In today’s interconnected and digital landscape, organizations are increasingly dependent on third-party vendors for their operations. These vendors range from accountants managing payroll to IT outsourcing providers and software tools for tracking sales leads. Though integrating third-party vendors is almost inevitable, it comes with its own set of risks. In 2023, 41% of organizations that experienced a material incident attributed it to a third party. High-profile incidents making global headlines highlight the pressing need to evolve traditional third-party risk management strategies into holistic, data-driven programs to bolster operational resilience now and into the future.
The Concept of Third-Party Operational Resilience
Traditional risk management frameworks offer organizations a foundation to proactively identify, manage, and prioritize risk prevention, reduction, and transfer. However, these conventional methods and outdated technologies lack the flexibility required for today’s dynamic environment. Traditional risk management is often compliance-led, ad hoc, and characterized by siloed functions, failing to address non-quantifiable or emerging risks such as those posed by AI.
Third-party operational resilience, in contrast, provides a unified understanding of supplier risk, guiding strategic decision-making. This unified approach helps organizations ensure supply chain continuity, maintain quality control and product safety, comply with global regulations and standards, and protect intellectual property and sensitive information.
Third-party operational resilience enables organizations to tackle major risk challenges, such as supplier risks at both the organizational and product levels, regulatory focus on operational resilience and sourcing requirements, and visibility and control over extended supply chains. By striving for operational resilience, organizations can balance supplier availability and quality against operational and cybersecurity risks. Two tasks remain imperative: aligning with cross-risk-domain regulatory frameworks that require continuous third-party compliance, and identifying and aggregating risk across direct and indirect suppliers at multiple tiers.
Building a Resilient Third-Party Program
To foster true operational resilience, organizations need to rethink how they set up their vendor programs, starting with realigning responsibility for managing the program. The operating model for third-party programs varies based on the company’s size, culture, and organizational structure. Whether the program resides within the risk assessment team, cyber team, procurement team, or another department, clear communication of each team’s role is crucial for the entire organization to understand who is responsible for vendor management and security.
Once ownership is established, organizations should determine their risk appetite. This involves assessing the extent of risk they are willing to accept, reviewing the significance of current third-party relationships, and understanding the data vendors need access to. Responsible data management necessitates visibility into how each vendor uses data.
Contrary to traditional risk management recommendations, which suggest starting with a questionnaire before conducting an internal risk appetite assessment, many organizations now adopt a “questionnaire last” approach. This method entails conducting initial analyses and risk assessments first, then developing a questionnaire based on the comprehensive view of the organization’s risk appetite. With a full picture, risk teams can implement protective policies and controls to reduce risk.
Data as a Crucial Component
Data is the connective tissue linking risk and resilience. Without comprehensive visibility into their data, organizations cannot identify or mitigate associated risks. However, it is insufficient to only have data visibility; organizations need to strategically share data and insights internally and involve the right subject matter experts for data-driven decisions and third-party assessments. This integration demands collaboration with information security, privacy, ethics, and legal teams.
Third-party operational resilience also balances the management of supplier operational risk with that of technology risk. Risk should be tracked from several perspectives, including sanctions, financial health, anti-bribery measures, security posture, incident response, and privacy. Tracking all of these allows organizations to gauge the overall health and reliability of their suppliers, thereby enhancing their resilience.
Implementing Consistent Evaluations
Each third-party vendor program must devise a unique approach to ensure operational resilience, with consistency being a key factor. This consistent approach involves comprehensive assessments when introducing new vendors and continuously reevaluating risk appetite. Due to constant advancements in technologies, regulations, or processes, checks and balances are necessary to ensure new and emerging risks are not overlooked.
Establishing a structured and ongoing evaluation process can significantly improve the ability to manage and mitigate risks effectively. By adopting best practices for regular vendor assessments, promoting adherence to evolving standards, and incorporating new risk factors into evaluations, organizations can maintain high standards of operational resilience. Continuous monitoring and reassessment empower organizations to stay ahead of potential vulnerabilities and safeguard their operational stability.
Regulatory Impact on Operational Resilience
With the increasing complexity of, and reliance on, digital technologies, industry organizations and governments are taking steps to mitigate third-party risks. A notable initiative is the National Institute of Standards and Technology 2.0 (NIST 2.0) standard, a voluntary framework for managing third-party risk across sectors. NIST 2.0 offers comprehensive guidelines to help organizations strengthen their resilience and align their risk management strategies with industry best practices.
In the EU, the Digital Operational Resilience Act (DORA), effective from January 2025, sets stringent requirements for financial institutions to manage and assess third-party services, including information and communication technologies (ICT). This regulation aims to significantly enhance operational resilience within financial entities and their extended networks. While regulations like DORA are crucial in driving operational resilience, they mark the beginning of efforts to secure business ecosystems. To further operational resilience, organizations must mature from compliance-led risk programs to data-driven risk programs.
Strengthening Resilience for Innovation
Reliance on third parties is unlikely to diminish. Organizations should be proactive, embracing an operational resilience approach to third-party management, leading to better risk postures and enhanced data visibility. Investing in AI and data-driven initiatives positions operational resilience not only as a protective measure but also as a catalyst for innovation. By effectively managing third-party risks, organizations can create a stable environment that fosters growth and supports strategic innovation initiatives.
Advancements in technology and data analytics provide new opportunities to enhance operational resilience. Risk teams can design third-party management programs aligning with broader business objectives, facilitating responsible data use, and accelerating innovation. By leveraging cutting-edge technologies, organizations can gain deeper insights into their operations, proactively identify potential risks, and implement agile responses to mitigate emerging threats.
Conclusion
In today’s interconnected and digital world, businesses are increasingly reliant on third-party vendors to manage various aspects of their operations. These vendors cover a wide range of services, from accountants handling payroll to IT outsourcing providers and software tools that track sales leads. While the integration of third-party vendors is often essential, it also introduces unique risks. For instance, in 2023, 41% of organizations that suffered a significant incident attributed it to a third party. High-profile incidents receiving global attention underscore the critical need to transition traditional third-party risk management strategies into comprehensive, data-driven programs. Doing so will enhance operational resilience both now and in the future. Adapting to these evolutions ensures that organizations can effectively mitigate potential vulnerabilities and maintain the integrity of their operations in an increasingly complex and interconnected digital landscape.