Optimizing Third-Party Risk Management

Crowe 2024 TPRM Benchmark Study

Morgan Strobel, Kassi Wilson, David Bellucci

Our benchmark study details how people, processes, and technology are critical components to consider when optimizing third-party risk management programs.

The Crowe “2024 Third-Party Risk Management Financial Services Benchmark Study” focused on financial services organizations ranging from small organizations to large enterprises and highlighted the evolving landscape of third-party risk management (TPRM).

While participants received a complimentary and personalized report comparing them to their peers, now organizations and TPRM professionals can benefit from this full-study summary about how companies are thinking about TPRM and what kinds of challenges they’re facing. This summary addresses those challenges and offers insights on people, process, and technology.

People, process, and technology

People: Structure TPRM for success

Procurement’s role. The Crowe study revealed that 45% of organizations actively involve their procurement departments in TPRM, which underscores the importance of cross-functional collaboration. However, 48% lack a dedicated procurement function, with the remainder having a procurement department that is not actively involved in TPRM. Therefore, potential areas for improvement exist.
Collaboration challenges. The largest issues faced by respondents are data quality, collaboration with third parties, and collaboration with business lines. Communication challenges can affect data quality and timeliness, and they demonstrate why well-defined processes are critical for overall program success.
Decision-making. Risk departments are the primary decision-makers in TPRM for 70% of organizations, which further emphasizes the critical role of risk management in guiding TPRM strategies.

Process: Streamline risk assessments

Cadence of reassessments. Reassessments are most commonly conducted annually for critical and high-risk third parties, biennially for moderate-risk third parties, and triennially for low-risk third parties. This cadence helps third-party risk profiles remain current while not overwhelming the team.
Outsourcing practices. Nearly half of organizations reported outsourcing some form of TPRM activities, including 21% that outsource assessments and another 21% for ongoing monitoring. This percentage is up from our last benchmark study and indicates a trend toward using external expertise to manage high-volume, complex TPRM tasks.
Interagency guidance. Staying ahead of regulatory developments is crucial for compliance and risk mitigation. When asked about planned changes resulting from the 2023 “Interagency Guidance on Third-Party Relationships: Risk Management,” participants responded that due diligence was the most common phase of the TPRM life cycle in which changes were needed to keep up with expectations.

Most common risk domains covered by assessments

Technology: Empower TPRM with innovation

Artificial intelligence. Nearly half (48%) of organizations plan to introduce AI technologies or data feeds within the next three years. Establishing AI governance policies and committees can facilitate the responsible adoption of AI in TPRM.
Data feeds. Cybersecurity ratings and financial health data are the most commonly used feeds, with 73% and 64% of organizations using them, respectively. Integrating diverse data sources can enhance risk assessment accuracy.
Looking forward. This year’s benchmark participants are strategically allocating their budgets to address key areas in TPRM. These allocations reflect a proactive approach to enhancing TPRM capabilities and addressing emerging challenges.

Allocation of TPRM budget

Actionable recommendations

Based on the benchmark data, organizations should consider the following steps to improve their TPRM programs:

Develop a comprehensive procurement strategy. Engage procurement departments in TPRM to take full advantage of their expertise in third-party selection and contract management. Consider cross-training initiatives to enhance collaboration.
Implement efficient resource management. Regularly review and adjust resource allocation to support optimal team performance and third-party oversight. Establish metrics to evaluate resource effectiveness and make data-driven adjustments.
Adopt agile assessment processes. Streamline assessment workflows and consider outsourcing noncore activities to enhance agility and focus on critical risks. Implement regular audits of outsourced processes to maintain quality.
Invest in technology and AI. Establish AI governance frameworks and explore data feed integrations to enhance risk assessment capabilities. Pilot new technologies in controlled environments to assess their impact before full-scale implementation.

Wherever you need help, we've got you covered

The Crowe “2024 Third-Party Risk Management Financial Services Benchmark Study” can provide a road map for organizations seeking to refine their third-party risk management strategies. By embracing collaboration, optimizing processes, and using technology, organizations can build resilient TPRM programs that effectively mitigate risks and support business objectives.

For more information on how Crowe can help you enhance your TPRM program or how to participate in the benchmark study, please reach out to our team of specialists. We’d also love to chat about your program and offer our perspective based on our experience and conversations with other industry leaders.

Captcha is required.

Contact us

As a member of the Crowe Global network, our team has access to more than 1,000 risk consultants around the world, and we can help you plan, build, and run a TPRM program that fits your business needs.