2022 Trends – What’s Next in Third-Party Risk Management?
Third-Party Risk Management | 5 Min Read | 23 February 22 | by Kaul Siddharth
It’s 2022 and third-party risk is no longer viewed as merely a ‘procurement department issue’. Today, events such as a security breach or a risk incident that affect your supply chain and the actions (including the lack of proactive steps) taken by your vendors can have direct and lasting consequences—financially, legally, reputationally, strategically, and more. Additionally, with vendor-related incidents increasing year on year, regulators are now making it mandatory for organizations to manage third-party risk.
So, what can we expect when it comes to third-party risk management in 2022? Here are 4 trends to help you prepare for what’s next.
1. Increased Focus on Cybersecurity Risk Continues
Since the onset of the pandemic in 2020 and the success of remote work, many organizations are looking to continue with their business operations remotely. But with operations remaining online, cybersecurity risk has also increased. The number of data breaches in 2021 has already surpassed the total number of breaches in the previous year. As per reports from the Identity Theft Research Center, data breaches in 2021 have increased by 17% from 2020.
According to a study by Forrester, 60% of security incidents will result directly from issues with third parties. With cyberattacks targeting vendors and suppliers, third-party cyber incidents will increase, and Log4j- and SolarWinds-style headlines will impact firms that don’t invest in the proper risk management tools.
As cyber risk has emerged as one of the top risks that concern Chief Risk Officers, cyber risk insurance premiums have gone up significantly. An estimate by Moody's Investor Services points to an increase in the total premium paid for protection against cyber fraud and ransomware attacks, from $1.2 billion in 2019 to $1.6 billion in 2020. The loss ratio has also escalated significantly, from 44% in 2019 to 65% in 2020, driven by the increase in ransomware attacks.
To understand the overall cyber risk exposure of a third party, rating platforms such as BitSight and Security Scorecard provide externally observed cybersecurity ratings. Along with these external platforms, an organization can also use the third party's SOC 2 or SOC 3 reports to understand the controls that are in place within that organization.
2. Assessing ESG Risks in TPRM Gains Greater Priority
Across the globe, we are now seeing a growing focus on, and a decisive shift toward, handling Environmental, Social, and Governance (ESG) risks, not only within the organization but also the ESG risk associated with third parties or the extended enterprise.
The European Union (EU) announced mandatory legislation on due diligence in its EU Directive on Mandatory Human Rights, Environmental and Good Governance Due Diligence in March 2021 to encourage companies to take action to ensure human rights and reduce environmental impacts in their supply chains.
Assessing the ESG risks of a third party is no longer a simple tick-box activity required by the Ethics and Compliance leadership. Incorporating ESG into your third-party risk management assessments doesn’t just avoid regulatory actions. It also helps protect your organization from regulatory fines and damage to brand reputation.
Several factors have to be considered when incorporating ESG into your organization’s current workflows and processes. ESG criteria need to be built into risk assessments, due diligence, policy updates, questionnaires, contracts, and so on. Additionally, enterprises will need to examine the following:
- Are there documented policies and procedures that address the prevention of modern slavery and human trafficking?
- Is there an annual statement setting out the steps taken to address modern slavery and human trafficking within the company?
- Are there relevant metrics to track compliance with and performance on ESG areas, such as reducing the carbon footprint and preventing modern slavery and human trafficking?
3. TPRM Expands to Fourth or Nth Parties
The benefits that third-party suppliers and vendors bring have resulted in organizations becoming increasingly dependent on their extended network. According to a Gartner study, 60% of organizations work with over 1,000 third parties and this number is growing as business systems become more complex.
However, the extended enterprise of today does not depend on its network of consultants, vendors, and partners alone, but also on their suppliers: fourth and Nth parties. Every one of your partner’s or supplier’s vendors, subcontractors, or service providers poses a risk to your business. But the view gets hazier as the network expands, making it difficult to manage the inherent risks that your supplier ecosystem or supply chain poses.
This makes it important to:
- Identify and manage the products/services provided by fourth parties
- Conduct due diligence on critical fourth parties, since the same vendor may be part of several of your third parties' ecosystems and so represent a concentration risk
- Assess the different risk areas that fourth parties bring including cyber risk, reputational risk, legal risk, etc.
- Review SOC 2/SOC 3 reports to understand the control effectiveness across your supply ecosystem
4. Regulations Continue to Keep Changing
The regulatory environment is rapidly changing and evolving, creating compliance risks and pressures that make it harder to maintain operational efficiency. MetricStream’s 2021 State of Compliance Report found that almost half (48%) of organizations find it a huge challenge to track and manage third-party compliance.
Third-party relationships are under constant scrutiny by regulators such as the OCC, FINRA, and CFPB, and regulators are taking a growing interest in third-party risks. Regulators are holding organizations responsible not only for their own actions but also for those of their third parties. A good TPRM program should therefore include assessments of each third party's compliance with the regulations that apply to the activities it performs on your behalf.
Thrive on Risk in 2022 with MetricStream
Risks from supply chains, third parties, and cyber vendors will accelerate as enterprises continue to be driven by the many advantages of an extended ecosystem. Managing and mitigating emerging and evolving third-party risk requires a connected, integrated, and proactive approach.
MetricStream’s ConnectedGRC, designed to meet the evolving needs of the modern enterprise, enables you to power what’s next with an integrated approach to risk management. The collaborative approach enables organizations to better identify, assess, manage, and mitigate risk across the enterprise, including IT and cyber risks, third-party risks, compliance risks, and ESG risks. Empower your teams to effectively manage third-party risk and IT vendor risk with:
- Automated screening and onboarding processes for simplified vendor onboarding and due diligence
- Authoritative intelligence with the integration of trusted sources such as Dow Jones, D&B, BitSight, Security Scorecard, and more
- Enhanced fourth-party functionalities such as capturing of fourth-party information in a central repository, due diligence of fourth parties, viewing overall risk exposure of fourth parties, and more
Excited to learn more about how our software can help you? Request a demo now.