How AI transforms third-party risk management | EY

Business and risk leaders can these three actions to accelerate the transformation of TPRM and achieve the full value potential of centralization and AI adoption:

1. Focus on the enterprise

TPRM is conducted in different verticals of the enterprise, which are structured and incentivized to focus on different metrics. Procurement may track contract compliance and vendor performance. Cybersecurity may be focused on incident response time and cost of breaches. Supply chain may care about supplier compliance and resilience metrics.

Yet, realizing the full potential of AI and centralization requires understanding your obligations at an enterprise level — such as regulations, board imperatives, or investor imperatives — as well as how these translate to third-party risks and connect to the metrics of individual business units. If you are only looking at specific risks, instead of how your ecosystem of third parties could impact the overall business, you are narrowing your view and may set yourself up for suboptimal decision making.

We’ve written previously about the concept of a “risk steward” — someone who is charged with prioritizing risk management requirements across your organizational siloes and driving a connected, proactive risk management approach. TPRM is a true horizontal that cuts across the enterprise, with every internal function having a mirror third-party impact. It would benefit tremendously from a risk steward approach.

2. Invest in AI readiness

The survey responses show that AI adoption in TPRM is low, but that organizations have the ambition to scale up adoption in the years ahead. Bridging that gap and achieving that ambition requires investing in AI readiness.

This includes a thorough assessment of existing TPRM processes, tools, and data management practices to identify gaps and areas for improvement in preparation for AI integration. It includes investing in data readiness to improve data quality, standardizing data formats and implementing data governance. It includes preparing the workforce, by closing skills gaps and investing in training and upskilling.

Critically, it includes monitoring trends, both to keep pace with emerging best practices in TPRM, as well as to prepare for the next waves of AI.

3. Question assumptions and accelerate tipping points

“A decade ago, most companies had policies prohibiting their data from ever touching the public cloud, because of the fear factor of the technology,” says Kawther Haciane, EY MENA Digital Risk Leader. “Today, the script has flipped. Companies everywhere are ‘cloud first’ — everything has migrated to the cloud, and exceptions have to justify why they shouldn’t be on the cloud. What happened? We reached a tipping point, the assumptions and economics flipped, and it triggered mass adoption.”

Indeed, technology is replete with examples of such tipping points — while the new risk environment is accelerating the pace of nonlinear change, making tipping points increasingly likely. Consider how the launch of ChatGPT upended assumptions about the capabilities of GenAI, and the time frames in which they could be achieved. Or consider something closer to home for TPRM functions: how the COVID pandemic transformed some components of TPRM almost overnight, as the shift to remote work removed the ability to do onsite audits, forcing organizations to embrace technology at scale.

We may now be approaching a similar tipping point for AI adoption in TPRM. As the number and complexity of third-party relationships has swelled in recent years, so too has the friction, pain and cost of doing third-party risk assessments manually. But this is also changing the economics of AI adoption. Once you are doing assessments at larger scale — in the thousands instead of hundreds — you have an increased financial incentive to invest in AI, as well as the expanded scale with which to recoup those investments.

An even bigger tipping point may be imminent in the advancement of the technology. The new generation of AI models — including agentic AI, multimodal AI, reasoning AI, and self-improving AI — are bringing breakthrough capabilities, and combining them could be a game changer for TPRM. This could challenge cost-benefit calculations and make the value proposition of AI irresistible.

The tipping points discussed above have one thing in common: they took most companies by surprise, requiring them to scramble and put together an often-hurried response. But there is another path. By anticipating a tipping point, you can prepare your organization for it. Even better, you can accelerate the shift by taking the steps identified above, to invest in the future, fix misaligned incentives, and realign organizational structures.

TPRM exists to ensure that the rest of the organization isn’t caught unawares by external disruptions. Now, more than ever, it may need to apply that focus to itself.