I am in London throughout June and interacting with various GRC RFPs in the United Kingdom; several are focused specifically on third-party risk management. Next week, many UK organizations will gather for my Third-Party Risk Management by Design workshop in London. Let’s explore the challenges these organizations and others around the world are facing in this context . .  .

In today’s interconnected business landscape, organizations are more reliant than ever on a complex web of third-party relationships. While this reliance is beneficial, it introduces significant risks that need to be managed effectively to ensure resilience, compliance, and integrity in and across these relationships. The governance, risk management, and compliance (3rd Party GRC) of these third-party relationships are critical yet fraught with challenges that require a sophisticated and integrated approach. 

NOTE: I prefer third-party GRC over third-party risk management as, at the end of the day, it starts with governing relationships to achieve the objectives of the relationship and the business. Focusing on risk before governance is putting the cart before the horse. But I refer to third-party risk management as it is what is commonly used.

The Modern Organization’s Third-Party Landscape

Modern organizations operate in an environment that extends far beyond their physical and organizational boundaries. They depend on the extended enterprise of third parties, including suppliers, vendors, partners, and service providers, which collectively form an intricate web of interactions and dependencies that nest themselves in deep supply chains and subcontractors. This extended enterprise necessitates a robust mechanism for third-party risk management to navigate the inherent uncertainties and avoid disruptions that could impact business objectives.

The challenges organizations face in third-party risk management are:

  • Fragmented Views and Siloed Oversight. One of the primary challenges in third-party risk management is the fragmented nature of oversight. Different business functions/departments often manage their third-party relationships independently, leading to silos that obscure the full spectrum of risk. This disjointed approach prevents organizations from seeing the cumulative risk exposure, which can be significant when aggregated across all functions.
  • Limited Resources and Manual Processes. Organizations often struggle with limited resources to handle the growing risk and regulatory demands. Many still rely on manual processes such as spreadsheets, emails, and file shares to manage third-party risk, which is neither efficient nor scalable. This approach can lead to overlooked risks and delayed responses to emerging threats.
  • Incomplete Risk Coverage. Another significant issue is the limited view of third-party risk vectors. Many organizations focus predominantly on financial and cyber risks, neglecting other critical areas such as compliance, operational risks, environmental, social, and governance (ESG) factors, and geopolitical risks. This narrow focus leaves the organization vulnerable to a broader range of risks.
  • Overreliance on Periodic Assessments. Traditional risk management practices often involve periodic assessments at the onboarding stage and at set intervals thereafter. This sporadic monitoring fails to capture the dynamic nature of third-party risk, which can change rapidly between assessments. Continuous, real-time risk monitoring is essential to maintain an up-to-date understanding of third-party risks.
  • Inadequate Incident Response & Issue Management. When incidents occur, the typical response involves sending surveys to third parties to assess the impact. This process is time-consuming and often yields low response rates. This reactive approach does not provide the real-time insights necessary to mitigate risks effectively as incidents unfold.
  • Information Overload. Risk intelligence feeds can overwhelm organizations with vast amounts of data, much of which may be irrelevant or false positives. This deluge of information requires intelligent filtering to ensure that only actionable insights are highlighted, enabling risk teams to focus on critical issues.

The Need for an Integrated Third-Party GRC/Risk Management Approach

To address these challenges, organizations must adopt an integrated approach to third-party risk management that leverages both third-party risk intelligence content and robust risk management platforms. This approach should encompass the entire lifecycle of third-party relationships—from onboarding to ongoing monitoring and assessment to offboarding.

Some core elements of an integrated third-party risk management architecture

  • Comprehensive Risk Framework. A hierarchical framework that categorizes third-party risk domains, ensuring all potential risk areas are covered.
  • Intelligence Content Aggregation. Aggregating third-party risk intelligence from various sources, including regulators, law firms, feeds, and expert blogs, using automation and AI to filter out noise.
  • Metrics, Dashboarding, and Reporting. Tools to monitor and report on third-party risk, providing visibility into current exposures and emerging risks.
  • Defined Roles and Responsibilities. Clear assignment of third-party risk management responsibilities to subject matter experts (SMEs) within the organization.
  • Workflow, Task & Process Management. Structured workflows to manage third-party governance, risk, and compliance across the onboarding, ongoing monitoring, issue resolution, and offboarding processes. This includes ongoing risk mitigation actions, ensuring accountability, and timely responses.
  • Accountability Tracking. Ensuring that all third-party risk-related tasks are tracked and managed effectively.
  • Business Impact Analysis. Assessing the impact of third-party risk changes on the organization and the supply chain, communicating these to relevant stakeholders.
  • Mapping Risks to Policies and Controls. Linking third-party risks to organizational policies, controls, and processes to facilitate comprehensive risk management.
  • Audit Trails and Reporting. Maintaining a detailed record of risk management activities and providing comprehensive reporting capabilities.

