Effective utilization of generative AI in third-party risk management programs

October 4, 2023

Authored by RSM Canada LLP

Joel A. Humphrey, CPA, CA shared this article

While companies have become more reliant on third-party providers, regulatory requirements and guidance have also increased, placing additional responsibilities on organizations to assess and manage the risks of those providers. These requirements have imposed an extra strain on third-party risk management (TPRM) teams that rely on existing manual processes and often work under time constraints due to a company’s need for timely third-party support and/or products. Backlogs in third-party due diligence requests are developing, as are inconsistent outputs from TPRM and/or risk management teams that are struggling to keep up.

Artificial intelligence and, more recently, generative AI have become important tools for businesses looking to increase both insight and efficiency. After seeing the potential power of generative AI across the business and the TPRM life cycle, organizations are seeking tools with AI capabilities to augment existing programs, both to decrease the time it takes to review third-party controls and to build additional metrics and data points for leadership. 

However, while companies seek opportunities to leverage generative AI within TPRM programs, these new strategies also carry new risks. As with other business initiatives, taking a measured approach to generative AI for TPRM and implementing a comprehensive governance plan can help companies develop an effective strategy that aligns with the goals of their vendor programs and delivers on expected value.

Incorporating generative AI into vendor relationships

Generative AI presents a significant opportunity for companies to gain rapid insights into the risk landscape of their vendor ecosystem and get answers to complex questions that would otherwise require considerable personnel, time and research to address. Generative AI is being incorporated into mature TPRM programs in several ways to improve decision making across the vendor life cycle, including:

  • Inherent risk evaluation. Generative AI can streamline the vendor onboarding process by automating your intake form and scoring responses from internal stakeholders to provide an inherent risk score. This score can be used to prioritize risk assessment needs for critical and high-risk vendors.
  • Risk assessments. Incorporating generative AI capabilities and algorithms with large language models will allow your organization to review large volumes of vendor responses and provide a residual risk score to predict risks based on known criteria or flag questions for further review. With the right amount of tuning, generative AI can even produce follow-up questions to your vendors based on their responses to your risk assessment questionnaires. 
  • Contract compliance. Algorithms can be used to search contracts for keywords related to data, cyber, and privacy requirements and to identify missing terms, ensuring alignment with your organization's risk tolerance.

“The power of AI and its abilities to automate large portions of the TPRM life cycle has proven to increase efficiencies and decrease manual errors and backlog,” says Amy Feldman, a director at RSM US LLP. 

Ultimately, though, with any generative AI application, the capabilities and risks are contingent entirely upon how it is used. Without careful implementation, vulnerability to cybersecurity threats and potential exposure to evolving privacy laws can increase, along with quality control and bias concerns with the resulting data and outcomes and the interpretation of those outcomes. 

Optimizing the value of generative AI within TPRM programs

Adopting an AI governance-first approach within your TPRM program can enable your organization to unlock opportunities and achieve meaningful impact. With effective governance in place, you can confidently evaluate business processes to identify and incorporate third-party, external and internal AI systems.

In addition, RSM has developed a comprehensive governance approach that leverages all the currently available credible information on AI adoption and usage. The RSM AI Governance Framework combines elements from leading frameworks as well as best practices from foreign nations and leading organizations. The solution is flexible and adaptable to align with today’s business needs but extensible to evolve as AI innovation continues to grow in and around your organization. 

While we highly recommend incorporating the RSM AI Governance Framework as part of the AI implementation process, it is flexible enough to be repurposed for second-line operation risk assessment and third-line internal audit and compliance activities.

Imagine a scenario in which an employee is engaged to review a lengthy questionnaire completed by a critical vendor. They open the questionnaire and manually review each response and cross-reference the responses to a stand-alone scoring guide. AI tools can be used to automate this task. By integrating AI into the review cycle, the employee must review only unfavorable responses and/or ensure that all questions were answered rather than parsing the raw responses. The resulting efficiency is sorely needed in all businesses today.

However, an organization must address many questions before adopting this type of advanced digital transformation, to ensure alignment with internal risk appetite. Responsible adoption requires mature data and software development governance within most organizations going forward.

Getting started

Generative AI solutions are evolving quickly and are rapidly becoming a key strategy across the business, including in TPRM. If applications are aligned effectively to business goals and implemented responsibly, generative AI can identify vulnerabilities within vendor strategies and offer potential solutions. As generative AI solutions begin to show their significant potential, quick action is necessary to determine how they benefit your overall third-party approach, address potential risks and ultimately drive increased business success.

This article was written by Dave Mahoney and originally appeared on 2023-10-04 RSM Canada, and is available online at
