Posted: 06 Nov. 2020 5 min. read

How is COVID-19 changing third party risk management?

The COVID-19 pandemic has significantly changed the risk landscape and impacted organisations across industries globally. We recognised this in our 2020 global survey report on third party risk management (TPRM) through a number of predictions on how COVID-19 would change the discipline.

In this blog we highlight the changes we have seen and where our predictions have begun to ring true:

  • We predicted that organisations would become increasingly concerned about the rising cost of getting third-party risk management wrong – a reflection of the growing dependence on critical third-party relationships. We have witnessed clients make a huge effort to ensure continuity and resilience of their critical third parties. This is in addition to seeing them face increased pressure to operate as a responsible business. Organisations are more focused than ever on the safety and well-being of third parties they work with.
  • We have seen tangible investments in resources, capabilities, technology and reporting to monitor critical third parties, despite cash constraints. Cost and revenue recovery initiatives are increasingly being used to fund this additional investment. We predicted that a growing appreciation of the potential damage caused by third party failures throughout the COVID-19 pandemic would increase leadership attention on the value of TPRM; this investment suggests it has.
  • Third party risk management expectations continue to evolve. The pandemic has highlighted shortcomings in some organisations, such as poor visibility of critical third party relationships or key contractual terms. Organisations that learn during the pandemic and evolve their TPRM frameworks accordingly will leave their peers behind.
  • Many organisations are acquiring ready-made risk intelligence from external sources and consultants, rather than building deep in-house expertise, to improve their TPRM frameworks. The trend was already shown in this year’s survey: organisations use third parties for managed services and utility models, and to buy in domain-specific feeder technologies, subject to financial constraints.
  • Technology will be at the heart of finance and controls transformation initiatives. COVID-19 has strengthened the desire for better visualisation of data and online alerts to enable action and make top-level reporting more succinct and smarter. During the pandemic we’ve seen many organisations realise the need to identify and visualise third party delivery locations, as mapping headquarters locations did not always identify the right level of geopolitical risk exposure.
  • Finally, although insourcing some third-party processes initially appeared an attractive option to regain control during the pandemic, organisations are realising that insourcing must be balanced against the associated costs – such as developing relevant in-house capability – at a time when cash reserves must be protected.

Read more about our predictions on how third party risk management could change in our report: Be responsible and effective: Strike a balance. To discuss any of the TPRM developments covered in this blog, contact one of our authors.

Key contacts

Kristian Park

Partner

Kristian Park is global leader for Extended Enterprise Risk Management. As a partner in Deloitte UK, Kristian works with his clients to develop governance frameworks to identify and manage all types of third-party risks, looking at both process and technology solutions; performs inspections of third-party business partners on his clients’ behalf; and assesses third-party compliance with contractual terms and conditions. In addition, Kristian is responsible for Deloitte UK’s Software Asset Management and Software Licensing teams and assists clients in managing their software licensing obligations, driving efficiencies and savings. He has experience across a broad variety of industry sectors including Life Sciences, Financial Services, Energy & Resources, Sport, Technology, Media, and Consumer & Industrial Products.

Danny Griffiths

Partner

Danny Griffiths is a partner in our UK Extended Enterprise team and leads the third party advisory proposition. He has 14 years of experience providing assurance and advisory services relating to third party risk and specialises in supporting clients to develop and implement third party governance and risk management frameworks. Danny also has significant experience leading compliance programmes for large national and multi-national organisations, assessing third party compliance against contractual obligations. Danny has led inspections across a range of third parties including suppliers, outsourcers, marketing agencies, distributors, resellers and licensees. Danny has worked extensively in the financial services sector but also has experience working in other industries such as technology, telecommunications, consumer, sports and the public sector. He has led projects in multiple countries within EMEA, the Americas and Asia Pacific and regularly hosts roundtables and presents at events on third party risk.

Dr. Sanjoy Sen

Head of Research and Eminence

Sanjoy Sen is the head of research for third party risk management at Deloitte LLP. He has a doctorate in business administration from Aston University in the UK based on his global research on the third party ecosystem. He also holds the honorary title of visiting senior fellow in strategy and governance in the school of business and economics at Loughborough University. Since 2014, Sanjoy’s work has been cited in various global academic and professional journals, newspapers and conference papers. Sanjoy has extensive experience advising boards, senior leadership, heads of risk, and internal audit on strategic governance and risk management of the extended enterprise, outsourcing, and shared services. He has worked across the UK, Gibraltar, India, and various countries in the Middle East. He is a chartered accountant (FCA), cost and management accountant, and certified information systems auditor (CISA) with over 30 years of experience, including 17 years of partner-level experience at Deloitte and another big four firm.