Large enterprises work with hundreds of thousands of third parties, and a misstep by just one of them can leave the entire organization vulnerable to regulatory noncompliance, financial risk, operational and reputational damage. And the threat is more than simply theoretical: A Gartner survey found that 84% of enterprise risk management (ERM) teams have overlooked a third-party issue. Aravo CEO Dean Alms draws up what to expect in third-party risk management (TPRM) this year.
Business challenges will only increase in 2024 as more ESG regulations come into effect, climate change continues to take its toll on supply chains and cyber threat actors increasingly target third parties. As such, regulators, investors and the board want to know that organizations are actively managing risks and can be resilient in the face of change.
To adapt in a changing environment, organizations will need to ditch the traditional risk management playbook and shift toward a more centralized and holistic third-party risk management (TPRM) approach. In doing so, organizations can successfully mitigate disruptions associated with these evolving risks in 2024 and beyond.
Cybersecurity will be the No. 1 priority
Cyber and information security risks are rising. There are advanced persistent threats from state actors, especially now as active wars continue in the Caucuses and Levant and start to brew in East Asia, and it’s not uncommon for cyber warfare to spill over into civilian infrastructure and businesses. This, along with new and emerging cyber regulations on the horizon, is making compliance a top priority. For example, the SEC’s new cybersecurity rules went into effect mid-December, primarily targeting larger, publicly listed companies, but smaller public companies, and even private businesses, must also remain vigilant in 2024.
The majority of public companies rely on small, third-party software and supply chain companies, but a recent survey by PwC found that only 40% of organizations have a thorough understanding of the data breach risks presented by third parties. Alarmingly, 98% of organizations worldwide have worked with at least one third-party that has been breached in the last two years. Consider Uber’s two data breaches in less than one year. Third-party vendors are five times more likely to exhibit poor security, making them the ideal target for cyber criminals.
But it’s not just third parties that businesses have to look out for — it’s their third parties’ suppliers and subcontractors as well. Without a clear understanding of their nth parties’ business operations, companies leave themselves vulnerable to not only cyberattacks but also a slew of other risks, including ESG non-compliance, bribery and corruption risks, financial risks, geopolitical risks and more.
ESG no longer optional as regulations take hold
The spotlight on environmental, social and governance (ESG) compliance will intensify as emerging regulations come into effect, reshaping the way organizations conduct business in 2024. The SEC is now targeting April to make its long-awaited ruling on its climate disclosure rule, regulations like the EU Corporate Sustainability Reporting Directive will come into effect, and the German Supply Chain Due Diligence Act (LkSG) will expand its scope. While the LkSG applied to companies with a principal location in Germany, and foreign companies with branches in Germany, with 3,000 employees in 2023, it will include those with 1,000 employees this year.
If companies do not have the right practices in place for compliance, they could face hefty fines and penalties, a lesson learned by Goldman Sachs to the tune of $4 million in penalties for ESG compliance failure.
Climate risk is here to stay
Companies and governments are actively working towards net zero goals to reduce their carbon footprint – with the EU aiming to be carbon neutral by 2050. These initiatives are growing in importance as extreme weather events ramp up and climate change continues to impact business operations. Consider the tornado that hit Pfizer’s Rocky Mount plant and the drought that’s still limiting traffic flow in the Panama Canal.
These events underscore not only the need for more sustainable business practices but also active climate risk monitoring. In 2024, business leaders will need to regularly reassess how their suppliers’ business practices align with their sustainability initiatives as well as their level of climate risk. To prevent their enterprise operations from being stalled by a single extreme weather event, businesses must avoid over-concentration in any particular region or with any individual supplier. By sourcing from suppliers in different geographic locations, enterprises can be more resilient to supply chain disruptions brought on by hurricanes, wildfires or low-water levels. They can rely on suppliers in unaffected regions to prevent product shortages and ensure supply continuity.
How to achieve organizational resilience in 2024
A holistic third-party risk management approach is critical for organizations to successfully navigate the complexities and wide range of risks that vendors and suppliers bring. This means transitioning from manual processes and spreadsheets to more advanced risk-intelligence solutions and enhanced due diligence to continuously manage, monitor and mitigate enterprise risks. Additionally, TPRM can no longer be siloed within different departments of an organization. Companies must adopt a more standardized and centralized process that automates workflows and provides unified visibility into third-party risks within the organization and its extended enterprise.