Brian K. Lee (brian.k.lee@gartner.com) is a Managing Vice President and Dian Zhang (dian.zhang@gartner.com) is a Research Specialist at Gartner in Arlington, Virginia, USA.
When managing third-party risk, compliance teams often focus most of their efforts on initial due diligence and recertification. Although these are important activities, they don’t decrease the risks nearly as much as we think in today’s risk landscape.
According to the 2019 Gartner Third-Party Risk Management Survey, 83% of legal and compliance leaders admitted that they identified third-party risks after due diligence but before recertification, and almost a third of those risks resulted in a material impact. More important, 92% stated that these material risks could not have been identified through initial due diligence. This often occurs because business strategy has changed (54% of the time) or the scope of the relationship has changed (50% of the time).[1]