Fear. Uncertainty. Doubt. Also known as “appeal to fear,” fear-uncertainty-doubt (FUD) is a fallacy in which a person tries to create support for an idea (or technology) by attempting to increase fear towards an alternative. Since the passage of Sarbanes-Oxley (SOX), the regulation that launched the era of compliance, technology sales have been predicated on creating a sense of urgency, complexity, and even FOMO (fear of missing out), especially in third-party risk. These strategies increase fear of regulatory fines and penalties, plant uncertainty about how to comply with new and changing regulations, and spread doubt about the ability to assess third parties efficiently and onboard them quickly enough to keep up with business demands. In The Forrester Wave™: Third-Party Risk Management Platforms, Q4 2020, regulatory compliance was the top driver for investing in a third-party risk management (TPRM) platform among customer references surveyed. Today, TPRM buyers are looking past the FUD. Here’s what we found.
Announcing The TPRM Platforms Wave, 2022
The Forrester Wave™: Third-Party Risk Management Platforms, Q2 2022 looks at the 12 most important TPRM platform vendors in the market today — a vastly different place than it was two years ago. Experience from two back-to-back global crises, many more regional and localized critical events, and aftershocks from all of these has shifted TPRM market focus from compliance to resilience. It’s not that compliance has gone away or isn’t a priority for risk and compliance pros; it’s just not the main focus. Forrester defines TPRM platforms as:
Platforms that identify, assess, score, monitor, and report on risks to the enterprise from the ecosystem of third-party relationships at every stage of the third-party lifecycle including: (1) sourcing/procurement, (2) due diligence, (3) selection, (4) onboarding, (5) ongoing risk monitoring, and (6) termination/off-boarding. In addition, TPRM platforms support analysis of the impact of risks on strategic objectives, compliance posture, and business resilience across multiple categories of risk.
The Top Business And Risk Priorities Influencing TPRM Purchasing Decisions
As many organizations have now learned, third parties are critical for their business success. However, when a third party, such as a vendor, supplier, partner, or affiliate, fails or experiences a critical event, it’s a matter of time before the third party’s disruption impacts your own firm. Maintaining a resilient third-party ecosystem is a top priority and a competitive advantage in an uncertain business environment. Here’s what customer references from the Wave evaluation told us about their top business and risk priorities.
Regarding business priorities, we found that:
- Buyers invest in TPRM primarily to get a handle on disruption from/to third parties. Disruptive and critical events involving third parties continue to increase and cascade throughout the business. Disruptions come in many forms, such as a cybersecurity event, or even from natural disasters, geopolitics, and the lingering effects of COVID-19. When asked about the degree to which business priorities influenced the purchase of their TPRM platform, 44% of customer references cited the need to reduce the impact of business disruption from third-party risk events as critical.
- The rate of change drives third-party risk pros to prioritize preparedness. The last two years have leveled up the jobs of third-party risk pros from difficult to excruciating. Just when it appears that businesses are getting over one catastrophe, two more are waiting in the wings. Not surprisingly, 36% of our customer references ranked the need to accelerate their response to business and market changes as critical for influencing TPRM investments, as compared with 17% that ranked reducing regulatory fines or penalties as critical.
Regarding risk priorities, we found that:
- As ecosystems grow, firms lean on TPRM platforms to scale efficiency. The transition from just-in-time efficiency to the just-in-case contingency effectively doubles the size of the third-party ecosystem. To scale, third-party risk efforts must keep pace. Wave customer references overwhelmingly (58%) identify “increase process efficiency” as the most critical priority that factored into their purchase of a TPRM platform.
- TPRM pros lean on platforms to remove blind spots. Forrester’s The State Of Enterprise Risk Management, 2022 report highlights the increase in the number of discrete critical risk events — those events where significant business, financial, or reputational impacts or disruptions were experienced by the organization. The desire to improve risk visibility and transparency is a high or critical risk priority that influenced the purchase for 53% of customer references. For context, the need to better comply with regulations was a critical factor for just 25%.
For more on the TPRM market and vendor capabilities, please check out the full evaluation, The Forrester Wave™: Third-Party Risk Management Platforms, Q2 2022, and schedule an inquiry to talk to me about it.