Report released by Compliance Week and Aravo reveals a lack of engagement by boards in third-party oversight, with good governance hampered by incomplete and inaccurate board reporting
(San Francisco) November 13, 2019 – While third-party relationships increasingly form a key part of business strategy, boards are failing to grasp the risks that third parties expose their organizations to, a new survey released today by Compliance Week and Aravo reveals.
In an environment of increased business risks, close to half (43 percent) of surveyed practitioners claimed that their board doesn’t have a good handle on third-party risk. Despite regulatory expectation for effective board oversight, 42 percent of respondents indicated that their board had not set the risk appetite for their organization, and another 19 percent revealed they did not know if their board had delivered this.
This could be due in part to a lack of engagement in third-party governance by many boards – 6 percent of respondents indicated that their boards were not engaged at all, and a further 29 percent said their boards were only infrequently engaged.
The survey also revealed that communicating the right information to the board was problematic. Over a quarter (27 percent) of practitioners say that they report to the board infrequently on third-party matters, and another 6 percent say that they never do.
Hampering efforts in board reporting were a number of challenges including: resource constraints (41 percent); “no golden source of truth” on all third parties (39 percent); a lack of standardization of processes (38 percent), data in disparate systems (37 percent), reporting capabilities in systems (35 percent), data quality (28 percent), and “not really knowing what the board expects” (24 percent).
As a consequence, compiling board reports was not an easy process. More than a third of survey respondents (36 percent) say it takes anywhere from one to two weeks to compile a board report on third-party issues. For some companies (18 percent) it takes more than three weeks.
Alarmingly, this means that boards are often presented with incomplete and inaccurate information about third party risk. Only 17 percent of respondents felt that the information in their board reports was wholly complete and accurate. Half (50 percent) thought that their reports were largely complete and accurate but contained minor information gaps, while 28 percent indicated that they moderately complete and accurate but held some major information gaps. Finally, almost 4 percent noted that their reports were “worryingly incomplete and inaccurate.”
The results also revealed that cybersecurity, data privacy, third-party performance, bribery, and regulatory change and expectations impacting third-party risk management were the five most common issues brought up at the board level.
Kimberley Allan, Chief Marketing Officer, Aravo Solutions said, “The results tell us that there’s a huge opportunity for better communication between the board, senior management, and third-party risk practitioners. Boards need to be more engaged and should be requiring management to set the right governance framework and to provide a clear line of sight to the organization’s most significant third-party risks, as well explanations of how they intend to manage these risks. They need to be asking the right questions about risk, but clearly the results show they need better data to do this.”
Dave Lefort, Editor in Chief, Compliance Week said: “Industry research such as this is valuable for practitioners and boards looking to benchmark best practice and improve communications and governance within their own organizations and across their extended enterprise. The results provide important discussion points that boards and senior management should be examining to help improve and mature their own third-party risk management programs.”
The full survey report can be downloaded here.
About the survey
The survey, conducted by Compliance Week and Aravo between July and August 2019, had 169 respondents from roles responsible for third-party risk management and governance in their organizations. Respondents were from a wide range of industries – with a concentration (26%) in Financial Services. Company size of respondents ranged from 1-250 employees (21 percent), 251-1,000 employees (22 percent), 1,001-5,000 employees (21 percent), to more than 5,000 (35 percent). The number of third-parties managed by respondent organizations ranged from less than 100 third parties (28 percent), between 100-1,000 (37 percent), between 1,000 to 5,000 (14 percent), between 5,000 to 10,000 (5 percent) to more than 10,000 (16 percent).
About Compliance Week
Compliance Week, published by Wilmington plc, is a business intelligence and information service on corporate governance, risk, and compliance that features a daily email newsletter, a bi-monthly print magazine, industry leading events, and a variety of interactive features and forums.
Founded in 2002, Compliance Week has become the go-to resource for chief compliance officers and audit executives; Compliance Week now reaches more than 60,000 financial, legal, audit, risk, and compliance practitioners.
Aravo delivers market-leading solutions for understanding, managing, and mitigating the risks posed by third-party vendors and their engagements. Using Aravo, customers maintain a single, auditable inventory of all third-party relationships and can automate risk assessments, scoring, due diligence, continuous monitoring, issue management, and corrective actions.
Built on technology designed for usability, agility, and scale, Aravo supports complex custom-configured solutions used by many of the world’s largest global brands as well as pre-configured applications that allow clients to stand up a best-practice program quickly and confidently.
Aravo’s combination of award-winning technology and unrivalled domain expertise is trusted by the world’s leading brands, helping them manage the risk and improve the performance of more than 5 million third parties, suppliers, and vendors across the globe.