In retrospect, 2022 has been a busy year for third-party risk management (TPRM) professionals. While cyberattacks on organizations of all sizes have skyrocketed, a high degree of geopolitical risk has also emerged, leading to new government sanctions and strict regulations to prevent human rights abuses, such as the Uyghur Forced Labor Prevention Act. Businesses everywhere must handle other challenges including prolonged supply chain interruptions, labor shortages, and the work-from-home debate. As if that wasn’t enough, business continuity and vendor financial health continue to be major third-party risk management concerns.
Still, seasoned third-party risk management professionals recognize that the only thing that never changes is that risk is ever-present and evolving. So, taking time to analyze and synthesize the previous year's risk landscape and events is always a valuable exercise.
Let’s look at several key takeaways from 2022 and pinpoint some third-party risk management best practices for 2023.
Key Third-Party Risk Management Takeaways from 2022
The following are big takeaways from the last year:
- Cybersecurity is a top threat. 2022 has proved that no organization is safe from cyberattacks, many of which occur because of third parties. Unfortunately, it's no longer a question of if your organization will suffer a cyberattack, but when. Sobering as this should be, many organizations are still failing to ensure their third parties have comprehensive cybersecurity protections and controls.
- Regulatory compliance matters. In terms of TPRM regulations, 2022 wasn’t a particularly active year. Still, there were some major changes, such as the SEC’s Amended Safeguards Rule which requires covered financial institutions (such as auto dealerships, mortgage brokers, collection agencies, and tax preparation firms) to develop, implement, and maintain compliant, comprehensive information security programs for the first time.
Even in years where there are no significant changes to regulations governing TPRM, organizations still have plenty of work to do. A third-party risk management framework should always place regulatory compliance at the top of its priority list, which means everything from your policy to vendor risk assessments, due diligence, and monitoring should reflect and meet regulatory requirements.
- Monitoring the supply chain is important. We’ve all felt the strain of supply chain disruption during the last year. Whether it was high gas prices, long production times, or a major hurricane, there have been countless examples to learn from. Understanding how your vendors plan to respond to business-disrupting events and how they monitor their own vendors is essential. When assessing your third-party vendors, ensure they disclose any fourth or nth parties (your vendor’s vendors) that are considered critical in providing products and services to you or that pose risks that could threaten your organization’s operations, regulatory compliance, or reputation.
8 Third-Party Risk Management Recommendations for 2023
As we move forward to 2023, here are eight best practices for your third-party risk management program:
- Follow the third-party risk management lifecycle. Mastering the basics of third-party risk management is much easier when you have the right roadmap. The lifecycle is the perfect guide to help you effectively identify, assess, manage, and monitor vendor risk from the beginning of a vendor relationship until it ends, and everything in between.
- Know your regulations. Take time in 2023 to learn (or review) and understand the regulations governing third-party risk management for your industry. After all, it’s hard to meet expectations when they are unknown or unclear.
- Review your third-party risk management program. Think like an auditor or regulator to determine if your policies and frameworks reflect regulatory requirements and best practices. Does your program follow the third-party risk lifecycle? Are processes executed consistently? Is there evidence of those processes? Do stakeholders understand and execute their roles properly? Does the program effectively identify, assess, and manage risk? Taking time to objectively review the TPRM program (in advance of an audit or exam) is time well spent. Once gaps or weaknesses are identified, it’s easier to begin correcting them.
- Review and update risk questionnaires and due diligence documentation standards. Vendor risks are constantly changing, so the tools used to identify and assess those risks must keep pace. Establish an annual process to collaborate with your SMEs to review and update questionnaires to target new, evolving, or changing risks. As risk changes, appropriate vendor controls should be implemented. Don’t forget to review your due diligence documentation standards to determine if any new or different documents should be required from vendors in the future.
- When it comes to business continuity, don’t forget about fourth parties. It’s important to understand how your vendors (and their vendors) plan to act in the face of major business-interrupting events. When reviewing your vendor’s business continuity and resiliency plans, verify that they considered their critical vendors (your fourth parties) and that plans have been tested.
- Establish third-party risk management program metrics. Use data to measure the program’s effectiveness and how well risk is managed across your vendor portfolio. Create metrics that can help management make decisions and drive action. The right metrics will also enable your organization to support the program more meaningfully, such as by increasing the budget or adding resources.
- Commit to communication and collaboration. Let’s face it, providing information and communicating aren’t the same thing. This year, focus on communicating the importance of third-party risk management to your organization and ensure your stakeholders understand their role in its effective execution. Knowing the "why" of TPRM makes teaching the "how" of its associated processes easier and more effective. Engage stakeholders in active collaboration to resolve problems or improve processes. Keep in mind that feedback is important and so is acting on it.
- Maximize your resources. If you find that your TPRM team struggles to manage the ever-increasing workload, it’s time to think strategically about how you can maximize your resources. Manual processes are not only error-prone, but they’re also productivity killers. It might be time to ditch the spreadsheets and implement third-party risk management software to help you automate your processes, consolidate documentation, reduce errors, and enhance your bandwidth. If you’re already using technology but are still drowning in due diligence document collection or assessments, consider outsourcing these tasks to a qualified professional third-party risk management services company.
2022 reinforced a long-standing need for solid third-party risk management practices in all industries. By now, most of us have come to expect (and hopefully plan for) the challenges associated with ever-increasing vendor risk. The best approach for handling these risks is to understand them and strive for constant improvement in your third-party risk management program. By mastering the basics, checking your work, and prioritizing communication and collaboration, you’ll be well on the way to successful third-party risk management in 2023!