Last week we released our annual Aravo TPRM benchmarking survey! Our 2021 survey, Gaining Clarity: A Better Line of Sight Into Third-Party Risk, takes the latest in third-party risk management (TPRM) practitioner insights to help organizations better understand the state of TPRM programs today, top risks, internal program challenges, and more.
This is the fourth year of our TPRM Benchmarking Survey. This survey, based on responses from over 100 risk and compliance professionals, analyzes TPRM trends, providing important data points that will help firms benchmark their programs. It’s a great resource to help identify emerging best practices and further mature TPRM programs.
This survey is Aravo’s first to be fully conducted during the COVID-19 pandemic, and this played a key role in questions and responses seen throughout the study. Related increases in incidents like cybersecurity breaches were also noted, more-so than others conducted in past years. We encourage you to download and read the full survey to get a better line of sight into third-party risk!
The alarming volume of third-party incidents that cause reputational damage should be a major concern for TPRM programs and business leaders.
An overwhelming 90% of respondents reported that their organization had experienced at least one incident related to a third party that either did or could have caused business disruption and/or reputational damage.
Program maturity plays a huge role in the ability to prevent incidents. Mature programs take a holistic, integrated approach across multiple risk domains and have developed the agility to respond effectively when new risks and requirements emerge. It is telling that none of the respondents who had experienced business disruption or reputational damage were at the highest (Agile) level of program maturity.
Conversely, 80% of organizations that experienced an incident that resulted in a significant disruption or loss were low maturity (Ad Hoc or Fragmented).
The survey results also tell us that there are still significant opportunities for TPRM programs to invest in improvements in their due diligence and hopefully experience fewer incidents. Only a handful of key risk areas were managed by more than half of the respondents.
Overall, our survey found that TPRM programs are not adequately managing the cybersecurity risk in their third-party ecosystems, despite an increase in incidents.
In 2020 and 2021, many high-profile cybersecurity incidents threatened company operations. These included SolarWinds, potentially exposing thousands of organizations, including the US federal government, as well as a ransomware attack on Colonial Pipelines, which created fuel shortages on the US East Coast.
Survey respondents saw a significant increase in cybersecurity-related incidents involving third parties that did or had the potential to cause business disruption and/or reputational damage. This increase in incidents isn’t entirely surprising. What is alarming, however, is how poorly prepared organizations are to prevent these incidents.
The majority of organizations are also not taking advantage of cybersecurity ratings, a powerful risk intelligence tool for obtaining an objective assessment of a third party’s cybersecurity risk profile. This risk intelligence can be used in conjunction with TPRM tools to validate data captured as part of the onboarding process.
Lack of talent is one of the biggest challenges facing TPRM programs, making it difficult to operate effective programs.
One of the most important elements of any TPRM program is having the right people in place to plan and execute assessment, mitigation, and management strategies. Unfortunately, programs may be feeling the effects of the Great Resignation that has occurred since the onset of the pandemic.
When asked what respondents felt their biggest challenge would be over the next 12 months, respondents cited an overall lack of time and people to complete their tasks, specifically highlighting:
The numbers, explored in detail within the survey, support the perception that teams are not adequately staffed, and small programs are being asked to punch above their weight.
In addition, 36% of respondents did not feel that they had the right level of funding for people (skillset and coverage) to run their programs. While this is pretty consistent with past years, it is still notable because nearly all other indications of program prioritization improved year-over-year.
This was the first time our TPRM Benchmarking Survey reflected a full year of dealing with pandemic impacts. The increased potential for disruptions, security incidents, and regulatory non-compliance associated with the pandemic have accelerated the scope and maturity of TPRM programs.
It’s no surprise that the pandemic was one of the top concerns cited in an open-ended question about the biggest challenges facing programs. Additionally, numerous respondents felt that the end of the pandemic was one of the biggest opportunities over the next 12 months.
Many respondents stated that the pandemic raised the profile of TPRM within their organizations, which likely explains the increase in maturity indicators reflected in this survey compared to past years. Significantly more organizations reported that they had centralized all of their third parties in a single repository, and much fewer relied on manual processes.
The pandemic also seems to have impacted key risk areas organizations are focusing on:
Share with Your Friends:
