Alastair Parr, SVP of Global Products & Delivery, and Brad Hibbert, COO & CSO, at Prevalent, Inc. offer three predictions to guide organizations in their 2023 third-party risk management (TPRM) strategies…
Prediction #1: The old ‘annual and manual’ approach to TPRM will become an exception rather than the norm
Given the continual onslaught of third-party vendor and supplier-originated security incidents (for example, the ransomware attack at Kojima Industries that stopped production at Toyota), organizations are trying to better predict disruptions and mitigate them when they do happen. As if this wasn’t challenging enough, increasing regulatory pressures in the areas of data protection and supplier due diligence are requiring these same organizations to more regularly assess the business resilience of their vendors and suppliers.
What does this mean? In 2023, organizations will have to be more proactive, continuous, and agile in assessing their third-party vendor and supplier resilience, ditching manual methods once and for all. Threats, regulatory requirements, and legislation will no longer allow bare-minimum third-party vendor and supplier due diligence reviews.
Simply put, third-party risk management can’t be an annual, manual check-the-box exercise.
To accommodate this shift, expect TPRM offerings to deliver better machine learning (ML)-based automations and analytics and stronger correlation against prior assessment findings. This evolution will help organizations more easily spot and respond to incidents and more efficiently gauge vendor and supplier resilience on an ongoing basis.
Prediction #2: Third-party risk management will evolve into third-party lifecycle management
It’s all about supplier resilience now, and that means looking at risks from the beginning to the end of the vendor relationship.
Looking at risks at a single point in the supplier relationship, for example only at the time of onboarding, is the wrong approach. Risks continually present themselves throughout a supplier relationship long after the contract is signed. Yet, according to a recent third-party risk management trends report, fewer than half of companies are tracking third-party risks as the relationship progresses through maturity.
In 2023, organizations will begin to look at third-party risks as a lifecycle, with uniquely tracked and managed risks during sourcing and selection, onboarding and contracting, ongoing management, and offboarding. This evolution will be driven by the need for better program oversight as professionals seek to capture information from colleagues adjacent to them in areas such as procurement, legal, compliance, audit, and risk. To facilitate this, data must become more accessible across teams, and processes must be consolidated around a consistent set of workflows.
Prediction #3: Geographic and political insights will become increasingly accessible in TPRM solutions
If there was anything that the Russian invasion of Ukraine taught us, it’s the need to consider geo-political concerns in making supplier decisions. This is inherently a non-IT risk.
It is notoriously difficult to identify the regional sites of a third-party supplier that may be impacted by a geographic event such as adverse weather or geo-political issues. While the head office is commonly identified during the contracting phase, the locations of regional sites such as manufacturing plants are often not readily available.
Considering the ramifications of the Russian invasion of Ukraine, in 2023 organizations will seek to capture more geographic information so they can report immediately to executives once a major event hits the media, identify potential challenges in the supply chain quickly and efficiently, and adjust accordingly. Supplier risk management solutions will help facilitate the collection and analysis of this information through passive scanning and the creation of a comprehensive supplier profile.