Third-Party Risk Management: An Evolving Marketplace
Third-party suppliers play an increasing role in delivering business-critical services to a range of organizations. For any company, a failure by a third party can lead to operational disruptions, unplanned costs, resource strain, and reputational damage. For large financial institutions and other regulated industries, this can also lead to a compromise of client information or assets and significant financial penalties.
As the use of third parties has increased, there has been a corresponding growth in third-party risk management (TPRM) solutions. The current TPRM landscape includes technology vendors and consultancies that provide everything from one-time risk assessments to cybersecurity reviews to program audits. And the sector is expected to grow; the global TPRM market size is projected to rise from $3.2 billion in 2019 to $6.8 billion by 2024, at a CAGR of 15.9% during the forecast period. With regulation of third-party relationships becoming more stringent and complex, there is greater demand in the market for new technologies and tools to automate, enhance, and manage the entire risk assessment process to improve transparency and measure uncertainties – as well as to introduce more automation to TPRM tasks, which remain heavily manual.
The Current TPRM Solutions Landscape
The TPRM solutions landscape comprises four main categories that provide different data and capabilities to your TPRM program. These categories are:
- Data Sources – These providers specialize in a specific risk domain such as cyber, money laundering, bribery and corruption, or financial stability. These data sources usually provide a narrow view of risk, presenting objective data that does not explore a wider set of possible impacts. The data provided is then manually correlated by subject matter experts inside the bank and investigated to create actionable insights and mitigation plans.
- GRC (Governance, Risk, and Compliance) Platforms – These platforms are crucial for keeping the records and logs in peak condition for an audit. Visibility is a secondary objective, as GRC systems do not provide advanced analytics to enable cross-referencing between data sources. Record and log collection is often done at a designated point-in-time, such as annually or bi-annually.
- Evidence Aggregator Platforms – These providers act as an exchange or a marketplace for domain risk-specific information. Third parties answer a designated questionnaire or provide evidence at one time upon request, and many financial institutions can go in and pull the data from this single-source questionnaire. Over time, these platforms can amass data that sheds light on the general operations of a company. The data is effective for an individual third party but does not enable correlation across multiple scopes at once, or a view of concentrated risk.
- Service Providers – Out-of-the-box services are offered by a range of consultants who can supplement the skilled workers on a bank’s TPRM team. Audits, due diligence analysis, and other services are available upon request. Insights are usually not based on the essence of the relationship between the third party and the organization requesting the report.
What is Ahead
Traditional TPRM processes and solutions may not be the most efficient or effective method to identify, measure, or monitor risk associated with the growing range of supplier, vendor, and partner relationships that exist today. A fifth category of solution is needed to meet the challenges of many of today’s organizations, particularly those of financial firms: Orchestration and Automation Platforms.
Mirato is pioneering this new breed of TPRM solutions, which can ingest, digest, and correlate data from any of the above types of solutions without forcing any change to a financial institution’s existing program.
Digitizing TPRM data processes allows firms to react more quickly to unexpected events. With more third parties integrating more deeply with banks, manual processes just are not enough anymore. Firms must identify and manage their exposures, not just from individual threats but also from factors that pose a threat when aggregated or concentrated.
Through 2022, more than 5% of publicly traded companies will see a decrease in market capitalization as a result of mismanaged or unmanaged vendor risks. –Gartner Research, 25 November 2019
Mirato applies the most advanced data science to the challenge of constantly monitoring third-party relationships. It is a dynamic world, and factors impacting risk domains change constantly. It is essential to monitor and manage this risk over time, which is why Mirato uses Artificial Intelligence, Machine Learning, and Natural Language Processing, among other tools. This new type of TPRM solution provides continuous, dynamic monitoring for as long as the relationship with the third party exists.
Advanced tools are needed for TPRM programs at financial institutions, and finally, they are here. The ability to orchestrate and automate all TPRM programs within the same platform provides financial institutions with visibility into their concentration risk, helps to reduce operational costs, and improves accuracy and corporate performance.