AI and TPRM: Shaping the Risk Landscape of Today
Risk management and compliance professionals have long employed highly detailed questionnaires to help assess the risks involved in conducting business with vendors and other third parties. These questionnaires are extensive and highly detailed, and usually require several back-and-forth cycles to confirm that potential partners are operating in a responsible and secure manner and conform to all necessary technology standards, regulations, laws, statutes, and sector-specific guidance.
Most risk professionals believe that the rigorous and manual coordination is essential to complete these questionnaires and represents best practice in Third Party Risk Management (TPRM).
Until 2020, that was largely true.
Today, the ongoing digitization of almost every organization is well underway—largely for the better, but this modernization is also presenting new cyber risks. The complexity of gathering and assessing these cyber risks has expanded sharply and now requires far more urgent assessment, with far greater data access and mastery than manual processes alone can deliver.
Enter AI.
TRPM and the Era of AI-Driven Transformation
New large language models and generative processing—viewed as “AI for the masses”—have recently entered the public arena, but the fact is that over the last decade in particular, innovators have been evolving machine learning and advanced AI applications with levels of sophistication almost unimaginable to many. The addition of generative AI to these applications is enhancing both their evolution and their usability.
Innovators behind purpose-specific AI applications and initiatives have been hard at work amassing both the data that’s foundational to intelligence and the deep-learning capabilities needed to leverage the massive data troves to derive new knowledge with unprecedented speed and levels of insight.
AI isn’t only a tool, it’s a collaborator. It completes arduous, months-long business functions and tasks in minutes or hours, and imbues its users with new, highly applicable insight and technical acumen. This work is yielding immediate insight that is of greater depth and breadth than most could conceive a few years ago.
It is now helping forward-thinking organizations transform their TPRM programs, enabling analysis of more vendors, at a deeper level, and in a timeframe that supports critical business decisions—and growing the risk practitioner’s value to their organization.
Decisions around mitigation responses to a third party’s cyberattack, the timely analysis of potential M&A partners, and more informative assessments of an organization’s community of potential partners are just some of the insights that risk professionals are offering. These aspects of a risk professional’s role will become even more important as threat actors apply their own AI-enabled, advanced threats.
Measuring AI’s Impact on TPRM
As many organizations’ partner ecosystems expand and grow increasingly complex, and resources become more stressed, risk managers report tha less than 25% of potential and current partners and vendors will fully complete lengthy questionnaires manually.
Platform-derived findings show that VISO TRUST’s AI-driven response and completion rates have risen above 98%. This is unsurprising given that the VISO TRUST knowledge base contains more than 2.4 million companies in the vendor database, recognizes more than 30 security frameworks, and leverages hundreds of different types of source artifacts, from SOC2 filings to sector-specific guidance compliance documentation.
Today, across all industry verticals, more than 90% of third parties can be assessed thoroughly on artifacts and evidence alone, 51% of third parties have detailed assurance artifacts available, and 49% have made detailed technical information (such as penetration tests) available. Only 6% of third parties make this valuable information broadly accessible publicly.
Survey results from risk managers and data from the VISO TRUST platform, which includes automated artifact analysis, public data, and adaptive questionnaires, provide these insights:
- Up to 75% of vendors decline to complete questionnaires based on vendor portal usage statistics drawn from the VISO TRUST platform.
- Public data is insufficient for meaningful risk assessments—only 6% of vendors can be assessed on public data alone.
- Ratings are an incomplete determinant of risk and call as much as 98% of reports into question.
- AI-supported artifact-based assessment, which leverages data on 2.5+ million companies, delivers near 99% coverage
- The completion rate on AI-driven assessments reaches 98%
- The reported completion cycle on manual questionnaire based assessments takes an average of 60-90 days, reported by VISO TRUST customers and Shared Assessments
- AI-enabled, artifact based assessment took an average of 5-7 days to complete, resulting in 96% fewer human hours spent on assessment
Advancing Risk Management with AI: Discover More in Our Detailed Report
AI-driven risk management will continue to expand beyond today’s functions to assess and compensate for third party risks in new ways, and break through process and data assessment bottlenecks to help prevent data breaches.
VISO TRUST and our fellow AI innovators continue to look beyond today’s horizon to expand what’s possible as AI redefines the landscape of TPRM. It is essential to delve deeper into how these technologies not only expedite processes, but also enhance the accuracy and depth of risk assessments.
This transformative shift is thoroughly explored in the new report State of Third Party Risk Management in 2024: AI’s Impacts & Future Trends. This report provides a comprehensive overview of the current challenges and inefficiencies plaguing traditional TPRM approaches and it showcases how AI-driven, artifact-based assessments can address these challenges by offering more precise and timely insights, enhancing a company’s ability to make informed decisions at the speed of business.
Explore the report today to ensure your organization is at the forefront of TPRM innovation and prepared to tackle the challenges of an increasingly interconnected digital world.