Best practices in third party risk management
2024 Global CeFPro® Report, June 2024
Supported by Aravo

TABLE OF FIGURES
Figure A. Survey respondent role in relation to their TPRM program (page 4)
Figure B. Ownership of TPRM program across respondent organizations (page 4)
Figure C. Scale of third party usage among respondents (page 6)
Figure D. Key drivers for TPRM (page 6)
Figure E. Range of risk domains (page 7)
Figure F. Current perception of TPRM programs (page 8)
Figure G. Perceptions of TPRM resource allocation (page 9)
Figure H. Relationship between TPRM programs and the executive level (page 9)
Figure I. Assessing TPRM programs (page 10)
Figure J. Respondents’ likelihood of standing up to audit (page 10)
Figure K. Survey respondents’ use of data (page 11)
Figure L. Range of technologies used across third party risk (page 11)
Figure M. Perceptions of long-term program success (page 12)
Figure N. Identifying gaps in programs (page 12)
Figure O. Anticipated changes in approach in the next 2-3 years (page 13)
Figure P. Predicted time until improvement in TPRM program (page 14)

CONTENTS
About us (page 3)
Methodology & demographics (page 4)
Introduction (page 5)
Organizational drivers (page 6)
Program benchmark (page 8)
Technology benchmark (page 11)
Long-term view (page 12)
Conclusion (page 15)
A word from Aravo (page 15)
ABOUT US
CENTER FOR FINANCIAL PROFESSIONALS (CeFPro®):
The Center for Financial Professionals (CeFPro) is an international research organization and the focal point for a global community of finance, technology, risk, and compliance professionals from the financial services industry.
CeFPro is driven by high-quality, reliable primary market research. It has developed a comprehensive methodology that incorporates data from its global community and validation by an international team of independent experts.
Examples of some of CeFPro’s research include:
• Non-Financial Risk Leaders: the most comprehensive independent study of trends, opportunities, and challenges within non-financial risk
• Fintech Leaders: an international survey to assess the status of the fintech industry and provide details for informed decisions on technology and business-related matters
To find out more, visit www.cefpro.com/research
Aravo
Aravo is an industry leader that enables global brands to accelerate their third party risk management program performance to predict, anticipate, and respond to business disruptions, meet sustainability goals, and comply with regulations. Aravo’s platform and its broad range of risk domain applications deliver unified visibility into an organization’s third party ecosystem to manage and proactively mitigate risks.
Aravo’s people, products, and services all work together to support a greater purpose: to elevate the operational integrity of the business community. More than just being regulatory compliant, Aravo helps customers meet the increasing demand for more responsible organizations and extended enterprises.
Using Aravo, customers can grow their top-line revenue, avoid financial and brand liability, gain process efficiencies, and promote integrity. Aravo was founded in 2000 and is headquartered in San Francisco, California, USA.
Learn more at www.aravo.com
METHODOLOGY & DEMOGRAPHICS
CeFPro, in partnership with Aravo, conducted a global research survey to better understand the status of third party risk management within financial service organizations. The working hypothesis for the research was that organizations may not be taking appropriate action to improve their program capacity, maturity, and performance.
The research program was conducted in two distinct stages. First, the survey: CeFPro conducted global outreach to ensure that the survey received a diverse and varied sample cohort. The online survey was open to respondents from January 29 to March 28, 2024, and a total of 115 responses were logged. Second, CeFPro conducted a follow-up period of qualitative consultation with industry experts and thought leaders from the UK, EU, and North America. These industry experts consisted of senior professionals across a range of financial organizations, predominantly from within the banking sector. This additional research sought to validate and provide depth to the responses received in the survey and provide an additional layer of ‘real-world’ insight into how representative the results were, and why some trends may be more or less apparent.
To aid comprehension and provide anonymity to the contributors, the information provided by the industry experts is referred to as ‘additional research’ throughout this report. The additional research was obtained through 1-on-1 interviews, which were held between the industry experts and a CeFPro researcher.
Figure A. Survey respondent role in relation to their TPRM program
To gain insight into the demographic profile of the survey respondents, the first question asked participants to detail their role in relation to their organization’s third party risk management (TPRM) program. As demonstrated in Figure A, 40.0% of respondents were the ‘Owner or co-owner of the program (decision maker)’, and an additional 26.7% were ‘Executive with responsibility for TPRM’. Accordingly, a large portion (66.7%) of respondents were involved with directly driving TPRM, or held ownership/leadership positions within the program. As such, the majority of the survey’s respondents can be considered to have been well-placed to provide expert insight for the purposes of this report.
