Third-Party Risk Management: Is 2023 The Perfect Time to Overhaul Your TPRM Program?
By Alex Klinger, Pre-Sales Engineer at SureCloud
Published on 26th January 2023
Ensuring third parties do not pose a risk to your organization is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring that these external entities are a strength, not a weakness, isn’t always a straightforward process.
In the coming years we’ll see organizations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security.
As demand for Third-Party Risk Management (TPRM) software and services grows, here we discuss some of the key reasons we believe 2023 could be pivotal for the future of your organization’s TPRM program.
Focus on Environmental, Social and Governance (ESG) risks
In recent years we’ve seen an increased corporate focus on Environmental, Social and Governance (ESG) risks, not only within their own organization but also associated with any third parties or extended enterprises.
As a result, ESG has become about more than avoiding risk. It’s a strategic priority. Leadership teams understand the importance of working with third parties whose objectives align to their own business strategy.
Consumers and regulators are increasingly aware of their environmental and social responsibilities, so much so that ESG has become a requirement for key stakeholders too, particularly investors who want to be associated with companies that prioritize their ESG posture.
For example, recent research from Gartner suggests that by 2024, 75% of vendor risk management programs will be tracking their IT vendors’ environmental, social and governance demands to guide their decision-making process.
ESG is no longer a straightforward tick-box exercise; there is much greater scrutiny of third-party practices as many businesses are incorporating ESG into their third-party risk management assessment and TPRM program.
Including ESG in your TPRM strategy is not just a way to protect your organization against regulatory action, fines and reputational damage; it should also be seen as a business opportunity that can:
- Help increase your customer base
- Attract investment
- Enhance brand reputation
On the other hand, if ESG is not included, there can be severe repercussions.
For example, an analysis of the effect of ESG performance on firm market value conducted by Moody’s Analytics found that ESG controversies led to a significant, negative and abnormal equity return in the short term, measured over an annual period. The analysis uncovered that moderate to severe ESG events generate abnormal stock market losses of -1.3% to -7.5% over twelve months, which represents a loss of approximately $400 million for a typical-sized firm in the study.
This effect can already be seen in 2023: shares of Glencore, the mining company, fell after its main shareholders recently filed a resolution calling for more clarity over how its plans for thermal coal production aligned with the Paris Agreement objective of limiting global temperature increase to 1.5C.
The upside to an increased focus on ESG programs is that it’s pressuring organizations to rethink due diligence requirements.
The Impact of Nth Parties
Organizations are becoming increasingly dependent on third parties and sub-contractors. A study by Gartner found that 71% of companies report that their third-party network has grown over the last three years, and that they expect it to continue to grow over the next three years as business becomes more complex. As a result, many organizations are beginning to recognize that the risks of connecting with these outside entities are far greater than they first thought.
This is because any third party that a business chooses to work with will likely have hundreds, if not thousands, of its own sub-contractors, which means businesses become more dependent on fourth, fifth and Nth parties, all of which introduce risk into their business ecosystem.
For example, a business could rely on a manufacturer that experiences a transport failure or security vulnerability at a third-party cloud supplier, which presents a high level of risk to their business, even though they are not directly connected.
The issue of Nth parties was evidenced during the SolarWinds hack in 2020 where the hackers were not only able to access data and networks of their customers, but also the data and networks of the clients and partners of SolarWinds’ customers.
The magnitude of the problem with Nth parties could be greater than that of third parties, as the third-party business environment continues to grow.
The level of risk Nth parties present to organizations’ supply chain management is becoming more apparent.
Increased frequency and sophistication of cyber attacks on third parties
Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks – a trend that has continued over the past 12 months. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach at a third-party plastics supplier.
It’s not only the frequency of third-party attacks that has increased, but also the sophistication of cybercriminals’ methods. For example, the SolarWinds cyber breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.
As the sophistication and frequency of supply chain attacks increases, their impact on businesses’ reputations and valuations is also becoming apparent. Organizations must conduct thorough due diligence on the third parties they choose to work with; otherwise the consequences could be disastrous.
Cybersecurity should be a non-negotiable feature of all business transactions.
Increase in external assistance for TPRM programs
As the scope, complexity and importance of third-party management continues to increase, the need for companies to leverage external assistance with the TPRM process will also only increase.
Many businesses don’t have the capabilities required for TPRM, in terms of resources and technology. Some utilize in-house support and technologies as a cost-effective answer to the problem. However, this can be restrictive as organizations must be able to respond rapidly to an ever-changing and evolving regulatory environment.
The need for external help will be compounded further by the increasing remit TPRM teams need to cover:
- A wider range of risks, including ESG and Nth parties
- A deeper understanding of how risk is managed by each third party
For these reasons, the use of external assistance, such as adopting technology-enabled solutions and managed services, will only increase in the future. The Deloitte Global Third-Party Risk Management Survey 2022 states that 82% of companies surveyed anticipate greater demand for a comprehensive TPRM end-to-end service solution – combining Third-Party Risk Management software and services.
Demand for managed service and technology solutions will be greater than ever. Organizations are increasingly looking for a tool that provides a comprehensive, end-to-end, insight-driven service that runs the day-to-day operational activities of a TPRM program.
A solution that provides cloud technology, automation, workflow systems and AI offers a more streamlined TPRM process.
The third-party risk management landscape is becoming more complex due to the rise in the number of external entities companies are working with. This means it’s now more important than ever for organizations to have a mature third-party risk management program in place.
Utilizing the expertise of an external TPRM managed services provider could be the first step in future-proofing your business, and preventing a large amount of potential financial and reputational damage.
SureCloud’s Third-Party Risk Management Software and Services
SureCloud can provide the combination of technological and service solutions that are becoming critical for businesses. Depending on your business network and objectives, we can build a TPRM program to suit you.
Interested in discovering more about the Third-Party Risk Management solutions SureCloud can offer? Start with our TPRM software.