Despite Growing Maturity, Organizations Struggle with Third-Party Risks

Second annual global survey finds that third-party failures are a problem for most organizations, yet many boards are still not perceived to be providing adequate oversight

(San Francisco) July 11, 2019 – A global benchmarking survey published today indicates that despite growing third-party risk management maturity, many organizations are struggling to keep pace with potential compliance, financial, and reputation risks posed by suppliers, vendors, affiliates, and other business relationships.

For the second year in a row, Aravo Solutions and the Center for Financial Professionals (CeFPro) conducted this broad survey of risk management professionals, the results of which were presented to leading practitioners across the financial services industry at two recent international events in New York and London. The report is available at: Third Party Risk: Chasing Maturity in a Dynamic Landscape.

Compared to the previous year, the survey indicated modest gains in third-party risk management maturity. Fewer organizations reported heavy reliance on spreadsheets and manual processes (50% vs. 66% in 2018) and greater adoption of centralized, automated solutions. Despite these advances, however, 75% of respondents had experienced an incident associated with a third party in the past 12 months and a significant number feel ill-prepared to deal with the pace of change, including cybersecurity threats and identifying and managing fourth- and nth-party risk.

“The growing maturity and adoption of technology are helping organizations decrease risk and uphold the ethical standards in their third-party ecosystem,” says Kimberley Allan, CMO at Aravo. “But the survey suggests that as they begin to peel back the onion of third-party risk and understand their ecosystems better, organizations are uncovering additional dimensions and underlying threats associated with third-party relationships. The third-party threats are very real, as can be seen in the level of incidents organizations are experiencing – and it’s important that tone from the top, resourcing, and investment support the advancement of third-party risk management programs.”

Andreas Simou, Director, Center for Financial Professionals said, “Industry benchmarking data, such as that captured in this survey, is essential to help a young discipline better understand itself. We hope the findings of the survey will help organizations further refine their roadmap to maturity and support the many decisions teams will have to take along that journey.”

Key results from this year’s survey include:

Third-party failures a problem for most organizations
Of those respondents who had insight into incident reports, 75% reported that their organization had had an incident associated with a third party over the past 12 months. Of these, 13% experienced an incident that caused significant business disruption and/or significant reputational damage, and a further 29% had experienced an incident that had the potential to cause significant harm.

Risks threaten to out-pace maturity
Third-party risk management programs go through identifiable stages that reflect the maturity of their framework, people, processes and technology. The stages, in order from least to most advanced, are: Ad-Hoc, Fragmented, Defined, Integrated and Agile. The study found a modest uplift in self-reported maturity levels year-over-year. However, whether the pace of program maturation can keep up with emerging threats and mitigate actual incidents is still in question.

A young discipline – seeking to mature in a landscape of change
The discipline is young – 80% of programs are six years old, or younger. The length of time a third-party risk program has been in place doesn’t necessarily equate to program maturity, but it does take time for a program to reach maturity. Generally, it took four or more years for programs to achieve the more Integrated or Agile states, in which they have a comprehensive governance structure and the resources required to be successful.

Board oversight lacking in many programs
There is a lack of board oversight in many programs. Over a quarter of respondents (27%) reported that third-party risk is not considered a high priority by their board. When it comes to board communication, most organizations (86%) report third-party risk to the board quarterly or less frequently. Board engagement is important, as it was a key driver of the level of maturity. Organizations which had a high level of board oversight were much more likely to have programs in the Agile and Integrated stages (48%) than those with low oversight (13%).

Budgets static in spite of increased risk
Teams and budgets are growing slightly compared to last year, but this growth may not be fast enough given the range of risks and regulatory demands facing TPRM teams. Despite new regulatory demands and challenges, more than half (53%) expect their budgets to stay the same. Around a third of respondents did not feel that they had adequate resources for their programs to be successful.

Cyber risk
Cyber risk is the most prominent board concern, reported nearly twice as often as the second-highest concern: reputational risk. Of respondents who identified a specific risk domain as the greatest challenge for their third-party risk management program in the next 12 months, 64% cited cyber risk.

Opportunity for better alignment between the business and the second line of defense
While the board is concerned with cybersecurity (35%), reputational risk (18%) and operational risk (16%), respondents said TPRM teams are driven by regulatory compliance (52%). Compliance risk is a driver for just 12% of boards, suggesting there is an opportunity to improve communication and align priorities.

The average salary across all job-levels this year, globally, was $159,600, which is slightly higher than last year’s average of $155,106. The average salaries for each level of seniority were: Board $450,000, C-Suite $275,000, SVP/VP/Director $207,929, Manager $107,525, Analyst $197,257.

To help organizations benchmark what stage of the third-party risk management maturity they’ve achieved, Aravo offers a Maturity Calculator, which generates a personalized report outlining next steps for advancing maturity.

About the survey
The research for this second annual survey was conducted during February and April 2019 and was constructed by Aravo Solutions and distributed online by the Center for Financial Professionals, an impartial and independent financial research and event organizer. The survey had 234 responses from third-party risk management professionals around the globe. Some 56% of responses were from US-based companies, with another 6% based in Canada. The United Kingdom was the location for the headquarters of 23%, while the rest of Europe was the home for 10% of organizations. The remaining 5% of responses were from the Middle East, Africa, and Asia Pacific. While a broad range of industries were represented, the majority of responses for this survey were from the financial services industry – about 75%. A total of 41% of respondents were at the Senior Vice President (SVP), Vice President (VP), or Director level within their organizations. Another 14% were either from the C-suite or were sitting on the board of directors. Nearly one-third of respondents were managers, while 10% were analysts within the TPRM discipline.

About the Center for Financial Professionals (CeFPro)
The Center for Financial Professionals (CeFPro) is an international research organization and the focal point for financial risk professionals to advance through renowned thought-leadership, unparalleled networking, industry solutions and lead generation. CeFPro is driven by and dedicated to high quality and reliable primary market research; helping us provide our audience with invaluable peer-to-peer conferences such as our flagship Risk EMEA and Risk Americas series. CeFPro also boasts knowledge sharing platforms, such as: Risk Webinars, Research Reports, and Risk Insights. Risk Insights are written by the industry for the industry and now cover online articles, a quarterly Risk Insights Magazine, and Risk Insights TV.

About Aravo
Aravo delivers the market’s leading third-party risk and performance management solutions.

For almost 20 years now, Aravo’s combination of award-winning technology and unrivaled domain expertise has helped the world’s most respected brands accelerate and optimize their third-party management programs, delivering better business outcomes faster and ensuring the agility to adapt as programs evolve.

With solutions built on technology designed for usability, agility, and scale, even the most complex organizations can keep pace with the high velocity of regulatory change. As a centralized system of record for all data related to third-party risk, Aravo helps organizations achieve a complete view of their third-party ecosystem throughout the lifecycle of the relationship, from intake through off-boarding and all stages in between and across all risk domains.

Aravo is trusted by the world’s leading brands, helping them manage the risk and improve the performance of more than 4.5 million third parties, suppliers and vendors across the globe.