Revamping Third-Party Risk Management in 2021: Part II

Vendor risk continues to be in the spotlight as 2020 comes to an end. Here’s the second half of our predictions for 2021.
December 17, 2020

Last week, when we revealed our initial set of predictions for Third-Party Risk Management in 2021, we acknowledged the impact of Covid-19 on global supply chains. Unfortunately, 2020 isn’t done teaching us lessons about the importance of TPRM, as the fallout from the SolarWinds breach continues to come to light.

If one thing is clear for the coming year, it’s that your organization will likely be more focused on getting ahead of vendor risk than ever before. Here are our final four predictions to help you lean into the challenge.

#5. Vendor Risk Evaluations Will Get Faster

The supply chain disruptions of 2020 emphasized not only the need for agility in sourcing new vendors, but also the importance of evaluating risk as part of the sourcing process. Unfortunately, many organizations have traditionally found these two things to be at odds. It’s no wonder the EY Global TPRM Survey 2019–20 revealed that half of respondents don’t have an expedited process for pre-contract risk assessments.

The need for speed will still be strong in 2021, so the TPRM market will accelerate toward the network marketplace model. Under the network model, members can quickly search libraries of prospective vendors, see risk scores, and view completed risk assessments. Other aspects of the network model include:

  • A standards-based approach that compares all vendors against the same criteria
  • Real-time cyber, business and financial monitoring insights that augment results from periodic vendor assessments
  • Flexibility to request assessments for specialized risk concerns
  • Clear reporting and analytics to measure risk and compliance
  • Workflow management to tie everything together

The best networks are backed by experienced managed services teams who handle vendor onboarding, assessment, management and reporting on behalf of their customers.

#6. TPRM Programs Will Extend Beyond the Third Party

Consider this scenario: Your company outsources manufacturing to a vendor whose parts supplier is in a location with a stay-at-home order, and the supplier’s products aren’t considered to be “essential.” Your vendor needs to quickly find an alternative, or you won’t be able to deliver to your customers.

Just about all supply chains have more than one “link.” If your risk evaluations only consider your organization’s immediate circle of vendors, then your visibility into supply chain threats is foggy at best.

You’re not alone, either. Our 2020 study, The Third Rail of Security & Compliance, found that 79% of respondents didn’t consider 4th party risk. Furthermore, the EY study referenced above showed that 31% of respondents rely on contractual terms alone to manage Nth party problems. If one domino falls, then they all go down.

This is all about visibility. Nth party mapping can discover potential deficiencies deep within the third-party landscape. This will become more prominent in 2021, as companies leverage operational resilience measures to predict potential disruptions before they become a reality.

On-Demand Webinar: 2021 Trends in Third-Party Risk Management

This webinar, presented by Michael Rasmussen, examines how to improve integrity, resilience, and proper governance over your third-party risk management program.

#7. Risk Response Will Become Increasingly Automated

Many organizations struggle with spreadsheet-driven vendor assessment processes that require dozens of manual steps to understand and act on the results. This approach simply isn’t scalable at a time when speed and resilience are such valuable commodities.

In 2021, organizations will mature their TPRM programs by using rules to comb through streams of vendor intelligence and trigger risk response activities. These rules will automate, simplify and speed onboarding, assessment and review tasks, such as updating vendor profiles and risk attributes, sending notifications, and/or activating workflows.

Playbook-style automation will reduce the time required to do everything from onboarding vendors and issuing assessments, to correlating the findings and activating remediation workflows. In short, you will be able to automate TPRM processes, so you can find and fix problems faster.
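To make the rules-driven model concrete, here is an added example (constructed for this article, not Prevalent’s code) of a minimal rule engine: it reads a stream of vendor intelligence events, fires rules, and turns them into the three kinds of response the text names (risk attribute updates, notifications, workflow activation). The vendor names, event fields and rule thresholds are all assumed sample values.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample stream of vendor intelligence events (fictional vendors).
EVENTS = [
    {"vendor": "Acme Parts Co", "type": "cyber_monitoring", "score": 42, "prev_score": 78},
    {"vendor": "Acme Parts Co", "type": "assessment_complete", "critical_findings": 3},
    {"vendor": "Beta Logistics", "type": "financial_monitoring", "rating": "watch"},
    {"vendor": "Gamma Cloud", "type": "cyber_monitoring", "score": 91, "prev_score": 89},
]

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    actions: list  # "attr:<key>=<value>", "notify:<role>" or "workflow:<name>"

# Assumed thresholds: a 20-point cyber score drop, any critical finding,
# or a financial "watch"/"distressed" rating each warrant a response.
RULES = [
    Rule("cyber-score-drop",
         lambda e: e["type"] == "cyber_monitoring"
         and e.get("prev_score", e["score"]) - e["score"] >= 20,
         ["attr:cyber_tier=high", "notify:vendor_owner", "workflow:expedited_reassessment"]),
    Rule("critical-findings",
         lambda e: e["type"] == "assessment_complete" and e.get("critical_findings", 0) > 0,
         ["notify:security_team", "workflow:remediation"]),
    Rule("financial-watch",
         lambda e: e["type"] == "financial_monitoring" and e.get("rating") in ("watch", "distressed"),
         ["attr:financial_tier=elevated", "workflow:continuity_review"]),
]

def evaluate(events, rules=RULES):
    """Run every event through every rule; return (vendor, rule name, actions) for each hit."""
    return [(e["vendor"], r.name, r.actions) for e in events for r in rules if r.condition(e)]

def apply_actions(triggered):
    """Fold fired rules into per-vendor profile updates, notifications and workflow activations."""
    profiles = {}
    for vendor, rule, actions in triggered:
        p = profiles.setdefault(vendor, {"risk_attributes": {}, "notifications": [], "workflows": []})
        for action in actions:
            kind, _, arg = action.partition(":")
            if kind == "attr":
                key, _, value = arg.partition("=")
                p["risk_attributes"][key] = value
            elif kind == "notify":
                p["notifications"].append(f"{rule} -> {arg}")
            elif kind == "workflow":
                p["workflows"].append(arg)
    return profiles
```

Running `apply_actions(evaluate(EVENTS))` leaves Gamma Cloud untouched (its score rose) while Acme Parts Co is re-tiered, its owner and the security team are notified, and two workflows are queued; in practice the same loop would be fed by live monitoring rather than an inline list.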

#8. The United States Will Enact a Federal Data Protection Law

There’s no shortage of regulatory requirements governing the use of third parties, but the United States still doesn’t have a unified data protection law akin to GDPR. Instead, the U.S. currently relies on a patchwork of state-level data breach notification laws and data protection requirements (e.g., CCPA and CPRA in California).

Next year will bring a new administration to the White House and leaner majorities in Congress—perhaps easing some legislative gridlock. These changes, combined with intensifying cybersecurity concerns at the national level, may mean that 2021 will be the year where the U.S. finally enacts a single law governing the use of personal data.

The implications for such a law are significant if your organization works with third parties that have access to your customer data. As the U.S. moves toward a single data privacy law, you should be prepared to answer three fundamental questions—and demonstrate the proof to auditors:

  1. Where is sensitive data stored, who has access to it, and how is it shared?
  2. What controls are in place to protect sensitive data residing in-house or with third parties?
  3. How does your privacy program relate to your third-party risk management program?

Of course, ensuring data privacy goes beyond third-party risk management. But if you can’t answer these basic questions, then your organization will likely fall short of any new mandates.

Next Steps for 2021 TPRM Planning

If you’ve skipped ahead, then be sure to check out our first four predictions for 2021. If you’re all caught up, then check out our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or assess your TPRM program using our online risk assessment calculator.

Want to know how Prevalent can help you tackle your specific TPRM challenges? Request a personalized demo.

We wish you a happy, safe and secure 2021!
