Third-Party Risk Still a Shaggy Mess

We have an intriguing survey on third-party risk management to study today, one that suggests many companies are still struggling with siloed approaches and manual processes to manage their vendors — which, consequently, leaves lots of companies managing only a small fraction of the vendors they have.

The survey comes from Prevalent, a vendor of third-party risk management software. The company polled risk management executives at 156 companies, asking about the vendor risks those companies manage and the technology they use to manage it. Prevalent released the resulting report last week, and its findings are worth some contemplation.

On one hand the findings are somewhat obvious. For example, Prevalent found that cybersecurity and data privacy teams are now more involved in third-party risk management (TPRM) than they were a year ago. Well, that makes sense, given that third parties are now a more common avenue for cyber attacks or privacy breaches. Of course those teams should be more involved. 

It’s also no surprise that multiple business functions are somehow involved in TPRM, since third-party risks can come in all sorts of flavors and sizes. Figure 1, below, shows the teams typically involved in TPRM, and what each of those teams typically worries about.

[Figure 1: teams typically involved in TPRM and the risks each one focuses on. Source: Prevalent]

My question is more about how large enterprises are coordinating all that TPRM activity — the risk assessments, due diligence, monitoring, reporting, and so on. Because if your TPRM effort lacks that coordination, do you really have a TPRM program at all? Or do you simply have a hodgepodge of risk and control functions, each one addressing third-party risk in its own way?

Programs, but Also Manual Processes

It looks like the respondents to Prevalent’s survey tried to split the difference: a solid majority (86 percent) said they do have a TPRM program at their enterprise, but half of them also said they depend on spreadsheets and multiple tools to assess and manage their third parties.

Umm, I don’t get that.

Or rather, I do get how such an arrangement comes to pass: risk management teams operate under tight budgets, with bureaucratic inertia and legacy IT infrastructure forced upon them. I just don’t believe that approach is going to be sustainable for much longer.

Figure 2 shows the various ways that companies assess their third parties. The red line at the top represents spreadsheets, cited by 50 percent of all respondents. That’s problematic enough, but notice that lots of respondents also said they use dedicated TPRM platforms (39 percent), GRC tools (30 percent), and an assortment of other specialty software (all those single dots in the 10 to 25 percent range; they appear as single data points rather than lines because Prevalent had not polled this question before).

[Figure 2: methods companies use to assess third parties, by percentage of respondents. Source: Prevalent]

This means that lots of companies are using many TPRM tools. So are they using those tools in a coordinated way, or are different teams using different tools and not talking to each other as well as they should? 

Prevalent had a few other stats that give a mixed answer to that question. Sixty-four percent of respondents did say their current method of assessing third parties met the needs of all departments involved. Then again, if multiple departments are using multiple tools, wouldn’t you expect that? Everybody is saying yes, the tool they use for their specific slice of third-party risk is just peachy. No kidding.

At the same time, however, only 51 percent say they are able to assess risk at every stage of the vendor lifecycle (think a vendor not disposing of equipment or data as promised when a contract is terminated, or your own failure to disable their user access). Only 49 percent say their TPRM program has the automation and reporting necessary to demonstrate compliance.

That tells me that perhaps TPRM programs aren’t as good as they need to be. Different teams might be using different tools to address their own specific pain points, but that’s not the same as every team acting in concert to assure that all vendor risk is managed. 

And yet, that concerted effort is ultimately what boards, regulators, and business partners want to hear about — ideally from a single chief risk officer of some kind.

Cracks in the System

Here’s why all that stuff matters: because this piecemeal approach to TPRM leaves the average company with too many TPs not RM’ed. 

Specifically, respondents to the Prevalent survey said they manage only about one-third of the vendors their companies actually have. Since the average respondent had roughly 3,200 vendors, that means the average respondent managed 1,074 while the other 2,157 vendors went unaddressed. See Figure 3, below. 

[Figure 3: average number of vendors per respondent, managed versus unaddressed. Source: Prevalent]

That is all sorts of not good. With that many vendors unmanaged, your corporate rear end is hanging in a ferocious breeze, waiting for the slings and arrows of misfortune to approach from any direction. 

For example, you might be spending all your time assessing cybersecurity and corruption risk, while missing product quality or supply availability disasters that could blow a hole in your financial forecasts. Or your enterprise might be great at due diligence and onboarding, but terrible at later stages of vendor lifecycle risk management such as monitoring or termination. Only 51 percent of respondents said there is at least some coordination among the various functions involved in TPRM, which suggests that lots of companies still need improvement.
