Advocating for a 2025 Third-Party Risk Management Budget
By: Hilary Jewhurst on September 10 2024
One only needs to read the news to understand how crucial third-party risk management (TPRM) is. Given the rise in regulations in the U.S. and internationally, the relentless wave of cyberattacks and data breaches, as well as significant business continuity incidents, like the CrowdStrike outage impacting millions globally, it's clear that the risks associated with third, fourth, and nth parties should receive full attention from an organization's management and board.
Still, despite a growing awareness of TPRM and its importance, leaders of TPRM programs across industries report that management and decision-makers haven't consistently stepped up to ensure better governance or provide more resources. In Venminder’s State of Third-Party Risk Management 2024 Survey, 73% of respondents found it challenging to get organizational support for TPRM, and 43% reported having fewer than two full-time employees dedicated to TPRM.
Many organizations are quick to blame economic uncertainty, inflation, or the lingering effects of a global pandemic for the funding challenges often seen in TPRM. However, this reasoning is backwards. When finances are tight, prioritizing TPRM and its role in safeguarding organizations and customers is even more essential. Products and services from vendors often make up a significant portion of an organization's operational expenses. Logically, an organization should want to protect its financial investments and ensure vendor relationships deliver the expected value.
Furthermore, if vendor risks aren’t properly managed, they can increase costs and lead to unplanned expenses due to data breaches, operational interruptions, legal fees, and enforcement actions. This can also result in a loss of customer trust, a damaged reputation, and lost revenue. Adequately funded and resourced TPRM programs aren’t only necessary but also incredibly valuable.
Why is there a disconnect between the importance of TPRM and the allocation of budget resources? Many organizational leaders underestimate the complexity of TPRM as a process or don’t understand the nuanced differences between enterprise risk management and TPRM. Leadership may also perceive TPRM as a check-the-box activity rather than a value-added one, or incorrectly assume the bulk of the work effort lies with the lines of business, information security, or compliance. Unfortunately, many organizational leaders don’t even think about TPRM until there’s a major vendor incident.
Yes, TPRM is all about managing the risks, but it might start to feel like you must paint a picture of utter calamity before getting anyone's attention. Shouting "the sky is falling" didn't work for Chicken Little, and it won't work for you, especially when asking for money for your TPRM program. So, what are you to do?
Considering the complexity of TPRM, it’s essential to ask yourself specific questions such as:
- What are the risks?
- What are the potential impacts?
- How can we mitigate them?
- What are the benefits?
- What is the value?
- How can I make my case for resources?
As budget season approaches, we would like to share some considerations for your TPRM budget and help you think about strategies for getting those precious dollars.
Considerations for a Third-Party Risk Management Budget
The first step is to identify who has authority and decision-making power over the resources your TPRM program needs. This often rests with senior management and the board. However, you should be prepared to explain your requests to your management and their management. Making sure you can articulate and defend your request will improve your chances of getting advocacy and support from those who ultimately make the decisions.
Here are questions to consider when writing your TPRM budget request:
- Where should the money go internally? Determining where TPRM dollars should be allocated isn't always a straightforward process. When you feel understaffed, it may seem logical to request an additional headcount in support of TPRM. However, you need to be sure that adding headcount is the correct answer. For instance, you might be using spreadsheets to manage TPRM processes. When you do those tasks manually, it takes a lot longer than it would with an automated solution. Manual processes can also result in errors and rework, further complicating inefficient workflows. In this situation, investing in TPRM technology would be a better use of funds than adding more people.
- Will the money help expedite any processes or save time for the business? Suppose your vendor owners complain about the long lead time required for vetting and onboarding new vendors. This is a genuine concern because your organization uses third parties to either realize an opportunity or fix a problem. The longer it takes to get those third parties up and running, the longer it takes to realize the intended benefits. Therefore, consider whether your TPRM budget can be used to alleviate the time-consuming processes of vendor vetting and onboarding.
- Will the money help you better comply with regulations? If your organization is facing a backlog of due diligence because your internal subject matter experts (SMEs) are maxed out with other priorities, and vendor risk reassessments and reviews aren’t being conducted on time, that poses a regulatory risk. You may want to consider outsourcing your due diligence document collection and vendor risk reviews to a reputable third-party risk management company. Utilizing outsourced SMEs eliminates the need to recruit, train, and manage additional employees (salaries, benefits, equipment, office space, etc.). Professional SMEs can easily review a vendor's control environment, help your organization shorten the wait time, and give your internal teams more bandwidth by taking something off their plate. Best of all, it helps your organization comply with regulatory expectations by completing required re-assessments and reviews on time.
