Third-Party Risk Management: You Can’t Outsource Your Way Out Of Accountability
Firms have been outsourcing systems, business processes, and data processing activities to third-party service providers (TSPs) for years, but they are only one category of relationships that introduce risk into the enterprise. Now, firms are more dependent than ever on the vast network of third-party relationships, from vendors and suppliers to digital marketing agencies and customer engagement technology providers. As a result, we must change the way we define and approach third-party risk management (TPRM). Consider that TPRM is more complex than other risk management disciplines because:
- Third-party risk doesn’t have just one owner and often relies on coordination across risk, compliance, security, procurement, finance, and other areas of the business.
- There’s no common definition of what constitutes a third-party relationship, and firms are left guessing as to which ones are “in scope” for risk management efforts.
- The number of third parties requiring vetting, monitoring, and mitigation far exceeds the capacity of most TPRM teams, so they focus only on those considered “critical.”
Unfortunately, an inconsistent approach to TPRM doesn’t cut it when firms have little or no control over how third parties interact with their infrastructure, applications, and data but are still fully responsible for risks that arise during the course of the relationship. Those risks can vary from slight inconvenience to regulatory penalty, loss of customers and revenue, and reputation damage.
With so much at stake, a TPRM platform isn’t a nice-to-have anymore. Visibility into your third-party relationships, not just at onboarding but throughout all stages of the third-party lifecycle, is critical for every proactive TPRM program. A variety of TPRM platforms exist on the market today, and it is necessary to select the one that will work best for your firm. In our “Now Tech: Third-Party Risk Management Technology, Q3 2020” report, I look at 23 different technologies broken out by four functionality segments, revenue bucket, geography, vertical market focus, and industry.
Use this report to understand the expected value you would gain from the main providers in the TPRM platform market. Here are three things to keep in mind when selecting TPRM technology:
- Consider all stages of the third-party relationship lifecycle. A good TPRM program will help you manage your relationships from sourcing to offboarding. The challenges you face with your third parties today may not be the same tomorrow, and a mature TPRM program will help you mitigate risks at all stages of the lifecycle, including after contract termination.
- Third-party risk management tools are not one-size-fits-all. Whether your firm is a multinational corporation, operates in a heavily regulated industry, or is drowning in a high number of third-party relationships are all considerations when deciding the type of platform your firm needs.
- Evaluate your TPRM maturity before investing in technology. If you already have a strong TPRM program, you may be able to invest in a platform with more advanced capabilities. If your program is new or if you’re moving from spreadsheets, you may need a platform with more out-of-the-box capability and guidance to help build one from scratch. Be mindful of what features you’ll be able to use right away and which ones will be valuable over time.
For an even deeper dive into the major players in this market, look out for my upcoming Forrester Wave™ evaluation on third-party risk management technology coming later this year.
(written with Kate Pesa, senior research associate at Forrester)