Spreadsheet or AI: Why third-party risk management needs to evolve

As more businesses work with third parties to enable growth, the need for integrated third-party risk management becomes more pronounced.


In brief

  • Third-party risk management (TPRM) encompasses all aspects of the business.
  • An effective TPRM technology allows businesses to react and pivot accordingly.
  • While outsourcing is still very prevalent, businesses cannot outsource liability. It is up to the companies to manage their risk profiles.

Today, many organizations are doing more with less while operating in an interconnected environment and embracing digital transformation and new ways of working. As they do so, they are increasingly reliant on third-party vendors and suppliers to enable their growth - instant transactions, frictionless access to information, and seamless user experiences. These partnerships are crucial for business, but they also have the potential to expose the business to new risks.

When working with clients across industries, EY sees third-party risk management (TPRM) as a source of daily concern for leadership. There are multiple factors adding to that pressure:

  • The breadth of potential risk: With the proliferation of electronic data and data breaches often grabbing the media headlines, the risk that gets the most boardroom attention is cybersecurity. But the picture is much broader than that. Think about geopolitical, ESG, privacy, financial, reputational, operational, and the list goes on.
  • Internal scrutiny and reporting: Executives and boards are asking for more detailed reporting and insights into third-party risk.
  • Increasing globalization and outsourcing complexity: Many organizations are struggling to stay up to date with changing regulations and guidelines. At the same time, regulations and standards concerning third-party relationships are continually evolving.
As many would agree, it’s a vast and complex picture. Despite this, many organizations are stabilizing their TPRM program spending, and many are still using outdated tools like spreadsheets and email – vulnerable to human error – to manage it. According to EY data, the percentage of in-scope third parties that were assessed by organizations dropped significantly in 2021 as a direct result of the pandemic. Too many organizations are dependent on people to execute the control assessments, which greatly increases their supplier risk.

But the combination of humans and technology can be transformative. Here are a few illustrations:

  • An international pharmaceutical company adopted a technology platform to transform its TPRM capability and expand coverage beyond cyber risk alone to include privacy, modern slavery, workplace health and safety, operational risk, resilience and other areas. By moving from a highly manual operation reliant on spreadsheets and multiple systems to a single integrated TPRM platform, the organization increased by more than 300% the number of both inherent risk assessments (IRA) and third-party assessments (TRA) completed, covering in-scope third parties and selected fourth parties deemed critical to the business.
  • The TPRM technology platform gave third parties easy access through a portal to complete questionnaire-based assessments during the planning, sourcing and due diligence stages. The solution can also re-run screening at pre-defined intervals, e.g., annually for low-risk, quarterly for medium-risk or monthly for high-risk third parties, to provide continuous risk monitoring. The solution is aligned to the TPRM lifecycle, from planning and sourcing, due diligence, contracting, onboarding and monitoring through to renewal or termination of third parties, saving person-hours by simplifying the onboarding, renewal or termination of third parties.
  • Critically, all risk-related information is captured on a single platform, which provides a centralized view of third-party risk at any one time and puts it at risk leadership’s fingertips for oversight and internal reporting needs.

While there is much buzz today around the future potential of AI technology to transform business, TPRM is a very practical case study of how generative AI can be leveraged now to make a fundamental difference to a business and its exposure to significant risk. Specific examples include:

  • Translating risk assessment into proactive actions: Generative AI’s broad knowledge of various industries and risk data can be leveraged to identify relevant risk factors. It can be trained to analyze news feeds to identify emerging risk themes, and to analyze social media posts, for example those related to customer complaints, to identify common patterns and assess the likelihood and potential impact of those complaints on the company’s reputation as part of risk assessments and ongoing monitoring. These findings can then proactively guide the implementation of security controls to mitigate such risks.
  • Training and guidance for assessors: Generative AI can provide ongoing education and training for third-party assessors. It can be trained to give guidance on assessment criteria and to help third-party assessors understand specific assessment requirements. It can also provide information on industry best practices for security and compliance, including frameworks such as SOC 2, the Payment Card Industry Data Security Standard (PCI DSS) and various standard regulatory requirements.

In this complex landscape, it’s more important than ever for risk leaders to recognize that, while the organization can outsource business processes, it can’t outsource all liability. Technology can enable humans to move away from outdated systems and manage third-party risk more intelligently and efficiently.

To learn more, here is a paper EY and ServiceNow co-authored on trends and challenges in third-party risk management.

Managing risk in the extended enterprise

Summary

Organizations need to ensure that they are protected from any risk that could compromise their business and reputation. As more businesses work with third parties to enable growth, the need for integrated third-party risk management becomes more pronounced. Combining humans and technology can be transformative in the management of third-party risk, resulting in more intelligent and efficient management.
