The latest enterprise risk management news from around the world

A new survey-based report from Prevalent, Inc., shows that, although organizations are starting to adapt their third-party risk management (TPRM) programs to address new and emerging non-IT risks, much more needs to be done to grow and mature these programs. Key areas needing improvement include incident response, compliance, and the vendor lifecycle.

Key findings from the 2022 Third-Party Risk Management Study include:

45 percent of organizations experienced a third-party security incident in the last year – but are using disparate tools that extend incident response timelines
69 percent of respondents say that the top concern facing their organization with regard to their usage of third parties is a data breach, with 45 percent of respondents reporting that they experienced a security incident in the last year – up from 21 percent in 2021. However, 8 percent of companies don’t have a third-party incident response program in place, while 23 percent take a passive approach to third-party incident response.

40 percent of organizations are paying more attention to non-IT security risks – but not enough
TPRM programs continue to focus on addressing the risks faced when working with IT vendors, but a surprising 40 percent of respondents in the study say they are focused on managing both IT and non-IT vendor risks. However, organizations continue to overlook less quantifiable non-IT risks such as modern slavery, anti-money laundering, and anti-bribery and corruption risks that could still lead to compliance violations, fines or negative reputational impacts.

TPRM is becoming more strategic but 45 percent of organizations are still using manual spreadsheets to assess third parties
Two-thirds of respondents report that their TPRM programs have more visibility among executives and the board compared to last year. However, that visibility was driven by large increases in third-party vendor and supplier-related cybersecurity issues. Unfortunately, manual processes are still holding organizations back, with 45 percent reporting that they use spreadsheets to assess their third parties. These manual processes add unnecessary complexity and time to third-party risk audits, with 32 percent of respondents saying it takes more than a month – more than 90 days in some cases – to produce the reporting and evidence required to meet regulatory audits.
