How to Prepare Your Third-Party Risk Management Program for a Recession

2. Consolidate Overlapping Toolsets to Reduce Costs, Improve Efficiencies, and Close Risk Gaps

Vendor risk management professionals understand that one-and-done third-party assessment approaches fail to capture all supplier risks in a timely fashion. Although point-in-time assessments are essential for capturing internal controls data, a continuous approach to monitoring for changes to a vendor’s cyber posture, business events, financial position, and reputation is required for additional context and to fill gaps between those point-in-time assessments.

Yet, organizations often address this problem with an expensive, disjointed mishmash of tools that can’t be integrated or deliver context for assessment results. If your organization is going into 2023 with flat or decreased budgets, consider a continuous third-party risk monitoring strategy that:

• Consolidates external cybersecurity, data breach, business update, reputational, and financial risk feeds into a single picture of a supplier’s risk posture
• Enables coordinated action based on whether findings validate assessment results
• Includes best-of-breed data feeds for each dimension of risk
• Offers the ability to integrate existing data sources into a central platform for a single view of risk

A consolidated monitoring approach yields much better economies of scale, improves efficiency, and reduces coverage gaps.

3. Communicate the Financial Impact of a Third-Party Risk Assessment to Maintain Organizational Priority

Third-party risk assessments can be taxing and expensive if you are using manual methods such as spreadsheets. Automation can help, but how do you quantify how much risk can be reduced by automating the assessment process? Consider calculating the value of risk that can be eliminated from the business by automating risk assessments. Here’s an example:

1. Start with the number of higher-risk third-party vendors and suppliers your organization works with. For illustration purposes, let’s say that number is 500.
2. Factor in the average cost of a third-party data breach, which is about $4.59 million according a recent study from Ponemon Institute and IBM. One critical approach to reducing data breach costs is through technology automation, such as the automation of risk assessments. With automation, the average cost of a data breach drops by a third to around $3 million. In both cases, actual breach costs will vary based on company size.
3. Consider the inherent likelihood of a breach happening in the next two years. According to Ponemon, the probability that an organization will experience a data breach over the next two years is nearly 30%. With automation, that number is halved to 15%.
4. Calculate total risk exposure by multiplying the average cost of a third-party breach by the likelihood of a breach. Without automation, that comes to about $1.4 million. With automation, it drops to $450k.
5. Calculate risk exposure per vendor by dividing risk exposure by the number of higher-risk vendors. In this example, that amounts to $2,754 per vendor without automation and $900 per vendor with it.
6. To calculate the value of each automated risk assessment conducted, simply compare the numbers calculated in step 5. Here, the value is $1,854 in risk reduction per assessment.

In this example, we eliminated $1,854 in potential data breach costs for each third party assessed. Multiply this across 500 critical vendors, and you can reduce your potential risk by almost $1 million!

The bottom line is that a robust, automated third-party risk assessment process can reduce the cost, impact and likelihood of a breach.

Note: This model applies only to cyber breaches. Automating third-party assessments can also head off costs from operational disruptions, but those numbers can vary greatly across different scenarios.

Next Steps

Given the ever-increasing number of third-party data breaches and supplier disruptions, your organization can’t afford to let economic conditions distract it from ensuring supplier resilience. Download the Value of a Third-Party Risk Assessment Calculator, assess your suppliers against business resilience requirements, or contact us today for a demo to learn how we can help you reduce risk assessment costs with consolidation and managed services expertise.