TPRM Benchmarking Survey Highlights: Insights into Third-Party Risk Trends

May 5th, 2022 Hannah Tichansky Reading Time: 5 minutes
Blog - Black binocular on round device 63901 - FI

Last week we released our annual Aravo TPRM benchmarking survey! Our 2021 survey, Gaining Clarity: A Better Line of Sight Into Third-Party Risk, takes the latest in third-party risk management (TPRM) practitioner insights to help organizations better understand the state of TPRM programs today, top risks, internal program challenges, and more.

About the TPRM Benchmarking Survey

This is the fourth year of our TPRM Benchmarking Survey. This survey, based on responses from over 100 risk and compliance professionals, analyzes TPRM trends, providing important data points that will help firms benchmark their programs. It’s a great resource to help identify emerging best practices and further mature TPRM programs.

White Paper - Gaining Clarity: A Better Line of Sight into Third-Party Risk - Cover

This survey is Aravo’s first to be fully conducted during the COVID-19 pandemic, and this played a key role in questions and responses seen throughout the study. Related increases in incidents like cybersecurity breaches were also noted, more-so than others conducted in past years. We encourage you to download and read the full survey to get a better line of sight into third-party risk!

Incidents and Maturity: The TPRM Connection

The alarming volume of third-party incidents that cause reputational damage should be a major concern for TPRM programs and business leaders.

An overwhelming 90% of respondents reported that their organization had experienced at least one incident related to a third party that either did or could have caused business disruption and/or reputational damage.

90% of companies experienced an incident associated with a third party in the last 12 months.

Program maturity plays a huge role in the ability to prevent incidents. Mature programs take a holistic, integrated approach across multiple risk domains and have developed the agility to respond effectively when new risks and requirements emerge. It is telling that none of the respondents who had experienced business disruption or reputational damage were at the highest (Agile) level of program maturity.

Conversely, 80% of organizations that experienced an incident that resulted in a significant disruption or loss were low maturity (Ad Hoc or Fragmented).

TPRM benchmarking survey- TPRM maturity results
80% of organizations that experienced an incident that resulted in a significant disruption or loss were at low TPRM program maturity (Ad Hoc or Fragmented).

The survey results also tell us that there are still significant opportunities for TPRM programs to invest in improvements in their due diligence and hopefully experience fewer incidents. Only a handful of key risk areas were managed by more than half of the respondents.

The Risky Business of Cyber Risk

Overall, our survey found that TPRM programs are not adequately managing the cybersecurity risk in their third-party ecosystems, despite an increase in incidents.

In 2020 and 2021, many high-profile cybersecurity incidents threatened company operations. These included SolarWinds, potentially exposing thousands of organizations, including the US federal government, as well as a ransomware attack on Colonial Pipelines, which created fuel shortages on the US East Coast.

Survey respondents saw a significant increase in cybersecurity-related incidents involving third parties that did or had the potential to cause business disruption and/or reputational damage. This increase in incidents isn’t entirely surprising. What is alarming, however, is how poorly prepared organizations are to prevent these incidents.

  • 46% of organizations are not managing cyber/information security risks within their programs.
  • Only about 15% plan to add cyber risk to their programs in the next 12 months (a lower rate than any other risk included in the survey).
46% of organizations do not manage their cyber/information security risks.

The majority of organizations are also not taking advantage of cybersecurity ratings, a powerful risk intelligence tool for obtaining an objective assessment of a third party’s cybersecurity risk profile. This risk intelligence can be used in conjunction with TPRM tools to validate data captured as part of the onboarding process.

The Resourcing Challenge

Lack of talent is one of the biggest challenges facing TPRM programs, making it difficult to operate effective programs.

One of the most important elements of any TPRM program is having the right people in place to plan and execute assessment, mitigation, and management strategies. Unfortunately, programs may be feeling the effects of the Great Resignation that has occurred since the onset of the pandemic.

When asked what respondents felt their biggest challenge would be over the next 12 months, respondents cited an overall lack of time and people to complete their tasks, specifically highlighting:

  • Attrition of SMEs
  • Staffing
  • A need to improve skills

The numbers, explored in detail within the survey, support the perception that teams are not adequately staffed, and small programs are being asked to punch above their weight.

In addition, 36% of respondents did not feel that they had the right level of funding for people (skillset and coverage) to run their programs. While this is pretty consistent with past years, it is still notable because nearly all other indications of program prioritization improved year-over-year.

The Pandemic Impact

This was the first time our TPRM Benchmarking Survey reflected a full year of dealing with pandemic impacts. The increased potential for disruptions, security incidents, and regulatory non-compliance associated with the pandemic have accelerated the scope and maturity of TPRM programs.

It’s no surprise that the pandemic was one of the top concerns cited in an open-ended question about the biggest challenges facing programs. Additionally, numerous respondents felt that the end of the pandemic was one of the biggest opportunities over the next 12 months.

Many respondents stated that the pandemic raised the profile of TPRM within their organizations, which likely explains the increase in maturity indicators reflected in this survey compared to past years. Significantly more organizations reported that they had centralized all of their third parties in a single repository, and much fewer relied on manual processes.

Over 50% of respondents assess operational risk and financial viability risks in their programs. 76% assess business continuity.

The pandemic also seems to have impacted key risk areas organizations are focusing on:

  • Compared to past years, there were increases in the percentage of programs that are addressing operational risk (56%) and financial viability (55%).
  • There has also been a sharp uptick in the number of organizations factoring business continuity into their programs with 76% having at least partially incorporated it into their programs.

If you are interested in learning more about these insights, and additional TPRM and risk trends, our TPRM Benchmarking Survey dives deep into practitioner findings. We invite you to gain further insights in the full TPRM Benchmarking Survey!

Share with Your Friends:

Subscribe to Blog Updates

Our Expertise
Who We Help

Ready to get started?

Get in touch for a better approach to third-party risk management