How organizations shift from operational reliance to operational resilience


Third-party relationships are double-edged swords: they can be your most significant force multipliers or your most significant risks. Third-party vendors are ingrained in all aspects of an organization, from accountants who handle payroll to IT outsourcing providers to the software used to keep track of sales leads. Using third-party vendors is almost unavoidable in today’s digital and connected world. Yet, 41% of the organizations that suffered a material incident in 2023 say a third party caused it. Further, high-profile incidents now make global headlines with increasing regularity.

Organizations should evolve their traditional third-party risk management strategies into holistic, data-driven programs to drive resilience now and into the future. By strengthening operational resilience, organizations can elevate third-party management into cross-functional programs that align with greater business objectives while enabling responsible data use throughout the business.

Traditional risk management frameworks provide organizations with the backbone to proactively identify and manage risk and to prioritize prevention, reduction, and risk transfer. However, conventional methods and legacy technologies don’t always offer the flexibility needed for today’s dynamic environment. Often, risk management is compliance-led, ad hoc, and characterized by siloed risk functions. Traditional methods also fall short of addressing non-quantifiable or emerging risks such as AI.

Third-party operational resilience, on the other hand, provides a unified understanding of supplier risk to guide strategic decision-making. As a result, organizations can:
● Ensure supply chain continuity
● Maintain quality control and product safety
● Comply with global regulations and standards
● Protect intellectual property and sensitive information

Third-party operational resilience also enables organizations to address some of the major risk challenges they face today: Suppliers present risks at both the organizational and product levels, regulations focus on operational resilience and sourcing requirements, and teams lack visibility and control over their extended supply chains.

Organizations can balance supplier availability and quality with operational and cyber risk by driving toward operational resilience, meeting cross-risk-domain regulatory frameworks requiring continuous third-party compliance, and identifying and aggregating risk across direct and indirect suppliers at multiple levels. Third-party operational resilience goes beyond managing vendors; it requires holistic relationships across various ecosystems, not just directly with the third party.

How do you measure resilience?
● Risks are managed collectively via a singular workstream
● The business has a shared risk appetite and definitions
● The prioritization of risk aligns with set business objectives
● The risk appetite is always in agreement with business goals and growth plans

For true operational resilience, organizations need to rethink how they set up their vendor programs – starting with realigning who manages the program. Operating models for third-party programs differ heavily based on a company’s size, culture, and organizational structure. Realistically, the program could live with the risk assessment team, the cyber team, the procurement team, and so forth. There is no wrong place for a program to live – so long as each team’s role is communicated so that the entire organization knows who is responsible for vendor management and security.

Once ownership is settled, an organization should determine its risk appetite, in other words, how much risk it is willing to take on. This step includes a thorough review of the third parties currently in use, their importance to business operations, and what data they need to have access to. The latter is especially important: responsible data management requires visibility into how each vendor uses data.

While traditional risk management frameworks recommend sending vendors a questionnaire as the first step, before conducting the internal risk appetite assessment, many organizations are starting to take a “questionnaire last” approach. Using this method, organizations conduct the initial analysis and risk appetite assessment and, from there, develop a questionnaire that encompasses the full view of what the organization has already learned about its risk appetite. With the whole picture, risk teams can implement policies and controls to protect data and reduce risk.

Data is the connective tissue between risk and resilience – if organizations don’t have visibility into all aspects of their data, they cannot identify or mitigate the associated risk. However, visibility into data isn’t enough on its own; organizations should consider how they share that data and insight internally and pull in the right subject matter experts for data-driven decisions and assessing third parties. This requires harmony with infosec, privacy, ethics, and legal teams.

Furthermore, third-party operational resilience balances supplier operational risk and technological risk management, so teams should track risk from the perspectives of sanctions, financial health, anti-bribery, security posture, incident response, and privacy.

Each third-party vendor program will need its own unique approach to ensure operational resilience, but consistency is ultimately key. This means conducting a thorough assessment whenever new vendors are introduced and consistently re-analyzing risk appetite. New technologies, regulations, and processes are constantly being introduced, and checks and balances are needed to ensure that new and incoming risks aren’t overlooked.

With so much riding on this complex ecosystem of digital technologies, industry organizations and governments are taking steps to decrease the risk posed by third parties. Recently, the National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework (CSF 2.0), a voluntary framework aimed at managing third-party risk across sectors.

Even more pressing, the EU passed the Digital Operational Resilience Act (DORA), which goes into effect in January 2025. This regulation aims to enhance operational resilience within financial institutions by setting strict requirements for managing and assessing third and fourth parties and information and communication technologies (ICT).

This regulation will bring about a significant shift, impacting financial entities in the EU and beyond, as well as the third-party service providers within their extended networks. While DORA and other regulations are core drivers of operational resilience across the EU and the U.S., they are just the start of what is necessary to ensure security across business ecosystems. Maturing from compliance-led risk programs to data-driven risk programs is key to realizing operational resilience.

Reliance on third parties is unlikely to shift any time soon, and organizations shouldn’t wait for regulation to mature their programs. Instead, they must be proactive and embrace an operational resilience approach to third-party management, resulting in a better risk posture and better visibility into their data.

As organizations invest heavily in AI and data-driven innovation initiatives, operational resilience is more than a protective measure. Risk teams can design a third-party management program that aligns with larger business objectives to enable responsible data use and accelerate strategic innovation initiatives.