Digital Transformation – What It Means for Third-Party Risk and Compliance
October 22nd, 2020 • Kimberley Allan • Reading Time: 5 minutes
As companies begin to engage in digital transformation programs at pace, as a result of the Covid-19 pandemic, third-party risk management (TPRM) teams are considering how this will impact their organizations’ third-party relationships, and how their current approaches to TPRM may have to evolve.
Covid-19 has pressed the “fast forward” button on digital transformation within many organizations, as they seek to adopt technology solutions to the challenges the pandemic has created. Some 69% of board directors responding to one survey said that they are accelerating digital business initiatives in the wake of Covid-19. The same survey also found that 86% of respondents agree that technology has a transformational role in addressing strategic business priorities, and so most organizations are expecting to put in place a new “Chief Digital Officer” role to respond to the Covid-19 pandemic over the long term.
We have all experienced this move to the ‘virtual’ personally: more Zoom or Webex meetings, more work in collaborative tools such as Microsoft Teams and Slack, and even a complete shift to online industry conferences that traditionally would have been attended in person. It has had some ‘digital transformation’ impact on us all.
The impact of this acceleration of digital transformation on TPRM teams is multi-dimensional. These teams need to adapt their TPRM programs to the changes that Covid-19 and digital transformation are creating in their organizations, as well as in their third parties.
As a result, many TPRM teams are speeding up their own digital transformation programs. This blog looks at some important current trends in digital transformation for TPRM teams.
Relationships are going digital
Person-to-person engagement is going digital across the entire TPRM life cycle at an accelerated rate as a result of the Covid-19 pandemic. For example, a recent survey showed that almost 90% of B2B sales activities have moved to a videoconferencing (VC)/phone/web sales model. Going forward, B2B companies now see digital interactions as two to three times more important to their customers than traditional sales interactions. TPRM teams that may have used site visits in the past as part of their due diligence requirements, risk assessment process, or relationship audit procedures will need to consider alternative ways to gather the intelligence they need to properly evaluate the risk and control framework of the third parties they work with.
Digital transformation is boosting third-party numbers
Within many organizations, the changes wrought by digital transformation are expanding the number of third parties they are engaging with. A recent Ponemon Institute study showed that, since beginning the digital transformation process, organizations have seen, on average, a 15% increase in the number of third parties they are working with. This trend is set to continue as organizations increase their reliance on the cloud, outsourced IT platforms, cybersecurity specialists, and technology companies with specific skills or offerings that complement their own. Today, Aravo’s own annual benchmarking survey of TPRM shows that about a quarter of companies already work with between 500 and 4,999 third parties, and just under 20% work with more than 10,000. These larger numbers of third parties will bring more complexity to TPRM programs. For example, third parties helping deliver digital transformation for a company are likely to be focused on technology, and so they will require significant engagement around information security, cyber risk, and data privacy compliance.
Digital transformation increases certain risks
So, it’s little surprise that the pivot to digital transformation will change an organization’s risk profile. According to the Ponemon Institute study, “digital transformation increases the likelihood of a data breach or cyberattack.” The survey shows that 71% of C-level respondents and 67% of IT security respondents believe their organizations are much more vulnerable or somewhat vulnerable to a security incident following digital transformation. In the next two years, the top three threats organizations will be most concerned about as a result of digital transformation are system downtime, cybersecurity attacks, and data breaches caused by third parties. The survey also says that 82% of respondents believe they had a data breach because of digital transformation, and 55% say that at least one data breach was caused by a third party. Aravo’s own survey shows that 22% of respondents that had experienced an incident caused by a third party had experienced a data breach in the past 12 months. The need for robust TPRM programs that cover information security is greater than ever, but the Aravo survey shows that at least one-third of the companies surveyed are not actively managing cyber risk/information security risk, or data privacy risk.
Automation is accelerating
While digital transformation is propelling certain kinds of changes, Covid-19 is continuing to shape others. For example, the pandemic forced many employees to work from home for the first time, and surveys of C-suites are showing that for some the shift to remote working will become permanent. As a result, manual governance, risk and compliance (GRC) processes once conducted in an office, which perhaps relied on physical proximity to colleagues, now need to be transformed into digital ones. For TPRM teams, having a technology platform that can automate important TPRM processes in a collaborative way is now essential. Activities across the whole TPRM lifecycle – such as risk assessments, controls management and reporting – need to be digital so that everyone who needs access has that access, no matter what their geographical location is.
Continuous controls monitoring is growing in importance
In light of the trends towards more technology-based relationships and the need for automation, some organizations are adopting continuous controls monitoring, to complement risk assessments, due diligence activities, and on-site reviews, for example. Continuous controls monitoring can also be used to identify, monitor and manage the risks posed by remote-working employees of third parties – an emerging risk area that has developed as a result of Covid-19. Proactively monitoring third-party risks and controls can help identify which vendors are adapting to developments in their risk and control ecosystem, and which are not – potentially flagging third parties which may have difficulty over the medium-to-longer term. However, today ongoing monitoring of third parties remains the exception rather than the rule – 83% of respondents to Aravo’s survey are not conducting ongoing monitoring or due diligence of all their third parties at the moment.
AI and ML are providing early warnings
Artificial intelligence (AI) and machine learning (ML) are of growing importance for most organizations. In one survey, 74% of respondents agreed that AI will be integrated into all enterprise applications within three years, and 64% said that AI technologies enable them to establish a lead over their competitors. The same is true for TPRM, where AI and ML are being applied in a number of ways. For example, AI can provide the intelligence needed to augment human decision-making. The technology can help detect changes in a third party’s status, by combing through the significant volume of data out there on companies and flagging an alteration – such as being added to an anti-money laundering, bribery and corruption (ABAC) list, or experiencing a downtick in measures of financial viability. TPRM teams can then look at the information and make a decision about how the organization should respond. AI can even give a recommendation of the action to take (based on learning the decisions made by risk experts in the past), with an associated level of confidence. Similarly, AI and ML can be applied to continuous monitoring programs, to help flag to TPRM teams when controls are breached, and potentially provide additional data-driven insight about the breach. These kinds of TPRM use cases for AI and ML can help support greater agility and operational resilience within an organization.
Digital transformation is an opportunity for TPRM Teams
Importantly, digital transformation also creates opportunities for those in TPRM, compliance and risk. Remember that your functions should also be the beneficiaries of transformation investments. If you are relying on manual processes, bound to spreadsheets and lacking business process automation and critical risk intelligence data (such as ABAC, cyber health, financial health and so on), now is a good time to be making the investment case for technology and tools.
In summary, the 34% of TPRM teams that still rely on spreadsheets or manual processes to manage their programs are going to struggle in this new third-party ecosystem that is being shaped by digital transformation and Covid-19 simultaneously. It’s also worth noting that a third of respondents reported that they did not consider that their program had adequate funding for the people, tools, or innovation and continuous improvement necessary for the success of their programs. TPRM teams need to engage with their boards, their senior management teams, and their new Chief Digital Officers to explain the importance of a robust TPRM program for the success of both the organization’s response to Covid-19 and its own digital transformation journey.