If the people who keep you in business go under, what happens to you?
This is the single most important question that risk management leaders must answer with regard to their third parties and supply chain partners considering today’s COVID-19 pandemic crisis. And yet, only 10% of leaders and decision-makers are extremely confident in their third-party risk management programs and only 50% are satisfied with their current solutions. What does this add up to? Insufficient programs and a lack of preparedness to handle the unknown.
In partnership with Shared Assessments, Prevalent conducted a survey of senior risk decision-makers in February 2020 to study current third-party risk trends, challenges and initiatives impacting organizations today. The goal of the study was to provide a state-of-the-market on third-party risk with actionable recommendations that organizations can take to grow and mature their programs. This post summarizes what we learned from the study and what you can do to better equip your third-party risk management program for resiliency.
Findings from the study suggest that:
Compliance (particularly meeting data protection requirements such as GDPR) dominates project drivers, yet organizations lack the resources (budget) and processes to assess even their top-tier vendors with most assessments taking more than a month to complete. Considering the state of your supply chain, can you afford this kind of lag?
Compliance and cybersecurity teams aren’t the only ones necessary to contribute to a mature program; you also need contributors who can assess and interpret business and financial risks – especially in today’s climate. With resourcing a challenge and continuing lack of confidence in programs, it will be difficult to operate in a silo.
76% of respondents said that they experienced one or more issues that impacted vendor performance, 74% indicated operational issues, and 55% indicated a compliance violation in the last two years. Considering how resource-drained the average TPRM program is, how would you be able to recover?
When asked if they were planning to implement a new, or augment/replace an existing, third-party risk management solution in the next 12 months, nearly half of respondents said “yes.” When half the market is looking to change their solution, it must mean needs aren’t being met. And it’s no wonder, considering that the satisfaction levels among existing tools hovers in the 50% range, and weighted average of satisfaction for GRC tools caps out at 3.4/5.0. Standardized Assessment Content Providers buck this trend – clearly, organizations are relying on standardized assessment content to help clear the path.
42% of respondents indicate that they will invest in IRM in the next year, yet they’re concerned about limited resources/staffing/expertise, no real-time awareness of changes, and no integration with other tools used for vendor management or risk management. Since Digital Transformation is also a driver, it’s important for organizations to determine if a general-purpose IRM has the flexibility to meet needs, compared to a purpose-built TPRM assessment platform.
The third-party risk management market is at an inflection point. Users aren’t assessing enough of their top their vendors. They lack resources and budget to fund it correctly. Third-party risk is broken, and supply chains are at risk.
What is the path forward? Read the recommendations below.
Growing and maturing an adaptable and agile third-party risk management program doesn’t have to be a complex and time-consuming process. Here are five (5) recommendations to jump start your vendor risk activities:
A programmatic process should help your team progressively:
The outcomes of such a standardized and repeatable methodology? Download the full report to find out.
Given the complexity, no one person can likely figure all that out, so internal and external collaboration is key to not just identifying risk but mitigating it too.
There are solutions available on the market that offer a library of pre-defined questions that map back to any number of regulatory or industry frameworks. This lets you avoid the duplication of effort and patchwork of requirements you would get if you tried to assess against each framework individually. It’s also much easier to prove compliance when it’s one question that covers many requirements at once.
Don’t pigeon-hole yourself into a single rigid option for collecting and analyzing surveys from your third parties. There are multiple ways to assess all of your top-tier vendors (and thereby overcome a major challenge cited in this survey).
Making decisions in silos with a limited dataset will not enable your team to be effective vendor risk managers. Instead, seek out solutions that are built on an open platform with integrations to multiple business and risk solutions. A solid solution will offer:
Existing tools and IRM solutions aren’t enough to overcome third-party risk management challenges. Only a comprehensive model that offers a programmatic process to maturity with options to manage costs and reporting for compliance will provide a solid foundation for risk management teams to adapt over time.
For more on how Prevalent can help address third-party risk management challenges, request a demo of our platform today.