Figure A (chart data): Owner or co-owner of the program (decision maker) 40.0%; Executive with responsibility for TPRM 26.7%; the remaining responses (Practitioner, Other, Lead team member) 13.3%, 12.2% and 7.8% between them.
Figure B. Ownership of TPRM program across respondent organizations
To gain a sense of organizational structure among the respondent cohort, the survey also asked respondents to detail which group owned the TPRM program within their respective organizations. The results demonstrated that there is a divergence in approaches across the financial service sector, with 41.1% of respondents reporting that ‘Risk management’ owned their program, and a further 23.3% reporting that theirs were owned by ‘Procurement’. Further responses are detailed in Figure B.
The feedback from the industry experts interviewed as part of CeFPro’s additional research was varied, which speaks to the disparity of risk management approaches across the industry. No two interviewees provided the same response, and many highlighted that the ‘Other’ category, which received 22.2% of answers, could be the most ‘true to life’ response, as ownership of TPRM programs often fell under more than one area. Some stated that, while, for the most part, ‘Risk management’ typically owns the policy, standards, and requirements associated with TPRM programs, ‘Procurement’ often operates as an overarching parent, with overall and/or final responsibility. In many cases, risk and procurement share aspects, with specific sections allocated to own policy, and others to own the program.
This lack of standard ownership of TPRM within organizations in the financial sector is extrapolated across other industries where TPRM programs are often less mature. This inconsistency is further reflected in the program challenges analyzed later in this report, namely fractured data systems, teams, technologies, processes, and reporting, all of which needlessly complicate program reliability and performance.
Figure B (chart data): Risk Management (/CRO) 41.1%; Procurement 23.3%; Other 22.2%; Compliance (/COO) and Information Security / Systems (/CISO) 7.8% and 5.6% between them.
INTRODUCTION
As the third party risk management industry continues to mature, and the management and oversight of third parties becomes increasingly regulated on a global scale, organizations are under pressure from internal and external sources to ensure their programs are at a sufficient level and compliant. While specific regulations can differ by region and hemisphere, the direction and pace of change remain consistent and constant. Too many organizations are already behind and not ready for the additional changes on the horizon.
This research demonstrates a divergence in maturity across current TPRM programs, despite these rapidly emerging challenges. Is this an accurate reflection of the current financial services landscape, or is more work needed to understand risk exposure? The data provided in CeFPro’s outreach survey suggest there is a level of inconsistency and fragmentation in approaches across organizations. This report delves into the nature of these inconsistencies and provides analysis regarding how they provide an opportunity to benchmark programs and identify gaps and vulnerabilities.
ORGANIZATIONAL DRIVERS
The survey also explored the number of third parties that organizations work with. While the responses were diverse in scope, they were fairly widely distributed. A total of 25.6% of respondents stated that their organizations have between 1,001 and 5,000 reported third party associations; a further 21.1% reported between 501 and 1,000 (Figure C). Figure C demonstrates the plethora of responses, and suggests there is a wide divergence in how organizations within the financial services sector approach the management of TPRM programs. This variety can be attributed to several factors, which vary in significance. The two most significant areas highlighted in additional research were:
• The size and global footprint of the organization: those with a global presence will have a higher number of third parties by default. It is also unclear whether respondents from global organizations answered for a single geography or for their entire organization
• Definition of third party: the survey question used the term ‘third parties’, but did not define the term, or clarify whether third parties would include examples such as bank-to-bank, the use of central banks, joint ventures, partnerships, and intragroup arrangements. As a result, the question was open to interpretation, which may have increased the variety of responses provided.
In a 1-to-1 interview, one industry expert gave an example regarding the Bank of England and its role as a payment settlement agent. Many rely on the Bank of England to settle payments, whether as a settlement agent, real-time gross settlement service (RTGS), or CHAPS. If the Bank of England suffers any outage or disruption to service, there is a ripple effect across organizations and customers; it should, therefore, be managed as a third party. However, it may not be included by many in this count due to varying interpretations of the requirements. The same applies to bank-to-bank and intragroup arrangements, particularly for larger organizations, where the number of third parties could increase exponentially should they all be included. When all are included, the total number of third parties these respondent organizations engage with is likely significantly higher.
