Managing third-party risk and compliance is becoming an increasingly important factor in doing business. The days when engineering companies, legal firms or even moviemakers did everything in-house are long gone. More and more modern organisations rely on third parties to do their day-to-day business. This has led to a rapid increase in awareness of the need to manage the risks involved in working with such vendors and partners – and a rising demand for relevant professionals.
Failure to manage this risk can be catastrophic: If a factory cannot get some simple, cheap parts and has to slow or cease production, it can haemorrhage millions of dollars a day. When it comes to cyber security, surveys suggest that over the past two years more than half of data breaches were caused by third parties, involving billions of pieces of personal information. As a result of this, most businesses immediately think of cyber security when it comes to third-party risk management, and not without good reason. However there are many other forms of risk that should also be considered. What is the financial state of the vendor? Could your reputation be damaged? Can geopolitical factors affect the third party? Does it create any operational or continuity risk? Does your partner comply with relevant local and international regulations and laws?
Many businesses are opting to outsource at least some of their third-party risk management. This is often a good idea; the field is extremely specialised and there are often not enough qualified professionals to meet the demand. Outsourcing can not only address this problem, but can also often save a business significant money. (However it does also raise the intriguing concept of a third party managing third parties – you may be vulnerable if too reliant on your outsourced risk manager.)
A study by the US-based company Adroit Market Research found that the global market for third-party risk management – including compliance – will reach US$8 billion by 2025, growing at an average 16 percent per year. The study said that cyber security and the growing adoption of virtual platforms were among the biggest drivers of this rise, along with increasingly complex and stringent data protection regulations. Crucially, however, the study said that a lack of skilled professionals is likely to hold back the market from expanding even faster. Also, technological advancements such as smart contracts, data analytics, and automation are expected to be key factors in the coming years.
While automation is becoming an increasingly powerful tool in third-party risk management, it does not replace the need for an overall plan and a team to implement it. Automation can perform data analytics and crunch numbers millions of times faster than people. It can also provide warnings in far more timely manner. But the information and warnings still need to be analysed and acted upon by specialist risk staff. The rise in technology also creates opportunities for those with strong IT skills to benefit in this risk sector. Risk managers are not at risk of being completely replaced by computers just yet.
For example, a search on just one Hong Kong jobs website shows seven postings for third-party risk managers in the past month alone, while a similar search for the US shows dozens of vacancies advertised over the same period. Clearly, there is a strong demand for professionals with relevant skills, and all the evidence suggests this demand will continue to grow for the foreseeable future.
VIVIAN CHEN, Ashford Benjamin Ltd.