Third-party risk management is compromised in many organisations because those holding the relationship with the third party don’t reliably escalate red flags to compliance teams, according to research from Gartner.
Relationship owners are most often mid-level managers, directors and senior vice-presidents who have direct insight into multiple third parties that compliance leaders deem high-risk.
Conducted in August 2024, the survey of approximately 900 third-party relationship owners revealed that while 95% saw a third-party red flag in the prior 12 months, only around half of them escalated it to compliance teams.
Gartner’s survey showed that three key factors significantly affect the likelihood of sharing: confidence in identifying red flags, objectivity in prioritising third-party issues and the perceived return on investment of sharing information.
When relationship owners develop affinity for their third parties, however, they are less likely to involve compliance out of fear that compliance may overreact and harm the relationship, the report’s authors found. Thirty-six per cent of relationship owners said they feel obligated to protect third-party relationships from people in their own organisations, and a further 27% are reluctant to do anything that might bring harm to the third parties they manage.
Commenting on the dynamics, Chris Audet, vice-president and chief of research in the Gartner Assurance Practice, said: “Organisations tend to be working with a lot more third parties as they are key to accelerating business growth after the various disruptions of recent years. In light of rising sustainability standards that pertain to the use of third parties, this is an area that has the attention of compliance teams.
“Relationship owners have a unique vantage point for identifying potential risks in third-party relationships. By empowering them to share insights effectively, organisations can significantly enhance their risk management capabilities.”
Helping relationship owners to be more confident in identifying third-party red flags should be seen as “low-hanging fruit” for compliance teams, Audet added, and is something that can likely be addressed with some targeted training or communications.
“Organisations must prioritise effective communication and collaboration with relationship owners to enhance third-party risk management,” he explained. “By addressing the barriers to sharing and fostering a culture of transparency, businesses can mitigate risks more effectively and align with strategic goals.”