6 State of Third-Party Risk Management Highlights for 2023
After conducting our State of Third-Party Risk Management Survey in November of last year, we've analyzed the results and found six highlights that you should pay close attention to this year.
Hi - this is Aaron Kirkpatrick with Venminder.
In this podcast, you'll learn six highlights from the Venminder State of Third-Party Risk Management 2023 survey.
Here at Venminder, our team of certified industry experts specializes in building effective third-party risk management programs to help your organization meet the rising challenges of today's third-party risks.
The Venminder State of Third-Party Risk Management survey was released in 2022 to a variety of industries and organizations, including financial services, fintech, retail, healthcare, and more. Our survey also surveyed organizations of different sizes, ranging from less than $1 billion in assets or less than 100 employees to more than $10 billion in assets or more than 5,000 employees. The goal of this study was to keep you informed about current practices, challenges, compliance incentives, and third-party risk management benefits of the industry.
2022 highlighted the importance of third-party risk management domestically and abroad. Cyberattacks increased in record numbers, and the healthcare and financial services industries were hit particularly hard. Supply chains were disrupted by labor shortages and high fuel prices, while geopolitical events such as the Russian-Ukrainian war led to increased sanctions and new laws designed to protect human rights.
Despite an already troubled economy, inflation rose to its highest level in 30 years. Due to these conditions and events, almost every industry and organization has been under increased pressure to identify, manage, and monitor new and emerging third-party risks. So, what does this mean for third-party risk management?
Here are six highlights learned from the results of the Venminder State of Third-Party Risk Management 2023 Survey:
- First, when it comes to third-party risk management, 70% of respondents ranked cybersecurity as their top concern – which is hardly surprising. No industry is immune from cyberattacks and data breaches related to third-party vendors. So, organizations of all sizes must ensure that their third party's security controls and policies are strong enough to protect against malicious actors. According to our survey, cybersecurity awareness training, multi-factor authentication tools, and anti-malware solutions are being implemented in many organizations to mitigate cyber risks.
- Second, vendor business continuity planning remains a priority. We learned that vendor business continuity planning rose to second place for new or emerging vendor risk concerns. Cyberattacks and breaches are often responsible for business disruption, which is likely why vendor business continuity planning concerns are rising. To help address this concern, review your vendors' business continuity plans and testing results to ensure they’re prepared to handle business-disrupting events, including natural disasters, geopolitical conflicts, cyberattacks, and other potential business-impacting events.
- Third, third-party risk management program metrics are gaining traction, with 20% of respondents stating they have operational metrics and 16% stating they are developing metrics. Understanding your program's effectiveness is essential and confirming that third-party risk management’s foundational objectives are being met is equally important. Establishing third-party risk management program metrics is the best way to holistically evaluate and measure your program's health, stability, and effectiveness.
- Fourth, many respondents agree third-party risk management activities helped their organizations overcome supply chain disruptions. Almost half of those surveyed have begun to realize the benefits of third-party risk management, whether it reduces supply chain disruptions or lessens the impact of cyberattacks and data breaches.
- Fifth, manual processes are out, and specialized third-party risk management software is in. Sixty-four percent (64%) of respondents reported using dedicated third-party risk management software or platforms. The shift to these specialized vendor risk management platforms makes sense as they have been specifically designed to address the various processes and complexities under the third-party risk management umbrella.
- Lastly, outsourcing is another viable but underutilized option to support third-party risk management teams. The lack of resources and bandwidth is a major problem for many third-party risk management programs. Yet, outsourcing remains an underutilized solution in these circumstances. Organizations can use outsourcing for various purposes, including conducting vendor risk reviews, collecting and organizing due diligence documentation, or supplementing their third-party risk management teams with contractors. While outsourcing makes sense for many organizations, be cautious about outsourcing your whole program. Auditors and examiners will hold your organization accountable for its third-party risk management practices whether you outsource or not, so maintaining some internal program management is essential.
So, what did we learn in 2022? As cybersecurity attacks and supply chain interruptions become more frequent and severe, third-party risk management appears to reduce the occurrence and severity of those threats. However, this requires organizations to stay vigilant, whether that is by implementing new cybersecurity controls or carefully reviewing vendor business continuity plans. Still, the high expectations for third-party risk management may not be realized if there aren't adequate resources for managing the risks. This is why third-party risk management software and services can help organizations drive efficiencies and effectiveness while creating bandwidth.
I hope you found this podcast insightful. Thanks for tuning in; catch you next time!