Global survey reveals third party risk programs struggling to keep up with regulatory expectation

As regulators look to cyber, concentration, and fourth party risk, most third party risk programs still grapple with the foundations.

San Francisco, Calif. June 25, 2018. A global benchmarking survey published today, reveals that despite growing regulatory expectations about how companies manage the risks posed by their relationships with third parties, most companies are still struggling to achieve some of the most basic requirements.

Aravo Solutions and the Center for Financial Professionals (CeFPro) launched the results of the survey at two international events in New York and London this month, where they were discussed by leading practitioners across the financial services industry. The report is available at: Global Benchmarking Survey – Third Party Risk: A Journey Towards Maturity

The survey revealed that most third party risk management programs are in the early stages of maturity and are struggling to keep pace with the widening scope of regulatory expectation. In particular, increased regulatory focus on cyber-risk, concentration risk, and fourth parties, is not matched by most organizations’ ability to manage these emerging risks.

Kimberley Allan, CMO, Aravo Solutions said: “The results show that third party risk management teams recognize that they face significant program implementation challenges, and that they worry about their ability to keep up with the velocity of change and expanding regulatory expectation at the same time as they lay the foundations of their programs.”

Andreas Simou, Director, Center for Financial Professionals said: “This detailed benchmarking survey provides insight into the practical reality and challenges facing third party risk teams in this rapidly evolving discipline. The findings will help firms develop their road-map to maturity, and help with planning, resourcing and direction.”

Key results from the survey include:

  • Maturity
    Most organizations are at a relatively early stage of their program maturity – two-thirds of respondents report their programs were developing, defined, or in the initial stages of maturity. Just 5% reported that their programs were optimized, with the remaining 28% stating that their programs were established. Many organizations lack dedicated resources or have only small teams, for what is becoming an increasingly complex, dynamic, and scrutinized function.
  • Managing and maintaining a full inventory of third parties
    Regulators, including the Office of the Comptroller of the Currency (OCC), expect firms to have a complete inventory of all their third party relationships. Yet, what is seemingly the most basic of expectations – knowing who all your third parties are – can be a challenge. The survey found that 6% did not know how many third parties they had, and that 75% did not have all their third parties in a single inventory. Incomplete and multiple inventories make reporting on third parties difficult, with the vast majority at 72% of respondents indicating they would be unable to produce a complete report of all their third parties quickly.
  • Due diligence
    There is an expectation that banks should conduct due diligence on all potential third parties before selecting and entering into contracts or relationships, and that they perform ongoing monitoring once the contract is in place. The survey found that 73% of respondents had not conducted initial due diligence on all their third parties, with 32% having conducted initial due diligence on fewer than half of their third parties. Only 17% are conducting on-going due diligence on all their third parties. 4% are not conducting ongoing due diligence at all.
  • Salary
    The OCC has made it clear that banks should design compensation programs to attract and retain qualified personnel, align with strategy, and appropriately balance risk-taking and reward. The survey revealed a wide range of salaries across the profession and the globe. Average salaries for those in the industry were $75,119 for Managers, $118, 037 for Analysts and $199,648 for those at the SVP, VP, or Director level. The global range however was significant, ranging from $33,745 to $725,000.
    Funding and budgets
    Control functions are expected to have sufficient resources, yet the survey found around a third of respondents do not believe that they have an appropriate level of funding for the people (skillset and coverage), tools (technology and content sets), and innovation and continuous improvement required for their programs to be successful. However, four out of ten respondents are expecting to see increases in their budgets for the next 12 months, and half of respondents say that the budget will remain the same.
  • Concentration risk
    A growing concern among regulators is that consolidation among larger service providers has increased third party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Despite this being an area of increased focus for regulators, the majority (69%) of respondents stated that their programs are not managing for concentration risk.
  • Fourth party risk (and beyond)
    There’s an expectation that organizations will know which of their third parties use subcontractors and that the same levels of controls for risk management are applied through the extended supply chain. The survey found that 20% of participants do not require third parties to disclose sub-contractors, 17% do not have controls in place for how third parties manage subcontractors, and 46% do not conduct due diligence on critical 4th parties.
  • Cyber-risk, information security, and data protection
    The survey found that 86% of respondents are managing for cyber-risk and information security risk in their programs, and 79% are managing for data privacy risk. Yet, only 27% would be able to produce a report of their third parties with cyber-risk exposure quickly and easily (11% would find this impossible).

In addition to these areas of exposure, the survey found that there was a clear need for better reporting, with the majority of respondents unable to produce standard third party risk reports completely and quickly. Contributing to this challenge was the lack a of a single inventory, the use of disparate systems across organizations, lack of integration between systems, and technology limitations.

An infographic detailing some of the survey’s key findings can be found here.

About the survey

The research for this new survey was conducted during March and April 2018 and was constructed by Aravo Solutions and distributed online by the Center for Financial Professionals, an impartial and independent financial research and event organizer. The survey had 211 responses from third party risk management professionals around the globe. Some 37% of responses were from US-based companies, with another 10% based in Canada. The United Kingdom was the location for the headquarters of 24%, while the rest of Europe was the home for 20% of organizations. While a broad range of industries were represented, the majority of responses for this survey were from the financial services industry – nearly 8 out of 10. Slightly more than one-third of respondents were at the Senior Vice President (SVP), Vice President (VP), or Director level within their organizations. Another 12% were either from the C-suite or were sitting on the board of directors. One third of respondents were managers, while 13% were analysts within the TPRM discipline.

About the Center for Financial Professionals (CeFPro)

The Center for Financial Professionals (CeFPro) is an international research organization and the focal point for financial risk professionals to advance through renowned thought-leadership, unparalleled networking, industry solutions and lead generation. CeFPro is driven by and dedicated to high quality and reliable primary market research; helping us provide our audience with invaluable peer-to-peer conferences such as our flagship Risk EMEA and Risk Americas series. CeFPro also boasts knowledge sharing platforms, such as: Risk Webinars, Research Reports, and Risk Insights. Risk Insights are written by the industry for the industry and now covers online articles, a quarterly Risk Insights Magazine, and Risk Insights TV. Learn more at and

About Aravo

Aravo Solutions delivers market-leading cloud-based solutions for managing third party governance, risk, and performance. We help companies protect their business value and reputation by managing the risks associated with third parties and suppliers, and to build business value by ensuring that their third-party relationships are optimized.

Since 2000, leading global brands across a diverse range of industries have counted on Aravo for their end-to-end enterprise supplier and third-party risk management. Aravo has also distilled this experience and best-in-class technology into rapid time-to-value applications that help companies manage a wide range of programs including: anti-bribery and anti-corruption, responsible sourcing, data privacy, information security, GDPR, financial services regulatory compliance, and know your third-party programs.

Providing unrivaled regulatory agility and ease-of-use, together with actionable executive reporting, Aravo supports a user base of 136,000 corporate users, managing more than 4.5 million third party users in 36 languages and 154 countries. Aravo is headquartered in San Francisco, with offices and partners across the US, Europe, and Asia.

Aravo has been recognized with GRC 20/20’s Value Award for Third Party Management for providing measurable value in GRC efficiency, effectiveness and agility, and with the GRC 20/20 Innovation Award for Aravo for GDPR. Aravo was named as a Category Leader with the highest “Completeness of Offering” of any provider in the Chartis RiskTech Quadrant® for Third Party Risk Management Solutions 2017 and was named a Challenger in the 2017 Gartner® Magic Quadrant for IT Vendor Risk Management.