Nobody expects a vendor breach until it happens, and when it does, the fallout is rarely contained to the vendor alone. If you want to stop vendor incidents turning into boardroom crises, treat third-party risk as a resilience problem, not a checkbox.
Below we offer three practical, high-impact ways to build resilience into your third-party program – and keep your business running when others panic.
1. Design alternative processing pathways (don’t rely on one route).
Identify the processes that absolutely must keep running (payments, authenticated communications, trade confirmations, etc.) and map multiple ways to achieve the same outcome.
- Key question – if Vendor A is unavailable, how do we still authenticate a CEO voice call, confirm a transfer, or validate a sensitive email?
- Build redundancy via alternative tech stacks, backup providers, or manual fallback procedures.
- Test the handovers – run tabletop exercises that force people to use the backups under stress.
Takeaway: Redundancy isn’t just about hardware; it is the full set of tools and levers that let your business meet its critical objectives if a supplier fails.
2. Negotiate vendor-specific response plans, not generic playbooks.
A “runbook” is useful, but it is rarely enough. For critical vendors, agree a joint, detailed response plan that spells out roles, checklists, outage triggers and recovery service-level agreements (SLAs).
- Example: A network provider playbook that pre-agrees traffic rerouting, escalation contacts, and a safe mode for critical apps.
- Make it contractual where appropriate – the faster decisions can be made, the less business friction during an incident.
- Practice it. Regularly. Include vendor teams in the drills.
Takeaway: Pre-agreed, vendor-owned plans cut response time and avoid the paralysis that can happen when accountability is put to the test by a live incident.
3. Move from static assessments to predictive risk management.
Annual questionnaires can signal potential risks, but they are not early warnings. Combine threat intelligence, dark-web monitoring, cyber health ratings and behavioral analytics with AI solutions to surface when a vendor’s risk profile is changing.
- Monitor indicators of compromise, credential leaks, patching cadence, and external chatter.
- Use AI tools to aggregate these signals into a dynamic risk score that triggers escalation and remediation workflows.
- Make decisions based on current risk velocity, not last year’s audit.
Takeaway: Proactive detection gives you time to act before a vendor issue turns systemic.
At the end of the day, resilience is not about eliminating all risk – it comes down to ensuring you can keep operating when risk does materialize.
Michael Barry is a Managing Principal at Capco. He has over 20 years of experience in top tier banks across APAC, the U.S. and U.K., holding managerial and leadership positions in Operational Risk, Technology Risk, Information Security and Third-Party Risk Management. He is a hands-on risk manager with a proven track record of identifying and implementing innovative, sustainable solutions to complex business problems and leading key initiatives and transformations.
Anika Yan, a Principal Consultant at Capco, has over eight years of experience in Cybersecurity, Information Security and Regulatory Compliance, spanning industries such as financial services, technology and pharmaceuticals, and working with many of the key U.S., European and APAC cybersecurity industry standards. She has successfully led the delivery of multiple enterprise-wide transformation initiatives in strategy, encryption and cryptography, data classification, advanced threat detection and response, cyber resilience and identity access management.