Third Party Risk Programs Make A Good Start…
But Have A Long Way To Go
A recent poll of over 500 risk management professionals hosted by DVV Solutions technology partner ProcessUnity and other leading IT GRC and Vendor Risk Management (VRM) experts suggests that while many organisations are on the right path to a successful and automated TPRM, they are still yet to take the necessary steps to mature their program content and execution.
The headline figure that over half of risk managers believe their program is “Underperforming” is not surprising given the disproportionately low level of investment and organisational buy-in Third Party risk receives – as highlighted in the recent Shared Assessments 2019 Vendor Risk Management Benchmark Study.
However, what is possibly more concerning is that nearly 1 in 5 (18%) of respondents rate their TPRM program as “Informal” – meaning there is little to no program in place at all. Given the continued proliferation of outsourcing and migration to cloud-based services, there is clearly still some basic groundwork to be done by both Risk Managers and senior stakeholders to properly understand and address the significant Cyber, Operational and Enterprise risks this presents.
Below is an excerpt from the full article originally posted by ProcessUnity.
A third party risk management (TPRM) program is more than just checking a box, and organisations can grade their maturity level through the Third-Party Risk Management Maturity model. This model has four levels of program maturity – with informal indicating that organisations are playing with fire to optimised where TPRM is a top priority for the organisation. In the live poll taken during the webinar, 56 percent said that their programs are underperforming…or not performing at all.
Almost one in five (18 percent) indicated that their program is informal, where they have little to no program in place at all. These organisations do not have established policies or procedures for assessing risk, nor consistent processes for onboarding new vendors or negotiating contracts. Today’s digital landscape exposes even the smallest businesses to devastating risks, and if these organisations’ vendors have access to crucial business data without any means of protection, they are playing with fire.
Another 38 percent said that they have a reactive TPRM, where there are minimal resources, manual questionnaire reviews and due diligence distribution, and little to no executive support. The policies and procedures of these companies fulfill the basics of point-in-time risk assessments but offer no pathways toward ongoing monitoring. Without centralisation of data and command of workflows, it’s difficult to demonstrate consistent, repeatable processes – not to mention the real risk of manual errors.
That means more than half of these organisations are putting third-party risk management on the back burner.
While many may be at risk, there is also a significant number of organisations recognising the need and making real changes to their vendor management processes. 37 percent of organisations said that they are proactive and have a dedicated, full-time third-party risk management team. In proactive organisations, risk policies and procedures are fulfilled through a dedicated third-party risk management system that automates workflows, centralises data, coordinates internal and external communications, archives contracts and other relationship documentation, and enables basic reporting that can draw insights from aggregate risk data.
Finally, only four percent of participants believe that their program is optimised. Optimised programs not only have all the benefits of proactive programs, but also can take third-party risk management from the tactical to the strategic level. These leaders are leveraging strategic advantages to reduce costs and improve service quality, while also having visibility into every vendor relationship.
How do you rate your Third-Party Risk Management program? Optimised? Reactive? Proactive?
You’re only as strong as your weakest link
It’s clear that many organisations are on the right path to a successful and automated TPRM, but they still need to take the necessary steps to further mitigate risk. Businesses operate at different scales, with a variety of risks that have different degrees of severity…and potential consequences.
TPRM services and software can not only save valuable time and money, but also can safeguard companies from potential weaknesses in their vendors that can lead to data extraction, financial and reputational damage, and more.
That is why DVV Solutions has developed a range of services and solutions to deliver more effective and efficient third-party risk management for national and local public sector organisations. Our suite of consultative and managed services delivers significant improvements in
– developing and maturing current risk methodologies and frameworks,
– scaling resources to supplement and enhance existing risk assessment programs, and
– delivering time and cost efficiencies through established best-practice and workflow automation
to enable risk assurance teams to spend more time on what’s important: eliminating control gaps, raising security standards and reducing overall risk.
Contact DVV Solutions
To find out more about DVV Solutions, or for information about our Third Party risk managed services and solutions, please:
Call us on +44 (0) 161 476 8700, or
Complete our Contact Form