In 2022, organizations in the public and private sector learned a new skill: juggling. New business priorities, strategic initiatives, and a boatload of new risks — all of which are a “top priority” — mean that security, risk, and compliance professionals must master the art of keeping all balls in the air and none on the ground. This is especially true of managing third-party relationships and partnerships, which are critical for firms to meet their goals and execute their strategies but are not without risks (and potential missed opportunities) to the organization.

Many firms began 2022 reeling from Log4j, a software vulnerability reminding us that open source software is third-party software. Other incidents, such as the attack on a contractor for the Red Cross that resulted in stolen data, frozen operations, and brand damage reminded us that no industry is immune to third-party risk events. How firms manage risk differentiates between balls in the air and balls on the ground.

Whether responsibility for third-party risk management (TPRM) rests with a specific team or gets incorporated elsewhere in the organization, a multipronged strategy is essential to keeping the balls airborne.

Three Findings From The State Of Third-Party Risk Report

How firms manage third-party risk depends on a host of factors, from budget to staffing to stakeholder priorities. Here are some highlights from the new report, The State Of Third-Party Risk Management, 2022:

  1. Third-party risk is lower on the list of risk priorities than other enterprise risks. Not as many firms are as concerned about third-party risk as headline-making disruptions and breaches involving or stemming from the third-party ecosystem would suggest. Only 20% of enterprise risk management decision-makers surveyed in Forrester’s Business Risk Survey, 2021, said that the impact of third-party risk on their organization was a primary concern. Concern about third-party risk varied significantly among respondents in different industries and geographies, and not in the way you might think.
  2. Prioritization of third-party risk doesn’t move the needle for program maturity. Forrester data found that increased reliance on third parties was among the top drivers of increased levels of enterprise risk and was highest among US responders. Prioritizing TPRM had little effect, however, in translating to increased program governance, accountability, or volume of third parties assessed.
  3. Investment in TPRM technology is high, and it’s the same for manual processes. Having multiple TPRM tools is common. Dedicated third-party risk management platforms and cybersecurity risk ratings are among the most ubiquitous, and yet, many TPRM programs are still managed with spreadsheets. Even among respondents to our survey whose organizations are self-assessed as having the most mature third-party risk programs, the majority said that their third-party risk program is manual.

For the full results of my analysis, read the report, and schedule a guidance session with me to discuss this topic further.

And be sure to check out Forrester’s upcoming Security & Risk event live in Washington, D.C. November 8-9 and virtually.