Governance and Oversight Trends: Third-Party Risk Management for the Future
Only 12% of organizations rate their third-party risk management (TPRM) program as highly mature. While organizations have drastically increased their use of third parties, TPRM maturity hasn’t kept pace. AuditBoard and RSM’s new ebook, Third-Party Risk Management: Trends and Strategies to Help You Stay Ahead of the Curve, translates current TPRM trends and lessons learned into actionable ideas to help your organization identify, reduce, and monitor third-party risk. Download the full guide here, and continue reading below for an overview of TPRM governance and oversight trends.
TPRM Governance and Oversight Trends
Elevated Focus From Leadership
Given the continued escalation of third-party cybersecurity breaches and enforcement and supervisory authority scrutiny, boards, audit committees, and C-Suite leaders are asking more questions about TPRM than ever before. They’re also interested in using TPRM data to benefit the organization and improve how it manages third-party risk. As leadership focus increases, so does the need for timely, accurate, and meaningful TPRM information.
Heightened third-party risk, coupled with an elevated focus from leadership, is transforming how companies think about TPRM. Instead of treating it as a simple inventory or a point-in-time assessment, the shifting mindset requires viewing TPRM through the lens of how the company relies on third parties for key business processes that are critical to operations, with continuous monitoring throughout the third-party lifecycle. What is procured from each third party, and how do the goods or services impact critical business processes? How resilient is the organization around any critical processes supported by third parties?
This shift in mindset is positioning companies to use TPRM data in new ways. For example, they may use TPRM data as an evaluating factor to make business decisions relative to who they’re engaging with on critical functions. It can also reveal opportunities to consolidate service providers or get more favorable terms and conditions (T&Cs) based on utilization.
Increased Centralization, Integration, and Consistency
Historically, supply chain risk sat with logistics and operations, with decentralized risk management conducted by departments or other internal silos performing their own due diligence. However, in decentralized models, the left hand doesn’t always know what the right hand is doing, leading to inefficient, inconsistent practices for identifying and assessing risk. In addition, many organizations lack workflows to create or respond to questionnaires focused on vetting third parties, performing these duties on an ad hoc basis without efficiency or consistency. Lastly, third-party contract T&Cs tend to vary widely, creating disparities in how departments interact with third parties across the organization and at times creating bottlenecks as legal departments review the varying T&Cs.
Current trends show organizations working toward centralization and integration that supports more standardized processes and workflows. Specifically:
- We’re seeing a push toward more integrated TPRM models, where everyone is involved in one enterprise-wide process, and a central group oversees procurement and/or sourcing. Hybrid models — in which a central procurement function oversees TPRM but may give groups leeway to procure as they need to — can be a fit for some organizations.
- Many organizations’ baseline due diligence reviews rely on standardized questionnaires based on vendor type, in addition to any SOC reports or industry-specific certifications.
- Organizations are moving toward more consistency in the T&Cs used in third-party contracts.
- Distributed TPRM responsibilities (e.g., legal, compliance, internal audit, procurement, IT) are creating the need for workflow tools to help organizations standardize and streamline processes.
Download AuditBoard and RSM’s new ebook, Third-Party Risk Management: Trends and Strategies to Help You Stay Ahead of the Curve, to help your organization identify, reduce, and monitor third-party risk.