Effective governance, program coverage and operating models
Organizations are seeking more efficient, self-funded ways to manage the third-party risk landscape.
To keep pace with the expanding risk universe, organizations require a foundation of smart governance and program execution. Unfortunately, it appears that resourcing and funding constraints have hit their limits even as the scope of TPRM programs continues to expand. In our most recent survey, released in 2020, respondents expected to increase their spend across multiple categories, from governance and oversight to policies and standards. But in this year’s survey, organizations say they are less willing to increase their budgets — each of the spend categories saw an average reduction of 13%. Ultimately, organizations need to find different, more efficient ways to manage the third-party risk landscape.
Spending continues to be concentrated in the core program itself (e.g., the TPRM team, external consulting), with 33% of organizations surveyed spending over US$500,000. The second largest spend is in assessment execution, with 22% spending over US$500,000. As TPRM programs identify automation opportunities and other cost efficiencies while driving a risk-based approach throughout the program, the historical drawbacks around centralized programs are being diminished. As a result, 60% of organizations are using a centralized model — compared to 50% in our 2020 survey.
However, this increase in centralization has revealed a lack of awareness across organizational functions. Companies are still struggling to find the right approach and resources to effectively execute programmatic change management activities. For example, fewer than half of respondents had a TPRM training module to communicate expectations to internal stakeholders, with 82% instead relying on intranet pages, policies, procedures or FAQs. As organizations continue to evolve at a rapid pace to address emerging technologies, new data capabilities and an ever-changing world, this passive education approach is simply not sufficient. This potential disconnect offers an opportunity to better engage stakeholders throughout the third-party life cycle so they understand the TPRM value proposition, along with their operational role and responsibility.
The two most common areas of focus for reviews by both internal audit and regulatory bodies were third-party assessments followed by oversight and governance. Strong governance and program execution are the backbone of good risk management, and internal and external reviewers are continuing to focus on those areas.
Program coverage and scope
TPRM program coverage has also continued to expand through inventory management of nontraditional third parties. To enable this expanded inventory and coverage, organizations are developing strong service catalogs to properly route engagements to the right level of oversight.
Operating models leveraging external support
As operating models change, so do decisions on delivery structures. This year’s survey found that respondents are leveraging multiple forms of external support. Managed service providers, market utilities and sector-based consortiums are helping companies do more with reduced spend and resources. In parallel, internal talent is being retained and enabled to focus on differentiating risks and high-value activities.
Expansion of the risk-based universe
Inventory scoping, tiering and a new view of criticality can help better deploy finite resources.
Over the next two to three years, the amount of effort required to effectively manage third-party risk is only going to increase, largely due to an expanding risk universe, increasing supply bases, more complex relationships, additional market capabilities and increasing regulatory focus, especially on anything deemed critical to a country’s infrastructure. With finite budgets and hours in a day, organizations will need to thoughtfully determine where and how resources can best be deployed.
Working smarter, not harder, in this context emphasizes the importance of inventory scoping, tiering and criticality. The third-party landscape continues to grow, so companies are significantly raising the bar to entry for the scope of their program (respondents indicated an average 25% of total third parties are in-scope for TPRM programs vs. 47% in last year’s survey). Organizations are making progress in using a risk-based approach for assessing third parties, decreasing the number of control assessments performed. In fact, responses show that 9% of the third-party population has been control assessed versus 26% in 2020. Through the challenges of the pandemic, organizations are learning what truly matters to their business and where the risk is present — and they are applying their finite resources in areas such as resiliency, technology infrastructure and third parties critical to the enterprise.
In 2020, respondents indicated that 47% of total third parties were in-scope for their TPRM program.
In 2021, respondents indicated that 25% of total third parties were in-scope for their TPRM program.
In 2020, respondents indicated that 26% of their third-party population were assessed.
In 2021, respondents indicated that 8% of their third-party population were assessed.
In terms of tiering, organizations are continuing to reduce the number of third parties classified as critical (organizations with more than 5,000 third parties have classified less than 5% of their population as critical). Fewer third parties are falling into high-risk categories as well, with respondents classifying an ever-increasing number of in-scope third parties within their “remaining risk” ranking versus a baseline of 26% last year. These expedited changes are likely a by-product of pandemic-related cost pressures and focus on third-party resiliency, prompting companies to re-evaluate and reassess their tiering criteria to focus on the third parties that matter most and have the largest impact on the organization. Respondents noted that their three most important criteria in defining critical third parties were criticality of services provided, sensitivity of data involved in providing services, and business continuity and resiliency.
Working across internal functions can improve data quality and streamline decision-making.
While most TPRM programs align with a few internal functions, such as information security and procurement, many other functions are left to their own devices as they assess third parties within silos. As they work with third parties, many functions are collecting similar questions yet not communicating with each other, leaving an organization unaware of the collective view of risk. Organizations that are able to bridge this gap with an integrated risk management approach will find it significantly easier to be resilient in times of uncertainty.
