If the people who keep you in business go under, what happens to you?
This is the single most important question that risk management leaders must answer with regard to their third parties and supply chain partners considering today’s COVID-19 pandemic crisis. And yet, only 10% of leaders and decision-makers are extremely confident in their third-party risk management programs and only 50% are satisfied with their current solution. What does this add up to? Insufficient programs and a lack of preparedness to handle the unknown.
In partnership with Prevalent, Shared Assessments conducted a survey of senior risk decision-makers in February 2020 to study current third-party risk trends, challenges and initiatives impacting organizations today. The goal of the study was to provide a state-of-the-market on third-party risk with actionable recommendations that organizations can take to grow and mature their programs. This blog summarizes what we learned from the study and what you can do to better equip your third-party risk management program for resiliency.
Findings from the study suggest that:
- Lack of process is damaging third-party program effectiveness: Compliance (particularly meeting data protection requirements such as GDPR) dominates project drivers, yet organizations lack the resources (budget) and processes to assess even their top-tier vendors, with most assessments taking more than a month to complete. Considering the state of your supply chain, can you afford this kind of lag?
- Third-party risk management is a team sport: Compliance and cybersecurity teams aren’t the only ones necessary to contribute to a mature program; awareness of vendor financial health is important too – especially in today’s climate. With resourcing a challenge and a continuing lack of confidence in programs, it will be difficult to operate in a silo.
- Significant consequences exist for organizations that don’t get third-party risk right: 76% of respondents said that they experienced one or more issues that impacted vendor performance, 74% indicated operational issues, and 55% indicated a compliance violation in the last two years. Considering how resource-drained the average TPRM program is, how would you be able to recover?
- Few organizations are happy with their existing toolset: When asked if they were planning to implement a new, or augment/replace an existing, third-party risk management solution in the next 12 months, nearly half of respondents said yes. When half the market is looking to change their solution, it must mean needs aren’t being met. And it’s no wonder, considering that satisfaction levels among existing tools hover in the 50% range, and the weighted average of satisfaction for GRC tools caps out at a whopping 3.4/5.0. Standardized Assessment Content Providers buck this trend – clearly, organizations are relying on standardized assessment content to help clear the path.
- IRM – a way out? 42% of respondents indicate that they will invest in IRM in the next year, yet they’re concerned about limited resources/staffing/expertise, no real-time awareness of changes, and no integration with other tools used for vendor management or risk management. Since Digital Transformation is also a driver, it’s important for organizations to determine if a general-purpose IRM has the flexibility to meet needs, compared to a purpose-designed TPRM assessment platform.
The third-party risk management market is at an inflection point. Users aren’t assessing enough of their top-tier vendors. They lack the resources and budget to fund it correctly. Third-party risk is broken, and supply chains are at risk. What is the path forward? Read the recommendations below.
Growing and maturing an adaptable and agile third-party risk management program doesn’t have to be a complex and time-consuming process. Here are five (5) recommendations to jump start your vendor risk activities:
#1 – Develop a Programmatic Process
A programmatic process should help your team progressively:
- Define who your vendors are and what inherent risks they present to your business
- Assess the right strategy to collect the right insights from the right third parties
- Analyze results from assessments and score risk levels based on a broad ecosystem of inputs
- Remediate risks raised from analysis of completed assessments
- Report against industry and regulatory requirements, and for the board
- Optimize the program to adapt to ongoing changing requirements and resource levels
The outcomes of such a standardized and repeatable methodology? Download the full report to find out.
#2 – Build a Cross-Functional Team
Given the complexity, no one person can likely figure all that out, so internal and external collaboration is key to not just identifying risk but mitigating it too.
#3 – Be Comprehensive without Being Complex
There are solutions available on the market that offer a library of pre-defined questions that map back to any number of regulatory or industry frameworks. This lets you avoid the duplication of effort and patchwork of requirements you would get if you tried to assess against each framework individually. It’s also much easier to prove compliance when it’s one question that covers many requirements at once.
#4 – Maintain Options for Assessment Collection and Analysis for Agility
Don’t pigeon-hole yourself into a single rigid option for collecting and analyzing surveys from your third parties. You can assess all of your top-tier vendors (and therefore overcome the challenge that respondents to this survey had) in one of multiple ways:
- Self-service: Collect just the basics to inform your profiling and tiering logic. At the very least, centralize the management of all your vendors into a single place so you maintain visibility.
- Managed service: Outsource top-tier third parties to a vendor that specializes in the collection, analysis and identification of risks so your team is freed up to work with third parties on long-term residual risk management.
- Shared service: Leverage a network of completed vendor questionnaires and supporting evidence for your lower-tier vendors so you can focus your team’s efforts (and the correct amount of resources) on higher-tier vendors.
#5 – Complement Your Decision-Making with Risk-Based Intelligence
Making decisions in silos with a limited dataset will not enable your team to be effective vendor risk managers. Instead, seek out solutions that are founded on an open platform with integrations to multiple business and risk solutions. A solid solution will offer:
- A comprehensive risk profile that informs assessment tiering, frequency of assessments and SLAs to measure
- A quantified and contextualized risk model inclusive of cyber risks, business risks, plus ISO and FAIR calculations
- Response management with enabled workflow and automation to ensure that vendor intelligence is routed to the right people on your team
- Risk reporting and prioritization, including context and guidance for prioritization
- Automated dissemination of reports both within the organization and to third parties to ensure transparency
How Do You Stack Up?
Existing tools and IRM solutions aren’t enough to overcome third-party risk management challenges. Only a comprehensive model that offers a programmatic process to maturity with options to manage costs and reporting for compliance will provide a solid foundation for risk management teams to adapt over time.
How does your third-party risk management program stack up compared to the respondents to our survey?