The “Skirt Length Theory” of economics says that when the economy is performing well, women’s skirts will be shorter, and in turn, skirts will be longer during downturns. Looking back at 2020, it is difficult to assess fashion trends as Go-To-Meeting and Zoom captured us only from the waist-up. (Amid economic uncertainty and workplace transition, it’s probable we have worn leggings and Birkenstocks (with socks?!) since March.) However, we can speak definitively to the trends we are seeing in Third Party Risk.
Shared Assessments is launching a series of blog posts on trends in TPRM. To identify these trends, we asked risk experts for their views on the following questions:
- What has been the biggest challenge to third-party risk managers in 2020?
- What is the one metric that is essential for TPRM programs?
- What one piece of advice would you give to third-party risk managers presenting to the C-suite and boards?
- What one new technology or development in TPRM are you most excited about?
The results of our lines of questioning offer sound advice from a myriad of perspectives. We hope that in these answers you find an approach to apply within your career or your program – or maybe you find solidarity in the challenges mentioned below that you have faced in an incredibly dynamic year for risk management. Read on for reflections on the greatest challenges in TPRM in 2020.
What have been the biggest challenges in TPRM in 2020?
Most of the challenges identified can be grouped into three themes: cybersecurity risks introduced by work-from-home, moving on-site processes into the virtual workflow, and the heightened risk of vendor Business Continuity.
Nassar Fattah, Executive Advisor at RiskLogix LLC, reflects that the greatest challenge in TPRM is accountability, a factor present in all three themes: “Still being accountable for identifying vendor risk (either with new onboarding vendors or with the existing vendor portfolio), and looking at operational day-to-day activities, including due diligence and ongoing vendor meetings, to determine what we need to refine, modify and/or add to still achieve the goals of the program. For example, being able to continue to get visibility into vendor activities and associated risks do not go away. In fact, they become more important. But now we have to look at our existing processes to see what we need to tweak to still get vendor visibility, particularly vendor risk. Perhaps rely more on Continuous Monitoring – if we are subscribing to such a solution, and/or laser focus in on the key risks we are concerned with. Like vendor financial stability, securing staff working from home, ensuring privacy while folks are working from home, etc.”
Similarly, Catherine Allen, Founder and Chairman of The Santa Fe Group and Shared Assessments, identifies the greatest challenge in TPRM as “Covid-19 and not being able to do onsite assessments as well as deal with suppliers as they moved to work-from-home.”
Moving From On-Site to Virtual Assessments
Linnea Solem, CEO and Founder of Solem Risk Partners, LLC, adds that “The impact of Covid-19 required third party risk managers to adapt their TPRM programs and security controls to address both virtual workers and virtual vendors.”
Phil Bennett, Manager, Information Security Governance, Navy Federal Credit Union, states “The biggest challenge to third-party risk managers in 2020 has been our need to adjust mature TPRM processes in a thoughtful way that balances our need for risk-based oversight in an environment where traditional on-site validation processes are not possible.”
Clayton Carpenter, Senior Analyst Compliance, Trane Technologies, agrees that “The biggest challenge has been the COVID-19 pandemic which created an obstacle to performing on-site or face-to-face assessments. This fact necessitates TPRM managers and programs understand the risk perpetuated by the new ‘work from home’ paradigm. Also, TPRM programs must ensure their due-diligence and information gathering processes can adjust to cope with the new reality – e.g. the art of conducting a remote assessment.”
Gary Roboff, Senior Advisor, Shared Assessments, echoes the same sentiment with his succinct addition: “Disruption to normal TPRM process flows across the board.”
New or Heightened Risks
Angela Dogan, MBATM, CTPRP, CTPRA, Davis Dogan Advisory Services, identifies the biggest challenge “for TPR Managers is the need for maintaining a truly risk-based approach to assessing vendors and service providers with the reality of the world and the state that most organizations are in. They all seem to be searching for how to keep their programs afloat and running while trying to determine how to adapt with current changes and maintain a ‘true’ view of the risks the organizations they do business with pose in light of the ‘new’ risks that are developing.”
Charlie Miller, Senior Advisor, Shared Assessments, sees the greatest challenge as “Ensuring adequacy of business resilience capabilities across their third parties.”