Spreadsheet or AI: Why third-party risk management needs to evolve

As many would agree, it’s a vast and complex picture. Despite this, many organizations are stabilizing their TPRM program spending, and many are still using outdated tools like spreadsheets and email – vulnerable to human error – to manage it. According to EY data, the percentage of in-scope third parties that were assessed by organizations dropped significantly in 2021 as a direct result of the pandemic. Too many organizations are dependent on people to execute the control assessments, which greatly increases their supplier risk.

But the combination of humans and technology can be transformative. Here are a few illustrations:

• An international pharmaceutical company adopted a technology platform to transform their TPRM capability and expand the coverage beyond just cyber risk to include areas of privacy, modern slavery, workplace health and safety, operational, resilience, etc. Moving from a very manual operation reliant on spreadsheets and multi-systems to a single integrated TPRM platform, the organization managed to increase by more than 300% both inherent risk assessment (IRA) and third-party assessments (TRA) which included in-scope third parties and selected fourth parties deemed critical to the business.
• The TPRM technology platform enabled easy access by third parties through a portal to perform questionnaire-based assessments during the planning, sourcing and due diligence stages. The solution also has the capability to re-run screening at pre-defined periods, e.g., annually for low risk, quarterly for medium risk or monthly for high risk to provide continuous risk monitoring. The TPRM solution is aligned to TPRM lifecycles from planning and sourcing, due diligence, contracting, on-boarding, and monitoring to renewal or termination of third parties – saving human manhours by simplifying the onboarding, renewal or termination of third parties.
• Critically, all risk-related information is captured on a single platform which provides a centralized view of third-party risk at any one time and is available at-risk leadership’s fingertips for oversight and internal reporting needs.

While there is much buzz today around the future potential of AI technology to transform business in the future, the area of TPRM is a very practical case study of how Generative AI can be leveraged today to make a fundamental difference to a business and its exposure to significant risk. Specific examples include:

• Translating risk assessment into proactive actions: Generative AI’s vast knowledge of various industries and risk data can be leveraged to identify relevant risk factors. It can be trained to analyze news feeds to identify potential risk themes and social media posts, for example, related to customer complaints to identify common patterns to assess the likelihood and potential impact of these complaints on the company’s reputation as part of risk assessments and on-going monitoring. These can be used to proactively guide the implementation of security controls to mitigate such risks.
• Training and guidance for assessors: Generative AI can provide ongoing education and training for third-party assessors. It can be trained to provide guidance on assessment criteria and assist third-party assessors in understanding specific assessment requirements. It can provide information on industry best practices for security and compliance, including frameworks such as SOC 2, Payment Card Industry Data Security Standard (PCI DSS) and various standard regulatory requirements.

In this complex landscape, it’s more important than ever for risk leaders to recognize that, while the organization can outsource business processes, it can’t outsource all liability. Technology can enable humans to move away from outdated systems and manage third-party risk more intelligently and efficiently.

To learn more, here is a paper EY and ServiceNow co-authored on trends and challenges in third-party risk management.