As organizations increase their reliance on third parties, and the number of relationships organizations engage in continue to rise (in some cases, organizations have upwards of tens of thousands of third party engagements), it is important to understand and identify the key drivers behind TPRM programs. Question 6 of the survey asked respondents to detail their organization’s primary drivers (Figure D). The most reported driver for 50.6% of the organizations surveyed was ‘Liability avoidance (audits, enforcement, regulatory alignment)’. This finding was in-line with the views of the industry experts, many of whom referenced how changes in regulation have increased the pressure on organizations to ensure they are operating in compliance with multiple policies across a range of jurisdictions.
Figure C. Scale of third party usage among respondents (chart; categories: Less than 100; 101-500; 501-1,000; 1,001-5,000; 5,001-10,000; 10,001-25,000; 25,001-50,000; Over 50,000; No idea, it’s a lot). Values: 1,001-5,000 25.6%; 501-1,000 21.1%; the remaining seven categories 15.6%, 10%, 8.9%, 6.6%, 5.6%, 4.4% and 2.2% between them.
Figure D. Key drivers for TPRM (chart data): Liability avoidance (audits, enforcement, regulatory alignment) 50.6%; the remaining drivers (Operational efficiency (streamline onboarding and assessments), Cybersecurity (information security across third parties), Revenue growth (service delivery assurances), Create market advantage) 21.3%, 21.3%, 3.4% and 3.4% between them.
Many organizations are driven to meet regulatory requirements out of a desire to avoid potential liability. Although there were differing interpretations across the additional research conducted, different regulatory initiatives were referenced, many of which stem from the UK and Europe, such as the Digital Operational Resilience Act (DORA). In one interview, an industry expert highlighted that the regulatory agenda in the UK has a heavy customer-centric focus, which is being predominantly led by Consumer Duty regulation. Although not an option in the question posed, for UK respondents, it was suggested that the focus should be shifting towards making sure the customer gets the best outcomes, in which third parties play a big part. In addition to concerns regarding direct regulatory action, organizations are facing increasing pressure from shareholders, customers, and the public to go beyond the specifics of a regulation. While regulatory actions can be damaging to an organization’s reputation and financial standing, an appearance of misalignment with regulatory or public expectations can be more so.
The final analysis of organizational drivers looked to identify the key risk domains that organizations focus on when evaluating a third party. The most popular driver was ‘Data privacy/GDPR alignment’ (Figure E), which was selected by 89.9% of respondents. As respondents could select multiple answers, there were several prominent drivers identified, with ‘Financial/credit risk analysis’, ‘Infosec’, ‘Program & operational resiliency’ and ‘ABAC (anti-bribery & corruption/regulatory compliance)’ each being selected by more than 80.0% of the survey respondents.
The survey results mirrored the expectations of the industry experts interviewed in CeFPro’s follow-up research. One expert summarized that as all the popular drivers were highly regulated domains, organizations would need to ensure they were heeded during third party evaluations, to ensure they avoided potential liability; this further supports the findings in Figure D.
Figure E. Range of risk domains
In interviews with experts from the UK and EU, researchers were surprised to see that ‘Program & operational resiliency’ was only the fourth most popular response. With DORA due to go live in January 2025, many of the industry experts interviewed predicted that organizations would be focusing on operational resiliency programs, at least for the subset of respondents under its regional purview (EU and UK). As a holistic approach to operational resilience, it was also expected to capture areas such as data privacy and financial risk analysis of third parties.
Industry experts selected two areas that they predicted to rise significantly over the next few years: ‘ESG’ and ‘Third party usage of AI for technology or operations’. First, with regards to ESG, there is an expectation of increased attention, fines, and sanctions for those not in compliance with regulations by 2025. While it remains unclear whether the requirements will evolve or change in the future, their impact, particularly across Europe, is expected to be significant.
Second, the implementation of AI is also expected to increase. AI is a current focus across the industry, with regulatory announcements expected to be on the horizon for its use across financial services; while how it will fit within a TPRM program is as yet unclear, its use is expected to rise substantially.
Overall, organizations must stay ahead of market changes and the escalation of conditions across the industry. They also need to be asking questions regarding how the expectations of their clients and customers may change in the future, and updating their client outreach questionnaires to keep up to date on the changing market conditions. In general, AI use within organizations is a question of governance, rules, and policies, which, in turn, is a question of compliance. AI is also a potential risk that should be taken into account when assessing third party risks, especially in the financial sector.
