I speak with TPRM professionals every day, and one of the things I enjoy the most is the knowledge sharing. While new, evolving risks are always on agendas, some of the most frequent discussions I have with people are around TPRM fundamentals: how to build best practices, how to break down silos, and how programmes benchmark against their peers.
These foundations are critically important as third-party risks become more complex. Without a strong base, it’s difficult to react quickly, and difficult to mature programmes.
This June, I was thrilled to host an exciting TPRM by Design conference with Aravo and GRC 20/20’s Michael Rasmussen. This workshop, attended by some of the largest financial, automotive, and industry organisations, explored how to build a blueprint for effective TPRM, how to make a business case to senior leadership, how to deliver effective third-party governance, and how technology can further enable programmes.
In addition to the workshop activities led by Michael Rasmussen and me, participants and my Aravo colleagues were able to discuss TPRM topics that are on teams’ agendas for the immediate future. I’m highlighting several of them here for you.
Some of the biggest discussions we had during the sessions were around TPRM fragmentation, and the need for centralised processes and solutions. And this fragmentation appeared through a variety of factors:
We’re finding one of the hallmarks of TPRM fragmentation is data inconsistency, reflecting a lack of unification in data collection and rationalisation. Many organisations lack a single version of truth regarding the information, risk scores, and usage of their third parties.
This can look like duplicate information being stored on different software platforms, inconsistent information, information that has not been updated or communicated across team members, or data being rolled out at different stages.
The consequences of data inconsistencies are not just siloed internal departments; it means that the data is corrupt and can’t be trusted when it comes to incorporating it into TPRM activities. In an ideal world, third-party data is consolidated and uploaded onto a single holistic TPRM platform, where all related functions (risk, procurement, compliance, etc.) view and manage it in a single place, ensuring consistency.
Proper management of third parties, while still needing improvements within programmes, is expected. What we’re seeing across industries is increasing risks and expectations around indirect suppliers: fourth and nth parties.
A recent SecurityScorecard study found that 50% of organisations have had indirect relationships with at least 200 breached fourth-party vendors in the last two years. Organisations are expected not only to be aware of these relationships but to effectively manage them, and they will be held accountable for them.
Of particular note with fourth parties is the risk that cyber and IT-related disruptions can bring to an engagement. The need for digital resilience within fourth and nth-party relationships is paramount, as incidents like the recent CrowdStrike IT outage increase in frequency and severity.
You may have a good understanding of who your direct suppliers are, but what about the software vendors they themselves use? An outage at your third party (even if it’s caused by an indirect supplier) can, and usually will, disrupt your operations, financials, and brand.
Some best practices organisations can take to understand and manage their fourth-party risks include:
In Aravo and CeFPro’s recent TPRM benchmarking survey, the primary driver for third-party risk management within organisations among most respondents (50.6%) is “liability avoidance: audits, enforcement, regulatory alignment”. And considering the active regulatory landscape ahead, this is not a surprise for us.
The EU Corporate Sustainability Reporting Directive (CSRD) went into effect in January 2023 and introduced more detailed reporting requirements for climate and environmental impacts. In January 2025, its scope expands to companies with more than 250 employees or €40 million in turnover and/or €20 million in total assets.
The disclosures will span a wide range of environmental, social, and governance (ESG) factors, including sustainability impacts, risks, strategy, products and services, business relationships, incentive programmes, as well as targets and progress made around these topics. Organisations need to act now to determine what applies to them and ensure they are ready to meet these requirements.
Quite a few of our attendees for the TPRM by Design Workshop were in the Financial Services industry, and the EU’s Digital Operational Resilience Act (DORA) is also top of mind for them.
Also taking effect in 2025, this legislation requires adoption of additional cybersecurity policies for this industry. Specific highlighted areas include IT risk management and governance, intelligence sharing, incident reporting, audit access, and more. As DORA looms on the horizon, impacted organisations and their third parties will need to ensure that they can identify, manage and recover from information and communication technology (ICT)-related incidents.
And further proof that early readiness will serve organisations well is the EU Corporate Sustainability Due Diligence Directive (CSDDD) following in 2026. Proactively planning a few years in advance will help mitigate business disruption in an already evolving regulatory landscape. The Aravo team and I will be exploring these regulatory activities further in the upcoming months to help organisations better meet the expectations.
Traditionally, gathering initial TPRM information and data has been a long, arduous, and often passive process, where organisations rely on the third party to send the information in their own time. This information is often (and in many cases still) gathered in extremely long risk questionnaires. They are difficult and time-consuming to fill out, which means companies are waiting on their third parties for quite a while.
By incorporating more automated risk intelligence integrations into centralised TPRM platforms, organisations are seeing faster onboarding time, and less supplier survey fatigue. This allows organisations to take a more proactive approach to TPRM, reducing dependence on third-party questionnaires and increasing customer ownership of risk intelligence and due diligence processes across risk domains.