There is no doubt that third-party cyber-susceptibility is one of the biggest threats companies face today. However, it’s important to recognize, cyber is not the only third-party threat that can result in a significant disruption of services. If cyber-risk is seen in isolation, a significant part of the third-party risk landscape is missed. Companies can elevate their risk management practices by making four improvements to realize the competitive benefits of a strong Third-Party Risk Monitoring (TPRM) program.
Widen the Focus of Third-Party Risks beyond Cyber and Financial
Traditionally, risk leaders were almost entirely focused on financial risks. In recent years, cyber has been added to that focus, but that is still too limited a view. A comprehensive third-party risk framework should go beyond cyber and financial to include several key risk categories.
Governance, regulatory and compliance risks should be added to a comprehensive risk framework. Because of the COVID-19 outbreak, government regulations and work restrictions are changing rapidly. Consider what COVID-related threats may emerge through lawsuits against third parties for failure to adequately protect employees from infection or the breakdown in data privacy due to unsecure work locations.
Solutions maturity risks also need to be monitored, especially with the financial pressures that third parties will be facing through the pandemic. Services and products upon which your company relies may be underfunded or even discontinued. A comprehensive framework should also include client risks, as third parties could experience significant loss of clients as the pandemic is prolonged. Last, people risks are now more important than ever, as the pandemic has a significant effect on employees and continues to present a significant risk to human capital.
Add Location-Based Risks to Your Risk Program
Location-based risks are some of the most disruptive third-party business risks that are not being adequately monitored today. Most businesses don’t monitor these risks at all or simply rely on their third parties to warn them or keep them updated on location-based risks events.
According to the 2020 World Economic Forum Global Risks Report, the top 10 risks include infectious diseases, extreme weather and natural disasters. These are all location-based risks. And as we are experiencing now, infectious disease may well turn out to be the most impactful global business disruption risk in recent history.
It’s important to monitor risks beyond individual third parties to the locations in which they operate to get the full third-party risk picture. A comprehensive location-based risk-monitoring framework should include geo-political, legal, financial, scalability, macro-economic, infrastructure and quality of life risks.
Move beyond Point-in-Time Assessments
In today’s hyperconnected global business environment, annual, quarterly or even monthly assessments don’t cut it. Take, for example, a rapidly developing situation like the COVID-19 outbreak, and imagine making decisions based on point-in-time risk assessments from the end of 2019, before this outbreak was even identified as an international concern. This situation has and continues to develop so rapidly that even month-old risk data is virtually useless for making effective decisions for today’s reality.
Third-party and location-based risks are in constant flux during a pandemic, but even when we aren’t experiencing a global health crisis, today’s business moves very fast. Continuous monitoring isn’t just a current need; it will be a permanent need long after we have the COVID-19 crisis under control. We don’t know where the next catastrophic global business disruption will come from, but when it comes, guaranteed, it will move faster than a periodic assessment can handle.
Know Your Third-Parties’ Cyber-Susceptibility for Proactive Mitigation
The more third parties you have, the more your organization is exposed to the threat of cyberattacks. After all, you’re only as strong as your weakest link—or in this case, your weakest third-party’s cybersecurity.
Fortunately, there are changes companies can make to overcome the shortcomings in traditional approaches to third-party risk management and elevate their TPRM programs. Companies that widen their risk focus beyond cyber and financial to include a broader framework of third-party and location-based risks, move to embrace continuous risk monitoring and are proactive in addressing their third-parties’ cyber-susceptibilities will be more resilient. Because they are better equipped to make informed, efficient and effective risk avoidance and mitigation decisions, they will have a competitive advantage over those that aren’t.