2023 EY Global Third-Party Risk Management Survey highlights growing demand for data-driven third-party risk assessment across sectors.
- Organizations with centralized third-party risk management report business benefits, including faster control assessments and better understanding of risk.
- Organizations are integrating environmental, social and governance criteria into third-party risk programs, but this is an evolving area.
- All organizations can gain additional resiliency by implementing available technology and tried-and-true practices to their third-party risk management.
The value of third-party risk management (TPRM) is underscored by the results of the EY 2023 Global Third-Party Risk Management Survey. Nine in 10 respondents say their organization has directly invested in their TPRM program. Those that have report a better understanding of risk and optimized capabilities and effectiveness.
Companies recognize that each third-party relationship brings potential risk, said Joseph Kelly, EY Oceania Third-party Risk Leader. “The only way to completely zero out your third-party risk is to not work with third-parties, but that’s not going to happen. So it’s more about, ‘How do you identify, manage and mitigate?’ We’re moving from the era of just identification into management and mitigation.”
While some organizations rely on email questionnaires, manually updated spreadsheets and sample data to track third-parties, many organizations are turning toward a centralized and data-driven approach to support strategic risk management decisions. They want to capture a sophisticated picture of overall risk and use additional capabilities, such as automation and external reports, that deliver real-time information.
Using this approach, leading organizations are now able to test thousands of third-parties, rank them across risk domains for criticality, and then develop a focused response, said Scott McCowan, EY Americas Risk Management Leader. “As companies continue to lean into their third-party network, a data-driven approach to screening allows for better coverage, real-time data, continuous monitoring and targeted assessment activities.”
While TPRM programs have traditionally been driven by regulatory pressures, other forces — such as data breaches, supply chain disruptions and board pressures — have emerged as additional drivers for TPRM program investment in recent years, said Kanika Seth, EY Global Financial Services Third-Party Risk Leader. Survey respondents ranked cybersecurity and digital risk as the top risk domains included in their risk inventory reporting, followed by strategic risk, financial viability risk and environmental, social and governance (ESG) and sustainability risk. Organizations are also re-examining risk governance and integrating ESG commitments into third-party risk assessments.
The next opportunity is to turn TPRM into a strategic enabler, Kelly added. “Organizations have been sitting on a rich bed of data.”
The only way to completely zero out third-party risk is to not work with third-parties. So it’s more about, ‘How do you identify, manage and mitigate?
Joseph Kelly – EY Oceania Third-Party Risk Leader
In collaboration with Oxford Economics, EY teams interviewed more than 500 institutions to understand how organizations manage third-party risks embedded in their network of suppliers, external business relationships and other types of third-party interactions.
The survey covers a range of topics, including organization, non-traditional third parties, due diligence and ongoing monitoring, data and technology, costs and investments, risk tiering, TPRM maturity, customer response and resiliency.
The 50-question survey was answered anonymously, and the EY organization was not identified as the sponsor.
Participants were split representatively across various sectors, including banking and capital markets, consumer products and retail, financial services, government and public health care, insurance, power and utilities, professional services, technology and wealth and asset management.
The organizations have more than US$250 million in revenue.
- Seventeen percent of organizations are listed in the Fortune 500.
- Companies are headquartered in Australia, Canada, China, France, Germany, India, Italy, Japan, the Nordics, Singapore, Spain, the UK and the US.
- Less than one-third of survey participants have run a TPRM program for longer than five years.
Chapter 1: Centralize TPRM has Clear Advantages
Centralization, risk tiering, technology and external support are attempts to strengthen TPRM.
A centralized risk management approach provides complete, more accurate data and improved program communications. In all, 90% of organizations are moving toward centralized risk management, up from 85% in our survey from the prior year. Among those surveyed, 54% of organizations use centralized risk management (down 6% from 2021), 36% use a hybrid approach (up 11% from 2021), and 10% use a decentralized program (compared with 12% in 2021). Financial services are a step ahead. Financial services organizations are more likely to use a centralized TPRM program structure (62% compared with 46% of non-financial services and 54% of respondents overall).
Organizations with centralized TPRM structures manage almost twice as many third-parties effectively as their counterparts with hybrid TPRM structures. They have a better understanding of the correlating risks and mitigating measures. They are also able to perform control assessments faster than those with decentralized models: 64% of those with centralized risk structures can perform control assessments in 31 to 60 days. Only 43% of organizations with hybrid structures are able to say the same. For organizations with a hybrid model, about half say they are completing their assessments in 61 to 90 days.
Chapter 2: ESG Risks Conversations are Evolving
Environmental, social and governance commitments and risk management extend to third-parties.
ESG commitments are a developing area of third-party risk management.
