Chapter 1
Centralized TPRM has clear advantages
Centralization, risk tiering, technology and external support are attempts to strengthen TPRM.
A centralized risk management approach provides more complete and accurate data and improves program communications. Overall, 90% of organizations are moving toward centralized risk management, up from 85% in the prior year's survey. Among those surveyed, 54% of organizations use centralized risk management (down 6 percentage points from 2021), 36% use a hybrid approach (up 11 percentage points from 2021), and 10% use a decentralized program (compared with 12% in 2021). Financial services are a step ahead: financial services organizations are more likely to use a centralized TPRM program structure (62%, compared with 46% of non-financial services organizations and 54% of respondents overall).
Central view across third-party risk
90% of organizations are moving toward centralized risk management
Organizations with centralized TPRM structures effectively manage almost twice as many third-parties as their counterparts with hybrid TPRM structures, and they have a better understanding of the associated risks and the controls that mitigate them. They also complete control assessments faster: 64% of organizations with centralized risk structures can perform control assessments in 31 to 60 days, compared with only 43% of organizations with hybrid structures. About half of the organizations with a hybrid model say they complete their assessments in 61 to 90 days.
Chapter 2
ESG risk conversations are evolving
Environmental, social and governance commitments and risk management extend to third-parties.
ESG commitments are a developing area of third-party risk management.
Most organizations (54%) report that they include ESG in risk inventory reporting. Their top priorities include compliance with local regulations, corporate responsibility and stakeholder expectations. Nearly one-third (32%) include clauses requiring third-parties to comply with their own ESG policies and regulations, and 23% said if a key supplier did not meet their ESG requirements, they would stop working with that supplier.
“In order for organizations to have a robust ESG program, their ESG commitments need to extend into their third-parties as well,” said Michael Giarrusso, EY Americas FSO Third-Party Risk Leader. “They need to make sure that they are performing proper due diligence of their third-parties to confirm that they are in line with their own strategic goals from a sustainability and social justice perspective.”
These commitments can cause conflicting views. In our EY Global Board Risk Survey 2021, although 33% of boards expected climate change to impact their businesses, survey respondents still only ranked it as their ninth most important risk. “Organizations are facing challenges with their identity — not only what they want to represent as a company, but also how they want to measure, monitor, track and report against that commitment,” said Chris Watson, EY Americas Risk and Supplier Services Leader.
Despite their differing priorities, about two-thirds of respondents across industries report the same pain point in meeting ESG goals: a lack of coordination between internal stakeholders and third-party risk management.
Meeting ESG requirements
23% of survey respondents would stop working with a key supplier that did not meet ESG requirements
Chapter 3
Resiliency and TPRM
Organizations rely on risk tiering and technology to better understand third-party risk posture.
As companies focus on their own resilience, the resilience of their third-parties is a high priority. Companies are building resiliency by maintaining an integrated resiliency plan, conducting internal resiliency testing and scenario analysis, and putting in place exit strategies, contingency plans and business continuity plans. Organizations also use risk tiering to zero in on critical third-parties and set them apart for additional monitoring activities.
Most organizations surveyed ask more than 100 questions on their control assessments, and nearly half (48%) of organizations have exit strategies or contingency plans for high-risk third-parties. That means, however, that more than half have no exit strategy or contingency plan for the third-parties they consider highest risk.
“Having a strong third-party program can support resiliency, but it needs to be intentional,” Giarrusso said. “Make sure that you’re identifying those third-parties that are supporting critical business processes and then have plans in place — whether it’s contingency or exit strategies — for those third-parties in the event of a business disruption.”
Organizations are seeking smarter ways to understand risk by using external resources and embedding technology, automation and external data into their risk reporting process, Kelly said, noting that 63% of organizations plan to integrate external data providers and automation to better manage inherent risk assessments in the next two to three years.
Chapter 4
Seven leading practices for third-party risk
Organizations need to put foundational TPRM components in place to build a robust program.
Here is what your organization can do to better prepare for third-party risks:
- Define objectives and scope
To build a successful TPRM program and operational resilience, organizations should consider aligning their plans to an existing operational resilience framework, such as the Digital Operational Resilience Act (DORA), the NIS2 Directive and the UK Operational Resilience Framework. These frameworks set criteria and expectations for cybersecurity, information technology, third-party dependency management, and business continuity planning and testing. Perform an impact assessment and gap analysis against the currently proposed drafts.
- Fully understand, document and maintain your third-party inventory
- Develop policies and procedures
Lack of coordination between internal stakeholders was cited as the biggest pain point for organizations.
- Enhance ongoing monitoring
While initial due diligence is vital, more robust ongoing monitoring of third-parties enables more dynamic risk reporting.
- Establish a governance structure
Regardless of ownership, TPRM requires input from multiple functions and teams, making well-defined governance crucial. Multi-jurisdictional organizations should maintain a consistent global policy with local addenda where jurisdiction-specific requirements apply.
- Implement technology and automation
TPRM programs that integrate automation and external data providers into the supplier lifecycle and embed cross-functional workflows (e.g., procurement, cyber risk, resiliency) are more effective at managing third-party risk and reporting to senior leadership.
- Streamline customer experience
More than half (54%) of organizations send one aggregated/centralized questionnaire, while 46% send multiple questionnaires from different risk domains.
Additional contributors include Harald deRopp, Asia-Pacific (Japan) Third-Party Risk Leader; Joseph Kelly, EY Oceania Third-Party Risk Leader; Scott McCowan, EY Americas Risk Management Leader; and Chris Watson, EY Americas Risk and Supplier Services Leader.
Summary
Third-party risk management increases resiliency and has the potential to become a strategic business tool. While organizations are aware of the advantages, establishing and developing an effective TPRM program presents difficulties.
Leading organizations are making efforts to advance their TPRM programs by attempting to get a better picture of overall third-party risk, tiering risk according to critical needs and adding more TPRM reporting and resourcing capabilities. To increase efficiency and enable more strategic risk management decisions, organizations are evaluating emerging risks and impacts on their third-party and risk governance and continuing to use centralized and hybrid risk-management programs.