Assessing Third-Party Risk in the Boardroom

Nicholas J Price
For a long stretch, many companies felt it was profitable to do as many operations in-house as they could. Today, the complexity of business and the severity of risks make it impossible for companies to do everything under their own roofs. More and more, they need to contract with third parties to complete tasks that aren't practical, efficient or cost-effective for them to do themselves.

As the use of third parties becomes more common, corporations are creating an environment in which third-party relationships can mature, which should be a positive thing in most respects. The rise of third-party contracts makes it necessary for companies to create third-party risk management teams and to allocate a portion of their budget for them to address the risks associated with those relationships. Using third-party risk management teams is a relatively new development, and while it has become a necessary addition, it's not keeping pace with risks and regulatory demands.

Third-Party Risk Management Continues to Mature

Third-party risk management has been around long enough to go through identifiable stages that help companies assess the maturity of their people and processes. Experts have identified five distinct stages of maturity for third-party programs. In most cases, companies will go through these stages in the following order: ad-hoc, fragmented, defined, integrated and agile.

Overall, third-party risk management has been gradually maturing at a slow and steady pace. According to a 2019 survey by Aravo, called 'Third-Party Risk: Chasing Maturity in a Dynamic Landscape,' 39% of the survey respondents stated that they are in the integrated and agile states, which is up from 33% last year. At the same time, it's important not to confuse longevity with maturity. Just because a program has been around for a few years doesn't mean that it's rising through the stages of maturity. The survey showed that it took most companies at least four years to become agile. Many companies reported having third-party risk management programs in place for seven years or longer, which puts them still in the ad-hoc stage.

Companies Risk Third Parties Causing Operational or Reputational Damage

Obviously, when a company contracts with a third party to take over a task or operation, it gives up a large degree of control. Proper oversight can be challenging. The lack of direct involvement opens the company up to additional risk. The most common risks due to third-party involvement are cyber risk and operational and reputational damage. The survey indicated that companies were aware of risk incidents related to third parties that had occurred within the last year that either did cause harm or that had the potential to cause harm.

Company representatives also indicated that oversight wasn't really even within their board's purview. To support that sentiment, about 27% of the respondents indicated that third-party risk wasn't a priority for their boards. Where company representatives do report to their boards, they expressed concerns that they weren't given opportunities to report frequently enough. Around 86% of the organizations represented in the survey indicated that they reported to their boards on a quarterly basis or less often.

The lack of knowledge by boards could lead not only to problems with risk, but also problems with stakeholders. Programs that rated higher for maturity tended to make more frequent reports. The overall results indicate that boards need to engage more frequently with their third-party risk management teams. Cyber risk rose as one of the greatest security concerns, which isn't surprising considering the vast number of cyberattacks and data breaches that have been reported in the media. About 35% of companies stated that cybersecurity was a high concern. About 18% of companies were concerned about reputational risk; operational risk followed closely behind, with 16% of companies expressing it as a concern.

Board and Third-Party Risk Management Drivers Are Misaligned

Corporate boards and third-party risk management teams are on separate pages with what drives third-party risk management. Around 52% of third-party risk management teams stated that they were driven by regulatory compliance. On the other hand, only 12% of board directors named compliance as a risk driver. These percentages indicate that third-party risk management teams need to propose value through the company's lens to help boards better understand the value they provide. With General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) still being fairly new, compliance concerns could rise notably in the coming years.

The survey also indicated that progress in key areas is uneven. A greater number of companies are starting to keep their third parties in a single inventory. Third-party risk managers aren't using risk assessments as consistently as in the past.

Boards Are Increasingly Aligning Third-Party Risk Management with Risk

The number of third-party risk management teams is up this year and alternative locations dropped. Also, companies are trending toward using a centralized model for third-party risk management teams. In addition, the number of companies that align third-party risk management to their overall risk appetite also increased. There is no indication that third-party risk management is handled consistently by a specific department. Third-party risk management tends to remain where the program originated unless regulatory requirements require otherwise.

Third-Party Risk Management Teams Challenged by Regulatory Changes

New rules and regulations continue to challenge third-party relationships. The scope and pace of regulatory changes are notable challenges and the changes make it difficult to separate the impact of compliance with other types of risks and business drivers.

Third-Party Risk Managers Concerned with the Lack of Concern Over Innovation

Respondents for the survey were given an opportunity to offer explanatory comments. Many of them took this opportunity to express their concerns that innovation with third-party risk management could be under threat. They noted their mounting concerns that the level of funding that companies allocated for innovation and improvement in the discipline simply isn't enough. This situation could become even more alarming in the coming years if third-party risk management teams don't have the necessary resources to be able to keep up with regulatory change.

In another notable change, more third-party risk management programs are replacing outdated processes like spreadsheets in favor of specialized software solutions. For example, a board management portal by Diligent Corporation is a good solution for third-party risk managers to communicate and collaborate with boards using a secure platform. Third-party relationships are moving in the direction of becoming a standard part of the corporate infrastructure. New opportunities bring new risks and it's best to address those risks at the earliest opportunity.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.