Weaving trust into the fabric of third-party risk

By Matthew Moog, General Manager - Third-party Risk, OneTrust

Do you trust your third parties?

In theory, it’s a simple question, but for business leaders around the world – whose reliance on third parties is dramatically increasing – it’s a difficult one to answer. And yet, it’s imperative to business success.
According to KPMG’s 2022 Third-Party Risk Management (TPRM) Outlook, which surveyed 1,263 senior-level TPRM professionals, 73% of respondents have experienced at least one significant disruption, caused by a third party, within the last three years. Despite this, strategic budgets for TPRM initiatives are limited, with 61% of respondents saying that TPRM is undervalued despite its enterprise-critical role.

As a result, budget-strapped TPRM teams are struggling to answer basic questions about their third parties, such as:

  • Do you trust that your third parties can deliver their goods and services as promised?
  • Do you trust your third parties are ethical and will live up to your standards?
  • Do you trust that your third parties will adhere to their contracts?
  • Do you trust that your third parties can navigate a major disruption, cyber or otherwise?

New methods for third-party evaluation

To get these answers, organizations need to change their strategic mindset. They need to shift from tactical, questionnaire-driven third-party risk management to a program built on trust – aligning with the company’s aspirations and brand.

But what does this look like in practice?

Say for example, you assess the same third party for five years in a row using the same questionnaire and getting the same results. Beyond checking the box for compliance, is there really any benefit in sending the same questionnaire again? Ask yourself: what’s the objective of the activity?

Companies leading the charge toward trust are seeking out a wealth of data beyond questionnaires; data that didn’t exist ten years ago but now is readily available at our fingertips, such as cybersecurity ratings, location information, corruption indexes, carbon footprints, diversity metrics, sanctions lists, historical performance, and more. Even still, this data is rarely used in aggregate to make trust-informed decisions. Why?

The most obvious culprit is often a business’s operating model. Organizations rarely come together to make enterprise-wide decisions on trust, instead making siloed decisions based on risk. Typical risk models evaluate inherent risk conditions across many different risk domains. Then, through questionnaires, businesses assess controls (or the lack of them) to arrive at a residual risk. What they have not considered, however, are non-control-based data points that often erode trust: less black-and-white concepts with respect to ethics, ESG, governance, responsible AI, performance, and other factors. Focusing on these factors gives businesses the opportunity to embrace the upside of a trusted partnership, such as the ability to invest in innovation, instead of just the downside risk.

A trust-based approach to third-party risk doesn’t just consider questions and answers, but instead seeks to uncover data that informs decisions for long-term growth and value.

The value of trust

While third-party risk has remained a compliance-centric exercise, it has reached a scale that makes it critical to consider the frequency of disruptive, trust-breaking events – as well as the negative impact those events pose to a business.

Recent data from Deloitte shows that organizations that lose or lack trust experience negative consequences. According to the research, when trust was eroded, three $10 billion companies lost between 20 and 56 percent of their value. On the other hand, trusted companies, according to MarketWatch, outperform the S&P 500 by 30 to 50 percent.

So, building a business based on trust, instead of solely compliance, gives organizations the ability to drive growth. With this in mind, consider how important it is to trust that your third parties can uphold your reputation.

Embracing trust in third-party risk

So, how can you embrace trust and weave it into the fabric of your third-party risk program?

Start by:

  • Defining what trust means for your organization
  • Evaluating what changes may be necessary in your operating model to embrace trust
  • Defining your risk appetite across all trust domains (security, privacy, ethics, ESG)
  • Reporting to executive management and the board on a trust-first principle

Legacy frameworks that defined third-party risk for the last two decades are being re-evaluated as models shift away from the traditional “risk” assessment and move toward a trust-centric approach.

Companies making this shift are leaning into third-party risk functions as strategic differentiators for their organization – as opposed to business impediments and check-the-box compliance activities.

Organizations should define what trust means to them and make sure their program has an ability to set appetites not only on risk elements but also the elements that round out their definition of trust.

So, the question remains: Do you trust your third parties?
