How businesses can address a growing range of third-party risks

The challenges of 2020 have uncovered multiple risk areas, leading many companies to rethink their third-party risk management programs.

The COVID-19 pandemic has exposed the cracks in how organizations manage their third-party risks, with disruption looming as a constant hazard. And those risks go beyond the cybersecurity threats that have historically captured the attention of risk management functions.

The EY Global Third-Party Risk Management Survey 2019–20 reveals that, although cybersecurity risk management remains incredibly important, organizations increasingly understand that their third-party risk universe is expanding to include other key risk areas like business continuity and resiliency risk, financial risk, and privacy risk. 

That sharing of data was accompanied by an increased expectation of security, with a majority of consumers pointing to secure collection and storage (63%), control over what data is being shared (57%) and trust in the company collecting their data (51%) as the most important reasons in deciding where they choose to share personal information.

In addition, existing privacy regulations like European Union’s General Data Protection Regulation and emerging privacy regulations, such as Canada’s Digital Charter Implementation Act and an array of state-level laws in the US, will lead to even greater third-party risk monitoring expectations from organizations. Organizations can assume that the regulatory landscape in relation to third-party risks will only become more heightened post-pandemic. 

Therefore, to adapt and thrive in this new risk landscape, businesses must align their policies with consumer expectations — and that includes third parties who handle data. Organizations have a chance to build trust with consumers, but their reputation could be easily damaged if third parties do not properly secure data.

Addressing the expanding risk universe through centralization, functional integration and automation

Faced with this expanding risk universe and regulatory requirements, TPRM programs are increasing their scrutiny of third parties while striving to recognize how various risks are interconnected. But trying to do more in this arena often runs into the roadblock of reduced resources, so organizations seeking cost and process efficiencies will need to consider how their TPRM program can work more closely with other functions and teams, such as procurement, finance, privacy and compliance.

According to our TPRM survey, only 50% of companies currently have centralized TPRM programs, with 39% embedding separate programs within each business function. Decentralized functions increase the cost of conducting risk management activities while also increasing the fatigue of third parties as they answer multiple assessment questionnaires. For example, our survey shows that the typical post-contract risk assessment questionnaire has nearly 200 questions, and more than 30% of organizations have over 1,000 suppliers to assess, increasing time and costs across the board. 

Faced with this volume of assessments across the various components of third-party risk, organizations should consider pursuing a well-integrated and functional approach that offers the following benefits:

1. Provide a holistic view of the risk a third party poses to the organization, which can be used as an input to future sourcing and contracting decisions
2. Streamline the risk assessment process
3. Improve the user experience while maintaining strategic relationships with third parties

This functional approach could feature an engaged team working collaboratively to complete a single assessment covering multiple risk areas — business continuity, financial, privacy, cybersecurity — rather than a variety of siloed efforts.

Such a move to a more centralized operating model allows for the attainment of both vendor risk management and relationship management objectives, ensuring that the organizations comprehensively assess their third parties in a cost-effective fashion. Additional efficiencies can be realized through data-driven technology solutions that employ automated, real-time data to proactively monitor diverse risk areas. In fact, more than 50% of the organizations surveyed plan to increase their spend on technology and advanced analytics.

In their pursuit of an integrated TPRM approach, some organizations are looking to more actively leverage external solutions to further achieve increased operational efficiencies, scalability and an improved quality review of a broad range of risk areas. Over 40% of the organizations surveyed expect to more frequently use managed service providers or co-sourcing to execute their TPRM function; that figure jumps to more than 50% for market utilities or sector-based consortiums.

Keys to building a centralized and integrated TPRM program

As organizations weigh their options to effectively expand the risks assessed for their third parties and drive consistency and efficiencies through functional integration, they will need to enhance their TPRM program’s foundational elements to embed all risk areas.

This process includes defining policies and standards for each risk area, as well as establishing governance and oversight for the TPRM program that involves stakeholders across all areas. The inherent risk models will also need to be designed to help identify third parties that pose a critical or higher risk for certain areas. For example, privacy risk could be reviewed based on the sensitivity of data shared and the third party’s geographic location.

A renewed risk assessment review should also look for areas of synergy across multiple functions. This could include creating consolidated questionnaires that eliminate duplication, as well as using external data tools to provide real-time risk insights for ongoing monitoring. Consolidation of this nature will also allow for scalable, enterprise-wide TPRM processes and procedures that reflect the efficient integration among all relevant functional groups.

With the high reliance every organization has on third parties, it is business-critical to manage the third-party risks that come with doing business. Proactively monitoring the expanded risk universe will help companies to minimize reputational damages, gain consumer trust and sustain their businesses. The key is to do this efficiently and cost-effectively by consolidating processes across multiple functions.