Approximately 86% of respondents supply information security functions with TPRM-related data as part of their TPRM programs. However, the level of integration drops dramatically across other key stakeholders surveyed, including procurement (71%), operational risk/enterprise risk (65%), compliance line of business (57%), legal/general counsel (52%) and technology/operations (51%).
Functional integration within the TPRM program offers a tremendous opportunity to further integrate taxonomies, improve data quality and prevent unnecessary data replication, driving an improved third-party inventory. This in turn would reduce fatigue on third-party business and control functions as they respond to fewer duplicative data requests.
Improved alignment would also expedite direct and indirect spend decision-making throughout the third-party life cycle. This would offer much-needed transparency to help reduce third-party proliferation in key areas like IT and cyber and within key business processes that rely heavily on large volumes of third parties, such as claims, loan origination, part suppliers and raw material suppliers.
The difficult path to integration
Unfortunately, the path to integration presents several roadblocks. Different functions may be using different tools or technologies to collect data, and 27% to 34% of respondents either do not have dedicated technology or remain unaware of the ecosystem of available tools to enable their programs. There’s no one-size-fits-all solution for enabling technology; however, organizations need to consider how to manage the full, integrated life cycle while weighing the benefits of a larger enterprise tool or a smaller, dedicated TPRM tool.
Technology, automation and external data sources
Organizations are still learning how to leverage technologies to drive value and efficiency.
According to the EY Global Board Risk Survey report, many organizations are investing heavily in technology to make internal processes more efficient and create new experiences for customers. But inherent in these digital transformations is a complex web of risk factors — from bias in artificial intelligence to data breaches. Effective risk management is essential to the design and application of transformation initiatives, taking into account the wide range of potential disrupters.
And while organizations seem intrigued by emerging technologies and services, their actions have yet to match their intentions. Much of what is possible remains just that — a possibility — as companies struggle to integrate external data providers, market utilities and robotic process automation (RPA) into their TPRM processes to reduce effort and cycle times while improving monitoring capabilities.
While 84% of organizations are now using some form of external data provider, a significant portion of companies are using them only in select areas. Just 34% of those organizations consider these technologies and products to be extremely or very useful, indicating that organizations are still overcoming growing pains around how to ingest these technologies, include them in risk methodologies, and leverage them to drive both value and overall efficiency.
There is an opportunity to leverage externally available data sources (e.g., financial, cyber, geopolitical) to monitor key risk indicators against predefined risk appetite and risk tolerance thresholds, reducing reassessment efforts. Rethinking the TPRM risk methodology to include external data providers offers a chance to lessen assessment fatigue. In fact, 35% of respondents continue to perform annual control assessments on their lower-risk third-party segments (i.e., second-highest, third-highest and remaining risk third-party segments), and 21% of companies surveyed are not using these technologies at all in their programs. In addition, 45% of respondents do not use any external data providers at all to assess the financial health and reputation of their third parties, indicating a substantial opportunity to reduce manually intensive and point-in-time assessment activities.
The acceleration of automation and technology enablement will provide better clarity into real issues and threats, such as enterprise-wide exposure and concentrations of risk. With 64% of respondents seeing value in using risk and threat intelligence tools, companies have a chance to mature their TPRM programs to gain efficiencies while improving real-time risk oversight. There is also a significant opportunity to leverage automation to improve continuous monitoring capabilities as 34% of organizations surveyed find these market tools extremely useful or very useful.
Investment in activities
Even with this wider use of intelligence tools, just one in five organizations surveyed are using advanced analytics, and even fewer are using artificial intelligence (AI), RPA or blockchain. However, many more organizations recognize the benefits that such technologies can provide. More than one in three respondents expect to start using advanced analytics in the next two to three years, and almost one in three plan to use AI.
Assessment cycle times and types
When considering the impact of the pandemic, organizations have reduced their on-site assessments in favor of remote and virtual on-site assessments. Virtual on-site — screen sharing of artifacts and materials normally reviewed on site — provides similar coverage and comfort as a typical on-site assessment, which can also help reduce the assessment cycle time. As organizations find new, innovative ways to reach a similar outcome, this trend is likely to continue as it reduces both cost and cycle time.
As the third-party risk universe grows, organizations try to manage by working smarter, not harder.
Keeping pace requires a third-party risk management foundation of smart governance and program execution, complete with enhanced employee training, optimized inventory scope tiering based on criticality, and updated operating models that incorporate external support to close gaps in skills and capabilities. As organizations work to transform their TPRM programs, they should consider improving functional integration and alignment, leveraging externally available data sources and intelligence tools, and taking advantage of new ways of working such as virtual on-site assessments.