MetricStream’s report, “How Organizations Are Managing Third-Party Risks,” surveyed executives in 40+ organizations across 15 industries to identify dominant trends in third-party risk management.
Palo Alto, Calif. (March 20, 2017) – MetricStream Research has released its latest report, “How Organizations Are Managing Third-Party Risks,” where approximately one-in-five respondents indicated that their organization has faced significant risk exposure due to a third party in the last 18 months; of those who shared loss data, 25 percent said that the loss impact was greater than $10 million. The report is based on a 2016 survey of executives in 40+ organizations, across 15+ industries, including financial services, retail, health care, pharmaceuticals, insurance, manufacturing and telecom.
As companies outsource their processes or services, they expose themselves to a range of third-party risks, including data security risks, business disruptions, legal liabilities, corruption and bribery risks and compliance risks – all of which have a major impact on profits and brand value. Fourth-party risk management is also emerging as a key area of focus, with organizations being held responsible not just for the actions of their immediate third parties, but also for the actions of their third parties’ vendors and suppliers. Adding further impetus are regulations from authorities such as the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB), as well as mandates such as the U.K. Bribery Act and the Health Insurance Portability and Accountability Act (HIPAA), which stipulate stringent requirements for third-party governance.
To find out how organizations are managing their third-party risks in this regulatory climate, MetricStream surveyed professionals from risk management, compliance, legal, supplier management, audit, IT and other business functions. The survey covered four primary areas: the responsibility for and ownership of third-party risks; the process of third-party risk assessment; the impact of third-party risk incidents and measures taken to resolve issues; and the role of technology in managing third-party risks.
Below are the key findings from the report:
- 21 percent of respondents reported that their organizations faced risk exposure due to third parties in the last 18 months; of those who shared financial impact data on the losses, 25 percent said that the loss impact was greater than $10 million
- The top three parameters on which third-party risks are assessed are:
  - Data protection
  - Financial viability
  - Maintaining service level agreements
- Of the organizations with a dedicated third-party risk management function, 59 percent indicated that third-party risk management is included within their organizations’ broader enterprise risk management function
- 44 percent of respondents reported that their organizations don’t have a dedicated third-party risk management function or a centralized third-party information repository
- Nearly half of the respondents (48 percent) still use office productivity software to manage third-party risks
- 73 percent of respondents do not track their fourth parties
Commenting on the survey findings, French Caldwell, Chief Evangelist at MetricStream, said, “Increased enforcement from regulators like the U.S. Department of Justice and the U.K. Serious Fraud Office underscores the importance of third-party risk management. However, as the survey results demonstrate, many organizations still don’t have dedicated resources or effective tools to manage their third-party risks. If companies want to build truly beneficial relationships with their vendors or suppliers, they need to be more vigilant – and that means monitoring third parties more frequently based on the associated level of risk, establishing clearly defined roles and processes for third-party governance, and implementing integrated systems that give organizations the risk visibility they need to make informed decisions about their third parties.”
To access the MetricStream Research report on third-party risk management, click here.
MetricStream, the independent market leader in enterprise and cloud applications for Governance, Risk, Compliance (GRC) and Quality Management, makes GRC simple. MetricStream apps improve business performance by strengthening risk management, corporate governance, regulatory compliance, vendor governance and quality management for hundreds of thousands of users in dozens of industries, including financial services, health care, life sciences, energy and utilities, food, retail, CPG, government, hi-tech and manufacturing. MetricStream is headquartered in Palo Alto, California, with an operations and R&D center in Bangalore, India and sales and operations support in 12 other cities globally. (www.metricstream.com)