Figure E (chart data; multiple answers allowed): Data privacy / GDPR alignment 89.9%; Financial / credit risk analysis 87.6%; Infosec 86.5%; Program & operational resiliency 85.4%; ABAC (anti-bribery & corruption / regulatory compliance) 80.9%; Performance assurances 68.5%; ESG 53.9%; Third party usage of AI for technology or operations 50.6%; Other (please specify) 14.6%.
PROGRAM BENCHMARK
The next phase of the survey looked to establish a benchmark as to where TPRM programs are viewed today and their value within organizations. The evolution of third party risk has been heightened in recent years. While it has historically been seen as a relatively immature risk discipline, it has evolved considerably in response to strengthening regulations and its impact on organizational strategies and performance. When asked how they viewed the maturity of the TPRM programs in their host organizations, 49.4% of respondents described their programs as ‘Integrated: the organization has adopted centralized methodologies, templates, processes, governance and reporting’ (Figure F). Although this finding suggests that there is a baseline level of maturity in current programs, other charts within the research, discussed later, suggest that these self-assessments of program maturity may be more optimistic, and show higher confidence, than is perhaps warranted.
The industry experts interviewed in CeFPro’s follow-up research were surprised that such a large portion of the respondents considered their organizations to be advanced, particularly when considering that larger organizations can find integration and centralization challenging. As with any of the questions in this survey, there are variations in interpretations of the question and the results; one such example given was of large organizations with multiple acquired companies or fintechs under a parent. The larger parent may consider itself integrated; however, subsidiaries within it may differ in nature, and be viewed as more fragmented. Typically, larger organizations are host to vast amounts of data; integration can be a huge undertaking, particularly from a data standpoint, in complex organizations. While organizations with fewer third party engagements could be considered more integrated, they may have less data to process, and thus have an ‘easier’/more straightforward task at hand. There is also a degree of interpretation on what would be included within the definition of the ‘TPRM program’.
Figure F. Current perception of TPRM programs (chart data): Ad-hoc 1.1%; Fragmented 15.7%; Defined 30.4%; Integrated 49.4%; Agile 3.4%.
Maturity levels as described in the survey:
• Ad-hoc: no or minimal defined methodology, roles, and systems in place
• Fragmented: processes tend to be manual, distributed, non-standardized, difficult to measure or improve, using Office productivity software
• Defined: individual departments or locations have standardized and technology-enabled processes, but don’t tend to share data or insights
• Integrated: the organization has adopted centralized methodologies, templates, processes, governance, and reporting
• Agile: where TPRM is federated across the org, with integrated data and insight sharing, automation, AI, analytics, and defined accountability
Given the relative perceived maturity of TPRM programs across the industry, budgets and resources are expected to be, overall, sufficient. When asked about how well resourced their programs were, 33.7% of respondents reported having a sufficient budget, but a shortage of people to complete their required tasks. Only 32.7% of respondents reported that they had both the budget and personnel to produce maximum results (Figure G). The increase in budget and attempt at increasing headcount is expected to be driven largely by the regulatory environment; global regulators have several programs, including SS2/21, DORA, and Interagency Guidelines, to name a few. Some changes, mainly DORA, fundamentally alter some programs. Its implementation has led to a heightened demand in capacity, resources, tools, and technology. It was highlighted in additional research that risk is never properly resourced; as it continues to evolve, there is always more that can be done, and more resources required to develop a best-in-class program. A total of 21.3% of respondents said that their program is understaffed and their budgets are too low, which is a trend we see across teams within the industry.
Often, teams are overstretched and understaffed; this can be exacerbated further by an influx of regulations. Overall, many budgets for TPRM appear to have received an increase, allowing for maximum results, although there is a long way to go to unify this across the industry and develop teams to be more integrated and advanced.
