Dive Brief:
- Operational risk is the most common concern when it comes to third-party risk management (TPRM), according to a recent EY survey of 500 executives at major companies. According to the study, today’s TPRM “is fundamentally misaligned with this new risk environment.”
- Financial, cybersecurity, privacy, and regulatory risks rounded out the top five concerns about third parties that executives cited.
- The data reflect growing corporate worries about the consequences of hiring subcontractors with negligent security or privacy practices. These worries have been heightened in the wake of many high-profile cyberattacks that involved supply chain or third-party compromises.
Dive Insight:
Most of the biggest recent cyberattacks, from the SolarWinds and Kaseya incidents to China’s breaches of the U.S. Department of the Treasury and American telecom companies, have involved third-party compromises. As a result, businesses have been devoting more attention to analyzing and managing third-party risk. The recent EY report captures sentiments among corporate leaders in a diverse array of industries and countries as they attempt to grapple with these threats.
The survey reveals that companies are changing the way they define a critical third party, an important consideration when mapping out dependencies. “While ‘financial impact’ remains the most important criterion used to define a critical third party (43%),” the report said, “this is closely followed by ‘criticality of the business process/function,’ at 39%.” Corporate efforts to prioritize the criticality of business functions mirror a similar project by the Cybersecurity and Infrastructure Security Agency (CISA) for national infrastructure.
This function-focused approach to risk management has only grown more important as companies have outsourced more of their operations to subcontractors. “Across sectors, companies are turning to third-party service providers for everything from human resources to business intelligence and supply chain logistics,” the EY report said. As a result, “the number of business functions relying on third parties and that are exposed to third-party risks has greatly increased.”
Artificial intelligence could help automate some TPRM activities, according to the report. Such activities include compiling lists of vendors, conducting document review for due diligence, performing risk assessments based on past incidents, and analyzing contract language for potential risks.
To properly manage third-party risk, the EY report concluded, companies should elevate the issue to a high level inside their organization, understand the benefits and limitations of AI, and prepare for technological “tipping points” that change how risk analysis is done.