2023 EY Global Third-Party Risk Management Survey

A centralized risk management approach provides complete, more accurate data and improved program communications. In all, 90% of organizations are moving toward centralized risk management, up from 85% in our survey from the prior year. Among those surveyed, 54% of organizations use centralized risk management (down 6% from 2021), 36% use a hybrid approach (up 11% from 2021), and 10% use a decentralized program (compared with 12% in 2021). Financial services are a step ahead. Financial services organizations are more likely to use a centralized TPRM program structure (62% compared with 46% of non-financial services and 54% of respondents overall).

Organizations with centralized TPRM structures manage almost twice as many third-parties effectively as their counterparts with hybrid TPRM structures. They have a better understanding of the correlating risks and mitigating measures. They are also able to perform control assessments faster than those with decentralized models: 64% of those with centralized risk structures can perform control assessments in 31 to 60 days. Only 43% of organizations with hybrid structures are able to say the same. For organizations with a hybrid model, about half say they are completing their assessments in 61 to 90 days.

ESG commitments are a developing area of third-party risk management.

Most organizations (54%) report that they include ESG in risk inventory reporting. Their top priorities include compliance with local regulations, corporate responsibility and stakeholder expectations. Nearly one-third (32%) include clauses requiring third-parties to comply with their own ESG policies and regulations, and 23% said if a key supplier did not meet their ESG requirements, they would stop working with that supplier.

“In order for organizations to have a robust ESG program, their ESG commitments need to extend into their third-parties as well,” said Michael Giarrusso, EY Americas FSO Third-Party Risk Leader. “They need to make sure that they are performing proper due diligence of their third-parties to confirm that they are in line with their own strategic goals from a sustainability and social justice perspective.”

These commitments can cause conflicting views. In our EY Global Board Risk Survey 2021, although 33% of boards expected climate change to impact their businesses, survey respondents still only ranked it as their ninth most important risk. “Organizations are facing challenges with their identity — not only what they want to represent as a company, but also how they want to measure, monitor, track and report against that commitment,” said Chris Watson, EY Americas Risk and Supplier Services Leader. 

Despite their differing priorities, about two-thirds of respondents across industries experience the same pain points for meeting ESG goals: a lack of coordination between internal stakeholders and third-party risk management.

Here is what your organization can do to better prepare for third-party risks:

1. Define objectives and scope
   
   To build a successful TPRM program and operational resilience, organizations should consider aligning their plans to an existing operational resilience framework, such as the Digital Operational Resilience Act, NIS2 Directive and the UK Operational Resilience Framework. These frameworks set criteria and expectations for cybersecurity, information technology, third-party dependency management and business continuity planning and testing. Perform an impact assessment and gap analysis against the currently proposed drafts.
   
   
2. Fully understand, document and maintain your third-party inventory
   
   
3. Develop policies and procedures
   
   Lack of coordination between internal stakeholders was cited as the biggest pain point for organizations.
   
   
4. Enhance ongoing monitoring
   
   While initial due diligence is vital, more robust ongoing monitoring of third-parties enables more dynamic risk reporting.
   
   
5. Establish a governance structure
   
   Regardless of ownership, TPRM requires input from multiple functions and teams, making well-defined governance crucial. It is recommended to have a consistent global policy with local addendum for multi-jurisdictional organizations.
   
   
6. Implement technology and automation
   
   TPRM programs that integrate automation and external data providers into the supplier lifecycle and embed cross-functional workflows, e.g., procurement, cyber risk, resiliency, are more effective in managing third-party risk and reporting to senior leadership.
   
   
7. Streamline customer experience
   
   More than half (54%) of organizations send one aggregated/centralized questionnaire, while 46% send multiple questionnaires from different risk domains.

Additional contributors include Harald deRopp, Asia-Pacific (Japan) Third-Party Risk Leader; Joseph Kelly, EY Oceania Third-Party Risk Leader; Scott McCowan, EY Americas Risk Management Leader; and Chris Watson, EY Americas Risk and Supplier Services Leader.

Summary

Third-party risk management increases resiliency and has the potential to become a strategic business tool. While organizations are aware of the advantages, establishing and developing an effective TPRM program presents difficulties.

Leading organizations are making efforts to advance their TPRM programs by attempting to get a better picture of overall third-party risk, tiering risk according to critical needs and adding more TPRM reporting and resourcing capabilities. To increase efficiency and enable more strategic risk management decisions, organizations are evaluating emerging risks and impacts on their third-party and risk governance and continuing to use centralized and hybrid risk-management programs.