Less than Half of Organizations Report Tracking Non-Cyber Security Reputation Risks

Editor's note: This article was originally published on ContinuityCentral.com.

A new report from Prevalent, ‘2021 Third Party Risk Management Study: Looking Beneath the Cyber Risk Surface’, provides insights into current trends, challenges, and initiatives impacting third-party risk management practitioners worldwide. The findings clearly illustrate that most companies are missing key risks at more than one stage of the vendor risk lifecycle, yet few are expanding their third party risk management (TPRM) programs to address these risks.

Key findings from the study include:

83 percent of companies report increased focus on third-party risk due to COVID-19, yet only 40 percent are expanding their programs: COVID-19 was the biggest event of 2020, increasing organizational focus on third-party risk management for 83 percent of companies. Yet, only 40 percent of study respondents report expanding their TPRM programs as a result. More concerning is that 44 percent of companies report not actively tracking supply chain risks, which were the primary pandemic-related third-party risk management impact.

Fewer than half of companies are actively tracking non-cyber security reputational risks: because IT and security teams own third-party risk management in 50 percent of companies, and likely due to increasing numbers of damaging third-party data breaches, the study illustrates that cyber security risks are getting the most attention. However, study respondents admit they should be tracking risks such as SLAs and performance (47 percent), geo-political (47 percent), labor standards (45 percent), environmental (45 percent), human rights, trafficking and slavery risks (40 percent), and ABAC (39 percent). Not tracking these types of risks can open an organization up to reputational damage.

50 percent of companies don’t have the pre-contract due diligence necessary to effectively evaluate potential vendors: more than 50 percent of respondents indicated that the biggest challenge they face in third-party risk management is not having enough pre-contract due diligence to identify potential vendor risks. More alarming is that 59 percent indicate they are not actively assessing third-party risks during the offboarding stage of the vendor lifecycle. Organizations are missing critical risks at multiple stages of the third-party lifecycle.

Only 22 percent of companies involve procurement teams in third-party risk management: 55 percent of organizations saw an increase in third-party risk management ownership by security over the past year, yet only 22 percent of companies are seeing an increase in ownership by procurement teams, meaning that important ESG, ABAC, and vendor financial risks typically required by these teams to properly assess vendors may not getting the attention they require.

65 percent of companies are not satisfied with spreadsheets: 42 percent of respondents said they assess their third parties using spreadsheet-based questionnaires and 65 percent of these respondents are either unsatisfied or neutral with this approach.

The results of the study demonstrate that IT security and business teams need to collaborate more closely to identify and mitigate more types of risks at all stages of the third-party lifecycle. The report concludes with the following recommendations for unifying IT security and business for better outcomes from onboarding to offboarding:

• Expand assessments beyond cyber security to include reputational and vendor financial information, helping to create a more holistic vendor risk profile.
• Bridge the gap between Business and IT with a unified strategy for addressing risks spanning the organization.
• Manage risk at every step of the third-party lifecycle, starting with more complete pre-contract due diligence and ending with secure vendor offboarding.
• Outsource the time-consuming work to the experts, leaving your team to focus on risk remediation and management.