Article

What’s Your Risk Tolerance? Why Companies Fail to Build Resilience.

March 14, 2025 | 1 minute reading time | By Loren Johnson

There is a tendency to overestimate organizational preparedness. Be realistic, flexible, and “tackle the right things first,” a third-party risk management specialist advises.

This question – what’s your risk tolerance? – should be the foundation of every business’ risk management program. And yet, it’s a question few business leaders can confidently answer.

In a perfect world, organizations would aim to eliminate all risks. However, risk, and more specifically third-party risk, is ubiquitous. It stems from a wide array of areas that impact ecosystems of third parties, including but not limited to geopolitics, extreme weather, human rights violations, regulatory compliance, currency fluctuations, and both cyber and physical security.

In truth, no matter how robust the risk management program is, not all risks can be prevented. It’s not a question of if a third-party incident will occur; it’s a matter of when, how severely it will impact your business, and what you’re willing to do to stop it.

Effectively navigating complex risks and their potential impacts requires a strategic, systematic approach, unflinching executive alignment, and a collaborative response – a skill that builds operational prowess and a shared commitment to resilience. And this becomes even more of a challenge when third parties – vendors, suppliers and external partners – are involved.

The Complexity of Third-Party Risk

The CrowdStrike outage, the AT&T breach, and the Red Sea attacks are recent examples of the potentially extreme and varied impacts of the risks that lie within third-party vendors.

Whether it arises from a first-tier third party or from the nth tier of the supply chain, an external threat puts financial outcomes, operational efficiency, service levels, brand reputation, intellectual property and business continuity at risk.

Aravo’s Loren Johnson: Profits and growth are at stake.

Risk management is complex, requiring a significant amount of digital and physical supply chain visibility and transparency, data, and executive-level leadership – a fact that today’s vast and interdependent global networks of suppliers only serve to exacerbate. According to Gartner, 60% of companies work with more than 1,000 third parties. As companies continue to expand their third-party networks, exposure to pertinent risks only increases.

Furthermore, the potential for consumer backlash and a quickly developing regulatory environment (see Germany’s Due Diligence Act (LkSG) that holds companies responsible for the nth degree of their supply chains, and the EU’s Digital Operational Resilience Act (DORA)) are upping the ante, increasing the already significant pressures on enterprises to streamline and enhance their risk programs.

The Failure Points

Despite its importance, companies often lack a resilience plan that effectively addresses and manages the complexities of third-party risk. Here’s why:

Lack of leadership commitment: The days of ad hoc risk management are long past. Its complexity and direct ties to strategy execution and success require focused, dedicated leadership and top-level alignment. Without it, companies leave themselves highly vulnerable, waste resources, and gamble their brand, profits, and growth – and the odds aren’t in their favor.

Leaders must advocate for a comprehensive, clearly defined risk management and execution strategy that reflects business needs and goals. Prioritization at the leadership level will help instill a risk-centric, responsive culture that quickly combats new threats as they arise and ensures teams take a proactive, risk-aware approach to assessing third-party engagements.

Overestimated risk maturity: Companies often underestimate their risk exposure and overestimate their risk maturity, a gap that leaves them vulnerable to reputational damage, legal liabilities, and financial consequences. For example, executives may have the sense that they have good programs and reporting in place when, in actuality, as many rely on manual or offline processes, they would have difficulty passing an audit or defending their approach to an agency.

Additionally, siloed data with limited organization-wide sharing, outdated technology, and manual processes hamper effective identification and management of risk and cripple collaboration, introducing room for costly errors.

Scattered focus: Companies looking to take aggressive action against the many risks in their supply chains often tackle too many risk domains at once. However, in the end, scattered efforts that do not effectively address the most imminent threats first simply fail.

The good news is that regulatory agencies understand this. Although regulation is always evolving and can feel like an uphill battle, regulatory agencies often aren’t looking for absolutes, but a reasonable approach and progress. Take things step by step, and make sure to build something auditable and defensible.

How to Better Tackle Risk

A mature risk program is about more than meeting regulatory requirements; it’s a strategic cornerstone, assisting in defining and supporting business growth strategies, helping to answer questions such as whether to launch a new product or step into a new market. It ensures you stay ahead of risks and are prepared for the future, whatever it may bring, while doing business better, with integrity and standards that reflect well upon your brand.

Here are a few strategies to help better tackle risk.

Identify the organization’s risk tolerance – the acceptable level of risk. After you’ve accepted a risk and applied controls and preventative measures, it’s the remaining or residual risk you can reasonably justify to stakeholders and regulators – if or when a risk incident slips through, despite the safeguards and contingency plans in place.

Risk tolerance may be distinct to business categories, divisions or locations, or even by risk domain. Some risks, such as human rights violations, cybersecurity or regulatory compliance, should be zero tolerance from the get-go. Others will be more fluid, evaluated as you go, and perhaps escalated to executives for final decision-making.

Your risk tolerance should be well-defined but also allow for some adaptation as conditions change. We recommend that organizations define and document risk tolerance within their internal policies, outlining acceptable scenarios, like an IT engagement with sufficient controls in place, or unacceptable scenarios, like government sanctions.

Choose a champion: Although the exact structure will depend on the industry, a centralized risk program with a single owner (rather than one led by multiple department heads), supported by a shared data source, enables a more efficacious program.

The best systems are led by a singular champion, an advocate who can communicate urgency, fight for executive buy-in, align stakeholders and ensure risks don’t slip through the cracks. Depending on the industry, risk programs may lie with chief risk officers (CROs), chief information security officers (CISOs) or heads of procurement.

Prioritize your risks: You can’t track everything at once, but it’s important to tackle the right things first, leaving room for adaptation and continuous improvement as the risk landscape, appetite and tolerance evolve. The best way to optimize your risk program for optimal value extraction is to think big, start small, and grow fast.

Start small by establishing a technology foundation that enables you to address one or two key risks, allowing you to deliver immediately measurable business value.

Think big by creating a program that prioritizes key risk areas in the supply chain – such as cybersecurity, modern slavery, and sustainability – while aligning with overall business objectives.

Grow fast by leveraging your foundation and success to rapidly expand the program into additional risk domains, and implement risk-based due diligence, continuous monitoring and supplier performance management, and drive improvements in processes and technology.

Risk isn’t static, and neither should your risk processes be. A mature third-party risk management program involves proactively reviewing and continuously monitoring third-party information and metrics, such as key risk indicators or financial information, to identify potential issues like environmental offenses or human trafficking.

By starting small, thinking big, and growing fast, organizations can begin to deepen the trust that binds their third-party network and shift their focus from governance and administration to cultivating a more collaborative ecosystem that drives innovation, strategic growth and enhanced performance. All while delivering the ultimate strategic value – a brand people can trust.


Loren Johnson is a Risk Evangelist at Aravo, a third-party risk management solution provider. Driven by a passion for innovation and solving business challenges, he is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector.
