How to Prepare Your Third-Party Risk Management Program for a Recession

Use these three recommendations to maintain your organization’s focus on third-party vendor and supplier resilience in the face of labor shortages, flat or declining budgets, and shifting business priorities.
By: Scott Lang, VP, Product Marketing
October 04, 2022

Although there is currently no single consensus on whether the economy is slipping into a recession, many central banks and policymakers are recommending that governments and organizations around the world take proactive steps in preparation for one, such as anticipating wage-related labor constraints and expanding their supplier bases.

Economic instability isn’t a new phenomenon, however. In the last two years the global economy went from boom to short-term COVID shock, and it remains unsettled by constant supplier disruptions and the tightest labor market in decades. This turmoil emphasizes the need for organizations to focus on business resilience – and, for the third-party risk management professional, this means ensuring supplier resilience.

In the face of so much economic uncertainty, how can security, risk management and procurement teams ensure their organizations maintain their focus on third-party risk and resilience? Here are three recommendations:

1. Outsource Third-Party Risk Management Tasks to Address Labor Challenges and Rising Costs

If your organization is facing challenges brought on by wage pressures, labor shortages, or employee turnover and burnout, then consider offloading some lower-level TPRM activities to a domain expert. Third-party risk management managed services can perform tasks on your teams’ behalf, including:

  • Contract management: Uploading contracts, extracting key attributes, and configuring automated reminders for follow-up
  • Vendor management: Creating vendor profiles, onboarding and offboarding vendors, maintaining contacts, and serving as first-line support
  • Assessment management: Creating and managing assessment schedules
  • Response management: Chasing and tracking responses; reviewing responses and notes for red flags, contradictions, applicability, and evidence freshness
  • Fourth and Nth party management: Identifying fourth parties and creating relationship maps based on business dependencies and attributes
  • Continuous monitoring for emerging risks: Identifying and reviewing cyber, business, reputational, financial and data breach events – and escalating critical events for triage
  • Incident management: Proactively engaging with third-party vendors impacted by specific cyber or disruptive physical events

Outsourcing the day-to-day tasks of managing a third-party relationship will free your team to focus on high-value tasks, like managing risks instead of updating vendor contact lists. In turn, this will make your organization more resilient against vendor and supplier disruptions.

Studies show that shifting the day-to-day work of supplier management to a managed services provider results in time savings, efficiency improvements, and faster discovery and mitigation of risks. With outsourced managed services, TPRM teams can instead focus on:

  • Managing supplier performance and risk against agreed-upon service levels, KPIs and KRIs
  • Remediating risks and compliance problems to an acceptable level
  • Predicting supplier problems by gaining visibility into the complete spectrum of third-party risks (e.g., cyber, business, financial, etc.) and understanding how they contribute to enterprise risk


2. Consolidate Overlapping Toolsets to Reduce Costs, Improve Efficiencies, and Close Risk Gaps

Vendor risk management professionals understand that one-and-done third-party assessment approaches fail to capture all supplier risks in a timely fashion. Although point-in-time assessments are essential for capturing internal controls data, a continuous approach to monitoring for changes to a vendor’s cyber posture, business events, financial position, and reputation is required for additional context and to fill gaps between those point-in-time assessments.

Yet, organizations often address this problem with an expensive, disjointed mishmash of tools that can’t be integrated or deliver context for assessment results. If your organization is going into 2023 with flat or decreased budgets, consider a continuous third-party risk monitoring strategy that:

  • Consolidates external cybersecurity, data breach, business update, reputational, and financial risk feeds into a single picture of a supplier’s risk posture
  • Enables coordinated action based on whether findings validate assessment results
  • Includes best-of-breed data feeds for each dimension of risk
  • Offers the ability to integrate existing data sources into a central platform for a single view of risk

A consolidated monitoring approach yields much better economies of scale, improves efficiency, and reduces coverage gaps.

3. Communicate the Financial Impact of a Third-Party Risk Assessment to Maintain Organizational Priority

Third-party risk assessments can be taxing and expensive if you are using manual methods such as spreadsheets. Automation can help, but how do you quantify how much risk can be reduced by automating the assessment process? Consider calculating the value of risk that can be eliminated from the business by automating risk assessments. Here’s an example:

  1. Start with the number of higher-risk third-party vendors and suppliers your organization works with. For illustration purposes, let’s say that number is 500.
  2. Factor in the average cost of a third-party data breach, which is about $4.59 million according to a recent study from Ponemon Institute and IBM. One critical approach to reducing data breach costs is through technology automation, such as the automation of risk assessments. With automation, the average cost of a data breach drops by a third to around $3 million. In both cases, actual breach costs will vary based on company size.
  3. Consider the inherent likelihood of a breach happening in the next two years. According to Ponemon, the probability that an organization will experience a data breach over the next two years is nearly 30%. With automation, that number is halved to 15%.
  4. Calculate total risk exposure by multiplying the average cost of a third-party breach by the likelihood of a breach. Without automation, that comes to about $1.4 million. With automation, it drops to $450k.
  5. Calculate risk exposure per vendor by dividing risk exposure by the number of higher-risk vendors. In this example, that amounts to $2,754 per vendor without automation and $900 per vendor with it.
  6. To calculate the value of each automated risk assessment conducted, simply compare the numbers calculated in step 5. Here, the value is $1,854 in risk reduction per assessment.

In this example, we eliminated $1,854 in potential data breach costs for each third party assessed. Multiply this across 500 critical vendors, and you can reduce your potential risk by almost $1 million.
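The six-step model above as a small calculator (an added example, not a tool from the post or from Prevalent), so the Ponemon/IBM figures the post quotes can be swapped for your own breach-cost and likelihood estimates; the scenario names and function names are assumptions made here.

```python
from dataclasses import dataclass

# Added example: the post's six-step breach-exposure model as reusable code.
# Scenario values below are the figures quoted in the post, not measured data.


@dataclass(frozen=True)
class BreachScenario:
    """Inputs for one column of the model."""
    avg_breach_cost: float      # Step 2: average cost of a third-party breach, USD
    two_year_likelihood: float  # Step 3: probability of a breach in two years, 0..1


# Figures quoted in the post: without vs. with assessment automation.
WITHOUT_AUTOMATION = BreachScenario(avg_breach_cost=4_590_000, two_year_likelihood=0.30)
WITH_AUTOMATION = BreachScenario(avg_breach_cost=3_000_000, two_year_likelihood=0.15)


def risk_exposure(s: BreachScenario) -> float:
    """Step 4: expected loss = average breach cost x likelihood of a breach."""
    return s.avg_breach_cost * s.two_year_likelihood


def exposure_per_vendor(s: BreachScenario, n_vendors: int) -> float:
    """Step 5: spread the expected loss across the higher-risk vendor population."""
    if n_vendors <= 0:
        raise ValueError("need at least one higher-risk vendor")
    return risk_exposure(s) / n_vendors


def assessment_value(baseline: BreachScenario, automated: BreachScenario,
                     n_vendors: int) -> dict:
    """Step 6: risk reduction per assessed vendor, plus the total across all vendors.

    Values are rounded to whole dollars, matching the post's table.
    """
    per_vendor = (exposure_per_vendor(baseline, n_vendors)
                  - exposure_per_vendor(automated, n_vendors))
    return {
        "exposure_without": round(risk_exposure(baseline)),
        "exposure_with": round(risk_exposure(automated)),
        "per_vendor_without": round(exposure_per_vendor(baseline, n_vendors)),
        "per_vendor_with": round(exposure_per_vendor(automated, n_vendors)),
        "value_per_assessment": round(per_vendor),
        "total_risk_reduction": round(per_vendor * n_vendors),
    }


if __name__ == "__main__":
    # Step 1: 500 higher-risk vendors, as in the post's illustration.
    for name, dollars in assessment_value(WITHOUT_AUTOMATION, WITH_AUTOMATION, 500).items():
        print(f"{name:>22}: ${dollars:,}")
```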

| Step | Without Automation | With Automation |
|---|---|---|
| Step 1: Number of higher-risk or critical vendors | 500 | 500 |
| Step 2: Average cost of a third-party data breach | $4,590,000 | $3,000,000 |
| Step 3: Inherent likelihood of a breach in the next two years | 30% | 15% |
| Step 4: Risk exposure (average cost x likelihood) | $1,377,000 | $450,000 |
| Step 5: Risk exposure per vendor (exposure / number of higher-risk or critical vendors) | $2,754 | $900 |
| Step 6: Value of assessment (risk reduction per vendor) | $1,854 | |

The bottom line is that a robust, automated third-party risk assessment process can reduce the cost, impact and likelihood of a breach.

Note: This model applies only to cyber breaches. Automating third-party assessments can also head off costs from operational disruptions, but those numbers can vary greatly across different scenarios.

Next Steps

Given the ever-increasing number of third-party data breaches and supplier disruptions, your organization can’t afford to let economic conditions distract it from ensuring supplier resilience. Download the Value of a Third-Party Risk Assessment Calculator, assess your suppliers against business resilience requirements, or contact us today for a demo to learn how we can help you reduce risk assessment costs with consolidation and managed services expertise.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