The Role of Artificial Intelligence in Enhancing Third-Party Risk Management

As organizations continue to grapple with the complexities of third-party risk management, artificial intelligence (AI) emerges as a powerful enabler, driving further efficiency and effectiveness in risk management processes. AI’s capabilities in aggregating risk intelligence content from diverse sources and automating assessments are particularly transformative.

AI can significantly enhance third-party risk intelligence content aggregation by leveraging advanced data processing and machine learning algorithms. Here’s how AI contributes to this critical aspect:

  • Intelligent Data Aggregation. AI systems can scan and aggregate data from a vast array of sources, including regulatory updates, news feeds, legal documents, and social media. By processing this data in real-time, AI ensures that organizations have access to the most current risk information.
  • Noise Reduction. One of the major challenges in risk intelligence is sifting through the sheer volume of data to identify relevant insights. AI algorithms can filter out noise and false positives, delivering only pertinent information to risk managers. This reduces the burden on human analysts and enhances the focus on critical risks.
  • Contextual Analysis. AI can analyze data in context, understanding the nuances and implications of risk-related information. This capability allows AI to provide more accurate and actionable insights, tailored to the specific needs and risk profiles of the organization.

AI-driven automation of assessments and continuous monitoring is another area where AI proves invaluable. Here are the key benefits:

  • Real-Time Risk Assessments. AI can automate the initial and ongoing risk assessments of third-party entities, continuously monitoring changes and providing real-time updates. This ensures that organizations are always aware of their current risk landscape and can respond promptly to emerging threats.
  • Enhanced Predictive Capabilities. By analyzing historical data and identifying patterns, AI can predict potential risk events before they occur. This proactive approach allows organizations to implement preventative measures, reducing the likelihood of adverse incidents.
  • Scalability and Efficiency. AI-driven automation can handle large volumes of assessments simultaneously, something that would be impractical with manual processes. This scalability ensures that even organizations with extensive third-party networks can maintain robust risk management practices without overburdening their resources.
  • Consistent and Objective Evaluations. AI provides consistent and objective risk evaluations, eliminating human biases and errors. This consistency is crucial for maintaining the integrity and reliability of risk management processes across the organization.
  • Dynamic Risk Scoring. AI systems can dynamically adjust risk scores based on real-time data, ensuring that risk ratings accurately reflect the current risk environment. This adaptive approach allows organizations to prioritize their risk mitigation efforts more effectively.

Incorporating AI into third-party risk management strategies empowers organizations to manage their extended enterprise with greater agility, accuracy, and efficiency. By automating data aggregation and assessments, AI enhances the quality of risk intelligence and frees up human resources to focus on strategic decision-making and critical risk mitigation efforts.

Integrating AI into third-party risk management processes marks a significant advancement, enabling organizations to navigate the complexities of their third-party relationships with confidence and foresight. As AI technology evolves, its role in enhancing third-party risk management will only grow, offering even more sophisticated tools and capabilities to safeguard the extended enterprise against an ever-changing risk landscape.

Adopting this approach will enable organizations to move beyond outdated, manual processes and towards a more agile, efficient, and effective system of managing third-party risks, ultimately securing their extended enterprise against potential disruptions and ensuring sustainable business operations.

1 comment

  1. Can’t agree more with Michael Rasmussen quote introducing his insightful article :

     – I prefer third-party GRC over third-party risk management as, at the end of the day, it starts with governing relationships to achieve the objectives of the relationship and the business.

    After all, it’s about a holistic approach… and it’s EVERYBODY’s BUSINESS … with or without AI

    Thanks for sharing

Leave a Reply

Your email address will not be published. Required fields are marked *