New research highlights third party risks facing organisations

The standard point-in-time approach to risk management is no longer effective in today's landscape of fast-paced, rapidly changing business relationships, according to new research released this week from Gartner. 

The research identifies an iterative approach to third-party risk management as the route to faster engagement, risk identification and remediation. It found that more than eight in 10 organisations discover third-party risks only after their due diligence period has ended.

Among organisations that engage third parties to provide business services, 83% identified third-party risks after conducting due diligence and before recertification, Gartner explains.

According to Chris Audet, research director for Gartner’s Legal & Compliance practice, with an increasing number of third parties performing new-in-kind and noncore services for organisations, material risks cannot always be identified prior to the start of a business relationship. 

He says modern risk management must account for ongoing changes in third-party relationships and mitigate risks in an iterative way — that is, on a continual basis, rather than at specified intervals.

“Legal and compliance leaders have relied on a point-in-time approach to third-party risk management, which emphasizes exhaustive upfront due diligence and recertification for risk mitigation,” Audet says.

“Our research shows an iterative approach to third-party risk management is the new imperative for meeting business demands for speed and stakeholder demands for risk mitigation,” he explains.

Legacy Approach to Third-Party Risk Management

Audet says due to the changing nature of third-party risk, it has become an increasingly important focus area among legal and compliance leaders in 2019. According to Gartner's data, there are a number of factors that have contributed to this shift:

  • Eighty percent of legal and compliance leaders state that third parties provide new-in-kind technology services for organisations, including startups and business model innovators, rather than incumbent service providers.
  • Two-thirds of legal and compliance leaders find third parties are providing services outside of the company's core business model.
  • Third parties now have greater access to organisational data.
  • There is increasing variability in the maturity of organisations' third-party networks.
  • Third parties are working with an increasing number of their own third parties (fourth and fifth parties).

"With a point-in-time risk management approach, compliance leaders attempt to identify potential third-party risks upfront with extensive due diligence before contracting and again at recertification," says Audet. 

"However, this approach is largely ineffective. Not only does it contribute to longer onboarding and waiting periods, it also fails to capture any risks that may arise due to ongoing changes throughout the relationship," he explains.

Of the risks that survey respondents identified after due diligence, 31% had a material impact on the business.

“Ninety-two percent of legal and compliance leaders told us that those material risks could not have been identified through due diligence,” adds Audet. “The only way to surface those risks was through actual engagement with the third party and through ongoing risk identification over the course of the third-party relationship.”

An Iterative Approach Improves Risk-Management Outcomes

Gartner data shows that an iterative approach to risk management allows legal and compliance leaders to improve risk and business outcomes in terms of speed to engage, and by remediating and identifying third-party risks before their impacts materialise.

"Organisations that applied an iterative approach experienced almost four times the level of business partner satisfaction with the speed to engage, twice the ability to remediate risks prior to impact and 1.5 times greater ability to identify risks prior to impact," explains Audet.

“An iterative approach will enable legal and compliance leaders to manage their changing and expanding third-party networks, while also satisfying business demands for quicker onboarding,” he says.

Key Risk Management Transitions for Compliance Leaders

For organisations that wish to shift from a point-in-time to an iterative risk management approach, Audet says there are three key steps that legal and compliance leaders should take:

1. Streamline due diligence requirements to focus on the most critical risks.
2. Establish internal triggers to monitor for change.
3. Create controls and incentives to monitor for change.

“To effectively mitigate third-party risks, compliance leaders must streamline their current due diligence processes to focus on critical risks,” says Audet.

“This will eliminate burdensome, duplicative processes and focus attention on the risks that have the biggest impact on the organisation. But, most importantly, they must build in triggers to monitor for changes that give rise to risk over the course of the relationship,” he explains.
