Deloitte’s 2023 Third-Party Risk Management Survey: Key Insights into Headwinds and ESG Focal Areas

As organizations’ dependence on third parties continues to grow, third-party risk management (TPRM) is becoming ever-more complex and important. Companies must navigate regulatory trends and requirements, data security and privacy concerns, and other operational and reputational risks when managing relationships with external vendors, suppliers, and other partners.

To help uncover and promote best practices – and enable organizations to identify trends and benchmark TPRM progress – Deloitte has published its global third-party risk management survey. Now in its eighth consecutive year, the report contains actionable insights from more than 1,300 TPRM leaders across 40 countries.

The full report, available on and titled “Navigating the headwinds: Enhancing agility to regain momentum,” highlights the many ways leaders can enhance third-party relationships to reduce risk and ultimately bolster organizational resilience. Key findings are spotlighted below:

Navigating the headwinds

The TPRM journey isn’t always a “breeze”; headwinds – in the form of growing uncertainties and challenges in the macro-economic and business environment – often converge to impact TPRM practices and relationships. Organizations face the need to both identify and understand these challenges, so they can better manage their supply chain and other external relationships.

In this latest survey, TPRM leaders highlighted the top headwinds affecting their third-party relationships today, including:

  • Geopolitical challenges – cited by 61% of TPRM leaders as a top headwind.
  • Inflationary trends – cited by 46% of TPRM leaders.
  • Increasing environmental, social, and governance (ESG) pressure – cited by 40% of TPRM leaders.
  • Logistic disruptions – cited by 39% of TPRM leaders.
  • Labor-market shortages – cited by 34% of TPRM leaders.

In spite of strong headwinds, there was a pervasive optimism and sunny outlook among survey respondents when asked about their sentiment around managing third-party relationships going forward. One in three TPRM leaders (32%) describe themselves as “optimistic,” with 83% having either an “optimistic” or “neutral” outlook.

This positive outlook was even more pronounced in those organizations that continue to invest in TPRM capabilities. Ongoing investments in – and attention to – the people, processes, and technologies related to TPRM can help organizations better navigate the growing complexities and “ripple effects” of interrelated and emerging risks.

TPRM leaders also outlined the following areas of priority when it comes to addressing the challenges of TPRM today:

  • Time for a refresh: 63% of TPRM leaders would like to prioritize revisiting and refreshing their organization’s TPRM methodology. This need was the greatest in the government and public services sector (78%).
  • TPRM needs a champion: 48% expressed the need to strengthen the role of executive leadership in managing and governing third-party relationships. In the energy, resources, and industrials industry, this sentiment was the strongest (53%).
  • Increasing aptitudes: 47% would like to prioritize improving skills and talent related to TPRM. There was the greatest need for this in government and public services (56%).
  • Let’s talk tech: 45% stated that continued investment in technology, automation, and data for TPRM is important. Financial services organizations felt this most keenly (53%).

The pivotal role of third parties in managing sustainability commitments

A combination of regulatory pressure, emerging legislation, executive attention, and customer and stakeholder expectations has put a spotlight on ESG. Indeed, Deloitte’s last three TPRM surveys have reflected the increasing emphasis from boards and the C-suite on social purpose as an integral element of integrated business strategies. The extended enterprise, with myriad third-party and subcontractor relationships, helps fulfill this mission.

And organizations are laying the groundwork for progress: In fact, nearly 6 in 10 TPRM leaders (56%) believe their organizational culture has become much more supportive in understanding and managing ESG risks and opportunities in their third-party ecosystem.

The top 3 ESG focal areas for organizations, in ensuring their third parties behave sustainably and responsibly, are:

  • Corporate ethics and responsible behaviors – 69% 
  • Environment – 51%
  • Labor risks – 50%

These focal areas largely align with the priorities TPRM leaders identified in Deloitte’s last (2022) survey. However, product liability – identified as an ESG focal area by 59% of TPRM leaders in 2022 – dropped to 37% in 2023.

What’s more, data is key in understanding and evaluating ESG risks within third-party ecosystems. Survey results show that 1 in 4 TPRM leaders (25%) use quantitative scoring methods to assess such risks and supplement them with expert input and ESG tools: up from 18% in 2022.

But take heed of the common saying, “garbage in, garbage out.” Nearly one-third of respondents say the quality of external ESG data (such as from third parties and external agencies) is “low” or “very low”; a similar percentage felt the same about internally generated data. This highlights the need for better traceability, transparency, and data tracking across the supply chain, so that accurate, actionable, and complete insights can drive sound decision-making.

Additional advice, best practices, and considerations borne out of the survey data include:

  • The time to act is now. Executives and board members accountable for TPRM face the need to advance ESG initiatives well in advance of legislative and regulatory deadlines. By focusing on more emerging risk areas within ESG, such as those covered by evolving regulations, organizations can become more future-ready and resilient.
  • Digging deeper. More mature organizations are making investments to reduce and mitigate ESG risks not just from outside parties contracted directly, but from subcontractors as well.
  • Playing the long game. The frenetic pace of change today often impels businesses to react to many different events and pressures all at once. As Deloitte’s report notes, “Organizations find themselves stuck in an endless game of whack-a-mole, as they scramble to strike down whatever demand pops up first and forget about it as soon as a new one emerges.” Rather than take a reactive-only posture, which often results in organizations backtracking on ESG commitments, they can also adopt a long-term and strategic approach to balance sustainability and resilience.
  • Make strategic tech investments. Technologies that improve the availability, accessibility, and timeliness of ESG data from internal and external sources will help drive better-informed action. At a fundamental level, organizations also require a better understanding of the ESG data they need and how to best obtain it from various sources.

Powering organizational performance

There’s no single or static model for what TPRM excellence looks like. While the optimal state of TPRM is typically a moving target at organizations – not to mention, often unique to each business, and reflective of its risk appetite – the consequences of falling behind are amplified in complex and volatile environments. So, for forward-looking organizations, understanding and addressing the headwinds and priorities shaping TPRM are strategic priorities.

The survey also makes clear TPRM’s abundant potential in powering organizational performance. What’s more, organizations with more mature TPRM functions find themselves better able to navigate challenging and changing environments – responding adeptly and with agility. By enhancing trust and transparency in their extended enterprise, organizations can be more sustainable and resilient today, and ready to take on the challenges and imperatives of tomorrow.