Figure G. Perceptions of TPRM resource allocation
• We have budget and personnel to do what we need to do: 32.7%
• We have a budget but a shortage of people to do what we need to do: 33.7%
• We have the people but not the budget to do what we need to do: 11.2%
• Our program is under-staffed and the budget is too low: 21.3%
• I have no budget or people: 1.1%
Historically, too many organizations have not seen TPRM as a value-adding program. However, the last few years have seen it receive increased exposure at an executive level, and TPRM is now more prominent than ever. This shift is driven by regulatory pressures and external events, such as cyber security incidents with suppliers and geopolitical events, where the role of supply chain risk is prominent. The number of third parties organizations engage with is increasing as companies grow and M&A activity increases. This growth widens the threat landscape for regulatory non-compliance and for events including the above-mentioned cyber and geopolitical risks. Such pressures reaffirm the importance of a successful TPRM program, and the importance of understanding relationships and potential vulnerabilities in order to improve reaction and response times. When asked whether they could clearly communicate the value of their TPRM program to executives, 43.7% of respondents stated that they could, but would like executives to understand the value of the TPRM program on a consistent basis (Figure H). Only 4.5% of respondents felt that they could not communicate the program’s value, or that their executives only saw TPRM as a cost center. While TPRM is reaching the executive level and has seen progress in demonstrating its value, much work is needed to cement it as being seen as a valuable program to ensure the security of organizations. Developing consistency across the board in the recognition of the value of TPRM is the next step in ensuring effective communication of that value to executives.
Figure H. Relationship between TPRM programs and the executive level
• No, I can’t clearly communicate the value of my program: 1.1%
• No, they tend to see our TPRM program as a cost center, not a value center: 3.4%
• Yes, I communicate our TPRM program’s value, but it is not seen as strategic to the business: 23.1%
• Yes, but I’d like my Executives to more consistently understand the value of our TPRM program: 43.7%
• Yes, our Executives consistently understand the strategic value our TPRM program delivers to the business: 28.7%
As this report aims to provide an opportunity to benchmark programs and gain a status update on a global level, it assesses organizations’ ability to benchmark themselves against their peers. The survey provided a broad spread of results, with a slight lead for: ‘Yes, but we would like to understand better how our program compares to others in our industry and market more specifically’. Figure I shows the range of additional responses, which all received similar shares of the vote. This chart demonstrates the divergence across the industry; instead of a largely collaborative approach, organizations are operating in isolation, with almost half of the industry unable to benchmark their program to any degree. Larger or more mature organizations often undertake benchmarking activities to review the changing TPRM environment, identify ‘best-in-class’ approaches and learn lessons that can be used to strengthen the industry and meet regulatory demands.
Another key aspect of benchmarking programs is understanding any success stories that detail specific tools or technology. Although many organizations are unlikely to publicly share their success stories in public forums, closed-door discussions, and the informal sharing of lessons learned, are valuable tools for industry practitioners looking to develop new processes. With many tools available across the industry, deciphering those that fit best with your host organization, and those which provide the most appropriate service for the need, is a challenging task. Larger organizations should pursue more active engagement with the wider industry to ensure they remain current and aware of relevant developments. Meeting and interacting with peer organizations of a similar size and progress is a valuable opportunity to identify missed opportunities and areas for development.
Finally, in assessing progress to provide a benchmarking opportunity, the survey explored whether organizations felt confident that they would stand up to audit by a regulator. Almost half of the survey respondents (49.4%) stated that they felt confident that they had the information needed to stand up to audit and have a solution in place. A further 35.7% of respondents stated that, ‘Yes, we have a well-designed, well-executed and defensible program in place’ (Figure J). With over 75.0% of survey participants responding positively to this question, the survey data presents a favorable image of TPRM programs.
However, it was flagged in multiple interviews with industry experts that the responses in Figure J are somewhat overconfident when contrasted with expectations. As outlined throughout this report, there are several regulatory change initiatives currently in operation across multiple jurisdictions, many of which have created a host of uncertainty with the inclusion of new concepts. For example, evolving expectations across the market for additional program diligence, reporting, and transparency are forcing organizations to assess and build better programs. With this in mind, it is surprising to see so many survey respondents cite such high levels of confidence in the ability of their organizations to stand up to regulatory and market scrutiny. For example, liability avoidance was highlighted as a key driver of TPRM programs in Figure D; however, the results shown in Figure J would suggest that over 85.0% of respondents feel as though this objective has already been achieved, and that they are seeing success in the regulatory initiatives.
