EY Global Third-Party Risk Management Survey 2023 Reveals Shift Towards Data-Driven Resilience

In the ever-evolving landscape of modern business, third-party relationships have become increasingly integral to organizations across industries. To ensure resilience and minimize potential risks associated with these partnerships, companies are placing a growing focus on Third-Party Risk Management (TPRM). The results of the EY 2023 Global Third-Party Risk Management Survey underscore the critical role of TPRM in today's business environment.

According to the survey, a remarkable nine out of ten respondents reported that their organizations had directly invested in their TPRM programs. Such investments have led to a deeper understanding of risk and to optimized capabilities and effectiveness.

Joseph Kelly, EY Oceania Third Party Risk Leader, commented on this trend, stating, "The only way to completely zero out your third-party risk is to not work with third parties, but that's not going to happen. So it's more about, 'How do you identify, manage, and mitigate?' We're moving from the era of just identification into management and mitigation."

Centralized and Data-Driven Approach

While some organizations continue to rely on traditional methods such as email questionnaires and manual spreadsheets to track third-party relationships, a growing number are adopting a centralized and data-driven approach. These forward-thinking organizations seek to gain a more sophisticated understanding of overall risk and leverage additional capabilities, including automation and real-time external reports.

Scott McCowan, EY Americas Risk Management Leader, noted that leading organizations are now able to assess thousands of third parties, rank them based on risk domains, and develop targeted responses. "As companies continue to lean into their third-party network, a data-driven approach to screening allows for better coverage, real-time data, continuous monitoring, and targeted assessment activities," McCowan emphasized.

Emerging Drivers for TPRM

While regulatory pressures have traditionally driven TPRM programs, other factors have emerged as significant drivers for TPRM program investments in recent years. These include data breaches, supply chain disruptions, and board pressures. Cybersecurity and digital risk topped the list of risk domains included in organizations' risk inventory reporting, followed by strategic risk, financial viability risk, and environmental, social, and governance (ESG) and sustainability risk.

Kanika Seth, EY Global Financial Services Third Party Risk Leader, highlighted the changing landscape: "Survey respondents ranked cybersecurity and digital risk as the top risk domains included in their risk inventory reporting, followed by strategic risk, financial viability risk, and environmental, social, and governance (ESG) and sustainability risk. Organizations are also reexamining risk governance and integrating ESG commitments into third-party risk assessments."

Joseph Kelly emphasized that organizations have a wealth of data at their disposal, presenting an opportunity to turn TPRM into a strategic enabler. A data-driven approach can provide better coverage, real-time insights, and more targeted responses.

The survey also indicated a growing trend towards centralized risk management: ninety percent of organizations are moving in that direction, which allows for a more comprehensive assessment of third-party risk. However, some organizations still operate in a decentralized manner, assessing third parties separately or in risk silos.

Centralized TPRM structures offer distinct advantages. Organizations with centralized models can effectively manage nearly twice as many third parties as those with hybrid structures. They also report a better understanding of correlated risks and mitigating measures. Furthermore, organizations with centralized models can perform control assessments more rapidly.

Harald deRopp, Asia-Pacific (Japan) Third Party Risk Leader, highlighted the ongoing shift away from spreadsheet-based applications toward cloud-based software, which provides real-time reporting and continuous assessment capabilities.

ESG Integration and Evolving Conversations

Environmental, social, and governance (ESG) commitments are increasingly important in TPRM. Organizations are recognizing the need to align their ESG commitments with those of their third parties. Survey respondents indicated that they are prioritizing compliance with local regulations, corporate responsibility, and stakeholder expectations.

The survey found that 54% of organizations include ESG risks in their risk inventory reporting. Additionally, 32% of organizations include clauses requiring third parties to comply with their own ESG policies and regulations. ESG is evolving into a significant risk domain, prompting organizations to integrate ESG into their strategy and processes.

Challenges and Opportunities in TPRM

The survey revealed that while TPRM programs are increasingly vital, challenges persist. Many organizations still rely on traditional methods, and less than one-third of participants have run a TPRM program for more than five years. Some organizations only invest in their programs after experiencing a breach or failure.

However, organizations that have assessed their network of third parties and risk from a central viewpoint are moving in the right direction. More mature organizations are developing common taxonomies and using advanced software for real-time processing and greater transparency.

In the pursuit of resilience, organizations are actively considering the resiliency of their third-party partners. The survey found that 48% of organizations have exit strategies or contingency plans for high-risk third parties, while 52% are unprepared. These strategies are essential to ensure business continuity in the face of potential disruptions.

As Michael Giarrusso, EY Americas FSO Third Party Risk Leader, emphasized, "Having a strong third-party program can support resiliency, but it needs to be intentional. Make sure that you're identifying those third parties that are supporting critical business processes, and then have plans in place — whether it's contingency or exit strategies — for those third parties in the event of a business disruption."

Conclusion

The EY 2023 Global Third-Party Risk Management Survey highlights the evolving landscape of TPRM. Organizations are recognizing its strategic value and investing in data-driven approaches to enhance resilience and minimize risks. Centralization, ESG integration, and ongoing monitoring are among the key trends driving TPRM program development.

To thrive in a constantly changing business environment, organizations are leveraging technology, automation, and external data sources. These tools, combined with a centralized approach and a commitment to ESG principles, enable organizations to better identify, manage, and mitigate third-party risks.

TPRM is no longer just a compliance exercise; it has evolved into a strategic tool for business. As organizations continue to strengthen their TPRM programs, they position themselves for greater resilience and success in an increasingly complex world.