Most organizations (54%) report that they include ESG in risk inventory reporting. Their top priorities include compliance with local regulations, corporate responsibility and stakeholder expectations. Nearly one-third (32%) include clauses requiring third-parties to comply with their own ESG policies and regulations, and 23% said if a key supplier did not meet their ESG requirements, they would stop working with that supplier.
“In order for organizations to have a robust ESG program, their ESG commitments need to extend into their third-parties as well,” said Michael Giarrusso, EY Americas FSO Third-Party Risk Leader. “They need to make sure that they are performing proper due diligence of their third-parties to confirm that they are in line with their own strategic goals from a sustainability and social justice perspective.”
These commitments can cause conflicting views. In our EY Global Board Risk Survey 2021, although 33% of boards expected climate change to impact their businesses, survey respondents still only ranked it as their ninth most important risk. “Organizations are facing challenges with their identity — not only what they want to represent as a company, but also how they want to measure, monitor, track and report against that commitment,” said Chris Watson, EY Americas Risk and Supplier Services Leader.
In order for organizations to have a robust ESG program, their ESG commitments need to extend into their third-parties.
Michael Giarrusso – EY Americas FSO Third-Party Risk Leader
Chapter 3: Resiliency and TPRM
Organizations rely on risk tiering and technology to better understand third-party risk posture.
As companies focus on their own resilience, the resilience of their third-parties is a high priority. Companies are building resiliency by maintaining an integrated resiliency plan, conducting internal resiliency testing and performing scenario analysis, exit strategies, contingency plans and business continuity plans. Organizations also use risk tiering to zero in on critical third-parties and separate them for additional monitoring activities.
Most organizations surveyed ask more than 100 questions on their control assessments, and nearly half (48%) of organizations have exit strategies or contingency plans for high-risk third-parties. However, that means that more than half are unprepared.
“Having a strong third-party program can support resiliency, but it needs to be intentional,” Giarrusso said. “Make sure that you’re identifying those third-parties that are supporting critical business processes and then have plans in place — whether it’s contingency or exit strategies — for those third-parties in the event of a business disruption.”
Organizations are seeking smarter ways to understand risk by using external resources and embedding technology, automation and external data into their risk reporting process, Kelly said, noting that 63% of organizations plan to integrate external data providers and automation to better manage inherent risk assessments in the next two to three years.
Chapter 4: Seven Leading Practices for Third-Party Risk
Organizations need to put foundational TPRM components in place to build a robust program.
Here is what your organization can do to better prepare for third-party risks:
- Define objectives and scope – To build a successful TPRM program and operational resilience, organizations should consider aligning their plans to an existing operational resilience framework, such as the Digital Operational Resilience Act, NIS2 Directive and the UK Operational Resilience Framework. These frameworks set criteria and expectations for cybersecurity, information technology, third-party dependency management and business continuity planning and testing. Perform an impact assessment and gap analysis against the currently proposed drafts.
- Fully understand, document and maintain your third-party inventory
- Develop policies and procedures – Lack of coordination between internal stakeholders was cited as the biggest pain point for organizations.
- Enhance ongoing monitoring – While initial due diligence is vital, more robust ongoing monitoring of third-parties enables more dynamic risk reporting.
- Establish a governance structure – Regardless of ownership, TPRM requires input from multiple functions and teams, making well-defined governance crucial. It is recommended to have a consistent global policy with local addendum for multi-jurisdictional organizations.
- Implement technology and automation – TPRM programs that integrate automation and external data providers into the supplier lifecycle and embed cross-functional workflows, e.g., procurement, cyber risk, resiliency, are more effective in managing third-party risk and reporting to senior leadership.
- Streamline customer experience – More than half (54%) of organizations send one aggregated/centralized questionnaire, while 46% send multiple questionnaires from different risk domains.
Additional contributors include Harald deRopp, Asia-Pacific (Japan) Third-Party Risk Leader; Joseph Kelly, EY Oceania Third-Party Risk Leader; Scott McCowan, EY Americas Risk Management Leader; and Chris Watson, EY Americas Risk and Supplier Services Leader.
Summary
Third-party risk management increases resiliency and has the potential to become a strategic business tool. While organizations are aware of the advantages, establishing and developing an effective TPRM program presents difficulties.
Leading organizations are making efforts to advance their TPRM programs by attempting to get a better picture of overall third-party risk, tiering risk according to critical needs and adding more TPRM reporting and resourcing capabilities. To increase efficiency and enable more strategic risk management decisions, organizations are evaluating emerging risks and impacts on their third-party and risk governance and continuing to use centralized and hybrid risk-management programs.
The article was first published here.
Photo by Tamanna Rumee on Unsplash.
Related Stories
5.0 
9 Read
How Tax Governance Can Help Businesses Manage Risks Today and Beyond
10 November 2023
