Risk assessment for supply chain inadequate to face current challenges, says report
Study suggests that there is a widespread inability to adequately vet and manage suppliers
A new study by Prevalent, Inc., says that even before the current pandemic, companies did not have adequate risk assessment for their vendors and suppliers, citing cost and resources as the major barriers to doing so. The Third-Party Risk Management: The 3rd Rail of Security & Compliance report found that only just over half of companies were conducting risk assessments of the third parties they work with. That lack of scrutiny meant they were being let down: three quarters said they had experienced operational issues as a result of an issue originating with a third party, frequently leading to productivity falls.
Key findings include:
- Lack of confidence in the program inhibits results: 54% of organizations have some meaningful experience in conducting third-party risk assessments, yet only 10% are extremely confident in their programs.
- Significant consequences: 76% of respondents said that they experienced one or more issues that impacted vendor performance – resulting in a loss of productivity (39%), monetary damages (28%) and a loss of reputation (25%).
- Unsatisfactory number of assessments: 66% of respondents say they should be assessing more than three-fourths of their top tier vendors but aren't doing so.
- Costs, resources and lack of process are inhibitors to success: Lack of resources (74%), cost (39%) and insufficient processes (32%) are keeping respondents from assessing all their top-tier vendors.
- No one seems happy with their existing toolset: Satisfaction levels with existing tools hover in the 50% range, and the weighted average of satisfaction caps out at 3.8/5.0. GRC tools have an especially long way to go with a 41% satisfaction rate.
"Organizations are starting to ask the question about what happens to them if their supply chain partners go out of business. Sadly, most companies don't have the risk visibility into their supply chains to answer that question," stated Brenda Ferraro, vice president of third-party risk at Prevalent, Inc. "How can they expect to adequately manage their own risk without understanding the risks vendors and partners pose?"
The report concludes with five recommendations to jump-start vendor risk activities:
- Develop a programmatic process
- Build a cross-functional team that extends beyond risk and compliance
- Be comprehensive without being complex
- Maintain options for assessment collection and analysis for agility
- Complement your decision-making with risk-based intelligence