How to reimagine your TPRM program with GenAI and scalable operations

Organizations are reshaping their third-party risk management (TPRM) by integrating generative AI (GenAI) to stay.

In brief

• TPRM programs are evolving with GenAI, focusing on scalable tech-led processes for dynamic risk management.
• Continuous AI monitoring in TPRM enables real-time risk identification, moving beyond periodic assessments.
• Scalable operations in TPRM are essential as GenAI increases data and insights for proactive risk management.

Over the recent past, transformations of third-party risk management (TPRM) programs were focused on governance, risk and compliance (GRC) technology, with automated workflows, reporting and analytics across an organization’s third-party base.

Now, with the increased adoption of technology-enabled capabilities, the focus in the market has shifted to operating tech-led TPRM programs and enabling processes at scale.

Historically, TPRM programs have approached expanded risk coverage by adding resources focused on reviewing fairly basic documentation provided by third parties to identify risks. An emerging disruptive capability, generative AI (GenAI), is creating significant opportunity for improving the TPRM space. Initial GenAI capabilities have already revealed the next frontier of TPRM programs. By reducing the effort on manual document validation, resource time is being unlocked, and through greater dynamic decision-making within their TPRM programs, companies are achieving elevated risk coverage and enhancing strategic value. With the injection of technology-enabled capabilities and GenAI, and the increased usage of all available data, comes the need for robust and scalable operations that can keep up with higher expectations in ongoing monitoring and greater depth and breadth across an expanding population of third parties.

Moving beyond point-in-time assessments

TPRM assessments have traditionally been performed periodically, typically annually or biennially.

However, in the current business environment, with a greater reliance on third parties and the ever-changing landscape driven by world events, increased regulations and cybersecurity incidents, boards are asking for more than a point-in-time approach to assess third-party risk.

Today, leaders are asking TPRM program owners to do more with less, while also encouraging them to be more proactive, ongoing and agile. Continuous and trigger-based risk monitoring allow for real-time identification and mitigation of risks.

The introduction of artificial intelligence (AI) and machine learning further enhances this continuous risk monitoring, enabling a more predictive approach to risk management. AI can aggregate data from multiple sources, analyze it for patterns and anomalies, and provide insights that humans might miss or find time-consuming to unearth. These data sources can include disparate internal data points and external data feeds to inform your program.

Examples of how AI can be leveraged across the TPRM lifecycle include:

• Planning: enabling business users to complete sourcing and risk profiling activities to identify any errors in real time
• Due diligence: automating third-party evidence ingestion and reviewing against control standards for expedited assessments
• Contracting: reviewing contract terms against standard terms and conditions to automatically identify discrepancies and provide suggested updates instantaneously to de-risk the engagement
• Ongoing monitoring: triaging automated alerts generated by cybersecurity, geopolitical, reputational, ESG (environmental, social and governance) or other external events against a supplier base
• Issue management: reviewing remediation plans and flagging potential discrepancies against control standards
• Termination: parsing agreements for termination clauses, early termination fees and data rights to optimize the business position 

We would like to acknowledge the following contributors to this article: Adam Horowitz and A.J. Spalding.