How organizations shift from operational reliance to operational resilience

Building a Third-Party Program that Fosters Resilience
How do you measure resilience?
- Risks are managed collectively via a singular workstream
- The business has a shared risk appetite and definitions
- The prioritization of risk aligns with set business objectives
- The risk appetite is always in agreement with business goals and growth plans
For true operational resilience, organizations need to rethink how they set up their vendor programs – starting with realigning who manages the program. Operating models for third-party programs differ heavily based on a company’s size, culture, and organizational structure. Realistically, the program could live with the risk assessment team, the cyber team, the procurement team, and so forth. There is no wrong place for a program to live – so long as each team’s role is communicated so that the entire organization knows who is responsible for vendor management and security.
Once ownership is settled, an organization should determine its risk appetite—in other words, how much risk it is willing to take on. This step includes a thorough review of third parties currently in use, their importance to business operations, and what data they need to have access to. The latter is especially essential—responsible data management requires visibility into how each vendor uses data.
While traditional risk management frameworks recommend sending vendors a questionnaire as the first step, before conducting the internal risk appetite assessment, many organizations are starting to take a “questionnaire last” approach. Using this method, organizations conduct the initial analysis and risk appetite assessment first and, from there, develop a questionnaire that reflects the full view of what the organization has already learned about its risk appetite. With the whole picture, risk teams can implement policies and controls to protect data and reduce risk.
Data is the connective tissue between risk and resilience – if organizations don’t have visibility into all aspects of their data, they cannot identify or mitigate the associated risk. However, visibility into data isn’t enough on its own; organizations should consider how they share that data and insight internally and pull in the right subject matter experts for data-driven decisions and assessing third parties. This requires harmony with infosec, privacy, ethics, and legal teams.
Furthermore, third-party operational resilience balances supplier operational risk and technological risk management, so teams should track risk from the perspectives of sanctions, financial health, anti-bribery, security posture, incident response, and privacy.
Each third-party vendor program will need its own approach to ensure operational resilience, but consistency is ultimately key. This means conducting a thorough assessment whenever a new vendor is introduced and regularly re-analyzing risk appetite. New technologies, regulations, and processes are constantly being introduced, and checks and balances are needed to ensure that new and incoming risks aren’t overlooked.