2020 Perspectives: Change, Fortune and Frame(works)

In 1964, the average tenure of companies on the S&P 500 was 33 years. In 2016, that average tenure decreased to 24 years. By 2027, according to the consulting firm Innosight, companies will remain on the S&P 500 for an average of only 12 years. This “corporate longevity” research frames the accelerating rate of S&P 500 churn as a “barometer for marketplace change.” It also draws attention to the accelerating churn rate of strategic, operational and technological risks — and to the inability of many outsourcers and third parties to keep pace with these new threats and disruptions.

“Even within broad risk categories, specific areas requiring due diligence can change quickly,” explains Santa Fe Group Senior Advisor Gary Roboff, who notes that environmental issues did not rate as a top-5 risk in C-suites and boardrooms as recently as 2009, but now pervade discussions of strategic risks. Emerging risks around the world, Roboff emphasizes, “require consistent monitoring and can vary significantly over time, both in terms of likelihood and impact.”

A range of rapidly changing risks figure prominently in the third party risk management developments Roboff is monitoring in 2020; these include:

  • New regulatory takes on resilience: Roboff expects more regulatory bodies, especially those that oversee financial institutions, to issue new guidance on resilience this year. He also notes that resilience is increasingly being applied to third party assessments. For example, the U.K.’s Prudential Regulatory Authority (PRA) views operational resilience as “a vital part of firms’ safety and soundness.” Resilience, Roboff continues, describes the set of controls, processes, steps and technologies that are in place to help companies and vendors prevent and respond to unexpected threats with the least possible disruption and the quickest return to normal operations.
  • More scrutiny of cloud services: While emerging technologies such as artificial intelligence (AI), blockchain, Internet of Things (IoT) and 5G will necessarily attract more attention from third party risk management professionals, cloud technology also warrants careful consideration as the use of cloud-based third party services becomes ubiquitous. “Just because you’ve moved software or a service to the cloud doesn’t mean that you’ve abdicated your responsibilities to perform due diligence of those cloud vendors or to monitor those activities,” Roboff notes. Regulators, like the international Financial Stability Board (FSB), want to make sure business leaders understand and fulfill these risk management responsibilities. Late last year, the FSB published a report that examines third-party dependencies in cloud services as well as the financial stability implications of those relationships.
  • New geopolitical and climate risks: “This year, I think we’ll see an increased regulatory focus on environmental issues,” notes Roboff. Last fall, for example, the Federal Reserve Bank of San Francisco started exploring how to quantify the climate risk faced by households, companies and the financial system. Regulators, he notes, “are now actively considering factors related to the emergence of increasingly severe environmental events that may impact organizational resilience.” Geopolitical risks also continue to morph from year to year, and these issues can compromise operations and supply chains. “Many organizations do not have appropriate resources or expertise to properly monitor geopolitical risks related to vendor operations,” Roboff reports.

Those changes, along with many others that Roboff keeps tabs on, also require third party risk management (TPRM) processes and tools to be updated to better address fluctuating risks. This never-ending requirement explains why the latest section of the Shared Assessments TPRM Framework, released earlier this month, provides a deep dive into a wide range of due diligence processes — including those related to cyber security, numerous emerging technologies, climate change and more — across the TPRM lifecycle.

TPRM frameworks “aren’t static,” asserts Roboff (who highlights the Framework changes here). “They need to be continually updated and revised.” The longevity of third party relationships, companies and even careers increasingly depends on keeping those risk management frameworks and tools current.