Figure I. Assessing TPRM programs
• No, we have so little consistency that we can’t do trend analysis or benchmark the program: 11.8%
• No, we have several years of data and performance analysis but don’t benchmark our performance against others: 12.9%
• No, we believe we have a comparable or better program than others in our industry, but not the data to show it: 22.4%
• Yes, we use analysts and public / market data to benchmark the major components of our program: 24.7%
• Yes, but we would like to better understand how our program compares to others in our industry and market more specifically: 28.2%
Figure J. Respondents’ likelihood of standing up to audit
• No. It has already happened, and we have to make corrections to our program
• No. If there was a regulatory investigation, we risk compliance, operational, and reputational damage
• Yes. We have a solution in place: 49.4%
• Yes. We have a well-designed, well-executed and defensible program in place: 35.7%
The two ‘No’ responses together account for the remaining 14.9%.
TECHNOLOGY BENCHMARK
Data serves as a fundamental component of every TPRM program; often, organizations have challenges in accessing and managing data in a consistent format across large organizations. Aligning data and sources is an enterprise-wide challenge for many, with many data programs being utilized to advance accessibility. It is no surprise, therefore, that 47.2% of respondents said that different groups are using different ways to view and monitor data; they are, however, able to easily ask for access to see the information needed (Figure K). This was seen as the truest representation of the industry, as many organizations are unable to develop an integrated or enterprise system due to their complex legacy systems and mismatches in data collection. The 23.6% of respondents that said their ‘entire enterprise is using one unified platform into which they all have data visibility’ are expected to be from less mature organizations, fintechs, or challenger banks, which do not have complicated structures to untangle or pre-existing, complex legacy systems.
As organizations explore the opportunity to leverage tools, technology, and outside information providers, the inclusion of external data adds an added level of complexity. While leveraging multiple data sources at onboarding can allow for greater insight, it can ultimately increase data disparities. Overall, the survey results suggested that there is promising progress being made in organizations’ ability to access data across different groups; only 29.2% of the survey respondents stated that they were still operating on disparate systems, where different groups handle their risk domains differently with no visibility into the information.
Figure K. Survey respondents’ use of data
• Entire enterprise is using one unified platform into which we all have data visibility: 23.6%
• Different groups are using different ways to view data and monitor; however, I am able to easily ask for access to see this information as needed: 47.2%
• Different groups are handling their risk domains differently with some being manual, some being standardized, and some handling in a way unknown to the rest of the organization. I have no visibility into that information: 29.2%
As technology continues to evolve, the options available across the market continue to increase; it is often challenging for organizations to decide on which appropriate tools and technologies to utilize. When assessing what technologies are used to assess third party risks (Figure L), most organizations will have some tool to manage TPRM. CeFPro’s additional research highlighted that there are limited ‘one-size-fits-all’ or ‘all-encompassing’ tools available on the market. This range of different product options could indicate why 46.2% of the survey respondents reported that they were leveraging office productivity software; it is expected that these are top-ups to larger purpose-built GRC tools. Due to the unique GRC requirements each organization has, they often deploy ‘mix and match’ solutions from across the market, which contribute to the proliferation of disparate systems, data, processes, and reporting. That being said, it is encouraging to see that over 48.0% of this sample cohort report leveraging purpose-built TPRM solutions to manage their programs.
Figure L. Range of technologies used across third party risk (multiple answers allowed)
• Office productivity software (Excel, Word, Outlook): 46.2%
• An internal communications hub (SharePoint, Jive, etc): 29.7%
• A GRC platform that includes TPRM: 44.0%
• A purpose-built TPRM solution built to manage TPRM: 48.4%
• Other (please specify): 7.7%
LONG-TERM VIEW
Thus far, this report has provided an assessment and benchmark of the industry’s current progress and capabilities; it now looks to explore a forward view on capabilities. When exploring whether organizations felt as though they had a strategic plan to ensure long-term TPRM program success, 51.7% of respondents stated that: ‘Yes, we anticipate growing our TPRM program but are not yet clear on the details’ (Figure M). As outlined throughout this report, there appears to be significant urgency toward making progress across many parts of the industry; however, it is clear that many respondents are not yet sure how to define the best next steps or how to improve their program performance. As organizations move toward multi-year roadmaps, much more work needs to be done. Recent regulatory changes and market pressures have pushed many organizations to develop some level of forward view, and many more are expected to develop implementation roadmaps to ensure progress in the next 12 months.
As part of developing a forward-looking strategic plan to ensure long-term success, organizations must identify and fill gaps in their existing programs. A total of 29.2% of respondents stated that they were aware of where the gaps were in their programs, and what they needed to do to fill those gaps (Figure M). This number demonstrates that the sense of awareness and ownership over the respective TPRM programs is growing.
