Organizations Unprepared for Third Party Risks

Jennifer Post


December 1, 2023

According to a recent survey by EY, only 21% of organizations have a multi-year third-party risk management (TPRM) plan with defined goals and milestones. However, more are implementing specific third-party risk mitigation strategies, including: maintaining an integrated resiliency plan in the event of business disruption due to high-risk third parties (51%); conducting integrated resiliency testing (47%); performing scenario analysis (45%); maintaining exit strategies or contingency plans (45%); and testing exit strategies, contingency plans and business continuity plans (40%). To further mature an organization’s TPRM approach, EY suggested defining the objectives and scope of a TPRM program; understanding, documenting and maintaining third-party inventory; developing relevant policies and procedures; enhancing ongoing monitoring of third parties; establishing a governance structure; implementing technology and automation; and streamlining customer experience by sending out questionnaires or other customer response strategies.

Jennifer Post is an editor at Risk Management.