articles

CMBYND supports buyers, vendors and investors in developing and utilising class leading solutions for risk and regulation. This whitepaper, developed specifically for our investor community, is one of a series that focuses on a specific buyer need, leveraging our insights from working across the value chain. More in-depth insights are available through consultation.

Dependency on third parties, either buy or sell-side, presents a complex but necessary risk exposure for any business. Intelligence providers that can offer outside-in perspectives for managing this exposure are primed for strong growth, beyond the 16% CAGR estimated by market analysts.

Building or maintaining a competitive advantage requires accumulation of a broad range of data sources and a flexible platform for bespoke interpretation. Whilst this is already being achieved in pockets, both customers and providers will benefit from market investment and consolidation.

Market overview

For any business, multiple risk exposures arise when entering and maintaining a third-party relationship, including operational, reputational, regulatory, financial and cyber. This suite of risk categories has continued to evolve with respect to inclusion and prioritisation, with ESG being a pertinent and comparatively recent addition.

There is a natural overlap in the activities performed to address these risks – for example, background checks that may be necessary to comply with Anti-Bribery & Corruption regulations are something many organisations would do to manage reputational risk anyway. Hence a risk monitoring service that addresses one risk has scope to address many.

Whilst there is a natural tendency to think of these risks as being supply-chain related, for many businesses, they apply equally to the sell-side. This is particularly true when an intermediary, such as a local distributor, is responsible for sales of a regulated product (such a model being common in both the financial and pharmaceutical sectors, amongst others).

Just as with internal risks, third party risks are dynamic. Anyone responsible for third party risk will typically think of this as a two-stage process – when performing a one-off assessment at the point of onboarding and, if onboarded, on a periodic or continuous basis thereafter. Significantly, the effectiveness of ongoing monitoring will be more effective if it can achieve a continuous, or near-continuous, state.

Key components of risk management

This can be broken down thus:

Process	Data
Procedures for standardising onboarding and monitoring of third parties. Relevant services for supporting this include: Platforms for managing third party information and performing risk assessments. Managed/out-source services for vetting and monitoring third parties.	Information and intelligence to screen and monitor third parties. Relevant services include: Risk ratings: Entity skills typically covering a specific risk (e.g. ESG, financial), utilising a specific methodology and datasets. Raw data: Including financial and alternative data, typically with some cleansing and structuring for end users to incorporate into own rating methodology.

Process

Data

Procedures for standardising onboarding and monitoring of third parties. Relevant services for supporting this include:

Platforms for managing third party information and performing risk assessments.
Managed/out-source services for vetting and monitoring third parties.

Information and intelligence to screen and monitor third parties. Relevant services include:

Risk ratings: Entity skills typically covering a specific risk (e.g. ESG, financial), utilising a specific methodology and datasets.
Raw data: Including financial and alternative data, typically with some cleansing and structuring for end users to incorporate into own rating methodology.

Meeting market requirements

These requirements are a snapshot, with emphasis given to areas where there are variations or shortcomings in current offerings, as identified by our buyer-side engagements (including those specifically concerned with procuring the services addressed in this workpaper) and from our broader research.

Service providers in this space need offerings attuned with the following 4 criteria:

Breadth – Some risk categories are well represented, such as financial risk/credit scores. However, newer or more novel risks may be of greater importance to end buyers. Where established service providers fail to provide insights that really matter, many buyers are reverting to manual self-assessment or other procedures to gain sufficient confidence, accepting the various limitations and additional administration that this approach brings.
Completeness – Buyers who validate risk data services before buying, are being left frustrated by gaps in data offered. When tested, even leading providers often have incomplete data records for third parties that are of critical importance to the buyer.
Timeliness – Near real-time data greatly improves the usefulness of risk monitoring. In an increasingly digital age, this point has seemingly become less of a differentiator between providers. However, competitive advantage can be achieved by moving from secondary (media) to primary source data.
Adaptability – Service providers will typically provide filters and use other techniques to rationalise and remove noise from third party signals. Filtering is subjective – what’s unimportant to one party, matters greatly to another. Limitations in filter flexity has shown to be a key reason for service providers to be de-selected.

Market size

Market valuations are provided with reference to several independent market analyst reports, typically spanning 5-7 years, considering both the specific segment being addressed as well as the broader risk and regulatory market. With respect to this specific sector, we observe a relatively high consistency between analyst predictions:

CAGR predictions for 2022-2027 range from 14.5-17.0% with a mean of 15.9%.
This growth rate is significantly above the risk and regulatory market as a whole - the GRC market (the consolidation of all key risk & reg user cases, including third party risk) is estimated at 8.4%.
Total Addressable Market in 2022 is in region of $5.0bn. Note this spans multiple services, including data, technology and consulting.

