Increased regulatory pressure and stakeholder demands for commitment to environmental, social, and governance (ESG) initiatives have prompted organizations to enhance their due diligence efforts, increasing scrutiny on third-party practices. However, almost half of third-party risk management (TPRM) leaders report that they are mostly not confident in the information gathered by due diligence questionnaires.[1]
Results from Gartner’s recent survey on TPRM reveal two reasons for this lack of confidence:
1. Longer questionnaires do not promise quality information
Likely because of increased regulatory and ESG pressure to rethink due diligence requirements, nearly half of TPRM leaders (47%) increased the size of due diligence questionnaires compared to three years ago.
Even with increasing questionnaire sizes, only 21% of respondents report collecting the right kind of information, with a plurality of respondents (42%) collecting more information than necessary. Gathering excessive information does not translate to gathering information useful for better risk detection: 63% of respondents report that their due diligence practices could not identify a majority of moderate to severe risks for the organization.
Collecting more information than necessary can dilute the information most relevant to the organization. Further, once the volume of information surpasses the ability to parse through it, a variety of cognitive biases are triggered to cope with excess information. Both factors lead to lower confidence in information gathered and point to the need to strike a balance between the amount of information gathered and the ability to adequately process it.