Third-Party Risk Management, GRC

Guest Blog: Managing Risk Across Third-party Relationships
Written by

Michael Rasmussen

Published on

2 Jul 2019


Guest Author: Michael Rasmussen, GRC Economist & Pundit, GRC 20/20 Research LLC


Michael Rasmussen talks us through the intricacies of third-party risk and the benefits of third-party risk management software.


Third-Party Risk Management

When thinking about third-party risk management, we have to consider that organizations are intricate organisms of complex relationships. The modern organization does not operate in isolation, but as part of an ecosystem of interactions with third parties.


The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third-party risk management:


“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]


Capra’s point is that biological ecosystems are complex and interconnected, requiring a holistic understanding of the intricacies as an integrated whole rather than a dissociated collection of parts. Change in one segment has cascading effects and impacts on the entire ecosystem.


This is also true when managing third-party risk. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mess of third-party relationships and interactions that span traditional business boundaries. 


Layers of relationships go beyond traditional employees to include an array of third parties, such as suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Third-party risk management complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains.


Business operates in a world of chaos

Dissociated data, systems, and processes leave the organization with fragments of truth that fail to see the big picture of third-party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. 


The organization needs to have holistic visibility and situational awareness of third-party relationships across the enterprise. Complexity of business and the intricacy and interconnectedness of third-party data requires that the organization implement a third-party risk management strategy.


Third-party relationships are non-linear

To maintain the integrity of the organization and execute on third-party risk management strategy, the organization has to be able to see its individual third-party relationships (the tree) as well as the interconnectedness of third-party relationships (the forest). 


Third-party relationships are non-linear. 


They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationships and impacts in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all.


In a linear system, the effect is proportional to the cause; in the non-linear world of business, third-party risk management is exponential. Business is chaos theory realized. 


The small flutter of third-party risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result ranges from exponential to unpredictable.


Third-party risks are the organization’s problems

In this context, organizations struggle to identify and govern their third-party relationships with a growing awareness that they stand in the shoes of their third parties. 


Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. 


Third-party problems are the organization’s problems. They directly impact the brand and reputation, while increasing exposure to third-party risk and compliance matters. When questions of business practice, ethics, privacy, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third-party partners behave appropriately.


How to manage your third-party risks effectively

A haphazard department and document-centric approach for third-party risk management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated third-party risk management strategy and team to define and govern third-party relationships.


Organizations need to wipe the slate clean and approach third-party risk management with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, third-party risk, and compliance and how it impacts the organization.


There can and should be a central core technology platform for third-party management that connects the fabric of the third-party risk management processes, information, and other technologies together across the organization. Organizations suffer when they take a myopic view of third-party risk management software that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real-time the business operates. 


The third-party risk management software operationalizes information and processes to support an organization’s third-party risk management strategy. 


The right technology architecture enables the organization to effectively manage third-party performance and risk across extended business relationships and facilitates the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.


As Fritjof Capra illustrated, the problems of today require us to understand the third-party risk and exposure that interconnected and interdependent relationships bring. What Capra says in the context of living organisms and ecosystems is directly applicable to the modern organization that needs to strive to understand how operations, processes, and data interconnect and are shared across relationships and the risk and exposure this brings to the organization as well as the opportunity.


[1]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.


Discover SureCloud’s Third-Party Risk Management Software Solutions

The simplest way to manage the intricacies of third-party relationships is through third-party risk management software. Our software offerings enable you to keep ahead of governance, regulations, and compliance, as well as tackle security vulnerabilities before they become an opportunity for malicious attack. 

Find out more about our third-party risk management software solutions, and how they can help you manage your web of valuable collaborators.
