The business impacts of TPRM technology in 2023
Brian Shaw, Director of Financial Services, Mirato
Below is an insight into what can be expected from Brian’s session at Vendor & Third Party Risk Europe 2023.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
What new technologies are we seeing within the TPRM space in 2023?
Traditionally TPRM solutions are categorized into four main categories:
- GRC, TPRM Workflow Platforms to guide and streamline process
- Subscription Data for focused views of risk by domains
- Consortiums, Exchanges for one-to-many efficiency
- Service Providers for due diligence reports as a service
With advancements in computing power, Natural Language Processing (NLP) and Natural Language Understanding (NLU), a new 5th category is developing based on Artificial Intelligence. These new technologies focus on reducing manual review, analysis, and correlation of third-party risk documents and evidence. These are referred to as TPRM Intelligence platforms.
While traditional TPRM solutions automate workflows, curate data, or provide pre-completed assessments, these new TPRM Intelligence platforms automate the manual work still required by leveraging advanced Artificial Intelligence.
TPRM intelligence platforms contextualize the information in your workflow, evidence, and data sources. They can pre-complete assessments and due diligence and expand continuous monitoring to continuous evaluation, all while validating and documenting your unique risk controls in the process.
How can technology be used to reduce processes within TPRM?
NLP and NLU-based AI platforms trained and optimized for TPRM can read structured and unstructured content in documents and data sources, then interpret that information to validate an organization’s TPRM controls using their specific criteria and unique risk model. When applied across onboarding, due diligence, contract review, continuous monitoring, concentration, and other risk management processes, this can reduce manual effort, cycle time, and assessment costs by up to 60% and cut more than 90% of the traditional questionnaire process. Additional benefits include surfacing hidden risk, higher accuracy, improved process integrity and strengthened effectiveness of even highly automated and sophisticated TPRM programs.
How can we maximize the value of data?
Most FinServs already collect volumes of third-party documents to validate controls as part of due diligence, ongoing monitoring, and relationship management.
Expiration dates vary greatly, and reviewing newly provided updated versions exceeds most programs’ resource capabilities. With purpose-built, trained, and optimized Artificial Intelligence, it is now possible to monitor all changes within new documents as they arrive, providing real-time alerts for any issue of concern.
Why does it matter? Reviewing updated information as it arrives is often not done at all, or only when there is an emergency or at the scheduled 1-, 2- or 3-year intervals.
These documents often plainly disclose new and potentially meaningful changes in fourth parties, data centers, insurance, etc. – many attributes of risk elements that should be reassessed against the original requirements. Awareness of a material change could make a difference; the question is, when do you want to know about it, proactively to avoid a potential issue, or after it becomes an adverse event?
Many firms also subscribe to data providers focused on specific risk domains, including IT / Cyber, ESG, ABAC, Supply Chain, etc. Efficiency, cost reduction, and constantly changing regulatory requirements are driving a greater reliance on these subscription services. Most firms still can’t consume this data meaningfully due to time and bandwidth constraints of human review and correlation.
AI / NLP / NLU solutions can constantly digest not only the metadata from these services but also detailed information in the unstructured reports, increasing the value of these services significantly. This provides greater insight and value from data already subscribed to and the ability to add more data sources without additional headcount or training. The value is automating the understanding of large amounts of data, not just collecting it.
What hidden risks can be commonly found within TPRM, and how can we reduce these?
Even mature and highly automated firms struggle to manage scale and complexity with limited resources and constantly changing risk and regulatory requirements. Most TPRM programs are limited to managing what they can, not what they want to or should.
Nontraditional third parties, 4th / Nth parties, or even entire groups of “low risk” third parties are often not assessed effectively or at all. This creates many “hidden” risks, not because they are actually obscured but because there is insufficient time or resources to see them.
Most firms unknowingly rely upon many 4th parties documented in evidence they don’t have time to read or cross-reference.
There is often no practical way to correlate 4th and 5th parties with a firm’s 3rd parties if an issue is detected that might cascade through their service lines, lines of business, or services and products delivered to their customers.
A variety of potentially devastating concentration risks and single points of failure are also readily available for exposure – with the right tools.
Lastly, when forced to, limited personnel resources almost always focus on critical, high-risk relationships and services, forsaking less risky ones with two negative results.
The first is an undiscovered risk, which, if realized, can have negative reputation, regulatory or revenue impacts. The second is that even for the high-risk assessments still being done – the quality and depth are often compromised under pressure to complete more assessments faster, to avoid or reduce backlog.
All of these “hidden” risks (and more) are visible with AI / NLP / NLU, which, unlike limited numbers of even the most talented humans, CAN easily consume all available information and identify and correlate all the risk elements within a firm’s policy, not just the ones people have time to look for.