Risk Prediction: The Rise in Importance of TPRM Risk Intelligence
June 14th, 2023 • Hannah Tichansky
In a recent Aravo benchmarking survey, approximately 90% of respondents reported that their organization had experienced at least one incident related to third parties that either did or could have led to business disruption or reputational damage. This is up from 59% in 2020, and 75% in 2019. This is compounded by the fact that a greater number of organizations are working with more than 500 third parties, and a quarter work with more than 10,000 third parties, expanding the threat landscape.
The need for true third-party risk intelligence, data that provides companies with important insights into risks, is accelerating. As the third-party risk management (TPRM) discipline evolves, regulators, investors, and other stakeholders want to know that organizations are managing risks and are resilient in the face of change. Organizations need the ability to quickly detect and respond to changes in the risk profiles of their third parties.
Evolving TPRM, Evolving Needs
In the past, third-party risk data was usually accessed and managed manually through spreadsheets and emails. Even just a decade ago, the kinds of vendor information that could be examined would have been fairly limited, such as just financial information or a quick online search to confirm a few data points.
Today, all that has been changing. There is a new understanding of the potential sources of risk that third-party relationships can pose and the ways a loss event can happen. In addition, new kinds of risks have emerged, such as increased cyberattacks and ESG-related penalties.
Benefits of Incorporating TPRM Risk Intelligence
As a result of evolving risks, the kinds and timeliness of data that are available for TPRM programs have grown, giving organizations the intelligence to manage these risks with agility. Utilizing TPRM risk intelligence and screening techniques helps organizations ensure they are partnering with companies that align with their goals and values, as well as better manage operational, financial, regulatory, reputational, and cyber risks associated with doing business with third parties.
In addition to detecting threats early, risk intelligence can also help organizations stay up to date on changing regulations related to third parties so they can remain compliant with legislation. This data helps organizations stay on top of this changing compliance landscape, while also providing transparency into their processes and extended enterprise. This visibility is becoming a requirement from regulators and external stakeholders, and having this data housed in an easy-to-navigate platform makes this process more efficient and accessible via audit trails.
Risk assessments are also a critical component of a good TPRM program. A risk assessment is a short questionnaire that helps you understand an area of risk associated with your third-party engagement. These can cover anything from ABAC or ESG risks to data privacy concerns, financial health, concentration or reputation risk, and more. Yet, just as vendors and their risks are constantly changing, so too should your risk assessment, as its data is only accurate for so long. TPRM risk intelligence helps manage the frequency and status of your third parties’ risk assessments, allowing them to be updated to incorporate real-time risk data.
Exploring TPRM Risk Intelligence
So, what kinds of third-party risk intelligence can be integrated into a TPRM program’s technology platform today? Understanding the types of data is an important first step in seeing the possibilities of this approach. Key data types include:
Financial Performance and Health Ratings:
Understanding how well, financially speaking, a third party is managed is essential information. For example, signs of financial difficulties, such as late payments, can signal increased risk in the relationship. The sooner this is flagged, the more quickly the issues can be examined and managed.
Environmental, Social, and Governance (ESG) data is relatively new to many third-party risk programs. However, ESG investing is gaining ground fast, and some jurisdictions are implementing explicit ESG reporting. Working with ethical vendors is very important – monitoring for ESG issues is becoming a new essential, and these types of risk intelligence companies provide real-time ESG ratings.
95% of organizations rely on risk intelligence for at least one risk domain, but, alarmingly, only 38% of respondents leverage cybersecurity ratings.
Intelligence about the information security performance of third parties is available through risk intelligence technology and is critical to avoiding major breaches that have plagued industries in the last several years. These companies continuously update cyber ratings on the companies they follow using externally observable data to assess cyber risk.
Alterations in geography, ownership, and board membership, all information that can be gleaned from corporate filings, can signal a change in risk profile or risk ratings. This type of TPRM risk intelligence helps you prioritize which vendors have risks or issues that need to be addressed first, and which vendors (or potential vendors) do not pose a threat to your TPRM program.
Today, there is a wide range of different kinds of financial crime that must be evaluated as part of any third-party relationship. These include anti-money laundering (AML), anti-bribery and corruption (ABAC), and economic sanctions. The cost of getting these wrong can be significant financial and reputational damage.
In today’s fast-paced world, reputational damage can be inflicted overnight. So, it’s important to keep on top of what’s being said about third parties, but this is very difficult to achieve manually. Companies like this provide reputational risk information, derived from social media sentiment, on third parties.
Types of TPRM Risk Intelligence You Can Start Implementing
Risk intelligence providers can help you detect and manage a variety of risks, but the “secret sauce” to TPRM intelligence is how this data is embedded into your third-party relationship lifecycle within your TPRM platform so that the information is flowing in real-time into the right places. This includes workflows, dashboards, and reports. This intelligence is useful in many stages of the third-party relationship, including:
TPRM intelligence, through automated data feeds, can enable risk professionals to complete research and analysis of potential vendors much more quickly than through manual methods. Automated lists of vendors that the organization has decided not to engage with can also be created and kept current through automated feeds.
Continuous/Ongoing Monitoring and Vendor Due Diligence:
Only 4% of organizations conduct ongoing monitoring/due diligence of their third parties… this lack of oversight could expose organizations to serious risks. Commonly monitored risk domains like cybersecurity, financial viability, and adverse media can change quickly. Without ongoing monitoring, these organizations could be blindsided by business disruption, regulatory findings, and/or reputational damage.
TPRM risk intelligence feeds can be set up to detect changes in a vendor’s risk status, triggering workflow actions. For example, an alert can be sent out to specific individuals in the organization if a vendor’s information security score drops below a certain threshold.
Keeping track of risks within fourth parties, fifth parties, and so on, is nearly impossible to achieve manually and risks can stay hidden until they bite back. The scope of the work required is just too great without an automated platform. TPRM intelligence can make fourth parties more discoverable and also flag fourth-party risks.
Our Risk Intelligence Partners
Manual approaches to TPRM are no longer cutting it. Automated data feeds can power a whole new approach to TPRM intelligence, enabling organizations to recognize risk sooner and respond with increased operational resilience.
Aravo has embraced the need for better management of the extended enterprise that is TPRM and has aligned with a diverse range of consulting, outsourcing, and third-party risk intelligence providers that can help support the success and growth of programs. Featured TPRM risk intelligence partners include:
Black Kite: Black Kite is committed to improving the health and safety of the entire planet’s cyber ecosystem with the industry’s most accurate and comprehensive cyber intelligence. Black Kite provides standards-based cyber risk assessments that analyze your supply chain’s cybersecurity posture from three critical dimensions: technical, financial, and compliance.
Dun & Bradstreet: Aravo has partnered with D&B to enrich and validate Aravo’s single source of truth for trading partner information for timely and complete supplier visibility that drives down costs and improves operating efficiency.
Supply Wisdom: Supply Wisdom’s always-on monitoring solution provides the most comprehensive real-time risk intelligence and triggers automated risk actions, so companies always have a clear picture of all risks and an efficient solution for swift mitigation.