CMBYND insights – What are the likely drivers of above average growth that analysts are consistently forecasting for this sector? We consider the following factors to be pertinent:

Breadth of stakeholders: Third party risk is relevant to both buy and sell-side activities as well as joint ventures and acquisitions. Within any business, these risks are normally managed distinctly, by different risk owners with their own budgets.
Regulation: Third party risk data plays a key role in meeting various regulatory needs e.g. complying with regulations for customer onboarding (anti-bribery, anti money laundering etc), necessitate extensive use of third-party data. Meantime, complying with regulations such as GDPR requires looking beyond internal business activities and considering third parties too.
Geopolitics: Business operations can’t change overnight to accommodate the more recent trend in de-globalisation - customer and supply chains now span borders that didn’t exist until recently, or are in markets with greater levels of unrest. Hence, there is greater need for third party monitoring now, than a decade ago, and this trend is set to continue.

Other commercial factors

Beyond market size and growth, this table summarises segment attractors and detractors when compared to other sectors in the risk and regulatory market. This assessment is focused on data services, this representing the more attractive market sub-segment, with a focus on factors that differentiate this sector from its adjacencies.

Attractors	Detractors
Ratings and data services naturally follow a subscription rather than outright model. These services can offered entirely through the cloud. Various channels to market exist beyond direct sales. In particular i) co-sell/sell-through or with third party onboarding and management solutions and ii) sell-through alternative data platforms.	These services are comparatively less sticky than other service provisions in this sector.

Opportunities and challenges for driving service value

The rest of this whitepaper focuses on opportunities for building service provider value. These specifically focus on risk data/intelligence providers rather than technology, as we consider the former to offer greater growth opportunity.

Suggestions are provided both with respect to future proposition development and investment strategies. These are not mutually exclusive.

Proposition development

The proposals outlined below focus on addressing the gaps we identify from assisting risk and compliance professionals who continually seek better ways of managing third party risk.

Aggregate disparate data services – Various providers exist to address specific risk categories – they maintain and grow market share by either focusing on i) a more topical risk (e.g. cyber) and/or ii) by providing more in-depth insights. Amassing and integrating risk-specific services makes sense for both provider and customer.
Shift to primary versus secondary data source – Risk data that utilises secondary source (e.g. adverse media) lacks timeliness and may be incomplete. It provides value in the absence of anything else but, for many risk categories, niche providers now offer primary data sources that are new to market.
Broader utilisation of risk data – The market has evolved in a way whereby different service providers focus on specific customer sectors. These different service providers often use the same data. Hence any one provider is primed to enter new markets.
Greater data access – Businesses routinely seek sales growth and new supplier options in previously untested markets. In many cases, relevant data for these markets is lacking.
Data versus answers – Risk ratings are typically offered with a prescribed methodology that isn’t appropriate for all businesses. Provision of raw data, presented in a way that facilitates bespoke assessment, has broader appeal than standard risk assessments in several markets.

Investment strategies

Platform development	Acquire service providers with different market focus. Aside from addressing a broader range of markets, significant efficiency opportunities will likely exist, with the same data sources being relevant to multiple sectors.	Seek tuck-in opportunities with specialist monitoring capabilities on specific risk categories. In particular, such players are well placed to better serve both ESG and InfoSec risk categories, for which market demand is markedly high.
Revenue growth	Identify possible opportunities for better service leverage. This is a service area where both technology vendors and data aggregators offer key, additional channels to market.
Margin growth	Invest in AI and other technologies to improve the quality, breadth, analysis and timeliness of raw data aggregation and interpretation, whilst also reducing overhead.

Conclusion

Today there are distinct groups of service provider that offer third party risk intelligence, with a focus on specific industry sectors and/or personas. Fundamentally, their customers’ data needs, if not their interpretation, are the same or have significant overlap. Hence this is a market that is ripe for consolidation.

A successful consolidation strategy will efficiently harness a broad, singular dataset but will continue to provide nuance how this data is shaped and provided for different user groups. Indeed, this data shaping is sometimes best left to clients, particularly those in Tier 1 who will wish to perform their own interpretation, while smaller users may prefer ‘answers’ (or ratings) to data.

Until recently, many data providers have required large teams to mine, manage and interpret data. Amongst this cohort, many are now well progressed with using technology to both improve operational efficiency and customer insights. This development pathway has no obvious end though. In fact, technology advances are only extending it. Hence targeted investment not only provides scope for better customer services but is also a necessity for staying relevant and competitive.

For more information and in-depth insights, please contact us.