Although there is currently no consensus on whether the economy is slipping into a recession, many central banks and policymakers are recommending that governments and organizations around the world take proactive steps to prepare for one, such as anticipating wage-related labor constraints and expanding their supplier bases.
Economic instability isn’t a new phenomenon, however. In the last two years the global economy went from boom to short-term COVID shock, and it remains unsettled by constant supplier disruptions and the tightest labor market in decades. This turmoil emphasizes the need for organizations to focus on business resilience – and, for the third-party risk management professional, this means ensuring supplier resilience.
In the face of so much economic uncertainty, how can security, risk management and procurement teams ensure their organizations maintain their focus on third-party risk and resilience? Here are three recommendations:
If your organization is facing challenges brought on by wage pressures, labor shortages, or employee turnover and burnout, then consider offloading some lower-level TPRM activities to a domain expert. Third-party risk management managed services can perform tasks on your teams’ behalf, including:
Outsourcing the day-to-day tasks of managing a third-party relationship will free your team to focus on high-value tasks, like managing risks instead of updating vendor contact lists. In turn, this will make your organization more resilient against vendor and supplier disruptions.
Studies show that shifting the day-to-day work of supplier management to a managed services provider results in time savings, efficiency improvements, and faster discovery and mitigation of risks. With outsourced managed services, TPRM teams can instead focus on:
Vendor risk management professionals understand that one-and-done third-party assessment approaches fail to capture all supplier risks in a timely fashion. Although point-in-time assessments are essential for capturing internal controls data, a continuous approach to monitoring for changes to a vendor’s cyber posture, business events, financial position, and reputation is required for additional context and to fill gaps between those point-in-time assessments.
Yet, organizations often address this problem with an expensive, disjointed mishmash of tools that can’t be integrated or deliver context for assessment results. If your organization is going into 2023 with flat or decreased budgets, consider a continuous third-party risk monitoring strategy that:
A consolidated monitoring approach yields much better economies of scale, improves efficiency, and reduces coverage gaps.
Third-party risk assessments can be taxing and expensive if you are using manual methods such as spreadsheets. Automation can help, but how do you quantify how much risk can be reduced by automating the assessment process? Consider calculating the value of risk that can be eliminated from the business by automating risk assessments. Here’s an example:
| | Without Automation | With Automation |
|---|---|---|
| Step 1: Number of higher-risk or critical vendors | 500 | 500 |
| Step 2: Average cost of a third-party data breach | $4,590,000 | $3,000,000 |
| Step 3: Inherent likelihood of a breach in the next two years | 30% | 15% |
| Step 4: Risk exposure (average cost × likelihood) | $1,377,000 | $450,000 |
| Step 5: Risk exposure per vendor (exposure ÷ number of high-risk or critical vendors) | $2,754 | $900 |
| Step 6: Value of assessment (risk reduction per vendor: $2,754 − $900) | $1,854 | |

In this example, automating assessments removes $1,854 of modeled data breach exposure for each third party assessed. Multiplied across 500 critical vendors, that is $927,000, almost $1 million, of potential risk reduced.
The bottom line is that a robust, automated third-party risk assessment process can reduce the cost, impact and likelihood of a breach.
Note: This model applies only to cyber breaches. Automating third-party assessments can also head off costs from operational disruptions, but those numbers can vary greatly across different scenarios.
Given the ever-increasing number of third-party data breaches and supplier disruptions, your organization can’t afford to let economic conditions distract it from ensuring supplier resilience. Download the Value of a Third-Party Risk Assessment Calculator, assess your suppliers against business resilience requirements, or contact us today for a demo to learn how we can help you reduce risk assessment costs with consolidation and managed services expertise.