Last week, when we revealed our initial set of predictions for Third-Party Risk Management in 2021, we acknowledged the impact of Covid-19 on global supply chains. Unfortunately, 2020 isn’t done teaching us lessons about the importance of TPRM, as the fallout from the SolarWinds breach continues to come to light.
If one thing is clear for the coming year, it’s that your organization will likely be more focused on getting ahead of vendor risk than ever before. Here are our final four predictions to help you lean into the challenge.
The supply chain disruptions of 2020 emphasized not only the need for agility in sourcing new vendors, but also the importance of evaluating risk as part of the sourcing process. Unfortunately, many organizations have traditionally found these two things to be at odds. It’s no wonder the EY Global TPRM Survey 2019–20 revealed that half of respondents don’t have an expedited process for pre-contract risk assessments.
The need for speed will still be strong in 2021, so the TPRM market will accelerate toward the network marketplace model. Under the network model, members can quickly search libraries of prospective vendors, see risk scores, and view completed risk assessments. Other aspects of the network model include:
The best networks are backed by experienced managed services teams who handle vendor onboarding, assessment, management and reporting on behalf of their customers.
Consider this scenario: Your company outsources manufacturing to a vendor whose parts supplier is in a location with a stay-at-home order, and the supplier’s products aren’t considered to be “essential.” Your vendor needs to quickly find an alternative, or you won’t be able to deliver to your customers.
Just about all supply chains have more than one “link.” If your risk evaluations only consider your organization’s immediate circle of vendors, then your visibility into supply chain threats is foggy at best.
You’re not alone. Our 2020 study, The Third Rail of Security & Compliance, found that 79% of respondents didn’t consider 4th-party risk. Furthermore, the EY study referenced above showed that 31% of respondents rely on contractual terms alone to address Nth-party problems. Contract language doesn’t keep a supplier’s supplier running: if one domino falls, they all go down.
This is all about visibility. Nth party mapping can discover potential deficiencies deep within the third-party landscape. This will become more prominent in 2021, as companies leverage operational resilience measures to predict potential disruptions before they become a reality.
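To make the "domino" point concrete, here is an added example (not Prevalent’s code or any real customer’s data) of what Nth-party mapping actually computes. It builds a small constructed supply-chain graph with hypothetical vendor names, assigns each supplier a tier by breadth-first search from your organization, flags deeper suppliers that several of your direct vendors share (concentration risk), and answers the stay-at-home scenario above: if a given Nth party goes dark, which of your tier-1 vendors are affected?

```python
from collections import deque

# Constructed example graph: organization -> its direct suppliers.
# All names are hypothetical; "acme" is your organization.
SUPPLY_GRAPH = {
    "acme": ["vendorA", "vendorB", "vendorC"],
    "vendorA": ["fab1", "logistics1"],
    "vendorB": ["fab1", "plastics2"],
    "vendorC": ["logistics1"],
    "fab1": ["silicon3"],
    "plastics2": ["resin3"],
    "logistics1": [],
    "silicon3": [],
    "resin3": [],
}


def map_tiers(graph, root):
    """Breadth-first search from root; returns {supplier: tier}.

    Tier 1 is a direct (third-party) vendor, tier 2 a 4th party, and so on.
    BFS reaches each node first along a shortest path, so the tier recorded
    is the shallowest one at which the supplier appears in your chain.
    """
    tiers = {}
    queue = deque((s, 1) for s in graph.get(root, []))
    while queue:
        node, tier = queue.popleft()
        if node in tiers and tiers[node] <= tier:
            continue  # already mapped at an equal or shallower tier
        tiers[node] = tier
        for supplier in graph.get(node, []):
            queue.append((supplier, tier + 1))
    return tiers


def dependents(graph, root):
    """For every supplier, the set of tier-1 vendors whose chain includes it."""
    result = {}
    for vendor in graph.get(root, []):
        stack, seen = [vendor], set()
        while stack:  # depth-first walk of this vendor's own supply chain
            node = stack.pop()
            if node in seen:
                continue  # handles shared suppliers and any cycles
            seen.add(node)
            result.setdefault(node, set()).add(vendor)
            stack.extend(graph.get(node, []))
    return result


def concentration_risks(graph, root, threshold=2):
    """Nth parties (tier 2+) on which at least `threshold` tier-1 vendors depend."""
    direct = set(graph.get(root, []))
    return sorted(
        node for node, vendors in dependents(graph, root).items()
        if node not in direct and len(vendors) >= threshold
    )


def impact_of_outage(graph, root, failed):
    """Tier-1 vendors you would lose if `failed` could not deliver."""
    return sorted(dependents(graph, root).get(failed, set()))


if __name__ == "__main__":
    print("tiers:", map_tiers(SUPPLY_GRAPH, "acme"))
    print("shared Nth parties:", concentration_risks(SUPPLY_GRAPH, "acme"))
    print("if silicon3 fails:", impact_of_outage(SUPPLY_GRAPH, "acme", "silicon3"))
```

In this constructed graph the single silicon supplier at tier 3 sits under two of the three direct vendors, which is exactly the exposure a contract with vendorA alone would never reveal. A real mapping exercise feeds this kind of traversal with the supplier lists collected during assessments rather than a hand-written dictionary.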
Many organizations struggle with spreadsheet-driven vendor assessment processes that require dozens of manual steps to understand and act on the results. That approach simply does not scale at a time when speed and resilience are such valuable commodities.
In 2021, organizations will mature their TPRM programs by using rules to comb through streams of vendor intelligence and trigger risk response activities. These rules will automate, simplify and speed onboarding, assessment and review tasks, such as updating vendor profiles and risk attributes, sending notifications, and/or activating workflows.
Playbook-style automation will reduce the time required to do everything from onboarding vendors and issuing assessments, to correlating the findings and activating remediation workflows. In short, you will be able to automate TPRM processes, so you can find and fix problems faster.
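The rule-driven pattern described in the two paragraphs above, as an added illustration (this is not Prevalent’s platform code; vendor names, event fields, scores and thresholds are all hypothetical). A stream of constructed vendor-intelligence events is run through a small rules table; each matching rule updates the vendor’s profile and risk attributes, queues a notification, or activates a named workflow, and duplicate intelligence is dropped so the same finding does not trigger remediation twice.

```python
from dataclasses import dataclass, field

# Constructed vendor intelligence events (hypothetical vendors and sources).
# The last event duplicates the second one, as overlapping feeds often do.
EVENTS = [
    {"vendor": "vendorA", "type": "breach_report", "severity": "high", "source": "news"},
    {"vendor": "vendorB", "type": "cert_expired", "severity": "medium", "source": "cert_monitor"},
    {"vendor": "vendorA", "type": "financial_downgrade", "severity": "medium", "source": "finance_feed"},
    {"vendor": "vendorC", "type": "assessment_due", "severity": "low", "source": "scheduler"},
    {"vendor": "vendorB", "type": "cert_expired", "severity": "medium", "source": "cert_monitor"},
]


@dataclass
class VendorProfile:
    name: str
    risk_score: int = 0
    attributes: dict = field(default_factory=dict)


@dataclass
class ProgramState:
    profiles: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)
    workflows: list = field(default_factory=list)   # (workflow name, vendor)
    seen: set = field(default_factory=set)          # dedup keys of processed events

    def profile(self, name):
        return self.profiles.setdefault(name, VendorProfile(name))


# Rule actions: each mutates the program state for the vendor named in the event.
def on_breach(event, state):
    p = state.profile(event["vendor"])
    p.risk_score += 40                      # hypothetical weighting
    p.attributes["breach_flag"] = True
    state.notifications.append(f"{p.name}: high-severity breach report, review now")
    state.workflows.append(("incident_review", p.name))


def on_cert_expired(event, state):
    p = state.profile(event["vendor"])
    p.risk_score += 15
    p.attributes["cert_status"] = "expired"
    state.workflows.append(("remediation_request", p.name))


def on_financial_downgrade(event, state):
    p = state.profile(event["vendor"])
    p.risk_score += 10
    p.attributes["financial_health"] = "downgraded"


def on_assessment_due(event, state):
    p = state.profile(event["vendor"])
    state.workflows.append(("issue_assessment", p.name))


# Rules table: (name, predicate over the event, action). Order is evaluation order.
RULES = [
    ("breach_escalation",
     lambda e: e["type"] == "breach_report" and e["severity"] in ("high", "critical"),
     on_breach),
    ("cert_expiry", lambda e: e["type"] == "cert_expired", on_cert_expired),
    ("financial", lambda e: e["type"] == "financial_downgrade", on_financial_downgrade),
    ("assessment_due", lambda e: e["type"] == "assessment_due", on_assessment_due),
]


def tier_for(score):
    """Hypothetical score-to-tier bands used to set the vendor's risk attribute."""
    if score >= 50:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 10:
        return "moderate"
    return "low"


def process(events, rules=RULES, state=None):
    """Run every event through the rules table, then re-tier each vendor."""
    if state is None:
        state = ProgramState()
    for event in events:
        key = (event["vendor"], event["type"], event["source"])
        if key in state.seen:
            continue                        # same finding already acted on
        state.seen.add(key)
        for _name, predicate, action in rules:
            if predicate(event):
                action(event, state)
    for p in state.profiles.values():
        p.attributes["tier"] = tier_for(p.risk_score)
    return state


if __name__ == "__main__":
    result = process(EVENTS)
    for p in result.profiles.values():
        print(p)
    print(result.workflows)
```

The dedup key here is deliberately coarse (vendor, event type, source); a production rule engine would key on the finding itself so that a certificate that expires again next year is still acted on. The point is that onboarding, assessment and review tasks become rules you can read and test rather than steps a person repeats in a spreadsheet.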
There’s no shortage of regulatory requirements governing the use of third parties, but the United States still doesn’t have a unified data protection law akin to GDPR. Instead, the U.S. currently relies on a patchwork of state-level data breach notification laws and data protection requirements (e.g., CCPA and CPRA in California).
Next year will bring a new administration to the White House and leaner majorities in Congress—perhaps easing some legislative gridlock. These changes, combined with intensifying cybersecurity concerns at the national level, may mean that 2021 will be the year where the U.S. finally enacts a single law governing the use of personal data.
The implications of such a law are significant if your organization works with third parties that have access to your customer data. As the U.S. moves toward a single data privacy law, you should be prepared to answer three fundamental questions, and to show auditors the proof:
Of course, ensuring data privacy goes beyond third-party risk management. But if you can’t answer these basic questions, then your organization will likely fall short of any new mandates.
If you’ve skipped ahead, then be sure to check out our first four predictions for 2021. If you’re all caught up, then check out our best practices guide, Five Steps to Proactive Third-Party Risk Management, or assess your TPRM program using our online risk assessment calculator.
Want to know how Prevalent can help you tackle your specific TPRM challenges? Request a personalized demo.
We wish you a happy, safe and secure 2021!