Increasingly, society has evolved into one where automation and technology rule the day. In this digital society, IT and cybersecurity risk management must be elevated to the same level as market risk, compliance risk, operational risk, and so on. Another area undergoing considerable change is third party risk management.
What does the next year have in store for third party risk management? Considering this for Digital Journal is Brad Hibbert, Chief Strategy Officer & Chief Operating Officer at the company Prevalent.
Hibbert divides his assessment into two key areas: the maturity of third party risk management and the necessity of transforming the process into ‘third party lifecycle management’ (and with this achieving greater stability).
Third party risk management matures from experiment to expectation
According to Hibbert, the year has been a record one “for third-party security incidents, with breaches such as MOVEit dominating the headlines.”
In response, Hibbert notes, “regulatory pressure from the Securities and Exchange Commission (SEC) and several European entities to improve the governance over third-party outsourcing arrangements is also driving the evolution of third party risk management from a project that aims to manage risks to a program that addresses risks across a third-party lifecycle.”
In other words, explains Hibbert, “third party risk management is no longer an experiment; it’s an expectation. This maturation has solidified its position as a table stakes element in organizational risk management decision making.”
So what does this mean for an enterprise? Hibbert suspects “despite economic uncertainty, inflation, and labor shortages, investment in third party risk management is expected to remain consistent into 2024. Board-level and executive-level engagement in third party risk management will persist due to continued third-party security incidents and regulatory pressure. While challenges in finding skilled third party risk management practitioners may continue, efficiency and effectiveness in third party risk management programs will improve thanks to generative AI, machine learning, data analysis, enhanced automation, and program outsourcing.”
Engagement from multiple internal teams will transform third-party risk management into third-party lifecycle management
For the second area of inquiry, Hibbert predicts a transformation in third party risk management. He considers: “It’s not enough to manage risks, you have to manage the lifecycle of a vendor relationship to understand the context of the risks your organization is exposed to. Otherwise, third party risk management devolves into a check-the-box exercise. This will require third party risk management program owners to expand the scope of their efforts to include all parties that interact with third-party vendors and suppliers.”
Why a lifecycle-based approach? According to Hibbert: “The third-party lifecycle encompasses all activities related to a vendor from cradle to grave – including vendor onboarding, ongoing monitoring, compliance, risk management, and offboarding. This evolution is driven by different personas and departments, each with their specific needs and interests.”
As to internal firm dynamics, Hibbert predicts: “procurement is expected to play a more prominent role in driving third-party lifecycle management. Legal departments will automate clause detection and comparative analysis. Risk management will continue to be a core player, while operations will use data sets from various sources to enhance operational resilience and ensure quality. Audits will persist, as compliance and regulatory mandates become more complex. The involvement of various business areas in third-party lifecycle management is a trend that is set to continue.”
