EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
-
Discover how EY's Third Party Risk Management team can enable your business to make better decisions about the third parties they choose to work with.
Read more
One way in which companies are responding to these heightened risks is by cracking down during control assessments of third parties. If third parties don’t respond to questionnaires in a timely manner, companies are now more likely to escalate enterprise processes (87% of respondents, up from 70% in 2023) or even cease operations entirely (29% vs 17% in 2023). When risks are identified during assessments, companies are far more inclined than before to take the path of remediation, with 57% of respondents saying they choose remediation, compared to only 17% in 2023.
The number and complexity of third-party relationships is increasing
While companies have always dealt with third parties, the number and complexity of such relationships has grown in recent years. A challenging business climate has driven an imperative to do more with less, and companies have often turned to third parties to unlock operating efficiencies. The adoption of digital transformation initiatives has expanded the third-party ecosystem, with companies increasingly using third parties for cloud services, software-as-a-service (SaaS) providers, and other digital platforms.
The end result is that companies rely more than ever on large numbers of specialized service providers. Today’s financial services companies, for instance, partner with a host of fintech service providers, including payment processors, loan providers and investment platforms. Healthcare companies rely on third-party vendors for services such as telemedicine, electronic health records and medical supplies. Across sectors, companies are turning to third-party service providers for everything from human resources to business intelligence and supply chain logistics.
This, in turn, has increased the number of business functions that rely on third parties and are exposed to third-party risks. In the past, a bank may have had one or two risk verticals that cared about third-party risk; today, that number could be in excess of 20.
The ascendance of these specialized service providers hasn’t just increased the number of third-party relationships; it has also increased their complexity. In the past, many of these activities might have been performed manually within the safety of a company’s environment, or at most with an application programming interface (API) that connected to the company’s environment. Today, those same activities may involve a network of third parties working in environments that are not owned or controlled by the company. In turn, those third parties engage with their own networks of third parties to deliver services. The bottom line is that “third-party risk management” is already something of a misnomer — today’s companies have to cast a wider net to consider not just third-party risks, but also fourth-party, fifth-party and nth-party risks.