These respondents were then asked to specify where their gaps were, and what needs to be done to fill them. Figure N is a word cloud of some of the key areas mentioned and a selection of pertinent quotes from respondents.
Figure M. Perceptions of long-term program success
• Yes, we anticipate growing our TPRM program but are not clear on the details yet: 51.7%
• Yes, we have our next steps planned out: 29.2%
The three remaining options account for 2.2%, 5.7% and 11.2% of responses:
• Not really, it’s day by day
• No long-term plans for changing our program
• No, our program maturity pathway is undefined
Figure N. Identifying gaps in programs (word cloud of key areas mentioned by respondents)
Automation and technology; Fourth parties; Contract management; Regulatory compliance; Data alignment; Continuous monitoring; Documentation; Cyber; BCP, DR and stressed exit; Expansion; Risk silos; Fragmentation; Resources
“4th parties, ensuring our critical suppliers are managing the risks presented by their own supply chain.”
“The ability to integrate strategic risk considerations earlier in the procurement process, better contract management and monitoring practices, increased awareness of contract owner accountabilities, 4th/Nth party visibility and increased integration with continuity of operations.”
“Need to invest in a system that allows data to be collected as part of the process and not an additional (manual) task that requires additional steps/hours.”
“Being able to evidence adherence to governance activities and flag where key governance steps are missing and/or contractual documentation and/or reporting needs to be enhanced.”
“Ensure that vendors’ risk and control environments are examined closely, assessing the compliance impact on first-line users of third parties who may not be regulated.”
“Looking to leverage AI to seek visibility into Nth parties and hidden risks that lie within. We are already looking at one AI tool that can do that. However, we are also in the process of integrating our internal TPRM application with other applications to streamline the due diligence requirements.”
“Fragmented approach resulting in operational ineffectiveness, low data and risk transparency, inconsistent risk management methodology, lack of collaboration and awareness.”
“Greater work on the flow of BCP to stressed exit planning and testing, strengthening of framework underway to greater control for those suppliers which don’t flow through main sourcing process.”
Looking further ahead, the survey explored the changes in organizational approaches to TPRM anticipated in the next 2–3 years; the survey respondents’ insights are presented in Figure O. The results here were clearly divided, with 35.7% of respondents stating, ‘Yes, we intend to invest in people, technology, and additional resources into our TPRM program in the next 2 years’, and a further 33.3% selecting ‘Maybe, with more people and technology investments/integrations’ (Figure O). Figure O highlights a demand for technology and automation opportunities to unify processes and build a more integrated TPRM program.
There remain many questions about the future of opportunities such as AI benefiting the management of third party risks. AI efficiencies can potentially advance documentation speed and efficiency, reducing manual aspects of TPRM and enabling programs to scale and improve performance with fewer resource requirements.
Figure O. Anticipated changes in approach in the next 2-3 years
• Yes, we intend to invest in people, technology, and additional resources into our TPRM program in the next 2 years: 35.7%
• Yes, we intend to update / replace our current technologies in the next 2-3 years: 20.7%
• Maybe, with more people and technology investments / integrations: 33.3%
• No: 10.3%
Finally, the survey explored when organizations planned to make a move/invest in making improvements to their TPRM program with regards to maturity and readiness. A total of 41.9% of respondents stated that they had plans within the next 2 years, and an additional 34.9% stated that they had plans within the calendar year 2024 (Figure P). This is supported by Figure N, in which 88.4% of respondents identified gaps in their programs, and 76.8% stated that they are planning some level of process improvement within the next 2 years. It was also highlighted in additional research that although it is a positive sign to see a clear intention to invest in developing programs, this should also be a continuous activity rather than a one-off measure. Continuous assessment, testing, monitoring, and due diligence are required to stay ahead of regulatory change and remain agile to emerging trends, opportunities, and challenges.
