CMBYND supports buyers, vendors and investors in developing and utilising class leading solutions for risk and regulation. This whitepaper, developed specifically for our investor community, is one of a series that focuses on a specific buyer need, leveraging our insights from working across the value chain. More in-depth insights are available through consultation.

Dependency on third parties, either buy or sell-side, presents a complex but necessary risk exposure for any business. Intelligence providers that can offer outside-in perspectives for managing this exposure are primed for strong growth, beyond the 16% CAGR estimated by market analysts.

Building or maintaining a competitive advantage requires accumulation of a broad range of data sources and a flexible platform for bespoke interpretation. Whilst this is already being achieved in pockets, both customers and providers will benefit from market investment and consolidation.

Market overview

For any business, multiple risk exposures arise when entering and maintaining a third-party relationship, including operational, reputational, regulatory, financial and cyber. This suite of risk categories has continued to evolve with respect to inclusion and prioritisation, with ESG being a pertinent and comparatively recent addition.

There is a natural overlap in the activities performed to address these risks – for example, background checks that may be necessary to comply with Anti-Bribery & Corruption regulations are something many organisations would do to manage reputational risk anyway. Hence a risk monitoring service that addresses one risk has scope to address many.

Whilst there is a natural tendency to think of these risks as being supply-chain related, for many businesses, they apply equally to the sell-side. This is particularly true when an intermediary, such as a local distributor, is responsible for sales of a regulated product (such a model being common in both the financial and pharmaceutical sectors, amongst others).

Just as with internal risks, third party risks are dynamic. Anyone responsible for third party risk will typically think of this as a two-stage process: a one-off assessment at the point of onboarding and, if onboarded, monitoring on a periodic or continuous basis thereafter. Significantly, ongoing monitoring will be more effective if it can achieve a continuous, or near-continuous, state.

Key components of risk management

This can be broken down thus:

Process

Procedures for standardising onboarding and monitoring of third parties. Relevant services for supporting this include:

  • Platforms for managing third party information and performing risk assessments.
  • Managed/outsourced services for vetting and monitoring third parties.

Data

Information and intelligence to screen and monitor third parties. Relevant services include:

  • Risk ratings: Entity scores typically covering a specific risk (e.g. ESG, financial), utilising a specific methodology and datasets.
  • Raw data: Including financial and alternative data, typically with some cleansing and structuring for end users to incorporate into their own rating methodology.

Meeting market requirements

These requirements are a snapshot, with emphasis given to areas where there are variations or shortcomings in current offerings, as identified by our buyer-side engagements (including those specifically concerned with procuring the services addressed in this whitepaper) and from our broader research.

Service providers in this space need offerings attuned to the following 4 criteria:

Market size

Market valuations are provided with reference to several independent market analyst reports, typically spanning 5-7 years, considering both the specific segment being addressed as well as the broader risk and regulatory market. With respect to this specific sector, we observe a relatively high consistency between analyst predictions:

CMBYND insights – What are the likely drivers of above average growth that analysts are consistently forecasting for this sector? We consider the following factors to be pertinent:

Other commercial factors

Beyond market size and growth, this table summarises segment attractors and detractors when compared to other sectors in the risk and regulatory market. The assessment focuses on data services, which represent the more attractive market sub-segment, and on factors that differentiate this sector from its adjacencies.

Attractors

  • Ratings and data services naturally follow a subscription rather than outright model.
  • These services can be offered entirely through the cloud.
  • Various channels to market exist beyond direct sales. In particular i) co-sell or sell-through with third party onboarding and management solutions and ii) sell-through alternative data platforms.

Detractors

  • These services are comparatively less sticky than other service provisions in this sector.

Opportunities and challenges for driving service value

The rest of this whitepaper focuses on opportunities for building service provider value. These specifically focus on risk data/intelligence providers rather than technology, as we consider the former to offer greater growth opportunity.

Suggestions are provided both with respect to future proposition development and investment strategies. These are not mutually exclusive.

Proposition development

The proposals outlined below focus on addressing the gaps we identify from assisting risk and compliance professionals who continually seek better ways of managing third party risk.

  1. Aggregate disparate data services – Various providers exist to address specific risk categories – they maintain and grow market share by either focusing on i) a more topical risk (e.g. cyber) and/or ii) by providing more in-depth insights. Amassing and integrating risk-specific services makes sense for both provider and customer.
  2. Shift to primary versus secondary data source – Risk data that utilises secondary sources (e.g. adverse media) lacks timeliness and may be incomplete. It provides value in the absence of anything else but, for many risk categories, niche providers now offer primary data sources that are new to market.
  3. Broader utilisation of risk data – The market has evolved in a way whereby different service providers focus on specific customer sectors. These different service providers often use the same data. Hence any one provider is primed to enter new markets.
  4. Greater data access – Businesses routinely seek sales growth and new supplier options in previously untested markets. In many cases, relevant data for these markets is lacking.
  5. Data versus answers – Risk ratings are typically offered with a prescribed methodology that isn’t appropriate for all businesses. Provision of raw data, presented in a way that facilitates bespoke assessment, has broader appeal than standard risk assessments in several markets.

Investment strategies

  • Platform development – Acquire service providers with different market focus. Aside from addressing a broader range of markets, significant efficiency opportunities will likely exist, with the same data sources being relevant to multiple sectors. Seek tuck-in opportunities with specialist monitoring capabilities on specific risk categories. In particular, such players are well placed to better serve both ESG and InfoSec risk categories, for which market demand is markedly high.
  • Revenue growth – Identify possible opportunities for better service leverage. This is a service area where both technology vendors and data aggregators offer key, additional channels to market.
  • Margin growth – Invest in AI and other technologies to improve the quality, breadth, analysis and timeliness of raw data aggregation and interpretation, whilst also reducing overhead.


Today there are distinct groups of service provider that offer third party risk intelligence, with a focus on specific industry sectors and/or personas. Fundamentally, their customers’ data needs, if not their interpretation, are the same or have significant overlap. Hence this is a market that is ripe for consolidation.

A successful consolidation strategy will efficiently harness a broad, singular dataset but will continue to provide nuance in how this data is shaped and provided for different user groups. Indeed, this data shaping is sometimes best left to clients, particularly those in Tier 1 who will wish to perform their own interpretation, while smaller users may prefer ‘answers’ (or ratings) to data.

Until recently, many data providers have required large teams to mine, manage and interpret data. Amongst this cohort, many are now well progressed with using technology to improve both operational efficiency and customer insights. This development pathway has no obvious end though. In fact, technology advances are only extending it. Hence targeted investment not only provides scope for better customer services but is also a necessity for staying relevant and competitive.

For more information and in-depth insights, please contact us.

© CMBYND Inc. All rights reserved.