EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Limited, each of which is a separate legal entity. Ernst & Young Limited is a Swiss company with registered seats in Switzerland providing services to clients in Switzerland.
How EY can help
-
Utilizing technology, EY teams can help you make better-informed decisions faster about third parties. We examine risk from every angle and provide you with the insights you need to identify the partners that will create better long-term value for your business.
Read more
One way in which companies are responding to these heightened risks is by cracking down during control assessments of third parties. If third parties don’t respond to questionnaires in a timely manner, companies are now more likely to escalate enterprise processes (87% of respondents, up from 70% in 2023) or even cease operations entirely (29% vs 17% in 2023). When risks are identified during assessments, companies are far more inclined than before to take the path of remediation, with 57% of respondents saying they choose remediation, compared to only 17% in 2023.
The number and complexity of third-party relationships is increasing
While companies have always dealt with third parties, the number and complexity of such relationships has grown in recent years. A challenging business climate has driven an imperative to do more with less, and companies have often turned to third parties to unlock operating efficiencies. The adoption of digital transformation initiatives has expanded the third-party ecosystem, with companies increasingly using third parties for cloud services, software-as-a-service (SaaS) providers, and other digital platforms.
The end result is that companies rely more than ever on large numbers of specialized service providers. Today’s financial services companies, for instance, partner with a host of fintech service providers, including payment processors, loan providers and investment platforms. Healthcare companies rely on third-party vendors for services such as telemedicine, electronic health records and medical supplies. Across sectors, companies are turning to third-party service providers for everything from human resources to business intelligence and supply chain logistics.
This, in turn, has increased the number of business functions that rely on third parties and are exposed to third-party risks. In the past, a bank may have had one or two risk verticals that cared about third-party risk; today, that number could be in excess of 20.
The ascendance of these specialized service providers hasn’t just increased the number of third-party relationships; it has also increased their complexity. In the past, many of these activities might have been performed manually within the safety of a company’s environment, or at most with an application programming interface (API) that connected to the company’s environment. Today, those same activities may involve a network of third parties working in environments that are not owned or controlled by the company. In turn, those third parties engage with their own networks of third parties to deliver services. The bottom line is that “third-party risk management” is already something of a misnomer — today’s companies have to cast a wider net to consider not just third-party risks, but also fourth-party, fifth-party and nth-party risks.