[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries

Lack of third-party risk management leaving businesses vulnerable

Nearly half of organisations across industries such as financial services and healthcare do not have a dedicated third-party risk management function, according to a report from MetricStream.

Businesses vulnerable without "vital" risk management ©iStock
Businesses vulnerable without "vital" risk management ©iStock

This is despite 21% of companies believing they have faced significant risk due to third parties over the last 18 months, and 25% of those who shared financial impact data revealing losses of over £8m.

These costs were generated through a period of downtime, regulatory fines, and reputational damage, with firms that outsource processes and services exposing themselves to a plethora of threats.

MetricStream chief evangelist, French Caldwell, said: “It’s clear that many enterprises are yet to grasp fully how vital risk management is, but businesses can no longer plead ignorance. They are responsible for the actions of their third parties and they will bear the brunt of any fallout.

“For example, if a business shares sensitive data with a third-party without checking if it has relevant cybersecurity, and that supplier suffers a data breach, under some rules the company could be liable.

“Not only will it suffer reputational damage, but new regulations such as the EU General Data Protection Regulation could see large fines imposed too.”

The research involved a global survey of 40 organisations across 15 industries, including financial services, retail, healthcare, pharmaceuticals, and insurance.

Nearly three-quarters of respondents admitted that they did not track fourth parties in any capacity, meaning they have no visibility past their immediate suppliers.

Caldwell said that as enterprises rapidly adopt Cloud services, entities that would have been third parties when services were managed in-house, become fourth parties, which are more difficult to monitor.

The findings from the survey also reveal that 48% of businesses still use office productivity software, suggesting an immaturity of the function.

“Companies must become more vigilant. That means monitoring the entire supplier and IT services ecosystem more frequently, and, based on associated levels of risk, establishing dedicated third-party risk functions and accountability with GRC technology that enables informed decisions,” Caldwell added.

Sign up to our free newsletter here and receive a weekly roundup of news concerning the actuarial profession