An important consideration for businesses is developing robust third-party risk management (TPRM) strategies. These cover the ongoing evaluation process for organizations that want to manage the risks that occur when using vendors and outsourcing services and products.
From lessons learned in 2022’s third-party breaches, to supplier disruptions and new regulations, Alastair Parr, SVP of Global Products & Delivery, and Brad Hibbert, COO and CSO, at Prevalent, Inc. have presented three predictions to guide organizations in their 2023 third-party risk management (TPRM) strategies.
Prediction #1: The Old “Annual and Manual” Approach to TPRM Will Become an Exception Rather Than the Norm
According to Parr: “Given the continual onslaught of third-party vendor and supplier-originated security incidents (for example, the ransomware attack at Kojima Industries that stopped production at Toyota), organizations are trying to better predict disruptions and mitigate them when they do happen. As if this wasn’t challenging enough, increasing regulatory pressures in the areas of data protection and supplier due diligence are requiring these same organizations to more regularly assess the business resilience of their vendors and suppliers.”
What does this mean?
Parr adds: “Organizations have to be more proactive, continuous, and agile in assessing their third-party vendor and supplier resilience, ditching manual methods once and for all. Threats, regulatory requirements and legislation won’t allow the bare minimum third-party vendor and supplier due diligence reviews anymore.”
Parr continues: “Simply put, TPRM can’t be an annual, manual check-the-box exercise. To accommodate this shift, expect TPRM offerings to deliver better machine learning (ML)-based automations and analytics and stronger correlation against prior assessment findings. This evolution will help organizations more easily spot and respond to incidents and more efficiently gauge vendor and supplier resilience on an ongoing basis.”
Prediction #2: Third-Party Risk Management Will Evolve Into Third-Party Lifecycle Management
With the lifecycle approach, Hibbert explains: “It’s all about supplier resilience now, and that means looking at risks from the beginning to the end of the vendor relationship.”
In terms of how to approach this, Hibbert recommends: “Looking at risks at a single point in the supplier relationship, for example only at the time of onboarding, is the wrong approach. Risks continually present themselves throughout a supplier relationship long after the contract is signed. Yet, according to a recent TPRM trends report, fewer than half of companies are tracking third-party risks as the relationship progresses through maturity.”
Elaborating on what this looks like in practice, Hibbert explains: “In 2023, organizations will begin to look at third-party risks as a lifecycle with uniquely-tracked and managed risks during sourcing and selection, onboarding and contracting, ongoing management, and offboarding. This evolution will be driven by the need for better program oversight as professionals seek to capture information from colleagues adjacent to them in areas such as procurement, legal, compliance, audit, and risk. To facilitate this, data must become more accessible across teams and processes consolidated around a consistent set of workflows.”
Prediction #3: Geographic and Political Insights Will Become Increasingly Accessible in TPRM Solutions
In terms of the global situation, Parr finds: “If there was anything that the Russian invasion of Ukraine taught us, it’s the need to consider geo-political concerns in making supplier decisions. This is inherently a non-IT risk.”
This makes the task of accurately assessing the global situation more challenging. Parr indicates: “It is notoriously difficult to identify the regional sites of a third-party supplier that may be impacted by a geographic event such as adverse weather or geo-political issues. While the head office is commonly identified during the contracting phase, the regional sites such as manufacturing plants are often not readily available.”
On the same situation, Parr adds: “Considering the ramifications of the Russian invasion of Ukraine, in 2023 organizations will seek to capture more geographic information so they can report immediately to executives once a major event hits the media, identify potential challenges in the supply chain quickly and efficiently, and adjust accordingly. Supplier risk management solutions will help facilitate the collection and analysis of this information through passive scanning and the creation of a comprehensive supplier profile.”