Third-Party Risk Management Efforts Remain Lackluster

Despite calls to re-shore and streamline supply chains during the great availability disruptions caused by the COVID-19 pandemic, enterprises are still increasing their reliance on third parties. They’re doing so to optimize productivity or, at the very least, remain competitive. While third-party suppliers often provide cost-effectiveness, speed and help increase business agility, they also increase risk.

Last week at Forrester’s Security & Risk Forum, the research firm released a survey-based report called The State of Third-Party Risk Management, 2022. That report found that while respondents appreciated the business benefits associated with third-party products and services, they didn’t always appreciate the risks associated with third parties. And that there’s considerable work that needs to be done to get third-party risk management programs to where experts say they should be.

For instance, Forrester’s survey of 800 decision-makers within North America and Europe found that better decision-making through data is a high business priority for 72% of respondents, 71% said embracing digital business processes was a high priority and improving organizational response to business and market changes was high-priority for 69% of respondents.

In the 12 months prior to the survey, the risk levels within enterprises increased for 40% of survey respondents and, of those, 38% said the increased use of third parties was the reason for that rise in risk. There was considerable variance by region, with 44% of U.S.-based organizations, 39% of German organizations, 34% of French organizations and 32% of UK-based organizations saying increased reliance on third parties was the primary driver of increased risk.

Alla Valente, senior analyst at Forrester, said the prioritization of third-party risk when compared to program maturity struck her as the most interesting finding from the survey. “I had fully expected that, given the number of breaches, attacks and disruption caused by or stemming from the third-party ecosystem in the past 24 months, that 40% to 50% of enterprise risk management decision-makers surveyed would say the third-party risk is a primary concern for their organization. Surprisingly, only 20% pointed to third-party risk management as a primary risk concern,” Valente said.

Interestingly, of those survey respondents who experienced a breach in the past 12 months, 55% reported the incident involved a supply chain or third party. About one-fifth of respondents said that the risk of cybersecurity threat was the primary driver of increased risk, and that also varied greatly by region. Consider that Forrester found only 9% of U.S. respondents attributed cyberattack risk, while 25% located in Europe did so. “When factoring that the U.S. has experienced significantly more (3.3x) cyberattacks between 2006 and 2020 than any other country, this appears to be a gross underestimation of the impact cybersecurity has on third-party risk,” the report stated.

Not so surprisingly, two verticals that have experienced their share of cybersecurity incidents in recent years–telecommunications and utilities–at 31% were among the respondents most anxious about third-party risk.

What was most surprising was the lack of concern in the manufacturing and retail verticals. “Despite sustaining significant impact from market dynamics and systemic risks such as the global semiconductor chip shortage that cost the auto industry in 2021 $210 billion in revenues and lost production of 7.7 million vehicles, and the ongoing global supply chain crisis that continues to plague retailers, only 21% of respondents in manufacturing and 19% in retail and wholesale considered third-party risk a top concern,” Forrester concluded.

Effective third-party risk management requires enterprises to move away from manual, often spreadsheet-driven processes and toward an effective technology stack. According to Forrester, that stack typically includes a third-party risk management program, GRC platform, third-party cybersecurity risk ratings, sustainability ratings and supply chain mapping solutions.

Finally, while self-reported third-party risk management maturity levels are high, their actual practices don’t match those beliefs. “Among the 20% of ERM decision-makers that identified third-party risk as a primary concern, 45% described TPRM efforts at the highest levels of maturity of a level 4 (measured) to level 5 (optimized). However, within this cohort that self-reported their maturity at level 4 and 5, 75% revealed that their third-party risk program is manual,” Forrester wrote.

“Also, they don’t do a better job at assessing more third parties, although they are better at ongoing monitoring of the third-party ecosystem,” added Valente.

When it comes to improving the maturity of third-party risk management programs, Valente advised organizations to think about the long term rather than purchasing technology and believing that the rest takes care of itself.

“Maturity is a journey that takes time,” Valente said. “It’s vital that organizations realize that purchasing a technology doesn’t automatically make you more mature.  If your processes, workflows or the approach was disjointed or too narrow then automating it will make it more efficient but still insufficient,” Valente advised.

“The good news is that today, most, if not all, TPRM tech vendors do more than just provide technology, they also work with customers to help them on their maturity journey. A decade ago, we would have seen firms buy the technologies and look for the vendor to replicate their existing workflows in the tool,” she said.

That attitude is changing, she continued. “Many believed their business was so unique they needed something bespoke. What we’re seeing now is the collective realization that there are best practices for managing third-party risk. Vendors work with hundreds of organizations; they know what works and what doesn’t. Selecting a vendor based on their experience and ability to guide you along the journey is just as important as selecting them just for their technology. Don’t underestimate the power of customer and vendor partnership.”