EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
-
Discover how EY's TPRM team can enable your business to make better decisions about the third parties they choose to work with.
Read more
As companies focus on their own resilience, the resilience of their third-parties is a high priority. Companies are building resiliency by maintaining an integrated resiliency plan, conducting internal resiliency testing and performing scenario analysis, exit strategies, contingency plans and business continuity plans. Organizations also use risk tiering to zero in on critical third-parties and separate them for additional monitoring activities.
Most organizations surveyed ask more than 100 questions on their control assessments, and nearly half (48%) of organizations have exit strategies or contingency plans for high-risk third-parties. However, that means that more than half are unprepared.
“Having a strong third-party program can support resiliency, but it needs to be intentional,” Giarrusso said. “Make sure that you’re identifying those third-parties that are supporting critical business processes and then have plans in place — whether it’s contingency or exit strategies — for those third-parties in the event of a business disruption.”
Organizations are seeking smarter ways to understand risk by using external resources and embedding technology, automation and external data into their risk reporting process, Kelly said, noting that 63% of organizations plan to integrate external data providers and automation to better manage inherent risk assessments in the next two to three years.