As you watch events unfold around the world as governments seek to diagnose and contain the coronavirus, you probably are also considering how prepared you are in case it becomes a true pandemic. As the virus appears to have originated in China, and with many global organizations sourcing a portion of their supply chains from there, it’s natural to also begin considering how concentration risk plays into your broader risk management and incident response plan. In this blog I will define concentration risk and discuss a proactive incident response awareness process meant to ensure stability and resiliency during periods of interruption.
Originating in the banking industry and adapted for use across multiple sectors, concentration risk describes the level of risk in an organization’s supply chain due to concentration in a single industry, geography or partner. The risk comes from a lack of diversification in the vendor portfolio.
An incident response plan consists of a pre-made list of actions to take, tasks to be completed and individuals to contact in sequence when there is a potentially business-impacting incident or event (for example a natural disaster that impacts a data center, or a DDoS attack cripples a website). There are myriad examples of incident response plans available via a simple Google search; I recommend you examine your existing incident response plan and compare it to other industry examples and best practices and conduct third-party related incident response scenario tests.
Resiliency is defined as “the capacity to recover quickly from difficulties.” Emphasis on quickly. With regard to your supply chain, resiliency is the ability for your organization to rapidly adjust to circumstances with limited negative, downstream effects (for example, shifting production to back-up or secondary data centers or facilities). Resiliency should be a driver behind your incident response plan.
Specific to risks from third-parties, a proactive incident response plan includes five (5) steps:
Incident response plan maturity can be categorized in one of the following three levels:
Level 1 – Manual
In a level 1 mature incident response plan:
With so much manual work you can quickly see the gaps in such a process; we know that with manual work comes errors, and with errors come risks – risks of missing important elements that can help diagnose and resolve an incident.
Level 2 – Automation with human interaction
In a level 2 mature incident response plan:
A level 2 mature incident response plan begins to address the manual work inherent in a level 1 plan through centralization into a specific system bounded by some processes.
Level 3 – Data-driven model
A level 3 mature incident response plan contains the following characteristics:
Prevalent can help organizations measure their third parties’ incident response program effectiveness through assessments geared toward revealing their maturity level, as well as reviewing the internal compensating controls in place – through standard assessments – to prevent incidents from quickly getting out of control. This level of visibility is universally shared between you and your third parties for complete transparency. Augmenting these assessments is a cyber and business monitoring service that combines technology, data analytics, and analyst insights to evaluate business risk such as news events and the public relations response to incidents.
As well, the Prevalent platform features an industry-unique relationship mapping capability that identifies relationships between your organization and third parties to discover dependencies and visualize information paths so you can audit the failover and resilience plans of your organization, thereby limiting the effects of concentration risk.
Taken together, these solutions provide a solid foundation for understanding the scope of your concentration risk, and you and your vendors’ incident response plans so that you can ensure resilience and agility.
Ready to take the next step?
Contact Prevalent today for a free, one-hour maturity assessment where we will determine areas where your current practices could improve to reduce risk.
2025 promises to be a consequential year for third-party risk management. Read our top TPRM predictions...
12/12/2024
Learn how a third-party risk management (TPRM) policy can protect your organization from vendor-related risks.
11/08/2024
Follow these 7 steps for more secure and efficient offboarding when third-party relationships are terminated.
10/17/2024