How To Build a Business Case for Better Third-Party Risk Management

October 2nd, 2020 posted by Aravo Reading Time: 5 minutes

Third-party risk management (TPRM) teams are often challenged by the business to come up with the ROI for program improvements, such as additional resources, tools, and technology.

Often ROI may be presented in the framework of overall efficiencies gained (for instance using an automated platform like Aravo can reduce onboarding time by more than 81% or accelerate assessment cycles by more than 70%). But that’s not the complete picture. And if your senior management and boards are focused on efficiencies and ‘cost-cutting’ alone, they are missing one of the most important and compelling value-cases for TPRM – which is the protection and resilience it delivers to the business.

And here’s the case: recent research[1] has suggested that TPRM program maturity appears to play an important role in protecting the organization against the damage associated with incidents caused by third parties. Markedly so.

Incidents are more likely to result in business and/or reputational damage in immature programs

While third-party related incidents are fairly equally spread across mature and immature programs, the impact (or consequences) of those incidents is not.

Third-party related incidents that could damage the business and/or its reputation are common. More than half (59%) of respondents who had insight said that they had experienced incidents associated with a third party that caused, or had the potential to cause, business disruption and/or reputational damage in the prior 12 months.


This differentiation between ‘caused’ and ‘had the potential to cause’ is important.

The research showed a much larger proportion of incidents that caused damage among those with immature programs. Incidents were more likely to cause significant business disruption or reputational damage in immature (Ad-hoc – Fragmented) programs: 71% of responses noting an incident that caused significant damage came from respondents who reported that their programs were immature, compared to just 18% from mature (Integrated – Agile) programs.

Incidents were also more likely to cause some business disruption or reputational damage in less mature programs (63%) than in mature programs (15%).


This suggests that mature programs help protect the business against incidents actually translating into damage. This could be through recognizing the incident sooner, combined with a faster ability to put remediation plans into action.

Now let’s take a look at the types of events. The most common forms of third-party incidents were related to performance (45%), data breaches (22%), regulatory compliance (21%), and cybersecurity incidents (18%), such as hacking or malware.

This is also interesting in that there is a wide range of incidents in which third-party failures have impacted the business – not just those that tend to catch the headlines, like data breaches.


These are all important data points for third-party risk managers looking to build an internal business case for the value of a robust and mature program. Considering that the average cost of a data breach is $3.92 million and the average size of an FCPA enforcement action in 2019 was $208 million (in fines alone), this should provide companies with an incentive to invest in maturing their programs.

But it’s not just the ability to respond to incidents and remediate them in a more effective manner internally that’s important. There’s also the view of the regulators to take into account. Regulators are going to look at your programs, their effectiveness, and the measures you have taken to respond to and manage risk. If you have an ad-hoc approach and poor controls in place, they are going to take a much more punitive approach than if you have done everything within your control to ensure you and your third parties were compliant.

Third-party risk management is like a good insurance policy

So, with this in mind, it is useful to think about third-party risk management as a good insurance policy.

Companies that operate their businesses without proper third-party risk management and compliance practices are held to account by the regulators, and you need only to read the DOJ FCPA enforcement press releases to see the evidence of this. Those organizations that do not have proof of any program can expect regulators to come down harder and apply a greater magnitude of fine. These organizations are held up as public examples of what not to do. This is embarrassing and financially brutal to these businesses and their executives.

So, efficiency improvements are great and, yes, they are measurable. However, the real benefits lie in avoiding the damaging impact of third-party incidents and the far-reaching consequences faced by companies that don’t have holistic programs in place to effectively identify, manage, and mitigate their risk.

Read the full 64-page survey report – designed to help you benchmark and build a business case for a mature third-party risk management program.


[1] ‘Mind the Gap – Where Third-Party Risk Management Programs Fall Short. Results of the 2020 Benchmarking Survey’. Published by Aravo and Compliance Week.
