44% Fail To Track Supply Chain Risks

April 16, 2021

A new report, 2021 Third Party Risk Management Study: Looking Beneath the Cyber Risk Surface provided deep insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide. The findings clearly illustrate that most companies are missing key risks at more than one stage of the vendor risk lifecycle, yet few are expanding their TPRM programs to address these risks.

Key Findings from the 2021 Third-Party Risk Management Study include:

83% of companies report increased focus on third-party risk due to COVID-19, yet only 40% are expanding their programs
COVID-19 was the biggest event of 2020, increasing organizational focus on third-party risk management for 83% of companies. Yet, only 40% of study respondents report expanding their TPRM programs as a result. More concerning is that 44% of companies report not actively tracking supply chain risks, which were the primary pandemic-related third-party risk management impact.

Fewer than half of companies are actively tracking non-cybersecurity reputational risks
Because IT and security teams own third-party risk management in 50% of companies, and likely due to increasing numbers of damaging third-party data breaches, the study illustrates that cybersecurity risks are getting the most attention. However, study respondents admit they should be tracking risks such as SLAs and performance (47%), geo-political (47%), labor standards (45%), environmental (45%), human rights, trafficking and slavery risks (40%), and ABAC (39%). Not tracking these types of risks can open an organization up to reputational damage.

50% of companies don't have the pre-contract due diligence necessary to effectively evaluate potential vendors
More than 50% of respondents indicated the biggest challenge they face in third-party risk management is not having enough pre-contract due diligence to identify potential vendor risks. More alarming is that 59% indicate they are not actively assessing third-party risks during the offboarding stage of the vendor lifecycle. Organizations are missing critical risks at multiple stages of the third-party lifecycle.

Only 22% of companies involve procurement teams in third-party risk management
55% of organizations saw an increase in third-party risk management ownership by security over the past year, yet only 22% of companies are seeing an increase in ownership by procurement teams, meaning that important ESG, ABAC and vendor financial risks typically required by these teams to properly assess vendors may not getting the attention they require.

65% of companies are not satisfied with spreadsheets
42% of respondents said they assess their third parties using spreadsheet-based questionnaires and 65% of these respondents are either unsatisfied or neutral with this approach.

"The past year has brought even more attention to the risks associated with third-party vendors and partners, specifically to the supply chain," stated Brenda Ferraro, vice president of third-party risk management for Prevalent. "And the threats that these vendors and partners bring into an organization go well beyond cybersecurity and data privacy. Companies need to start thinking about the underlying risks below the surface such as environmental, social and governance (ESG), anti-bribery and corruption (ABAC) and SLA performance. A successful TPRM program must expand beyond traditional cybersecurity risks and involve several departments across the organization. Together these teams will keep customers, employees and partners safe."

The results of this study demonstrate that IT security and business teams need to collaborate more closely to identify and mitigate more types of risks at all stages of the third-party lifecycle. The report concludes with the following recommendations for unifying IT security and business for better outcomes from onboarding to offboarding:

Expand assessments beyond cybersecurity to include reputational and vendor financial information, helping to create a more holistic vendor risk profile

Bridge the gap between Business and IT with a unified strategy for addressing risks spanning the organization

Manage risk at every step of the third-party lifecycle, starting with more complete pre-contract due diligence and ending with secure vendor offboarding

Outsource the time-consuming work to the experts, leaving your team to focus on risk remediation and management

Terms of Use | Copyright 2002 - 2021 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement