Did the big 4s TPRM prediction of 2022 come true?
As supply chain networks become increasingly complex and global events continue to cause disruption, organisations are facing a rapidly growing spectrum of risks. The COVID-19 pandemic exposed significant weaknesses in existing Third Party Risk Management (TPRM) systems, and more recently, attacks on large companies including TikTok, Uber and Rockstar Gaming have only emphasised the extent of these vulnerabilities. The need for effective TPRM systems is more important than ever.
We’ve looked back at what the Big 4 consultancy firms’ TPRM predictions were for 2022, and analysed if they actually came true or not.\
The complexity of supply chain networks is going to increase
One of the greatest emerging challenges in Third Party Risk Management is the increasing complexity of businesses’ supply chain networks. Organisations are working with more third parties than ever before – each with their own suppliers and clients - making it increasingly difficult to identify and tackle security risks across the supply chain. Gartner reports that 60% of organisations are working with over 1000 third parties, a figure expected to continue rising in the coming years. With the majority of security breaches stemming directly from issues with suppliers and other external parties, highlighted by incidents such as the high-profile SolarWinds attack in 2020, there is a clear need for revised TPRM solutions to enable organisations to keep track of third-party security risks.
In order to protect your organisation from third party risks going forward, ensure that you have clear plans in place to deal with security breaches quickly and effectively, and consider further investment in TPRM technologies.\
2022 will see a greater focus on Environmental, Social and Governance (ESG) risks
Increased awareness of environmental, social and governance (ESG) concerns continues to change the landscape of TPRM. According to Deloitte, almost half of all businesses say that maintaining a responsible reputation and transparency as an organisation is now a key motivation for TPRM investment, as social and environmental issues increasingly take higher priority, both for businesses and stakeholders. Equally TPRM programs must adapt to new regulations, as sustainability and social policies are introduced around the world. EY reports that over 90% of investors focused on nonfinancial performance in their recent investment decisions, with other factors gaining priority. A similar trend can equally be seen among consumers, outlined in EY’s Future Consumer Index - a growing number of consumers say their choices are influenced by a company’s values and commitment to social and environmental concerns.
Key ESG concerns include corporate ethics and responsible behaviour, product liability and labor risks, as well as climate change and sustainability, human rights concerns and equality of opportunity. As supply chains and third party networks become larger and more complex, managing ESG related risks from Nth parties is essential in maintaining responsible business practices and reputation.
However, despite an increased emphasis on ESG concerns, Deloitte reports that a majority of businesses do not believe they currently have mature or qualitative methods in place to properly assess and tackle these risks. Disruption caused by recent global events, from the COVID-19 pandemic to the current conflict in Ukraine, have equally highlighted a lack of provision for ESG-related risks, as organisations have struggled to adapt amid issues such as supply shortages and sanctions. There is a clear need for more mature, focused solutions assessing ESG and geopolitical risks in order to mitigate similar incidents in the future.
Is your organisation effectively managing ESG concerns? Get informed about the tools available and best practices that you can adopt to keep on top of shifting social and environmental risks.\
The need for greater investment and improvement in TPRM systems will become unavoidable
The COVID-19 pandemic highlighted the need for third-party risks to be realized quickly and effectively, revealing that many current TPRM programs are unfit for purpose. In fact, according to a report by KPMG, 77% of organisations admit that an overhaul of the TPRM operating model is long overdue.
One of the key challenges for TPRM is a tendency for businesses to operate in isolated silos and focus on individual areas, rather than taking a broader, integrated view – a more holistic approach which connects related departments and systems is needed to improve efficiency and cost-effectiveness. Technology will be a crucial part of development in TPRM to adopt this integrated approach, from cloud technologies to artificial intelligence (AI). KPMG reports that a majority of businesses aim to use technology for TPRM tasks in the coming years, and whilst almost half of all TPRM tasks are supported by technology, many find that existing tools are insufficient.
Prevalent’s 2022 Third Party Risk Management Study reports that awareness of TPRM among executives continues to grow and take higher priority, with systems becoming more strategic in order to prevent security incidents. However, the issue of organisations using multiple, non-integrated tools persists, potentially leaving vulnerabilities.
Consider how you can optimise your approach to TPRM going forward, whether it’s investing in new technologies or even outsourcing to managed service solutions.\
We will see an increase in managed Service Tools/ Outsourcing TPRM operations to external parties
Outsourcing TPRM operations appears to be the way forward, as the use of external parties grows increasingly popular. As the landscape of TPRM continues to rapidly change and become more complex, managed service solutions can help take the burden off of companies struggling to maintain their programs due to underfunding, and outdated technology and skillsets. With the aid of technology, as well as specific and up-to-date expertise, organisations can assess their third-party risks more efficiently and with a more holistic approach. According to Deloitte, over 80% of businesses believe managed service solutions will become more popular in the near future, whilst many aim to outsource TPRM operations alongside improved in-house programs.
Managed service providers may be a useful addition if in-house staff are overburdened and need to work on other priorities, or simply do not have the experience that a specialist team would. However whilst there are many external tools on offer to help you manage third party risks, it can be challenging to work out which one fits your needs.
There are three main types of TPRM tools, each with their own advantages and disadvantages:\
If you’re looking for a quick and often cheap way to check your suppliers' security credentials - use a security questionnaire. However, whilst they give good efficiency savings in comparison to manual spreadsheets, they serve mostly to give you a one-off, quick compliance view, not to help you prevent supply chain breaches.\
Scanning tools allow you to quickly gain a light understanding of an external attacker’s view of your supply chain, and many of these currently integrate both questionnaires and scanners to check the internal security posture of an organisation. However, these tools can often return false positives, and may only take into account surface level information, overlooking vulnerabilities. Vulnerability scanners are also a more expensive option.\
Shared assurance providers
Shared assurance providers compile supplier assessments into a single pool, which clients can then purchase. These are good if you don’t want to do the evaluation yourself, but have the same point-in-time approach as questionnaires which can pose issues. They are usually expensive, and depend heavily on the number of suppliers already on the platform.\
At Risk Ledger we offer an alternative approach, bringing suppliers and clients together on an online platform to get a comprehensive overview of their entire supply chain. Click here if you would like to know more.
According to Prevalent’s 2022 Third-Party Risk Management Study, the use of dedicated TPRM solutions has grown by 14% since 2021. However, even more companies are using manual processes such as spreadsheets to assess third parties in 2022 compared to 2021, with organisations waiting on average over two weeks for third-party incident resolution. The study also highlights the risk of organisations using multiple separate tools to assess and resolve third-party incidents, rather than taking a more integrated approach.
For a more detailed overview of the different managed service solutions available and how they can improve your TPRM system, check out our previous post on how to know which tool is right for you.\\
Recent years have seen Third Party Risk Management growing in scale and complexity, with growing supply chains, widespread disruption and the rise of ESG concerns, revealing that many existing systems are unfit for purpose. Whilst awareness of third party risk has reportedly increased since last year, with greater emphasis on ESG risks in particular, programs continue to struggle in many organisations. Whilst Prevalent reports that the use of dedicated TPRM solutions has risen, many organisations are still using multiple separate tools rather than an integrated approach, and almost half of businesses are still using manual spreadsheets to assess their third parties. Although it seems that awareness of these issues is continuing to grow, there is still a clear need for greater investment and a shift to new approaches in practice. External service providers and risk management tools offer a way forward to addressing these issues as we head into 2023.
Did the Big 4’s predictions align with the trends in your organisation this year, and will these be influencing your approach to Third Party Risk Management going forward?