After surveying a wide range of individuals across many different industries, Venminder compiled those results in our sixth annual State of Third-Party Risk Management 2022 Whitepaper. The survey revealed many key insights about third-party risk management including common challenges, pressures and emerging risks that many organizations are facing.
Top Emerging Risks
Let’s take a look at some of those top emerging risks along with some practical ways to respond to them:
- Cybersecurity: 2021 was a record year for cybersecurity incidents, with notable events like the Colonial Pipeline ransomware attack and the Log4j vulnerability. Unsurprisingly, nearly three-fourths (74%) of our survey respondents cited cybersecurity as a top concern for their organization.
How to respond: Cyber risks, like data breaches and ransomware attacks, will continue to evolve and increase in frequency, so it's important to review your third-party due diligence processes thoroughly and regularly. This practice will help confirm that your vendors are meeting the information security standards your organization requires, not just at onboarding but throughout the relationship.
- Fourth-party risk: Not only do third-party vendors play an important role in an organization’s risk landscape, fourth parties do as well. Fourth-party risk was identified as the second most concerning threat, according to 54% of our survey respondents.
How to respond: Although you have no contractual relationship with your fourth parties, it's still important to understand how they can impact your organization. Make sure your third parties have their own vendor risk management program in place that meets your requirements, and require your third parties to disclose which of their vendors (your fourth parties) are critical to their ability to provide products and services to you.
- Business continuity: The pandemic and weather-related incidents highlighted the need for effective business continuity (BC) and disaster recovery (DR) planning, especially for critical vendors. Vendor business continuity was the third biggest concern, cited by 42% of our survey respondents.
How to respond: Your vendors' BC/DR plans should be thoroughly reviewed to make sure they include the necessary components, such as evidence of testing and the test results, regular review and maintenance, notification procedures, and board of directors and/or senior management involvement.
- Other risks: Our survey respondents also identified pending or anticipated litigation, environmental, social and governance (ESG) issues and vendor financial health as matters of concern.
How to respond: Due to the lack of U.S. regulations concerning ESG, for many organizations the best course of action is to get educated about ESG reporting and transparency and collaborate internally to start formulating an ESG plan. For other emerging risks, consider subscribing to risk alert and monitoring services to get real-time information about your vendor or their industry, which can help improve the effectiveness of your third-party risk management program.
Ongoing Monitoring Activities
While identifying and responding to new or emerging risks is critical, don’t forget the importance of monitoring your vendors throughout the lifecycle.
The following activities will play an important role in your ongoing monitoring routine:
- SLA tracking: Service level agreements (SLAs) should be tracked to measure vendor performance against your organization’s expectations. This allows you to quickly identify and address any performance issues that may arise.
- Periodic risk assessments: A vendor's residual risk may fluctuate throughout the engagement, depending on many factors. Financial health can decline with the loss of a major customer. Information security practices may become insufficient if your vendor doesn't stay current with critical maintenance, such as applying necessary patches. Other events like regulatory changes, industry trends or even mergers and acquisitions can affect your vendor's risk profile. It's therefore important to conduct periodic vendor risk assessments rather than relying on the results of onboarding due diligence.
- Regular reporting: Keep senior management and the board informed by providing regular reports on vendor activity.
- Risk-based review schedules: Set each vendor's review frequency and depth according to its level of inherent risk. Inherent risk reflects the nature of the relationship (for example, the data shared and the criticality of the service) before any controls are taken into account, so it's the right basis for deciding how often a vendor must be re-examined, independent of how well it performed at the last review.
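As an added illustration, not Venminder's code or a tool described in the whitepaper, the following Python combines two of the activities above, SLA tracking and a risk-based review schedule, into one monitoring check that flags vendors needing attention. The vendor names, inherent-risk tiers, review intervals and SLA figures are constructed assumptions; substitute the intervals and targets your own program defines.

```python
"""Risk-based vendor monitoring: SLA attainment plus review cadence.

Added example; not Venminder's code. Vendors, tiers, intervals and SLA
measurements below are constructed for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed review cadence per inherent-risk tier, in days. Illustrative
# values; set them from your own third-party risk management policy.
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}


@dataclass
class SLAMetric:
    name: str
    target: float             # committed value, e.g. 99.9 (% uptime) or 4 (hours)
    higher_is_better: bool    # True for uptime, False for response time
    observed: list[float]     # one measurement per reporting period

    def breaches(self) -> list[int]:
        """Indices of reporting periods in which the vendor missed the target."""
        if self.higher_is_better:
            return [i for i, v in enumerate(self.observed) if v < self.target]
        return [i for i, v in enumerate(self.observed) if v > self.target]


@dataclass
class Vendor:
    name: str
    inherent_risk: str        # "high" | "medium" | "low"
    last_assessment: date
    slas: list[SLAMetric] = field(default_factory=list)


def next_review_due(v: Vendor) -> date:
    """Next assessment date driven by inherent risk, not by last review outcome."""
    return v.last_assessment + timedelta(days=REVIEW_INTERVAL_DAYS[v.inherent_risk])


def monitoring_findings(v: Vendor, today: date) -> list[str]:
    """Human-readable findings for one vendor; an empty list means nothing to escalate."""
    findings: list[str] = []
    due = next_review_due(v)
    if today > due:
        findings.append(
            f"risk assessment overdue by {(today - due).days} days "
            f"(tier {v.inherent_risk}, due {due.isoformat()})"
        )
    for m in v.slas:
        missed = m.breaches()
        if missed:
            findings.append(
                f"SLA '{m.name}' missed in {len(missed)} of {len(m.observed)} "
                f"periods (target {m.target})"
            )
    return findings


def vendors_needing_attention(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    """Map vendor name -> findings, including only vendors with at least one finding."""
    return {v.name: f for v in vendors if (f := monitoring_findings(v, today))}


# Constructed sample portfolio (assumed data, not from the survey).
SAMPLE_VENDORS = [
    Vendor("Payments Processor", "high", date(2021, 3, 1), [
        SLAMetric("uptime %", 99.9, True, [99.95, 99.80, 99.99]),
        SLAMetric("incident response hours", 4, False, [2, 3, 5]),
    ]),
    Vendor("Office Supplies", "low", date(2020, 6, 1)),
    Vendor("HR SaaS", "medium", date(2021, 9, 15), [
        SLAMetric("uptime %", 99.9, True, [99.95, 99.97]),
    ]),
]
TODAY = date(2022, 6, 1)

if __name__ == "__main__":
    for name, findings in vendors_needing_attention(SAMPLE_VENDORS, TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run as a script, the sample flags only the high-risk payments vendor: its annual assessment is overdue, and it missed both its uptime and its incident-response SLA in one period each. The low- and medium-risk vendors are still inside their longer review windows, which is exactly the effect a risk-based schedule is meant to have.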
Third-party risk management is more important than ever in today’s interconnected business environment. As organizations become more reliant on third parties, it’s critical to stay informed of new and emerging risks within the industry and implement best practices to strengthen your vendor management program.