A Better Way to Manage Third-Party Risk

August 16, 2019

Contributor: Jordan Bryan

An iterative approach better equips legal and compliance leaders to combat third-party risks in a rapidly changing business environment.

A large technology organization hires a third party to help with routine website updates and gives it access to the corporate intranet. For some of the work, the third party brings in a third party of its own (a fourth party from the organization's perspective). It suddenly becomes much harder for the organization to assess and mitigate the risks it is aware of, let alone the ones it is not.

In 2019, 71% of organizations report their third-party network contains more third parties than it did three years ago, and the same percentage reports their third-party network will grow even larger in the next three years. In fact, our research shows that 60% of organizations are now working with more than 1,000 third parties.

Not surprisingly, Gartner research reveals that compliance programs are more focused on third-party risk than ever before: more than twice as many compliance leaders consider it a top risk in 2019 as did three years ago. Why the increased attention?

“Increasingly, third parties have greater access to organizational data assets and are working with an increasing number of third parties themselves,” says Chris Audet, Director, Gartner. “The nature of third-party relationships has changed, and so too has the way businesses are using third parties. It only makes sense that a new approach is needed to identify and manage third-party risks successfully.”

Current approach fails to capture risk

Traditional third-party risk management strategies focus on fixed points in time. They rely heavily on exhaustive upfront due diligence and periodic recertification, rather than on ongoing monitoring. This point-in-time approach fails to address the risks that arise after due diligence and before recertification. In fact, Gartner found that 83% of legal and compliance leaders identified third-party risks after due diligence and before recertification. Of those identified risks, 31% resulted in a material impact to the business. Critically, 92% of legal and compliance leaders said those material risks could not have been identified through due diligence. Changes in scope, strategy and personnel tend to arise over the course of the third-party relationship, often creating risk that goes unidentified.

The answer to improving risk identification and monitoring, Gartner research shows, is to take an iterative approach that requires some information gathering prior to the third-party engagement, but places a greater emphasis on information gathering over the course of the relationship.

“As third-party relationships change, compliance leaders must ensure risks are mitigated over the course of the relationship,” says Audet. “Leaders must shift from a point-in-time approach to an iterative approach that can identify risks throughout third-party relationships and account for changes in the business environment.”

Iterative approach has many benefits

Gartner research found that organizations applying an iterative approach see improved business and risk outcomes. Business partners of organizations that employ the iterative approach report being three and a half times more satisfied with the business's ability to quickly engage third parties, twice as satisfied with its ability to remediate third-party risks before they have an impact, and one and a half times more satisfied with its ability to surface third-party risks before it is too late to remediate them.

Three transitions are key to shift from point-in-time to iterative third-party risk management:

  1. Streamline due diligence to focus on critical risks. Use a data-driven methodology to determine which risks have actually affected the organization in the past and to gain insight into emerging risks, so that upfront due diligence concentrates on those.
  2. Establish internal triggers to monitor for change. Place triggers throughout the business (a change in scope, strategy or personnel, for example) that signal a change in the third-party relationship and prompt a fresh look at its risk.
  3. Create controls and incentives to monitor for change. Embed controls and incentives that manage high-risk third parties and improve ongoing monitoring.
