Despite the unexpected timing, nature and magnitude of the pandemic and its many challenges, a crucial line of risk management appears to have been prepared to provide assurance of organizational resilience capabilities before the coronavirus (COVID-19) struck. Business continuity management (BCM) and organizational resilience rate as a top-5 2020 risk, according to a fall 2019 survey of more than 500 internal audit executives conducted by the European Confederation of Institutes of Internal Auditing (ECIIA).
For the past four years, the ECIIA — a consortium of national internal auditor institutes and associations (including those in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland) — has published a hefty Risk in Focus report that analyzes the top risk priorities of internal audit functions. Most if not all of those national associations are closely aligned with the U.S. Institute of Internal Auditors (IIA).
The 2020 report is especially helpful to third party risk managers, cybersecurity professionals, senior executive teams and boards of directors for a number of reasons:
The “fact remains that business activities are spread far and wide outside of an organization’s own borders,” the report’s authors note in a chapter devoted to third party risk. “Recent protectionist, nationalist trade developments notwithstanding, supply chains have lengthened as the world has become more globalized over the long term, meaning that third-party risk may not even apply to third parties at all, but fourth, fifth, sixth etc. parties, also known as nth parties.”
The report indicates that internal auditors are clearly concerned about nth party risk: “It is important to keep in mind that fourth parties may not be subjected to the level of scrutiny and oversight that the organization has over the legally contracted third party. This calls for businesses to take even greater care in managing supplier risk.”
Here are the current top risks internal audit executives identified most frequently:
And here are the top risks that survey respondents expect their companies will need to address in 2025:
It is noteworthy that each item in both of those risk rankings relates, directly or indirectly, to third party risk management. Effective organizational cybersecurity increasingly depends on the cybersecurity capabilities of key vendors, and the same can hold for business continuity/resilience. Plus, a growing number of regulatory guidelines and requirements address third party risks, as the Risk in Focus 2020 report notes in a quick rundown of financial services industry rulemaking.
Finally, here are some of the questions that the report poses to internal audit leaders regarding their function’s ability to assess their company’s third party risk management programs:
Amid all of the difficult unknowns related to the pandemic, it is helpful to have some certainty concerning the types of questions third party risk management teams can expect to field from their internal audit colleagues in the months ahead.