6 minute read 8 Apr 2021
How businesses can address a growing range of third-party risks

By Judith Idemudia

Senior Manager, Consulting, Ernst & Young LLP

Experienced consultant. Focused on managing evolving third-party and IT risks in a changing threat landscape.

Related topics Consulting Cybersecurity

The challenges of 2020 have uncovered multiple risk areas, leading many companies to rethink their third-party risk management programs.

In brief:

  • Organizations need to re-examine how they manage vendor risks, particularly around business continuity, financial viability and consumer privacy.
  • A centralized third-party risk management operations model that employs automated technologies can streamline assessments while covering multiple risk areas.
  • Risk management should define policies for all risk areas, involve functional stakeholders from the enterprise, and monitor the expanded risk universe.

The COVID-19 pandemic has exposed the cracks in how organizations manage their third-party risks, with disruption looming as a constant hazard. And those risks go beyond the cybersecurity threats that have historically captured the attention of risk management functions.

The EY Global Third-Party Risk Management Survey 2019–20 reveals that, although cybersecurity risk management remains incredibly important, organizations increasingly understand that their third-party risk universe is expanding to include other key risk areas like business continuity and resiliency risk, financial risk, and privacy risk.

[Figure: Expanded risk universe]

An expanding risk universe creates new challenges

At the start of the pandemic, businesses across all sectors showed an urgent need to identify those third parties that were critical to maintaining revenues. They reviewed their business continuity and resiliency plans and took steps to understand the financial viability of their suppliers. The questions flowed fast and furious as companies pondered whether their third parties could remain resilient while dealing with potentially ill personnel, inadequate remote working structures and even the instability of any supporting fourth parties.

Each of these risks exposed gaping holes in organizations’ existing third-party risk management (TPRM) programs. For instance, some businesses realized their continuity plans accounted for few scenarios beyond how to recover their systems and data following a disruption. There was little to no consideration as to which third parties supported those systems or even supported their business in general. Even some of those organizations with more comprehensive continuity plans had not tested their viability or anticipated a disruption of this magnitude.

As COVID-19 conditions worsened, companies and consumers alike became more reliant on digital services and platforms. This increased use meant people were sharing more data online than ever before, with a corresponding uptick in privacy awareness. In fact, the EY Global Consumer Privacy Survey revealed that 54% of consumers say that COVID-19 has made them more aware of the personal data they share than they were before the pandemic.

Privacy awareness: 54% of consumers say that COVID-19 has made them more aware of the personal data they share.

That sharing of data was accompanied by an increased expectation of security, with a majority of consumers pointing to secure collection and storage (63%), control over what data is being shared (57%) and trust in the company collecting their data (51%) as the most important reasons in deciding where they choose to share personal information.

In addition, existing privacy regulations like the European Union’s General Data Protection Regulation and emerging privacy regulations, such as Canada’s Digital Charter Implementation Act and an array of state-level laws in the US, will lead to even greater third-party risk monitoring expectations of organizations. Organizations can assume that regulatory scrutiny of third-party risks will only intensify post-pandemic.

Therefore, to adapt and thrive in this new risk landscape, businesses must align their policies with consumer expectations — and that includes third parties who handle data. Organizations have a chance to build trust with consumers, but their reputation could be easily damaged if third parties do not properly secure data.

Addressing the expanding risk universe through centralization, functional integration and automation

Faced with this expanding risk universe and regulatory requirements, TPRM programs are increasing their scrutiny of third parties while striving to recognize how various risks are interconnected. But trying to do more in this arena often runs into the roadblock of reduced resources, so organizations seeking cost and process efficiencies will need to consider how their TPRM program can work more closely with other functions and teams, such as procurement, finance, privacy and compliance.

According to our TPRM survey, only 50% of companies currently have centralized TPRM programs, with 39% embedding separate programs within each business function. Decentralized functions increase the cost of conducting risk management activities while also increasing the fatigue of third parties as they answer multiple assessment questionnaires. For example, our survey shows that the typical post-contract risk assessment questionnaire has nearly 200 questions, and more than 30% of organizations have over 1,000 suppliers to assess, increasing time and costs across the board.

[Figure: Third-party volume]

Faced with this volume of assessments across the various components of third-party risk, organizations should consider pursuing a well-integrated and functional approach that offers the following benefits:

  1. A holistic view of the risk a third party poses to the organization, which can be used as an input to future sourcing and contracting decisions
  2. A streamlined risk assessment process
  3. An improved user experience that maintains strategic relationships with third parties

This functional approach could feature an engaged team working collaboratively to complete a single assessment covering multiple risk areas — business continuity, financial, privacy, cybersecurity — rather than a variety of siloed efforts.

Such a move to a more centralized operating model allows both vendor risk management and relationship management objectives to be met, ensuring that organizations comprehensively assess their third parties in a cost-effective fashion. Additional efficiencies can be realized through data-driven technology solutions that use automated, real-time data to proactively monitor diverse risk areas. In fact, more than 50% of the organizations surveyed plan to increase their spend on technology and advanced analytics.

[Figure: Technology investment]

In their pursuit of an integrated TPRM approach, some organizations are looking to make more active use of external solutions to gain further operational efficiency, scalability and better-quality review across a broad range of risk areas. Over 40% of the organizations surveyed expect to make more frequent use of managed service providers or co-sourcing to execute their TPRM function; that figure jumps to more than 50% for market utilities or sector-based consortiums.

Keys to building a centralized and integrated TPRM program

As organizations weigh their options to effectively expand the risks assessed for their third parties and drive consistency and efficiencies through functional integration, they will need to enhance their TPRM program’s foundational elements to embed all risk areas.

This process includes defining policies and standards for each risk area, as well as establishing governance and oversight for the TPRM program that involves stakeholders across all areas. The inherent risk models will also need to be designed to help identify third parties that pose a critical or higher risk for certain areas. For example, privacy risk could be reviewed based on the sensitivity of data shared and the third party’s geographic location.

A renewed risk assessment review should also look for areas of synergy across multiple functions. This could include creating consolidated questionnaires that eliminate duplication, as well as using external data tools to provide real-time risk insights for ongoing monitoring. Consolidation of this nature will also allow for scalable, enterprise-wide TPRM processes and procedures that reflect the efficient integration among all relevant functional groups.

[Figure: Elements of a comprehensive TPRM program]

Given every organization’s heavy reliance on third parties, managing the third-party risks that come with doing business is business-critical. Proactively monitoring the expanded risk universe will help companies minimize reputational damage, gain consumer trust and sustain their businesses. The key is to do this efficiently and cost-effectively by consolidating processes across multiple functions.


Organizations are facing a growing array of third-party risks, from business continuity and financial viability to consumer digital privacy. A revised risk management model that embeds all risks and functions within a centralized process can allow companies to proactively monitor potential risks in an efficient and cost-effective manner.
