Third-party risk management (TPRM) has been on the minds of leadership and executives for many years but has garnered even more attention due to the rapidly increasing frequency of systemic disruptions as well as the cascading impacts that accompany them. Organizations have become reliant on an interdependent network of services, in a global third-party ecosystem, to enable their end-to-end operations. It’s clear that the way in which organizations engage with third parties and rely on their vendor ecosystem for operational success has fundamentally changed – and that has created both new and emerging enterprise-wide risks.  

A 2022 survey conducted by Deloitte found that 73% of global respondents reported a high level of dependency on third parties. That figure is expected to increase to 88% in the coming years, and dependence on financial services providers was listed as a top concern as well. And yet, according to Deloitte, only one out of three respondents indicated that they use technology solutions to better understand the ecosystem of material third-party relationships, including where they operate.

New regulations such as the EU’s Digital Operational Resilience Act (DORA) are highlighting TPRM as fundamental to managing operational risk, even though third-party risk has not always been treated as a distinct risk category within long-standing operational risk programs. Global digital transformation has created a vendor ecosystem that has become more complex, vulnerable, and interconnected. The evolution and criticality of third parties require a different approach to risk identification, monitoring, and preparedness. So, how can organizations effectively evolve their third-party risk management strategy, programs, and approach to deal with the complexity of a global third-party ecosystem?

To begin, every organization should carefully evaluate their TPRM program and work to implement best practices. Here are a few core best practices to drive efficiency, cost-effectiveness, and business value:

  1. Create a holistic view across departments to drive better collaboration, coordination, and integration when managing third-party risks. Interdepartmental coordination is essential to ensure that there is a consistent awareness and understanding of cross-functional risk impact, including having an informed perspective of how third parties are supporting critical operations. Equally important is data sharing and connecting third-party risk intelligence to your organization’s core operational ecosystem (e.g., dependent processes, IT assets, people, etc.). Cross-functional teams can then make more informed decisions about how third-party product/service providers support their functional areas, which will enable them to manage disruptions with a business-focused lens.
  2. Shift from reactive to proactive vendor data collection to avoid future disruptions. Reliance on static surveys and reactive intel puts an organization in constant jeopardy, and managing a crisis or business disruption without a proactive plan only aggravates the situation. To start, every organization must thoroughly understand which third parties play a significant role in their critical functions and then rank these third parties according to their importance to the enterprise and the level of risk involved. New technological innovations exist to analyze risks and mitigate issues before they arise, including data brokers that continuously provide near real-time insights on how third parties may be exposed or how core elements of their risk profile have shifted. Organizations should leverage this type of technology to automate key aspects of the risk analysis process.
  3. Leverage real-time risk monitoring and intelligence to move beyond point-in-time data. This can be virtually impossible, however, for organizations that still rely on spreadsheets and manual processes for TPRM. Real-time assessments are essential to understanding how third parties govern their security practices and data privacy. Accurate and up-to-date assessments of cybersecurity threats and business risk intelligence are critical to maintaining a robust TPRM program. Having risk intelligence from multiple data sources instantaneously at hand enables an organization to recognize, mitigate, and manage risks before they cause significant harm. When coupled with a holistic view across departments, real-time vendor alert mechanisms can quickly inform not just TPRM practitioners, but every dependent operational stakeholder down the line.

Do You Understand How Risk Cascades Across Your Operational Ecosystem?

Evaluating your internal TPRM processes is only the first step to unlocking robust operational resilience. Your TPRM program should be able to proactively monitor strategic vendors and partners as well as detect early signals of trouble across the ecosystem, allowing your organization to take the proper steps to mitigate risk, reduce friction, and deliver quality experiences for your customers.

But before an organization can deploy an integrated TPRM program, it must perform due diligence on its extensive third-party network. This includes evaluating each vendor’s criticality, determining how prepared it is to carry out its assigned roles/tasks, and continuously tracking performance – not just working with static documents. It also means clearly tracking vendors as they come and go through automated renewal and termination notices to ensure that third parties are offboarded appropriately.

Understanding your ecosystem risk, tracking all types of third-party issues and exceptions, and knowing which third parties may impact your organization’s core products and services can significantly reduce operational risk and help avoid future disruptions.

Everyone Must Act as a Risk Manager

Traditionally siloed teams and processes can reduce visibility into potential disruptions and increase risk exposure. To achieve true operational resilience and an integrated third-party risk management program, the entire organization must be engaged – not just the third-party risk team. TPRM practitioners must continue to be experts in their ability to “look out the window” and mitigate risks outside of their organization’s four walls, but true resilience can only be achieved once vendors are approached as if they live within your four walls. If your organization can foster this wider culture of resilience and TPRM, it will be well positioned to properly focus its resources, anticipate risks, and weather future business disruptions.

Alex Toews

Alex Toews is a director, risk products at Fusion Risk Management. With extensive experience working across different industry verticals, Toews’ professional experience has included driving methodology and program framework creation for many risk-based competencies such as enterprise risk, operational risk, vendor risk, compliance, internal audit, corporate governance, regulatory requirements/expectations, and program/project management.
