A New Model for Managing Third-party Risk
Written by John Bree
In my role as Chief Evangelist, I connect often with risk leaders from banking, financial services, insurance, life sciences, manufacturing, and technology to get insight into what’s currently top of mind for them, the pain points they are experiencing, and how they are approaching the need to modernize their risk management practices.
Unfortunately, most enterprises are still following a siloed approach with assessments of a few risks. Data collected during point-in-time assessments quickly goes stale and fails to present a current view of risk. A narrow focus – typically on financial and cyber risks – fails to present a comprehensive view of the entire risk landscape. Finally, a siloed approach fails to provide an enterprise-wide view of risk. All three combined leave enterprises unable to effectively prevent third-party disruptions, which jeopardizes their continuity and operational resilience.
During my conversations with risk leaders, they often echo my sentiments about the challenges they face with the increasingly dynamic risk landscape, the shortcomings of periodic assessments, and how the siloed approach hinders their mitigation efforts. But they’ve also shared the pain point that while their internal staffing resources are limited, the sheer volume of risk data and findings is increasing beyond their teams’ ability to process it.
Faced with these challenges, CROs are actively and urgently exploring new strategies, approaches, and technologies to mitigate third-party risk to ensure continuity and resiliency.
To move beyond the shortcomings of legacy third-party risk management (TPRM) practices, I believe a new model must address the two following tenets:
- Today a single vulnerability can cascade into a waterfall of risk events with exponential impact
- Early warning and continuous access to current risk intelligence are critical for proactively addressing disruption risks
Leading CROs are looking to modernize their approach by accelerating the adoption of full-spectrum continuous monitoring with real-time risk intelligence. Here’s why. Firstly, full-spectrum coverage brings any leading indicators to their risk team’s immediate attention, enabling focus on today’s most critical risks. Real-time intelligence provides the early warning they need to power effective, proactive risk mitigation actions that can stop a cascading risk scenario. Secondly, integration of continuous, full-spectrum risk intelligence into the existing third-party risk/GRC architecture will deliver the continuous 360° situational awareness they seek to enable enterprise resilience.
The good news is that a powerful technology stack combining RPA, ML, and AI with data science is now available for CROs to leverage when building a new model for managing third-party risk. A modern third-party risk model can leverage these technologies for the real-time intelligence, predictive analytics, and forecasting that risk teams need to overcome the challenges of legacy practices and thrive in today’s environment. Data science, automation, and AI can be critical components for detecting, confirming, and predicting risk events continuously and accurately. Thus, technology can enable CROs and their teams to move faster, do more with less, prioritize, and act proactively and confidently to avoid disruptions and ensure continuity and operational resilience.