Why Managing Third-Party Risks Demands a Different Approach


In an increasingly complex business landscape, managing third-party risk is one of the most pressing yet challenging tasks facing enterprise risk managers. Without a systematic and automated way to identify and track vendor risks, the approach is often ad hoc, cumbersome, and ultimately ineffective. To address this, VirtueSpark is pleased to confirm that the third-party risk management module of its integrated GRC platform is now live, enabling a comprehensive and consistent way to manage third-party risks.

Third-Party Risk Management is More Critical Than Ever

In an increasingly digital world, organizations are more dependent than ever on third parties to manage their IT infrastructure, systems, and data. According to one 2018 study, nearly 60% of companies have experienced a third-party data breach, yet only 16% believe that they’re effectively mitigating third-party risks.

One challenge is that third-party risk management (TPRM) is excessively focused on compliance. However, failing to ensure consistent monitoring and reporting of risks leaves the organization with blind spots that can result in significant financial or operational business disruption.

Recent events have thrown the need for effective third-party risk management into stark relief. The 2020 SolarWinds attack was quite shocking in its scale. Hackers took advantage of multi-layered supply chains to gain access to 250 networks, bypassing defenses deployed by the United States Department of Homeland Security.

However, third-party risks can arise with any type of supplier, not just IT services. Industries including pharmaceutical, automotive, chemical, and luxury goods are targets for counterfeiters, who often exploit vulnerabilities in supply chains. Outsourcing financial services such as payroll or accounts payable can create risks, including data breaches or employees and suppliers not getting paid.

The Challenges of Effective TPRM

Most experts agree that common standards, combined with a systematic approach, would help organizations to mitigate their exposure to third-party risks. However, effective third-party risk management becomes an almost insurmountable task without the right tools for the job, particularly in larger organizations where suppliers can number into hundreds or thousands.

Manual questionnaires and Excel-based tracking are often the norm, making the process onerous, inefficient, and unable to deliver any tangible value to the organization. Moreover, risk managers often find it challenging to assess any given supplier’s criticality to business strategy or operations, and they expend considerable effort following up with the internal service manager responsible for the third-party vendor.

In response to client demand and to help address these challenges, VirtueSpark has now launched a dedicated TPRM module that helps you answer the two most important questions in third-party risk: how critical is the supplier to your business, and what is the associated risk exposure? Furthermore, the VirtueSpark TPRM module actively engages your suppliers in the risk assessment process in a way that ensures TPRM becomes a value-generating activity.