Third-party risk management ‘misses’ are hurting firms – survey

Enterprise risk management (ERM) teams are struggling to mitigate third-party risk effectively in an increasingly interconnected business environment, according to research by Gartner.

In a Gartner survey of 100 executive risk committee members conducted in September 2022, 84% of respondents said that third-party risk ‘misses’ had resulted in disruptions to operations. Gartner defines a third-party risk ‘miss’ as a third-party risk incident that, at least once in the 12 months before the survey, led to an outcome such as disrupted operations, adverse financial impact, or increased regulatory scrutiny or impact.

Chris Matlock, vice president of research in the Gartner legal risk & compliance practice, says that most organizations have seen an increase in the number of third parties under contract in recent years, with a majority also using third parties for new-in-kind services and becoming more reliant on them to conduct their operations. “While increased use of third parties can improve business operations in many ways, it also introduces risks that are causing notable impacts on organizations.”

“ERM involvement in third-party risk management activities has increased across the board since 2016. However, just doing more isn’t enough because the characteristics of third-party risk undermine the effectiveness of a typical ERM setup.”

Gartner suggests ERM is struggling to elevate the right issues because it generally fails to limit its focus to a manageable set of them. It adds that ERM leaders are not clearly defining which issues must be acted on first, and are not typically preparing their audiences to take tangible steps on the issues they surface. It says it is vital that ERM teams manage the information overload created by the exponential increase in risk volume and variability that the rapid growth in the use of third parties has brought about.

Matlock added: “With third-party risk exposure elevated and a multitude of incoming threats on the horizon, risk committees are expecting ERM to play a greater role in managing third-party risk. Yet traditional ERM posture is struggling to provide a concise, actionable view of third-party risk at the enterprise level. That’s why ERM must focus on enterprise third-party risk management, which involves defining enterprise-level priorities, enabling cross-functional alignment, and monitoring forward-looking indicators.”
