, and regulations) and communicate changes to employees. GRC s agility is also measured in responsiveness to events and issues; organizations can identify and react quickly to incidents so that action can be taken. DoubleCheck Vendor Management is agile. Organizations that GRC 20/20 interviewed utilizing DoubleCheck for Vendor Management 8

9 reported that the flexibility of the solution allowed them to adapt and expand it as they needed to keep current with their changing business, as well as risk and regulatory environments. A financial services firm specifically stated they have seen value in being able to manage risk and compliance in vendor relationships as regulatory scrutiny in this area has increased with enhanced requirements. Capabilities of DoubleCheck DoubleCheck Vendor Management enables an organization to be proactive in managing dynamic and extended business relationships across a range of third parties. It assures stakeholders and the board that their third party business relationships do not bring unnecessary exposure to organization operations and strategy. GRC 20/20 has evaluated the DoubleCheck Vendor Management solution and finds that it delivers a capable offering across the core needs of third party management. The DoubleCheck Vendor Management solution delivers the following capabilities to make GRC programs effective as well as efficient and agile: n Ease-of-use. A critical quality of a third party management solution is easeof-use. A system that is difficult to use is an impediment to effectiveness, and inhibits the acceptance and use across an organizations extended business relationship network. DoubleCheck Vendor Management is designed to adapt to the way risk is logically managed, enabling the solution to function and allow staff to concentrate on their tasks rather than working around the limitations of tools. n Process lifecycle. Going beyond a pure risk and compliance view of third party relationships, DoubleCheck delivers a solution that helps with the onboarding, the ongoing lifecycle and monitoring of the relationship, and the final offboarding of the relationship. n Role and use case focus. The DoubleCheck solution goes beyond complex dashboads that just simply pump metrics in all direction. The 3.0 version has show specific focus on the development of portals with integration and reporting of information in context of specific roles and use cases. n Onboarding. With DoubleCheck Vendor Management, organizations gain a solution that can be used to define the relationship, store and manage contracts, establish service levels, and conduct initial due diligence. The onboarding process allows for the efficient establishment of a relationship and the ability to move it to an ongoing continuous monitoring function. Checklist for 3rd Party Risk Management Ease of Use Process Lifecycle Role and Use-Case Focus Onboarding System of Record Issue Management Dashboarding & Reporting Relationship Documentation Policy Communication & Attestation Risk & Compliance Assessments Due Diligence Workflow Automation & Task Management Audit Management 9

10 n System of record. DoubleCheck Vendor Management is the system of record for the state of risk and compliance across the range of third party relationships. Everyone with a role in risk management the risk management team, procurement, internal audit, and the compliance department can securely access the system, enter information, notes, and analysis into their respective systems of record within the application. n Issue management. Managing incident response efforts and day-to-day issues across third party relationships requires effective coordination and collaboration between the organization and its GRC roles, and the third party. DoubleCheck Vendor Management provides the ability to report, document, track, and manage incidents from identification to resolution. The system keeps a complete record of issues that can feed back into risk models and analysis of business relationships. n Dashboards and reporting. DoubleCheck s dashboarding capability means that key risk indicators of third party relationships can be pushed directly to responsible parties, enabling them to make informed decisions. Through speedometers, graphs and tables, the solution transforms critical risk metrics into actionable information in easy-to-understand visuals. Drill-down capabilities allow leaders to obtain further details and to interact with generated results. n Relationship documentation. DoubleCheck Vendor Management allows for an organization to store relationship related information such as contracts, insurance documents, and certifications. These can be referred back to and mapped to other parts of the solution to keep context of risk and compliance throughout. n Policy communication and attestation. The DoubleCheck solution allows an organization to manage the communication and attestation of policies, procedures, and code-of-conduct to each third party relationship where appropriate representative(s) must read, acknowledge, and attest to adherence. n Risk and compliance assessments. The solution allows for the management, delivery, and analysis of assessments that each business partner has to answer on a periodic basis or as a specific need arises. n Due diligence. The DoubleCheck Vendor Management solution is easily configured to manage workflow and tasks to ensure that the monitoring of business relationships against risk criteria and watch-lists (e.g., verification for companies and individuals, such as OFAC checking) is completed and that the organization is doing business with lawful entities. n Workflow automation and task management. DoubleCheck has a solid workflow automation engine to streamline repetitive tasks and ensure tasks are assigned and monitored based on pre-defined milestones and deadlines. n Audit management. The DoubleCheck Vendor Management modules integrates with other DoubleCheck solutions such as Audit Management to 10

11 provide an interface for consultants and auditors to validate risk and controls and exercise right-to-audit clauses. This involves independent audits to validate controls, risk, and compliance to laws and contractual requirements. Considerations for DoubleCheck Vendor Management Every solution has its strengths and weaknesses, and may not be the ideal fit for all organizations in all situations. While GRC 20/20 has identified many positive attributes of DoubleCheck Vendor Management readers should not see this as a complete and unquestionable endorsement of DoubleCheck Vendor Management. DoubleCheck s Vendor Management offering delivers the core functionality that meets the requirements of the majority of third party risk and compliance needs within organizations. The solution has expanded significantly to take on broader third party management capabilities. The solution is ideally fit for managing the risk and compliance aspects of third party relationships in the context of third party lifecycle management. The solution has contract management capabilities, but does not offer advanced capabilities in this particular area in redlining and contract development. Overall, clients have shown a high degree of satisfaction with DoubleCheck. Client references for DoubleCheck have been very strong and many showing a long history of client satisfaction. Clients are particularly happy with the level of personal interaction and support they receive from DoubleCheck. GRC 20/20 s Final Perspective... Managing third party relationships requires a systematic process to monitor important aspects of business relationships and apply remedial action as soon as risks escalate past an organization s risk tolerances. Risk and compliance issues and corresponding processes are constantly coming to bear on these relationships. Organizations can t afford to use a fragmented approach to managing risk, compliance, and performance of business relationships. A new paradigm for managing third party relationships is needed. A targeted strategy that addresses risk, compliance, and performance is needed to address the root problems and deliver cost savings and efficiency. The more extended and distributed the business, the more challenging risk and compliance is to manage. A common architecture and process can make this efficient and manageable. Inefficiencies, redundancy, errors, and potential risks are identified, averted, or contained. This reduces risk exposure, enhances business agility, and aligns risk to third party performance and enables better-performing, less costly, and more flexible business relationships. 11

12 About GRC 20/20 GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape; market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and the breadth of GRC solution providers. Research Methodology GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria, regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and best practices. Research facts and representations are verified with client references to validate accuracy. GRC solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion. GRC 20/20 Research, LLC 4948 Bayfield Drive Waterford, WI USA info@grc2020.com