TPRM by Design: 5 Key Takeaways

August 13th, 2024 Adelani Adesida Reading Time: 5 minutes

I speak with TPRM professionals every day, and one of the things I enjoy the most is the knowledge sharing. While new, evolving risks are always on agendas, some of the most frequent discussions I have with people are around TPRM fundamentals: how to build best practices, how to break down silos, and how programmes benchmark against their peers.

These foundations are critically important as third-party risks become more complex. Without a strong base, it’s difficult to react quickly, and difficult to mature programmes.

This June, I was thrilled to host a TPRM by Design workshop with Aravo and GRC 20/20's Michael Rasmussen. The workshop, attended by some of the largest financial, automotive, and industrial organisations, explored how to build a blueprint for effective TPRM, how to make a business case to senior leadership, how to deliver effective third-party governance, and how technology can further enable programmes.

In addition to the workshop activities led by Michael Rasmussen and myself, participants and my Aravo colleagues were able to discuss the TPRM topics that are on teams' agendas for the immediate future. I'm highlighting several of them here.

1. TPRM Fragmentation Keeps Practitioners Up at Night

Some of the biggest discussions we had during the sessions were around TPRM fragmentation and the need for centralised processes and solutions. This fragmentation appears through a variety of factors:

  • Tools: Many organisations present, and many I've spoken with recently, use a variety of tools for managing third-party risks or functions related to TPRM.

    In Aravo's TPRM benchmarking survey with CeFPro, we see fragmentation in both the types and the number of tools used to manage TPRM functions. Fewer than half of respondents are using "a purpose-built TPRM solution built to manage TPRM." Approximately 75% are still using office productivity suites and internal communication hubs. These manual, decentralised programmes hinder overall TPRM maturity.

  • Processes: Another area of fragmentation is the management of the third-party lifecycle itself. In some cases, a different tool or process is used for each stage, from onboarding to offboarding. Without consolidated documentation and consistency across every internal stakeholder who interacts with third parties, organisations find it impossible to get a proper handle on risks and programme gaps.

  • People: Tools and software are only as good as the people who use them, and many different functions may be managing third-party risks. Risk, compliance, procurement, legal, and other areas are often still siloed from each other, making it difficult to ensure that processes remain consistent, that duplicate work is not being performed, and that risks are not slipping through the cracks. Objectives can also be misaligned if teams are not organised around the same goals and working from the same data.

2. Data Clarity and Consistency: Building Blocks to Good TPRM

We're finding that one of the hallmarks of TPRM fragmentation is data inconsistency, reflecting a lack of unified data collection and rationalisation. Many organisations lack a single version of the truth regarding the information, risk scores, and usage of their third parties.

This can look like duplicate information stored on different software platforms, contradictory records, information that has not been updated or communicated across team members, or data collected at different stages of the lifecycle and never reconciled.

The consequence of data inconsistency is not just siloed internal departments; it means the data cannot be trusted when it is incorporated into TPRM activities, such as risk scoring, tiering, and due diligence decisions. In an ideal world, third-party data is consolidated on a single holistic TPRM platform, where all related functions (risk, procurement, compliance, etc.) view and manage it in one place, ensuring consistency.

3. Fourth and Nth Parties: Hidden Risks That Bite Back

Proper management of direct third parties is expected, even where programmes still need improvement. What we're seeing across industries is increasing risk, and rising expectations, around indirect suppliers: fourth and nth parties.

A recent SecurityScorecard study found that 50% of organisations have had indirect relationships with at least 200 breached fourth-party vendors in the last two years. Organisations are expected not only to be aware of these relationships and manage them effectively; they will also be held accountable for them.

Of particular note with fourth parties is the risk that cyber and IT-related disruptions can bring to an engagement. The need for digital resilience within fourth and nth-party relationships is paramount as incidents like the recent CrowdStrike IT outage increase in frequency and severity.

You may have a good understanding of who your direct suppliers are, but what about the software vendors they themselves use? An outage at your third party, even one caused by an indirect supplier, can, and usually will, disrupt your operations, financials, and brand.

Some best practices organisations can take to understand and manage their fourth-party risks include:

  • Identify these indirect relationships, typically by asking direct suppliers to disclose their critical subcontractors and service providers
  • Incorporate them into the due diligence process
  • Ensure data consistency, so the same fourth party is recognised across all the third parties that depend on it
  • Manage contractual relationships, including flow-down obligations to subcontractors
  • Perform continuous monitoring on fourth and nth parties

4. An Active Regulatory Season is Upon Us

In Aravo and CeFPro's recent TPRM benchmarking survey, the primary driver for third-party risk management among most respondents (50.6%) is "liability avoidance: audits, enforcement, regulatory alignment". Considering the active regulatory landscape ahead, this is no surprise to us.

The EU Corporate Sustainability Reporting Directive (CSRD) entered into force in January 2023 and introduced more detailed reporting requirements for climate and environmental impacts. From January 2025 its scope expands to large companies meeting at least two of three criteria: more than 250 employees, more than €40 million in turnover, or more than €20 million in total assets.

The disclosures will span a wide range of environmental, social, and governance (ESG) factors, including sustainability impacts, risks, strategy, products and services, business relationships, incentive programmes, as well as targets and progress made around these topics. Organisations need to act now to determine what applies to them and ensure they are ready to meet these requirements.

Quite a few of our attendees for the TPRM by Design Workshop were in the Financial Services industry, and the EU’s Digital Operational Resilience Act (DORA) is also top of mind for them.

Also applying from January 2025, this regulation requires financial entities to adopt additional ICT risk management and cybersecurity controls. Specific highlighted areas include ICT risk management and governance, threat intelligence sharing, incident reporting, audit access rights over ICT third-party providers, and more. As DORA looms on the horizon, impacted organisations and their third parties will need to ensure that they can identify, manage, and recover from information and communication technology (ICT)-related incidents.

Further proof that early readiness will serve organisations well is the EU Corporate Sustainability Due Diligence Directive (CSDDD), which follows in 2026. Proactively planning a few years in advance will help mitigate business disruption in an already evolving regulatory landscape. The Aravo team and I will be exploring these regulatory activities further in the coming months to help organisations better meet the expectations.

5. Alternative Solutions are Needed to Fight TPRM Survey Fatigue

Traditionally, gathering initial TPRM information is a long, arduous, and largely passive exercise in which organisations rely on the third party to return the information in its own time. That information is often, and in many cases still, gathered through extremely long risk questionnaires that are tedious and slow to complete, which means companies wait on their third parties for quite a while.

By incorporating automated risk intelligence integrations into a centralised TPRM platform, organisations are seeing faster onboarding and less supplier survey fatigue. This allows them to take a more proactive approach to TPRM, reducing dependence on third-party questionnaires and increasing the organisation's own ownership of risk intelligence and due diligence processes across risk domains.

If any of these topics resonate with you, let’s have a conversation. Connect with me on LinkedIn, and request a demo with me here.

Adelani Adesida

Adelani is Aravo Solutions' Senior Sales Director covering EMEA.

Having invested a decade within the Integrated Risk Management industry, Adelani brings a wealth of experience with a strong track-record of sales, account management and project delivery across numerous risk domains.

Adelani has been a key member of numerous award-winning implementation projects and, in part due to being an avid gamer, has a close interest in Information Security and CyberSecurity programmes.

His charitable work includes participation in the Aleto Foundation's Future Leaders mentorship programme and serving as a Board Member of Dream Nation.

