Editor's Note: This article, authored by Brad Hibbert and Alastair Parr, was originally published on SupplyChainBrain.com.
As 2024 gets into gear, a few key trends are shaping how organizations approach third-party risk management (TPRM). In the recent past, the TPRM process moved from ad hoc questionnaires to automated, continuous assessment of those risks, driven by the higher frequency and sophistication of supply chain data breaches and increasing regulatory requirements. What trends will be at the forefront of evolving the practice of third-party risk management in 2024?
As businesses rely increasingly on third-party cloud services, software-as-a-service (SaaS) platforms, and other digital solutions, the attack surface expands, increasing the potential for vulnerabilities stemming from reliance on third-party systems. Modern supply chains and business functions are highly interconnected, often crossing geographical and technological boundaries and creating complex dependencies. To manage these complexities, more teams are focused on managing the third-party lifecycle. That can create considerable confusion, along with data silos that are difficult to manage and review. To address these problems, organizations will work to consolidate a range of IT and non-IT risks into centralized vendor profiles. This approach transforms that data into a comprehensive risk model that is constantly updated. Individual teams across the organization can reference this source to make more informed operational decisions related to vendor and supplier relationships.
In 2024, expect cyber posture, business intelligence, financial records, geopolitical events, certifications, and nth-party information to be part of those centralized vendor profiles. Easy access to this additional information reflects the interests and requirements of different departments, particularly procurement and legal teams. To improve decision-making, vendors will need to provide more comprehensive information and ensure that data is kept up to date. In addition, vendor profiles will contain data related to geopolitical and environmental events to improve operational resilience. Monitoring solutions will be critical to enabling organizations to assess potential risks associated with specific vendor locations.
By creating and continuously updating a unified risk model, organizations will be able to conduct more advanced and predictive analytics. TPRM teams should analyze the relationships between different risks and use aggregated analysis to predict potential risk areas. This will improve resource allocation and empower organizations to scale programs effectively and efficiently.
Advanced and predictive analysis will also become more persona-driven in TPRM. Centralized data will make it easier to cater to the needs of key personas, such as the CISO, procurement and business leaders, and the board, allowing the TPRM team to deliver custom insights and, for each persona, reports that focus on relevant topics, such as cyber risk, environmental risk, external threats, and vendor compliance to regulations. Reports will include behavioral insights using advanced analytics models, which will both provide information on vendor interactions and response times and help predict and interpret user behavior, creating more comprehensive and useful TPRM programs.
As TPRM programs become increasingly mature in the year ahead, many organizations will also start sharing risk management maturity scores. Leveraging these scores and improved analytics capabilities, organizations will be able to engage with vendors to clarify risk concerns and address them effectively.
Cyberattacks, data breaches, and other malicious activities are becoming increasingly sophisticated and can spread rapidly across interconnected networks, increasing the need for real-time insights into third-party vendor and supplier violations and issues. Attackers are all too quick to exploit vulnerabilities in third-party software and systems, as the MOVEit vulnerability demonstrated all too well, impacting at least 2,000 organizations since May of 2023. In response, organizations will prioritize continuous third-party risk monitoring in 2024 to evolve their programs beyond checking the compliance box to satisfy auditors.
Collecting and analyzing data from diverse sources will not only create a single source of truth and improve TPRM program quality, it will also enable organizations to conduct more advanced analysis of this data, empowering risk management teams to make more informed decisions to manage risk. The newly adopted U.S. Securities and Exchange Commission (SEC) rules and amendments regarding incident reporting, cybersecurity risk management, strategy, and governance for public companies will compel board members and leadership teams to demand continuous monitoring and proactive responses to local events and zero-day vulnerabilities, while also ensuring they are prepared to report quickly and effectively to the SEC if needed.
Third-party vendor and supplier risk management is poised to change significantly in 2024, driven by natural language processing, generative AI, and a threat landscape that is evolving rapidly to take advantage of these new capabilities. Faced with new reporting rules and regulations, as well as a scarcity of skilled risk professionals, organizations will seek to increase the effectiveness and efficiency of their TPRM programs to ensure they are able to manage third-party risks effectively.
Third-party risk management requires a fundamental shift in 2024, moving away from spreadsheets and siloed insights to create a single source of truth, a unified platform containing all vendor risk data. By leveraging advanced and predictive analytics, organizations will be able to identify potential disruptions before they materialize, making it easier to pivot to a different supplier or solution to meet business goals. In this environment, continuous third-party monitoring becomes essential to ensure that the security team is able to respond to threats quickly and that leadership understands the varied risks, enabling the organization as a whole to manage third-party risk effectively and respond quickly and thoroughly if a material incident does occur.
Brad Hibbert is chief strategy officer & chief operating officer, and Alastair Parr is SVP products & services, both at Prevalent.