Third-party risk programs are maturing, but risk professionals still face significant challenges, according to an analysis of the second annual Third Party Risk Management Benchmarking Survey. Once again this year, Aravo Solutions and CeFPRO partnered to conduct this research, and more than 230 risk professionals responded to a wide-ranging set of questions covering everything from risk reporting to staffing and salaries.
The survey found several indicators that third-party risk management practices are becoming more mature. An increasing number of respondents reported that they were moving away from manual or fragmented processes for managing third party risk and towards a more agile practice. Agility was defined as having a federated system for the entire organization with integrated information and technology environments, automation, reporting, and accountability monitoring.
In addition to processes, growing maturity was also reflected in the technologies used to manage third-party risk as well as the breadth of risk domains they are managing. To move toward agility, more people reported that they are reducing reliance on spreadsheets and manual processes and adopting solutions that enhance collaboration by managing third-party risk in a more centralized way.
But this growing maturity has uncovered new challenges and opportunities. It appears that organizations are finding that improving their due diligence processes is like peeling an onion, exposing additional complexity and risk dimensions as their knowledge of third parties deepens. Respondents reported that despite better tools, they see room for improvement in multiple areas.
Not surprisingly, cyber risk was a common thread that ran throughout the survey. Given the growing occurrences and sophistication of cyber security threats and the financial and reputational damage associated with data breaches, organizations seem rightfully concerned about potential vulnerabilities resulting from third-party relationships. Concerns about cyber risk were reflected in responses about everything from board interactions to current practices to future risks and opportunities.
Concerns about managing fourth and nth party risk also jumped significantly this year. Nearly ten times more respondents cited fourth party risk as their greatest challenge in the coming months than in the previous year. However, responses to questions about current controls around fourth party due diligence demonstrate that there is still significant room for improvement.
Ironically, growing concern around fourth party risk may be another indicator of the growing maturity of third-party risk practices. As they begin to get a better grasp of their third-party ecosystems, organizations now have the capacity to focus on the next layer of the onion – the critical relationships their third parties rely on to provide products or services.
Two new areas of inquiry were added to this year’s survey: experience with third-party incidents and board participation. Respondents were asked to share whether they had an incident in the past 12 months and the impact (if any) that incident had on their businesses. The majority of respondents indicated that they had experienced an incident last year, but the impact of those incidents varied.
There has been a trend toward increased board interest in third party risk management, and the survey attempts to quantify the extent of board interaction and priorities. Respondents were asked about board reporting and oversight, with most indicating that third party risk management does, in fact, have at least some board engagement. Boards appear to associate third parties with a range of concerns, including cybersecurity, though these concerns may not always be aligned with what respondents saw as the primary drivers of third-party risk management.
The survey also revealed that there is an important correlation between board engagement and program maturity.
The objective of the survey was to shed light on how the discipline of third-party risk management (TPRM) is evolving and to provide important data points to help firms benchmark their programs and identify emerging best practices. The detailed report covers a broad range of issues such as:
- What levels of maturity are programs at?
- Do third party risk programs have the appropriate funding for people, tools and innovation?
- How are boards of directors engaging with TPRM?
- What is the typical organizational structure?
- How are third party risk professionals remunerated?
- What are the greatest challenges and opportunities associated with third party risk management?
Survey responses were collected between February and April of 2019 and represent a broad range of industries and regions, with a large portion from the financial services industry. The 2019 edition of the Third Party Risk Management Benchmarking Survey – a comprehensive 36-page benchmarking report – will be available for download from both the CeFPRO and Aravo websites from mid-June 2019.