Calls for fresh approach to third-party risk management

Most third-party risks are discovered after the initial due diligence period, according to a survey by Gartner. Among organisations that engage third parties to provide business services, 83% identified third-party risks after conducting due diligence and before recertification.

Gartner’s survey of more than 250 legal and compliance leaders found that the standard point-in-time approach to risk management is no longer effective in today’s landscape of fast-paced, rapidly changing business relationships. With an increasing number of third parties performing new-in-kind and noncore services for organisations, material risks cannot always be identified prior to the start of a business relationship. Gartner says that modern risk management must account for ongoing changes in third-party relationships and mitigate risks in an iterative way - that is, on a continual basis, rather than at specified intervals.

“Legal and compliance leaders have relied on a point-in-time approach to third-party risk management, which emphasises exhaustive upfront due diligence and recertification for risk mitigation,” said Chris Audet, research director for Gartner’s Legal & Compliance practice. “Our research shows an iterative approach to third-party risk management is the new imperative for meeting business demands for speed and stakeholder demands for risk mitigation.”

Because of the changing nature of third-party risk, it has become an increasingly important focus area for legal and compliance leaders in 2019. According to Gartner's data, several factors have contributed to this shift. Eighty per cent of legal and compliance leaders state that third parties provide new-in-kind technology services for organisations, and that these are increasingly startups and business model innovators rather than incumbent service providers. Two-thirds of legal and compliance leaders report that third parties are providing services outside the company's core business model. In addition, third parties now have greater access to organisational data and are often working with an increasing number of their own third parties (effectively fourth and fifth parties).

Gartner points out that with a point-in-time risk management approach, compliance leaders attempt to identify potential third-party risks upfront with extensive due diligence before contracting and again at recertification. However, it says this approach is largely ineffective: not only does it contribute to longer onboarding and waiting periods, but it also fails to capture risks that arise from ongoing changes throughout the relationship. Among the risks that survey respondents identified after due diligence, 31% had a material impact on the business.

“92% of legal and compliance leaders told us that those material risks could not have been identified through due diligence,” said Audet. “The only way to surface those risks was through actual engagement with the third party and through ongoing risk identification over the course of the third-party relationship.”

Gartner says its data shows that an iterative approach to risk management allows legal and compliance leaders to improve both risk and business outcomes: faster speed to engage, and the ability to identify and remediate third-party risks before their impacts materialise. Organisations that applied an iterative approach experienced almost four times the level of business partner satisfaction with the speed to engage, twice the ability to remediate risks prior to impact and 1.5 times greater ability to identify risks prior to impact.
