Revamping Third-Party Risk Management in 2021: Part I

If 2020 could be described in one word, “unpredictable” might be it. This was certainly the case with third-party risk management, where many tried-and-true strategies suddenly became obsolete. Here’s how you can use lessons from the past year to chart a better course in 2021.
December 11, 2020
When we compiled our 2020 third-party risk management predictions, there were no mentions of pandemics, business resilience, supply chain failures, or even social distancing. Our crystal ball failed us.

For sure, 2020 changed how third-party risk management practitioners went about their jobs. And we don’t need a crystal ball to know that the pandemic will continue to impact supply chains over the coming year. If your current TPRM playbook isn’t focused on supply chain resilience, then it may be time to throw it out and write a new one.

Our experts have gathered to make eight predictions to help you get a head start. We’ll start with the first four in this post and then round out the list with Part II next week.

#1. Third-Party Intelligence Will Reveal Risks Throughout the Vendor Lifecycle

2020 saw a litany of supply chain failures triggered by unpredictable events. These incidents shed light on the fact that companies need to understand risk at every stage of the vendor lifecycle – from sourcing to offboarding, and everything in between.

In 2021, third-party risk practitioners will need to expand their visibility by seeking risk intelligence at several key milestones throughout the vendor relationship:

  • Sourcing and Selection – Checking a prospective vendor’s reputational and credit histories can reveal whether they meet their financial and customer commitments. This information can also indicate whether they will be able to handle sudden shifts in demand and have the financial resilience necessary to weather economic downturns.
  • Intake and Onboarding – Bringing on a vendor requires taking an even deeper look at their potential risk. That’s why strong TPRM programs build comprehensive risk profiles that include cybersecurity, legal, sanctions and/or compliance issues for each vendor. The key here is to be proactive and start measuring risk on day 1 of the vendor relationship.
  • Prioritization and Scoring – Different types of vendors bring different levels of risk, so effective vendor tiering and categorization can be the secret to building a sustainable TPRM program. Inherent risk metrics can help you not only gauge the likelihood and impact of security and compliance incidents, but also determine the level of due diligence required for each of your vendors.
  • Assessment and Monitoring – By conducting internal controls assessments, you can shed light on vendor cybersecurity and governance practices and activate remediations when necessary. But internal assessments tell only half the story. You still need to validate vendor responses, check remediations, and uncover risk between assessments. That’s where continuous risk monitoring can help. Solutions that combine public, private and dark web cyber monitoring with business and financial monitoring will deliver the most complete vendor risk intelligence.
  • Reporting and Management – Third-party intelligence is only valuable if you can understand and act on it to reduce risk and strengthen vendor relationships. Effective reporting enables multiple stakeholders to collaborate on reducing exposures and ensuring compliance. It can also provide insights on vendor performance and contract adherence to inform procurement and renewal negotiations. The best TPRM solutions deliver all of this through a single pane of glass.

#2. Vendor Risk Measurement Will Expand Beyond Cybersecurity

There is more to vendor risk than cybersecurity threats, and there are several other risk factors that impact a vendor’s ability to deliver its products and services.

For example, are your vendors financially stable? Do they pay their bills on time? How do they handle operational disruptions from natural disasters and health emergencies? How might their ethics or sustainability violations threaten your organization’s brand or reputation?

For more complete vendor risk analysis, you’ll want to add these classes of risk to your monitoring initiatives in 2021:

  • Operational Risk: Leadership changes, restructuring and M&A activity can indicate strategic shifts, while partner/OEM updates can signal price increases and other changes.
  • Brand Risk: Product recalls, data breaches, and other incidents can result in negative PR.
  • Regulatory and Legal Risk: International sanctions, class action lawsuits, and violations of regulatory standards can cause substantial delays in product and service delivery.
  • Financial Risk: Bankruptcy proceedings and missed earnings can lead to restructuring and discontinuation of specific vendor offerings.

A unified TPRM platform can help to normalize, correlate and analyze this monitoring data with results from cybersecurity assessments.

#3. Machine Learning and Behavioral Analytics Will Finally Live Up to the Hype

More data to support decision-making is essential, but what do you do with all of that data? How do you prioritize it to gain meaningful insights? That’s where machine learning and behavioral analytics come in. Behavioral analytics combines machine learning with anomaly detection to predict, identify and manage low-probability/high-impact events such as unethical or fraudulent behavior.

In 2021, it will become the norm to consolidate vast swaths of data into single views. The result will be intelligence feeds that enable more meaningful and informed actions. One application will be to leverage behavioral analytics to spot outlier risks. For example, security and risk teams could use machine learning insights to associate vendor layoff announcements with increased insider risk – or correlate low financial scores with smaller cybersecurity investments. This kind of contextual analysis will enable organizations to more proactively anticipate and address threats.

#4. The Benefits of Third-Party Risk Management Will Spread Enterprise-Wide

There’s more to third-party risk management than cybersecurity assessments, and TPRM can benefit several teams outside of IT security. For example, according to the EY Global TPRM Survey 2019–20, 26% of respondents indicated that procurement has primary ownership over third-party risk management.

Here are a few of the roles that stand to benefit from third-party risk management in 2021:

  • Procurement managers can strengthen pre-contract due diligence with intelligence on vendor security, compliance, ethics and sustainability practices. They can also inform renewal discussions with SLA data and performance metrics. By centralizing all vendor data, TPRM platforms can also make it easier to manage, renew and terminate contracts.
  • IT security can determine whether suppliers maintain the controls and processes necessary to mitigate data breach risks.
  • Risk managers are able to correlate and analyze vendor risk data from a variety of sources, while coordinating risk reduction initiatives across internal departments.
  • Legal teams can review monitoring and performance data to inform contract terms, while getting the reports they need to demonstrate regulatory compliance.
  • Auditors can ensure that the business operates effectively and with integrity, including in its relationships with third parties.
  • Executives gain clear analysis and reporting to help them make better-informed, risk-based decisions for ensuring business continuity.

The right TPRM solution can bring these teams together by providing a central place for building and managing vendor profiles; accessing correlated cyber, business and financial risk intelligence; and collaborating with vendors on reducing risk at every stage.

Next Steps for 2021 TPRM Planning

Stay tuned for four more predictions coming next week. In the meantime, get a leg up on your 2021 TPRM plan with our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or assess your program using our online risk assessment calculator.

Want to know how Prevalent can help you tackle your specific TPRM challenges? Request a personalized demo.
