Reassessing Risk: The Move to Third-Party Management

Author: ISACA
Date Published: 1 November 2024
Read Time: 5 minutes

As global regulations evolve and reliance on third parties grows, today’s organizations find themselves navigating a complex risk environment. The rise in outsourcing goods and services has introduced heightened privacy, security, and compliance challenges, underscoring the need for robust third-party oversight to stay ahead of risk.

Traditionally, external organizational relationships and activities have been analyzed through third-party risk management (TPRM) and cybersecurity assessments. However, gaps in these workflows are becoming apparent, as are missed opportunities for risk mitigation. According to a 2022 KPMG outlook,1 73% of leaders reported experiencing at least one major disruption caused by a third party in recent years.

Recognizing this, risk teams now see the importance of bridging the gaps between risk, privacy, and security domains, paving the way for more holistic third-party management (TPM).

The Move Toward Third-Party Management Explained

Today, relying solely on one-time cybersecurity assessments is no longer sufficient to protect organizations from outside risk. Though useful for identifying potential threats, security questionnaires often fall short as the primary method for evaluating third-party risk as they tend to:

  • Only represent a single point in time and include many irrelevant or unnecessary questions
  • Depend on the timeliness and accuracy of the third party’s responses
  • Encumber both the third party and the risk assessment teams

It is time to rethink our evaluation processes.

Effective third-party management allows risk leaders to adopt a data-driven, risk-based approach to identifying and mitigating risk, monitoring changes in risk posture, and ensuring compliance with legal and regulatory requirements. By customizing assessments to the specific needs of each engagement, risk teams can foster trust across the supply chain and assess a third party’s potential impact on resilience.

Additionally, third-party management promotes alignment among internal teams by providing cross-domain insights, guiding risk-aware decision making, and creating a more resilient, secure, and scalable third-party ecosystem.

Maneuvering Through the Regulatory Maze

Perhaps the greatest advantage of adopting TPM is the role it plays in helping risk teams exceed regulatory compliance.

Organizations operating in highly regulated industries face a significant dilemma: they rely on critical third-party solutions to achieve digital transformation and meet consumer demand. Meanwhile, they must also protect their organization and reputation and secure the sensitive data at the core of their operations. Each new third party introduces potential privacy, security, ethics, and ESG risk, making compliance and organizational growth a balancing act.

For instance, the manufacturing industry alone has approximately 217,000 regulatory restrictions guiding its numerous moving parts and components. In other sectors, such as FinServ, regulatory frameworks like DORA2 constantly emerge and evolve. This requires organizations to continuously monitor and adapt to a global regulatory landscape, regardless of location or industry.

TPM plays a pivotal role in the seamless operation of organizations. It goes beyond regulatory compliance, ensuring that vendors, partners, and suppliers adhere to regulations and meet consumer expectations for sustainability and ethics throughout the supply chain.

What to Consider Before Implementing Third-Party Management

Regardless of your industry, these five considerations are essential for any successful TPM program. Here is what to consider before bringing this approach to your organization:

  1. Define your risk appetite. Identify the level of risk your organization is willing to accept in its vendor relationships. This requires assessing potential impacts on operations, finances, and reputation, and establishing clear thresholds and guidelines to manage and mitigate this risk effectively.
  2. Tier your third parties. You can tier third parties by risk level and criticality by looking at several different factors:
    • Are you sharing proprietary or confidential organization information with the vendor?
    • Are you sharing personal data with the third party?
    • Are you sharing sensitive personal data with the third party?
    • Are you sharing personal data across borders?
    • Is the vendor serving critical organizational functions?
    • What is the potential effect on your organization in the event of unauthorized disclosure of information?
    • What is the potential effect on your organization in the event of unauthorized modification or destruction of information?
    • What is the potential effect on your organization in the event of disruption of access to or use of the third party?
    • What potential ESG, ethical, or reputational impacts are involved with working with the third party?
    Use these tiers to help triage your third parties to focus on the highest-risk groups and guide appropriate next steps.
  3. Leverage risk data early and often. Integrating external risk intelligence and scoring can provide real-time insights into a third party’s risk posture and help guide appropriate assessment workflows. Feeding this data into onboarding and monitoring workflows can help proactively identify issues and steer risk-aware decision making across the third-party lifecycle.
  4. Vary your assessment depth. Ensuring variation in your assessment depth is key to implementing a comprehensive TPM strategy. One-size-fits-all questionnaires are resource-intensive and miss key information when applied across domains. Building dynamic assessments that fit the unique needs of each engagement is critical to maintaining risk visibility across your extended enterprise.
  5. Establish cyclical and automated processes. TPM is no longer a point-in-time process. Building automated and cyclical workflows that respond to changes in a third party’s risk posture ensures you always have an up-to-date view of your organization’s external threats.

The Road Ahead for Managing Risk

Embracing third-party management is not just a strategic shift; it is a necessity in today’s complex risk environment. As global regulations evolve and reliance on third parties increases, adopting TPM is crucial for preventing disruptions and building organizational resilience.

By doing so, leaders and risk teams can better understand external threats to protect their brand reputation, minimize losses, and enhance collaboration. Now is the time to move beyond traditional risk management and adopt a more unified, proactive approach.

Endnotes

1 KPMG, “Third-Party Risk Management Outlook 2022”
2 Dalao, K.; “Navigating the Digital Operational Resilience Act (DORA) With OneTrust,” OneTrust, 29 Apr 2024