- Will the money strengthen operational resilience? It may be wise to take an inventory of your organization’s critical third-party vendors as you build your case for your TPRM budget. What’s the potential cost if one of these third parties’ services temporarily goes down? What if a critical third party experiences a cyberattack? It can be helpful to look at these potential situations that have become increasingly common and consider how additional resources could be used to better manage and monitor critical vendor relationships.
- How much money is spent on vendors? Ask your accounts payable team for a report detailing how much money has been spent with vendors in the past year. Compare that to your total TPRM budget. What is the ratio of TPRM spend per vendor? These figures can often highlight how little is being spent to manage the risk of what is often a large portion of an organization’s expenses.
- What are your priorities? It’s a safe bet that you won’t get everything you ask for, so it’s important to categorize your budget dollars in terms of wants and needs. For example, suppose there was an audit finding related to poor record keeping resulting from manual processes. In that case, you need a better way to manage vendor data and processes, and a dedicated TPRM software system is necessary. On the other hand, suppose you would also like to incorporate more risk intelligence reporting to improve current monitoring efforts. If you have to choose, it’s probably not as essential as implementing solutions to address an audit finding.
- Where do you want the TPRM program to be? Consider your current TPRM program maturity level, the desired state, and the resources needed to get there. It may be helpful to create a TPRM program roadmap that shows what improvements are required for a more mature program and the investments necessary to get there. For example, let’s say your organization wants to develop standard third-party communication templates for better consistency. To help implement this change, an investment in TPRM software may be wise, so templates can be created and stored within the same system.
Remember, identifying solutions that provide better long-term value for the organization should be your priority when identifying your TPRM budget needs.
Cost Savings and Cost Avoidance
Many organizations have taken a "do more with less" attitude, which can include budget cuts, hiring freezes, and even layoffs. These cost savings are front and center, but what about cost avoidance?
There can be big problems when TPRM is not executed effectively. Significant financial consequences are typically associated with vendor performance failures. Those costs are rarely planned for or even considered in the budgeting process. A third-party failure can severely damage your organization's brand and reputation and impact customer retention and revenue.
The consulting firm McKinsey observed that poor supplier performance can result in higher total costs of 10 to 20 percent. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach in the U.S. hit an all-time high of approximately $9.3 million, counting both lost business and data breach response. With numbers like these, it's easy to illustrate how a well-staffed and well-resourced TPRM team brings more value, as it can more effectively reduce the likelihood, severity, and frequency of vendor-related risk events. This is key to avoiding unplanned expenses.
How to Advocate for a TPRM Budget
Unfortunately, TPRM isn't always a priority in many organizations. It can be very challenging to ask for a budget, so you must be strategic in your request and its presentation.
Here are some strategies you can use when requesting TPRM budget:
- Leverage your data. If you're asking for more money, make sure you have a data-driven business case. Provide the facts with your request, whether it's an increased vendor population or an extended cycle time for due diligence. In other words, rather than stating that your team is overwhelmed, show that a 30% increase in vendor volume requires additional TPRM resources.
- Focus on the business priorities. Ensure TPRM focuses on what the business needs to succeed. Knowing what's going on and what's important to the organization is key. We'll use due diligence cycle time as an example. Say your organization is about to launch a game-changing product or service. Before that can happen, a specific vendor must be in place. If due diligence takes 90 days instead of 60, that's at least 30 days of revenue lost. Any backlogged work has a domino effect, delaying the timely onboarding of other vendors as well. It's important to remember that resource requests always have more impact when framed in a specific context.
- Demonstrate the value to the organization. When writing a budget presentation, make value your goal. Describe your proposal's cost savings, efficiency improvements, and productivity improvements in detail. Emphasize, for example, that closely managing and monitoring a vendor’s performance and ensuring they meet contractual service levels means your organization isn’t paying for substandard goods and services that would cost it both time and money in the long run. You could also highlight how more efficient processes return bandwidth to the TPRM team, the business, and other stakeholders, giving them back time, and time is money.
Asking for and getting additional resources can be challenging, and it requires you to do research, collect data, and reframe TPRM as something that adds value to the organization. Despite your best efforts, you may not get everything you ask for. Still, you’re more likely to succeed if you present a compelling, data-driven business case. Framing third-party risk management as a strategic partner and defender for your organization could help you convince management to invest in TPRM.