Is Your Third-Party Risk Management Program Ready for What’s Next?

If the people who keep you in business go under, what happens to you?

This is the single most important question that risk management leaders must answer with regard to their third parties and supply chain partners considering today’s COVID-19 pandemic crisis. And yet, only 10% of leaders and decision-makers are extremely confident in their third-party risk management programs and only 50% are satisfied with their current solutions. What does this add up to? Insufficient programs and a lack of preparedness to handle the unknown.

In partnership with Shared Assessments, Prevalent conducted a survey of senior risk decision-makers in February 2020 to study current third-party risk trends, challenges and initiatives impacting organizations today. The goal of the study was to provide a state-of-the-market on third-party risk with actionable recommendations that organizations can take to grow and mature their programs. This post summarizes what we learned from the study and what you can do to better equip your third-party risk management program for resiliency.

• Read the complete report with 17 pages of survey statistics, analysis and recommendations.
• Check out our infographic highlighting key findings from the report.

Key findings from the 2020 Third-Party Risk Management study

Findings from the study suggest that:

Lack of process is damaging third-party program effectiveness

Compliance (particularly meeting data protection requirements such as GDPR) dominates project drivers, yet organizations lack the resources (budget) and processes to assess even their top-tier vendors with most assessments taking more than a month to complete. Considering the state of your supply chain, can you afford this kind of lag?

Third-party risk management is a team sport

Compliance and cybersecurity teams aren’t the only ones necessary to contribute to a mature program; you also need contributors who can assess and interpret business and financial risks – especially in today’s climate. With resourcing a challenge and continuing lack of confidence in programs, it will be difficult to operate in a silo.

Significant consequences exist for organizations that don’t get third party right

76% of respondents said that they experienced one or more issues that impacted vendor performance, 74% indicated operational issues, and 55% indicated a compliance violation in the last two years. Considering how resource-drained the average TPRM program is, how would you be able to recover?

Few organizations are happy with their existing toolsets

When asked if they were planning to implement a new, or augment/replace an existing, third-party risk management solution in the next 12 months, nearly half of respondents said “yes.” When half the market is looking to change their solution, it must mean needs aren’t being met. And it’s no wonder, considering that the satisfaction levels among existing tools hovers in the 50% range, and weighted average of satisfaction for GRC tools caps out at 3.4/5.0. Standardized Assessment Content Providers buck this trend – clearly, organizations are relying on standardized assessment content to help clear the path.

IRM – a way out?

42% of respondents indicate that they will invest in IRM in the next year, yet they’re concerned about limited resources/staffing/expertise, no real-time awareness of changes, and no integration with other tools used for vendor management or risk management. Since Digital Transformation is also a driver, it’s important for organizations to determine if a general-purpose IRM has the flexibility to meet needs, compared to a purpose-built TPRM assessment platform.

The third-party risk management market is at an inflection point. Users aren’t assessing enough of their top their vendors. They lack resources and budget to fund it correctly. Third-party risk is broken, and supply chains are at risk.

What is the path forward? Read the recommendations below.

Recommendations for Third-Party Risk Management

Growing and maturing an adaptable and agile third-party risk management program doesn’t have to be a complex and time-consuming process. Here are five (5) recommendations to jump start your vendor risk activities:

#1 – Develop a Programmatic Process

A programmatic process should help your team progressively:

• Define who your vendors are and what inherent risks they present to your business
• Assess the right strategy to collect the right insights from the right third parties
• Analyze results from assessments and score risk levels based on a broad ecosystem of inputs
• Remediate risks raised from analysis of completed assessments
• Report against industry and regulatory requirements, and for the board
• Optimize the program to adapt to ongoing changing requirements and resource levels

The outcomes of such a standardized and repeatable methodology? Download the full report to find out.

#2 – Build a Cross-Functional Team

Given the complexity, no one person can likely figure all that out, so internal and external collaboration is key to not just identifying risk but mitigating it too.

#3 – Be Comprehensive Without Being Complex

There are solutions available on the market that offer a library of pre-defined questions that map back to any number of regulatory or industry frameworks. This lets you avoid the duplication of effort and patchwork of requirements you would get if you tried to assess against each framework individually. It’s also much easier to prove compliance when it’s one question that covers many requirements at once.

#4 – Stay Agile with Options for Assessment and Analysis

Don’t pigeon-hole yourself into a single rigid option for collecting and analyzing surveys from your third parties. There are multiple ways to assess all of your top-tier vendors (and thereby overcome a major challenge cited in this survey).

• Self-service: Collect just the basics to inform your profiling and tiering logic. At the very least, centralize the management of all your vendors into a single place so you maintain visibility.
• Managed service: Outsource the assessment of your top-tier third parties to a specialist in risk identification and analysis, and free your team to focus on long-tern, residual risk management.
• Shared service: Leverage a network of completed vendor questionnaires and supporting evidence for your lower-tier vendors so you can focus your team’s efforts (and the correct amount of resources) on higher-tier vendors.

#5 – Complement Your Decision-Making with Risk-Based Intelligence

Making decisions in silos with a limited dataset will not enable your team to be effective vendor risk managers. Instead, seek out solutions that are built on an open platform with integrations to multiple business and risk solutions. A solid solution will offer:

• A comprehensive risk profile that informs assessment tiering, assessment frequency, and SLA measurement
• A quantified and contextualized risk model inclusive of cyber risks and business risks, plus ISO and FAIR calculations
• Response management with enabled workflow and automation to ensure that vendor intelligence is routed to the right people on your team
• Risk reporting and prioritization, including context and guidance for prioritization
• Automated dissemination of reports to ensure transparency with third parties and within your organization

How Do You Stack Up?

Existing tools and IRM solutions aren’t enough to overcome third-party risk management challenges. Only a comprehensive model that offers a programmatic process to maturity with options to manage costs and reporting for compliance will provide a solid foundation for risk management teams to adapt over time.

How does your third-party risk management program stack up compared to the respondents to our survey? Download the full results and review the infographic to benchmark your own TPRM practices.

For more on how Prevalent can help address third-party risk management challenges, request a demo of our platform today.