Survey Reveals Boards Failing to Grasp Third-Party Risks

A report released by Compliance Week and Aravo reveals a lack of engagement by boards in third-party oversight, with good governance hampered by incomplete and inaccurate board reporting.

While third-party relationships increasingly form a key part of business strategy, boards are failing to grasp the risks that third parties expose their organizations to, a new survey released today by Compliance Week and Aravo reveals.

In an environment of increased business risks, close to half (43 percent) of surveyed practitioners claimed that their board doesn’t have a good handle on third-party risk. Despite regulatory expectations for effective board oversight, 42 percent of respondents indicated that their board had not set the risk appetite for their organization, and another 19 percent revealed they did not know if their board had delivered this.

This could be due in part to a lack of engagement in third-party governance by many boards – 6 percent of respondents indicated that their boards were not engaged at all, and a further 29 percent said their boards were only infrequently engaged.

The survey also revealed that communicating the right information to the board was problematic. Over a quarter (27 percent) of practitioners say that they report to the board infrequently on third-party matters, and another 6 percent say that they never do.

Hampering efforts in board reporting were a number of challenges including: resource constraints (41 percent); “no golden source of truth” on all third parties (39 percent); a lack of standardization of processes (38 percent), data in disparate systems (37 percent), reporting capabilities in systems (35 percent), data quality (28 percent), and “not really knowing what the board expects” (24 percent).

As a consequence, compiling board reports was not an easy process. More than a third of survey respondents (36 percent) say it takes anywhere from one to two weeks to compile a board report on third-party issues. For some companies (18 percent) it takes more than three weeks.

Alarmingly, this means that boards are often presented with incomplete and inaccurate information about third party risk. Only 17 percent of respondents felt that the information in their board reports was wholly complete and accurate. Half (50 percent) thought that their reports were largely complete and accurate but contained minor information gaps, while 28 percent indicated that they are moderately complete and accurate but held some major information gaps. Finally, almost 4 percent noted that their reports were “worryingly incomplete and inaccurate.”

The results also revealed that cybersecurity, data privacy, third-party performance, bribery, and regulatory change and expectations impacting third-party risk management were the five most common issues brought up at the board level.

Kimberley Allan, Chief Marketing Officer, Aravo Solutions said, “The results tell us that there’s a huge opportunity for better communication between the board, senior management, and third-party risk practitioners. Boards need to be more engaged and should be requiring management to set the right governance framework and to provide a clear line of sight to the organization’s most significant third-party risks, as well as explanations of how they intend to manage these risks. They need to be asking the right questions about risk, but clearly, the results show they need better data to do this.”

Dave Lefort, Editor in Chief, Compliance Week said: “Industry research such as this is valuable for practitioners and boards looking to benchmark best practice and improve communications and governance within their own organizations and across their extended enterprise. The results provide important discussion points that boards and senior management should be examining to help improve and mature their own third-party risk management programs.”

The full survey report can be downloaded here.

1 2Next page

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button