Avoid These 9 Common Third-Party Risk Management Pitfalls

Tell me if this is you: You have more third parties to deal with than ever before and countless compliance requirements to meet. But you lack the resources and process to consistently assess third-party risk (at least in a way that doesn’t suck the life out of you). If this hits a little too close to home, take heart – you’re not alone.

Prevalent conducted in-depth maturity assessments with dozens of organizations over the last six months, and we learned that most third-party risk management practices slip up in five key areas: Content, Roles and Responsibilities, Coverage, Governance, and Remediation.

The good news? Our research shows that there are very specific steps you can take to keep from sliding backward.

>> Check out this infographic to see a summary of the top risks and recommendations.

How We Looked at the Data

When analyzing the results of the maturity assessments, we looked that the responses through five lenses:

• Content: Are there processes to ensure that assessment questionnaires are up-to-date and appropriate for the third parties being assessed?
• Roles & Responsibilities: Are TPRM program stakeholders aware of their responsibilities and expected level of involvement?
• Coverage: How comprehensive is the TPRM program scope? How much visibility does it have into the third-party community?
• Governance: How is program performance measured? Can success be demonstrated with clear metrics?
• Remediation: Are remediation processes consistent and optimized for efficiency?

On a Scale of 1 to 5 …

Shockingly (or perhaps not), the average maturity score across all five areas noted above was a whopping 2.53 out of 5. It wasn’t all bad news, though. Maturity levels by category were:

• Content: 2.6
• Roles & Responsibilities: 2.88
• Coverage: 2.67
• Governance: 2.14 (ouch)
• Remediation: 2.58

Are we seriously celebrating a 2.88? That’s still an “F” folks, even if you round up. And Governance? Nowhere to go but up!

The 3 Biggest Risks Uncovered

>> Download the research paper to read the complete findings of top risks and recommendations.

In analyzing the responses there were a few risks that stood out among the others, such as:

• Not standardizing remediation guidelines. Without standardized guidelines, the process of reviewing risk findings with third parties can be inconsistent and misaligned with organizational requirements. 86% of companies had inconsistent remediation guidelines.
• Stopping at third parties. If there is anything that the current pandemic has taught us from a supply-chain perspective, it’s that you have to be prepared to address disruptions. This includes disruptions that your third parties face as a result of their third parties. Failure to consider fourth parties or “Nth parties” can pose unidentified risks and operational bottlenecks. This was a problem for 79% of companies.
• Limiting risk reporting to tactical uses. Until risk reporting is used to drive strategic internal conversations, it is difficult to make informed decisions about emerging threats, areas of concern, change assessment and risk remediation. In the study we learned that 69% of companies were missing important strategic reporting opportunities.

Want to Learn More?

To see the full list of risks, plus recommendations to advance your program maturity, download “The Path from Reactive to Proactive Third-Party Risk Management” now. We’ll also share an infographic that summarizes the 9 pitfalls and offers 24 tips to help you climb the ladder to TPRM maturity.

After checking out the research, benchmark your own third-party risk management practices against your peers by registering for your own full, free maturity assessment. We even have a 10-question online version that will provide you with a quick score to provide some direction.

Don’t go it alone! Use this peer-driven guidance to get off that slippery slope and onto the path to TPRM maturity.