“ERM involvement in third-party risk management activities has increased across the board since 2016,” said Matlock. “However, just doing more isn’t enough because the characteristics of third-party risk undermine the effectiveness of a typical ERM setup.”
ERM is struggling to elevate the right issues because it generally fails to limit its focus to a manageable set of them. ERM leaders are not clearly defining which issues must be acted on first, and they typically do not prepare their audiences to take tangible steps on the issues they surface.
Enterprise Third-Party Risk Management
There are three things ERM must do differently to manage third-party risk more effectively in a large organization, an approach Gartner calls enterprise third-party risk management. Essentially, it is a way for ERM teams to cope with the information overload created by the exponential increase in risk volume and variability that accompanies the rapid growth in third-party use.
- Third-party risks tend to be high in volume, heterogeneous in nature, and highly variable in importance across the business, so it is hard to identify and prioritize what matters most. ERM must first isolate and combine only those inputs that matter at the enterprise level, so that it can concentrate on aggregating the most important inputs and addressing the most critical enterprise third-party risks.
- ERM must enable alignment across a diverse set of risk owners to obtain a holistic view, and create opportunities for them to work toward consensus. In practice, this means facilitating direct thought partnership between risk co-owners, with ERM adding expertise and aligning actions, rather than ERM acting as the central coordinator of all risk information and mitigation.
- ERM’s role as a trend spotter is also undermined by the expanding third-party landscape, because the potential issues are too numerous and the available data is often point-in-time and lagging. Again, the solution is to narrow the scope of what is monitored, limiting focus to the most critical emerging issues and proactively tracking them with a set of easily monitored, forward-looking indicators that let ERM reliably spot critical enterprise risk trends.
“With third-party risk exposure elevated and a multitude of incoming threats on the horizon, risk committees are expecting ERM to play a greater role in managing third-party risk,” said Matlock. “Yet traditional ERM posture is struggling to provide a concise, actionable view of third-party risk at the enterprise level. That’s why ERM must focus on enterprise third-party risk management, which involves defining enterprise-level priorities, enabling cross-functional alignment, and monitoring forward-looking indicators.”
This research was first presented to clients at a Gartner annual retreat for heads of ERM in Chicago in October 2022, and will be presented again in March 2023.
About Gartner for Legal, Risk & Compliance Leaders
Gartner for Legal, Risk and Compliance Leaders provides expert guidance and tools to help leaders across legal, risk, audit and compliance departments more effectively manage an increasingly complex risk landscape and build next-generation functions. Additional information is available at gartner.com/en/audit-risk and gartner.com/en/legal-compliance. Follow news and updates on LinkedIn and Twitter. Visit the Gartner Legal and Compliance Newsroom for more information and insights.