Figure P. Predicted time until improvement in TPRM program
• Within calendar year 2024: 34.9%
• Within the next 2 years: 41.9%
• Within the next 5 years: 12.8%
• My organization has no plan for improvement: 8.1%
• Other: 2.3%
CONCLUSION
Overall, the survey results demonstrate that the industry is seeing some change, with expectations for making investments toward advancing TPRM programs and performance. Organizations should remain cautious, ensuring that they are realistic in their view of their own program maturity and that their program investments are measurably beneficial to their organizations. The data demonstrates a story of progression with continued fragmentation and limited holistic TPRM strategies. Increased attention in the area - as a result of some negative events - has led to increased regulatory and internal attention, raising the profile of TPRM and shining a spotlight on weaknesses and opportunities for improvement. An increasing number of firms are moving TPRM front-and-center in their strategies and operations, and are investing in and setting expectations for program performance. There is much more to come for TPRM as it continues to evolve and mature within organizations, and becomes a discipline and value that is recognized at the executive level. This report recognizes that this is an area where strategic thinking is required for long-term success, in addition to immediate tactical plans to meet today’s regulatory needs.
Key takeaways:
• Data suggests that while respondents are making progress, there remains a lack of centralization in managing third parties
• There is an upward trend in recognition of third party risk as a value add program with engagement through to executive level
• Overall, there is an understanding as to the gaps in TPRM programs; however, inconsistency in responses could indicate uncertainty as to how mature programs really are
• For the most part, teams are well resourced, and have future plans for additional investment
• Although the industry is not there yet, progress is visible, and regulatory initiatives are looking to further strengthen and unify approaches
A WORD FROM ARAVO:
The value and priority of well-designed and well-executed third party risk management within organizations is continuing to grow and evolve. Regulations are becoming more encompassing across jurisdictions and covering more risk domains, and stakeholders are expecting more secure, ethical activities from the organizations they choose to do business with. Because of this, it is important to benchmark TPRM programs, see where process changes should be made, and determine priorities and next steps for improvements.
CeFPro’s research and interviews give us important information into the state of programs today, namely their maturity, value within the organization, priorities, and technologies.
One of the largest takeaways we’re seeing with this research is that there is more fragmentation across teams, data, and systems than expected within TPRM programs, even within the financial industry, which typically leads the way for governance, risk, and compliance best practices. This includes within overall strategy, across platforms and technologies being utilized, realized value to executives, and overall direction and future of the programs.
Inconsistencies in TPRM maturity: Data suggests that while respondents are managing individual projects, there is a lack of centralization in managing all the third parties they engage with (the extended enterprise) within a single, automated platform. True TPRM maturity cannot be gained with manual processes and fragmented solutions.
Fragmentation when it comes to TPRM direction: While organizations surveyed (overall) have an understanding that they have gaps in their TPRM programs, and plan to grow their budgets and programs in the future, inconsistent responses showcase a lack of clarity, direction, and commitment to best shore up these gaps and exhibit TPRM as a value-add to executives and the organization.
Need to take a more strategic, holistic approach to TPRM: Overall, organizations that took part in this survey recognize they have gaps in their TPRM programs. While they’re working to define the priorities and next steps to make the strategic changes and investments needed to bridge these gaps, they’re not there yet.
Where to go from here
Growing TPRM maturity is not a one-step process, but rather a large-scale, strategic initiative made over time by implementing process efficiencies and best practices, and taking a holistic approach to managing these with a centralized, automated solution.
One of the best ways to address fragmentation within teams, processes, and technologies is to focus on centralizing programs into one purpose-built, scalable, and flexible TPRM solution. By centralizing this data, organizations can improve visibility, identify priorities, and make informed decisions that benefit their business. TPRM solutions built to deliver insights and executive reporting, while standing up to audits and regulatory scrutiny, are proven to be of exceptional value to organizations no matter their size, industry, or program maturity. As the challenges and risks represented by third party relationships continue to scale and diversify, managing and mitigating risks with robust and purpose-built platforms is essential to long-term strategic, operational, and financial success.
If you are interested in learning more about how to make improvements to your TPRM program, Aravo is here to help. Contact us today.
or as trading as the Center for Financial Professionals or CeFPro®.
The facts of the Third Party Risk Management report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that CeFPro® delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. CeFPro® acknowledges the guidance and input from the Advisory Board, though all views expressed are those of the Center for Financial Professionals, and CeFPro® accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis. For further information, contact CeFPro®.
CeFPro®, Fintech Leaders™ and Non-Financial Risk Leaders™ are either Registered or Trade Marks of the Center for Financial Professionals Limited. Unauthorized use of the Center for Financial Professionals Limited, or CeFPro®, name and trademarks is strictly prohibited and subject to legal penalties.