As a chaotic and unpredictable 2022 winds down and planning for 2023 is in full swing, now is the perfect time to think about what the next year has in store for third-party vendor and supplier risk management. Using the lessons we learned from 2022’s third-party breaches; continuing supplier disruptions from Covid and the war in Ukraine; and new regulations introduced to govern third-party relationships, Prevalent has assembled a few predictions of what we think will happen in the next year. Use these to guide your 2023 TPRM strategy.
A third-party vendor or supplier disruption can be caused by a number of risks, both logical and physical. Organizations would be wise to expand the scope of their assessments to accommodate more risk types in their analysis.
Prevalent’s annual third-party risk management report showed that only 40% of companies consider IT (i.e., logical) and non-IT (i.e., physical) risks together when evaluating vendors and suppliers. That number will grow in 2023 as more teams become involved in third-party vendor and supplier risk management, and as non-IT-related supplier breakdowns increasingly result in disruptions. After all, there’s more to a third party’s risk than their (lack of) IT controls – teams have to consider whether a supplier presents a reputational problem, whether they can pay their bills on time, whether their corporate values align, and whether they are delivering against expectations.
Because procurement, IT security, and compliance teams all have different needs when evaluating new or existing third parties, providers will have to do a better job of centralizing disparate data sources to present a coherent and comprehensive view of a multitude of risks for these teams.
Threats change too quickly to rely on static assessments.
A third-party risk management “exchange” is a network of completed risk assessments that vendors agree to share with customers on demand. A common challenge faced by companies that subscribe to a vendor network is that it can take time for a supplier to share their assessment, which can slow risk evaluation processes at key points such as onboarding and contract renewal.
As exchange networks become a more common source of stable and trusted suppliers in the face of constant disruption threats, organizations will want immediate access to supplier threat intelligence to make faster decisions. In 2023, we will see teams leverage continuously curated passive data such as cyber threats, business and financial risks, demographic profiles, recent breaches, reputational and ESG insights, fourth- and Nth-party ecosystems, and compliance findings in concert with the vendor’s shared risk assessments. This data will enable teams to immediately see how a third party fares against their peers in the network, across a broad dataset, without requiring approvals from the vendor.
This comparative analytics approach will greatly speed up, and provide much-needed context to, supplier evaluations by adding near-real-time data to the process. It will also necessarily evolve exchange networks into trusted supplier networks.
TPRM will help harmonize workflows and automations for varied SOC 2 reporting.
Third-party vendors and suppliers are increasingly providing SOC 2 Type 1 and Type 2 reports as evidence in lieu of, or in support of, assessments. These reports vary dramatically in scope and format, giving third-party risk professionals a relatively inconsistent basis for evaluation. Although these independent audit reports are a step toward risk validation, they require manual interpretation, which can be time-consuming and prone to errors.
In 2023, organizations will seek automated analysis of SOC 2 reports to translate them into a standardized format so they can be treated like any other risk assessment.
A critical success factor for any TPRM program is its ability to integrate into business processes and adjacent technologies.
It truly does take a village to manage risks – and third-party vendor and supplier risks are no exception. However, a noted lack of meaningful integrations limits the enterprise value that TPRM solutions deliver.
In 2023, organizations will pursue a single source of truth when managing third-party vendor and supplier risks, with more complete integrations filling gaps by injecting data from other systems (for example, inventory, GRC, RFx, contract lifecycle management, and events) into the central TPRM platform. Although each adjacent system will continue to perform the specific function where its technology excels, TPRM platforms will become the system of record for managing risk, and integration for the sake of integration will become increasingly irrelevant.
Several leading industry publications have sought out Prevalent’s perspective on where third-party risk management is heading in 2023, including:
Be sure to read our commentary on ESG; shifting away from an “annual and manual” approach to TPRM; how TPRM will evolve into a lifecycle-based approach; and why geopolitical insights will become increasingly accessible in TPRM solutions.
The coming year is shaping up to be an exciting one for third-party vendor and supplier risk management professionals. Consider these trends as you prepare your 2023 plans.
For more on how Prevalent can help automate and add intelligence to third-party risk management processes, contact us or schedule a demo today.