Cybersecurity only the tip of the iceberg for third-party risk management
Most companies are missing key risks at more than one stage of the vendor risk lifecycle, yet few are expanding their TPRM programs to address these risks, according to Prevalent.
Increased focus on third-party risk due to COVID-19
COVID-19 was the biggest event of 2020, increasing organizational focus on third-party risk management for 83% of companies. Yet, only 40% of study respondents report expanding their TPRM programs as a result.
More concerning is that 44% of companies report not actively tracking supply chain risks, which were the primary pandemic-related third-party risk management impact.
Few companies actively tracking non-cybersecurity reputational risks
Because IT and security teams own third-party risk management in 50% of companies, and likely due to increasing numbers of damaging third-party data breaches, the study illustrates that cybersecurity risks are getting the most attention.
However, study respondents admit they should be tracking risks such as SLAs and performance (47%), geo-political (47%), labor standards (45%), environmental (45%), human rights, trafficking and slavery risks (40%), and ABAC (39%). Not tracking these types of risks can open an organization up to reputational damage.
Not enough pre-contract due diligence to identify potential vendor risks
More than 50% of respondents indicated the biggest challenge they face in third-party risk management is not having enough pre-contract due diligence to identify potential vendor risks.
More alarming is that 59% indicate they are not actively assessing third-party risks during the offboarding stage of the vendor lifecycle. Organizations are missing critical risks at multiple stages of the third-party lifecycle.
Procurement teams and TPRM programs
55% of organizations saw an increase in third-party risk management ownership by security over the past year, yet only 22% of companies are seeing an increase in ownership by procurement teams, meaning that important ESG, ABAC and vendor financial risks typically required by these teams to properly assess vendors may not getting the attention they require.
Companies not satisfied with spreadsheets
42% of respondents said they assess their third parties using spreadsheet-based questionnaires and 65% of these respondents are either unsatisfied or neutral with this approach.
“The past year has brought even more attention to the risks associated with third-party vendors and partners, specifically to the supply chain, stated Brenda Ferraro, VP of third-party risk management for Prevalent.
“And the threats that these vendors and partners bring into an organization go well beyond cybersecurity and data privacy. Companies need to start thinking about the underlying risks below the surface such as environmental, social and governance (ESG), anti-bribery and corruption (ABAC) and SLA performance. A successful TPRM program must expand beyond traditional cybersecurity risks and involve several departments across the organization. Together these teams will keep customers, employees and partners safe.”
IT security and business teams need to collaborate
The results of this study demonstrate that IT security and business teams need to collaborate more closely to identify and mitigate more types of risks at all stages of the third-party lifecycle. The report concludes with the following recommendations for unifying IT security and business for better outcomes from onboarding to offboarding:
- Expand assessments beyond cybersecurity to include reputational and vendor financial information, helping to create a more holistic vendor risk profile
- Bridge the gap between business and IT with a unified strategy for addressing risks spanning the organization
- Manage risk at every step of the third-party lifecycle, starting with more complete pre-contract due diligence and ending with secure vendor offboarding
- Outsource the time-consuming work to the experts, leaving your team to focus on risk remediation and management