A Better Way to Manage Third-Party Risk

An iterative approach better equips legal and compliance leaders to combat third-party risks in a rapidly changing business environment.

A large technology organization hires a third party to help with routine website updates and allows it access to the corporate intranet. For some of the work, the third party employs its own third party. It is suddenly much harder for the organization to assess and mitigate the risks it is aware of, let alone the ones it is not.

In 2019, 71% of organizations report their third-party network contains more third parties than it did three years ago, and the same percentage reports their third-party network will grow even larger in the next three years. In fact, our research shows that 60% of organizations are now working with more than 1,000 third parties.


Not surprisingly, Gartner research reveals that compliance programs are focused on third-party risk more than ever before: more than twice as many compliance leaders considered it a top risk in 2019 as did three years ago. Why the increased attention on third-party risk?

“Increasingly, third parties have greater access to organizational data assets and are working with an increasing number of third parties themselves,” says Chris Audet, Director, Gartner. “The nature of third-party relationships has changed, and so too has the way businesses are using third parties. It only makes sense that a new approach is needed to identify and manage third-party risks successfully.”


Current approach fails to capture risk

Traditional third-party risk management strategies focus on fixed points in time. They rely heavily on exhaustive upfront due diligence and periodic recertification, rather than devoting effort to ongoing monitoring.

Gartner finds the traditional point-in-time approach fails to capture risk appearing after due diligence and before recertification.

But this fixed-point-in-time approach fails to address the risks that arise after due diligence and before recertification. In fact, Gartner found that 83% of legal and compliance leaders identified third-party risks after due diligence and before recertification. Of those identified risks, 31% resulted in a material impact to the business. Critically, 92% of legal and compliance leaders told us that those material risks could not have been identified through due diligence. Changes in scope, strategy and personnel all tend to arise over the course of the third-party relationship, often creating risk that goes unidentified.


The answer to improving risk identification and monitoring, Gartner research shows, is to take an iterative approach that requires some information gathering prior to the third-party engagement, but places a greater emphasis on information gathering over the course of the relationship.

“As third-party relationships change, compliance leaders must ensure risks are mitigated over the course of the relationship,” says Audet. “Leaders must shift from a point-in-time approach to an iterative approach that can identify risks throughout third-party relationships and account for changes in the business environment.”

Iterative approach has many benefits

Gartner research found that organizations applying an iterative approach observe improved business and risk outcomes. Businesses that employ the iterative approach report that their business partners are three and a half times more satisfied with the business's ability to quickly engage with third parties, twice as satisfied with its ability to remediate third-party risks before they have a potential impact, and one and a half times more satisfied with its ability to surface third-party risks before they are too late to remediate.

Three transitions are key to shift from point-in-time to iterative third-party risk management:

  1. Streamline due diligence to focus on critical risks. Use a data-driven methodology to determine which critical risks have impacted the organization in the past and to gain insight into emerging risks, so that due diligence concentrates on what matters.
  2. Establish internal triggers to monitor for change. Monitor your third-party network with triggers throughout the business that signal changes in the third-party relationship.
  3. Create controls and incentives to monitor for change. Embed controls and incentives to manage high-risk third parties and improve ongoing monitoring.

Gartner for Legal & Compliance Leader clients can read more in From Point-in-Time to Iterative: Identifying New Third-Party Risks.
