MetricStream, the market leader in governance, risk and compliance (GRC) apps, has today released the results of a global survey revealing the current state of third party risk management. Respondents were from more than 40 organisations, across 15 industries – including financial services, retail, healthcare, pharmaceuticals and insurance.

As companies outsource processes and services, they expose themselves to a plethora of third party risks. Whether its data security, business disruptions or compliance risks, organisations must have the relevant measures in place to mitigate their potential impact on continuity and reputation.

The full report can be viewed here, but key findings include:

• 21 percent of respondents reported that their organisations faced significant risk due to third parties in the last 18 months; of those who shared financial impact data on the losses, 25 percent said that the loss was greater than £8 million (generated through cost of downtime, regulatory fines and reputational damage)  
• Nearly three quarters (73 percent) of businesses do not track fourth parties, meaning they have no visibility past their immediate suppliers
• 44 percent of respondents reported that their organisations don’t have a dedicated third party risk management function or a centralised information repository, suggesting a lack of focus and tools
• Nearly half of businesses (48 percent) still use office productivity software to manage third-party risks, revealing immaturity of the function

French Caldwell, chief evangelist at MetricStream, provides the following comments on the findings.

“As companies continue to outsource their processes and services in order to decrease costs, streamline or scale up quickly, they are opening themselves up to risks. However, despite some supplier incidents costing upwards of £8 million, 44 percent of the respondents said that their business had no dedicated third party risk management function. Furthermore, as enterprises rapidly adopt cloud services, entities that would have been third parties when the services were managed in-house become fourth parties which are more difficult to monitor; nearly three quarters of businesses don’t track fourth parties in any capacity. It’s clear that many enterprises are yet to grasp fully how vital vendor risk management is.

“Businesses can no longer plead ignorance. They are responsible for the actions of their third parties and they will bear the brunt of any fallout. For example, if a business shares sensitive data with a third party without checking if it has relevant cybersecurity, and that supplier suffers a data breach, under some rules the company could be liable. Not only will it suffer reputational damage, but new regulations such as the EU GDPR could see large fines imposed too.

“To build truly beneficial relationships with vendors, companies must become more vigilant. That means monitoring the entire supplier and IT services ecosystem more frequently, and, based on associated levels of risk, establishing dedicated third party risk functions and accountability with GRC technology that enables informed decisions.”