Third-party risk management is one of the top concerns among compliance leaders. However, despite remaining a priority, there is little consistency regarding which department within an organization is responsible for managing third-party risk. This is just one finding in a new report from NAVEX Global – the 2017 Ethics & Compliance Third-Party Risk Management Benchmark Report. According to the report, the departments most often assigned to manage compliance and third-party risk are the legal department (58%) and the ethics and compliance department (51%). Of the organizations surveyed, 47 percent had four or more full-time employees assigned to manage their third-party risks.
Managing third-party risks can be costly. Very few organizations surveyed (8%) indicated that their budgets for third-party risk management would shrink; 41% indicated that their budgets would increase.
What motivates organizations to address third-party risk? The report indicated that organizations with revenues of $1 billion or higher are more likely to prioritize protecting their organization from reputational risk (52%) than organizations with annual revenues of less than $50 million (36%). Additional objectives for managing third-party risks include:
- 69% Protect the organization from legal and financial risk
- 63% Comply with laws and regulations
- 45% Protect the organization from reputational risk
- 33% Create a culture of trust and transparency with third parties, employees, customers and community
- 22% Define the organization’s exposure to risk
- 21% Identify and prevent future issues or misconduct
- 18% Establish strong legal or compliance defenses
- 16% Inform organizational decision making based on risk factors
- 8% Reduce litigation and fines
Integrating third-party risk management into a strong cyber defense program lets organizations apply best practices such as screening, training and monitoring to their third parties. Adapted to each third party's cybersecurity posture, these practices can help prevent data loss through cyber attacks.
The number of third parties engaged by organizations has remained consistent with 2016, with 29 percent of organizations engaging fewer than 100 third parties, 30 percent engaging between 100 and 999 third parties, and 27 percent engaging 1,000 or more.
The report states that many respondents (39%) consider 10 percent of their third parties to be high risk. However, 31 percent believe that between 10 and 25 percent of their third parties could be considered high risk, while 11 percent consider 25 percent of their third parties to be high risk. Finally, only 3 percent of organizations believe that they engage with no high-risk third parties. This number is down from 25% in 2016.
Many organizations have discovered ‘red flags’ in their interactions with their third parties. These red flags are discovered in various ways, but most organizations identified them through an internal due diligence process (65%). Consistent with 2016, 47% of organizations screen all of their third parties and perform their own due diligence.
Respondents reported a range of costs per incident:
- More than $1 million – 10%
- $500,000 to $1 million – 3%
- $100,000 to $499,999 – 14%
- $10,000 to $99,999 – 18%
- Less than $10,000 – 17%
The report states that the top assessment methods used by organizations are periodic risk assessments (47%) and audits (46%). Comparing 2017 with 2016, the report notes an increase in program expenditures (41% versus 33%), suggesting that organizations are recognizing the value of investing in their third-party program.
Download the full survey here.
About the survey:
The findings of the survey used for the report are from a total of 427 survey respondents in the following job functions:
- 25% Ethics and Compliance
- 20% Legal
- 15% Risk Management
- 14% Internal Audit/Quality Control
- 6% Procurement/Supply Chain
- 4% Human Resources/Employee Relations
- 16% Other