83% of executives only identified third-party risks after initial onboarding had already occurred. While the third-party risk universe has expanded dramatically, risk management hasn’t kept up.
AuditBoard and RSM’s new ebook, Third-Party Risk Management: Trends and Strategies to Help You Stay Ahead of the Curve, translates current TPRM trends and lessons learned into actionable ideas to help your organization identify, reduce, and monitor third-party risk. Download the full guide here, and continue reading below for an overview of the major third-party risk categories, as shown in the image below.
Supply Chain and Nth-Party Risk Focus
Your company’s supply chain comprises the flow of goods and services provided by internal and external parties, including any software supporting those goods and services. Today’s volatile risk landscape requires us to look beyond third-party vendors to include their vendors and beyond. This is called Nth-party diligence, and it involves understanding how data is transferred from your organization to each third party and on to their Nth parties.
Prior to the COVID-19 pandemic, supply chain risk was an afterthought for many companies. Now, supply chain issues often change how companies do business. The supply chain often leaves companies more vulnerable, and these vulnerabilities will not go away. The figure below depicts some of the most prominent supply chain risk trends and focus areas.
Regulatory and Compliance Risk Focus
Emerging regulatory guidance and considerations are a key driver behind the momentum for maturing TPRM programs. It’s worth noting, however, that the regulatory activities are in turn being driven by increasing risks and costs in all of these areas, as well as a cultural shift marked by greater focus on supplier transparency. In particular, the regulatory and compliance focus areas below are quickly growing in prominence.
Cybersecurity
The U.S. Securities and Exchange Commission (SEC) is continuing to release cybersecurity disclosure rules for public companies. The proposed rules require immediate disclosure of material cybersecurity incidents and annual disclosure of cybersecurity risk management policies and procedures (including management’s role in Third Party Risk Management), the board’s level of cybersecurity risk management oversight and experience, previously undisclosed immaterial incidents that have become material, and updates on previously reported incidents.
The U.S. Department of Labor (DOL) has announced new cybersecurity guidance for plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA). The guidance offers a range of cybersecurity program best practices, notably including a “reliable annual third-party audit of security controls” and “appropriate security reviews and independent security assessments” of “assets or data stored in a cloud or managed by a third-party service provider.”
Personal Data Privacy
The General Data Protection Regulation (GDPR), which went into effect in 2018, was a bellwether moment for privacy requirements. Worldwide, United Nations survey data shows that 71% of countries have already enacted privacy and personal data protection laws and regulations; another 9% are in the process of drafting them. In other words, if your third parties have access to your personal data holdings, then you need to ensure they have controls and operational practices in place so that their handling of that personal data meets your compliance obligations.
Environmental, Social, and Governance (ESG)
Regulatory activity and investor pressure focused on ESG reporting continues to escalate both nationally and globally. The UK and EU have already adopted proposals mandating ESG reporting, and the SEC’s mandatory climate disclosure rule and the IFRS Foundation’s International Sustainability Standards Board’s (ISSB) voluntary standards are pending.
Many companies lack preparedness and maturity around ESG metrics, initiatives, and reporting, especially as it relates to climate and environmental considerations. In a 2022 AuditBoard poll of over 1,000 compliance, risk, and audit leaders, nearly 16% of respondents reported being “not prepared at all” to assess the ESG concerns of their third-party and Nth-party suppliers; more than 40% indicated that they were only prepared to follow minimum guidelines; and more than 35% said they didn’t know how prepared they were.
Download AuditBoard and RSM’s new ebook, Third-Party Risk Management: Trends and Strategies to Help You Stay Ahead of the Curve, to help your organization identify, reduce, and monitor third-party risk.