ARTICLE | October 04, 2023

While companies have become more reliant on third-party providers, regulatory requirements and guidance have also increased, placing additional responsibilities on organizations to assess and manage the risks of those providers. These requirements have imposed an extra strain on third-party risk management (TPRM) teams that rely on existing manual processes and often work under time constraints due to a company’s need for timely third-party support and/or products. Backlogs in third-party due diligence requests are developing, as are inconsistent outputs from TPRM and/or risk management teams that are struggling to keep up.

Artificial intelligence and, more recently, generative AI have become important tools for businesses looking to increase both insight and efficiency. After seeing the potential power of generative AI across the business and the TPRM life cycle, organizations are seeking tools with AI capabilities to augment existing programs, both to decrease the time it takes to review third-party controls and to build additional metrics and data points for leadership. 

However, while companies seek opportunities to leverage generative AI within TPRM programs, these new strategies also carry new risks. As with other business initiatives, taking a measured approach to generative AI for TPRM and implementing a comprehensive governance plan can help companies develop an effective strategy that aligns with the goals of their vendor programs and delivers on expected value.

Incorporating generative AI into vendor relationships

Generative AI presents a significant opportunity for companies to gain rapid insights into the risk landscape of their vendor ecosystem and get answers to complex questions that would otherwise require considerable personnel, time and research to address. Generative AI is being incorporated into mature TPRM programs in several ways to improve decision making across the vendor life cycle, including:

• Inherent risk evaluation. Generative AI can streamline the vendor onboarding process by automating your intake form and scoring responses from internal stakeholders to provide an inherent risk score. This score can be used to prioritize risk assessment needs for critical and high-risk vendors.
• Risk assessments. Incorporating generative AI capabilities and algorithms with large language models will allow your organization to review large volumes of vendor responses and provide a residual risk score to predict risks based on known criteria or flag questions for further review. With the right amount of tuning, generative AI can even produce follow-up questions to your vendors based on their responses to your risk assessment questionnaires. 
• Contract compliance. Algorithms can be used to search contracts for keywords related to data, cyber, and privacy requirements and to identify missing terms, ensuring alignment with your organization's risk tolerance.

“The power of AI and its abilities to automate large portions of the TPRM life cycle has proven to increase efficiencies and decrease manual errors and backlog,” says Amy Feldman, a director at RSM US LLP. 

Ultimately, though, with any generative AI application, the capabilities and risks are contingent entirely upon how it is used. Without careful implementation, vulnerability to cybersecurity threats and potential exposure to evolving privacy laws can increase, along with quality control and bias concerns with the resulting data and outcomes and the interpretation of those outcomes. 

Optimizing the value of generative AI within TPRM programs

Adopting an AI governance-first approach within your TPRM program can enable your organization to unlock opportunities and achieve meaningful impact. With effective governance in place, you can confidently evaluate business processes to identify and incorporate third-party, external and internal AI systems.

In addition, RSM has developed a comprehensive governance approach that leverages all the currently available credible information on AI adoption and usage. The RSM AI Governance Framework combines elements from leading frameworks as well as best practices from foreign nations and leading organizations. The solution is flexible and adaptable to align with today’s business needs but extensible to evolve as AI innovation continues to grow in and around your organization. 

While we highly recommend incorporating the RSM AI Governance Framework as part of the AI implementation process, it is flexible enough to be repurposed for second-line operation risk assessment and third-line internal audit and compliance activities.

Imagine a scenario in which an employee is engaged to review a lengthy questionnaire completed by a critical vendor. They open the questionnaire and manually review each response and cross-reference the responses to a stand-alone scoring guide. AI tools can be used to automate this task. By integrating AI into the review cycle, the employee must review only unfavorable responses and/or ensure that all questions were answered rather than parsing the raw responses. The resulting efficiency is sorely needed in all businesses today.

However, an organization must address many questions before adopting this type of advanced digital transformation, to ensure alignment with internal risk appetite. Responsible adoption requires mature data and software development governance within most organizations going forward.

Getting started

Generative AI solutions are evolving quickly and are rapidly becoming a key strategy across the business, including in TPRM. If applications are aligned effectively to business goals and implemented responsibly, generative AI can identify vulnerabilities within vendor strategies and offer potential solutions. As generative AI solutions begin to show their significant potential, quick action is necessary to determine how they benefit your overall third-party approach, address potential risks and ultimately drive increased business success.

Let's Talk!

Call us at 1 855 363 3526 or fill out the form below and we'll contact you to discuss your specific situation.