Posted: 06 Nov. 2020 5 min. read

How is COVID-19 changing third party risk management?

The COVID-19 pandemic has significantly changed the risk landscape and impacted organisations across industries globally. We recognised this in our 2020 global survey report on third party risk management (TPRM) through a number of predictions on how COVID-19 would change the discipline.

In this blog we highlight the changes we have seen and where our predictions have begun to ring true:

  • We predicted that organisations would become increasingly concerned about the rising cost of getting third-party risk management wrong – a reflection of the growing dependence on critical third-party relationships. We have witnessed clients make a huge effort to ensure continuity and resilience of their critical third parties. This is in addition to seeing them face increased pressure to operate as a responsible business. Organisations are more focused than ever on the safety and well-being of third parties they work with.
  • We have seen tangible investments in resources, capabilities, technology and reporting to monitor critical third parties, despite cash constraints. Cost and revenue recovery initiatives are increasingly being used to fund this additional investment. We predicted that a growing appreciation of the potential damage caused by third party failures throughout the COVID-19 pandemic would increase leadership attention on the value of TPRM; this investment suggests it has.
  • Third party risk management expectations continue to evolve. The pandemic has highlighted shortcomings in some organisations such as poor visibility of critical third party relationships or key contractual terms. Organisations that learn during the pandemic and evolve their TPRM frameworks accordingly will leave their peers behind.
  • Many organisations are acquiring ready-made risk intelligence from external sources and consultants, rather than building deep in-house expertise, to improve their TPRM frameworks. The trend was already shown in this year’s survey: organisations use third parties for managed services and utility models, and to buy in domain-specific feeder technologies, subject to financial constraints.
  • Technology will be at the heart of finance and controls transformation initiatives. COVID-19 has strengthened the desire for better visualisation of data and online alerts to enable action and make top-level reporting more succinct and smarter. During the pandemic we’ve seen many organisations realise the need to identify and visualise third party delivery locations, as mapping headquarter locations did not always identify the right level of geopolitical risk exposure.
  • Finally, although insourcing some third-party processes initially appeared an attractive option to regain control during the pandemic, organisations are realising that insourcing must be balanced against the associated costs – such as developing relevant in-house capability – at a time when cash reserves must be protected.

Read more about our predictions on how third party risk management could change in our report: Be responsible and effective: Strike a balance. To discuss any of the TPRM developments covered in this blog, contact one of our authors.

Key contacts

Kristian Park

Partner

Kristian Park is global leader for Extended Enterprise Risk Management. As a partner in Deloitte UK, Kristian works with his clients to develop governance frameworks to identify and manage all types of third-party risks, looking at both process and technology solutions; performs inspections of third-party business partners on his clients’ behalf; and assesses third-party compliance with contractual terms and conditions. In addition, Kristian is responsible for Deloitte UK’s Software Asset Management and Software Licensing teams and assists clients in managing their software licensing obligations, driving efficiencies and savings. He has experience across a broad variety of industry sectors including Life Sciences, Financial Services, Energy & Resources, Sport, Technology, Media, and Consumer & Industrial Products.

Danny Griffiths

Director

Danny Griffiths is a Director in our London-based Extended Enterprise Risk Management (EERM) team. He has ten years of experience providing assurance and advisory services to his clients in the area of Third Party Risk. Danny leads the Third Party Advisory (TPA) proposition within our UK EERM team, and specialises in supporting clients in the development of Third Party Governance & Risk Management frameworks. He has worked extensively in the Financial Services sector in this regard, as well as advising organisations across many of the other industry sectors, and he regularly hosts roundtables and presents at forums on this topic. In addition, Danny has significant experience leading compliance programmes for large national and multi-national organisations, assessing third party compliance against contractual obligations. Danny has led inspections across a range of third parties including suppliers, outsourcers, marketing agencies, distributors, resellers and licensees. He has practical experience working in a broad range of industries including Financial Services, Technology & Media, Consumer Business, Sports Business, Energy & Utilities, Real Estate and Public Sector. He has led projects in multiple jurisdictions within Europe, the Middle East, Africa, the Americas and Asia.

Dr. Sanjoy Sen

Head of Research and Eminence

Sanjoy Sen is the head of research for third party risk management at Deloitte LLP. He has a doctorate in business administration from Aston University in the UK based on his global research on the third party ecosystem. He also holds the honorary title of visiting senior fellow in strategy and governance in the school of business and economics at Loughborough University. Since 2014, Sanjoy’s work has been cited in various global academic and professional journals, newspapers and conference papers. Sanjoy has extensive experience advising boards, senior leadership, heads of risk, and internal audit on strategic governance and risk management of the extended enterprise, outsourcing, and shared services. He has worked across the UK, Gibraltar, India, and various countries in the Middle East. He is a chartered accountant (FCA), cost and management accountant, and certified information systems auditor (CISA) with over 30 years of experience, including 17 years of partner-level experience at Deloitte and another big four firm.