Aki Eldar is the CEO and co-founder of lookprovider of an AI-enabled third-party risk management (TPRM) intelligence platform.
From cyberattacks and supply chain crises to rising inflation and the “great resignation,” business disruptions continue to affect organizations around the world. As a result, organizations must be able to effectively plan and prepare for continuity of operations and services. Operational resiliency programs expand on the concepts of business continuity planning, operational risk management, supply chain resiliency, and more to help address this. In addition, they focus on an organization’s tolerance levels for business interruption and its ability to absorb and adapt to a changing environment through risk management, response, and recovery.
This is particularly critical for heavily regulated industries like financial services. However, the increasing reliance on third-party vendors (vendors) to support essential services in today’s hyper-competitive markets presents a difficult question: How can we ensure the resiliency of our operations when we depend on others? The following article will present how to achieve operational resiliency using time-tested third-party risk management approaches and new technical innovations.
Step 1: Discover the operational risks involved
Operational risk occurs when vendor processes that affect the daily activities of an organization are shut down. Therefore, the first step in creating an effective operational resiliency strategy is to complete a risk assessment to discover the potential risks each vendor could bring to the business.
Start by looking at vital business areas to determine which ongoing operations rely on vendors. Then map them according to their criticality and determine to what extent each vendor should be evaluated. This will also help determine where to place the most attention for risk management. For example, suppose accounting functions are down due to prolonged bad weather. That’s problematic, but chances are the business will still be able to open for business the next day. However, for example, if the external login authentication system that allows customers to access their bank accounts is down, then a significant range of banking becomes unattainable.
Step 2: Examine the impact of potential risks and the level of security and resiliency of your partners
Once the suppliers to be evaluated are identified, the probability and impacts of the risks they may present to disrupt the business must be examined. The basis for this information can usually be found during the onboarding process, where vendors are typically required to undergo assessments that help the organization understand their business continuity management practices, as well as the level and type of risk they face. exists in the critical areas of the business. However, it is not enough to simply collect relevant information. The organization must see evidence of the supplier (eg trust and verification systems, certifications such as ISO or SOC 2, etc.).
This allows the organization to have a clear map of compliance and issues that may need to be mitigated.
Step 3: Create and implement plans to mitigate risk
Next, define mitigation actions to prevent or reduce risk if the provider faces an outage (eg, move operation in-house, have a workaround, etc.).
A simple example of these three steps in action is the scenario of an organization that relies on a single physical data center operated by a third-party provider. During the risk assessment, it will be discovered which critical operations depend on the uninterrupted operation of the data center and the risk to the operation based on the dependency that exists. Specific risks that could impact operations should then be defined (taking into account the steps the data center partner has already implemented within their organization to help mitigate these risks) to highlight potential events that could cause the data center goes offline. and to what extent that would disrupt operations. Finally, the mitigation plan would include having an easily and quickly accessible backup available (in another geographic location) that will not be affected by the same physical events to minimize or eliminate the disruption caused by that risk.
The challenges of assessing operational risk
A core component to establishing operational resiliency involves understanding a provider’s operational resiliency. One way organizations can get a sense of this is to look at how they have fared in the past in providing continuous service during periods of outage. However, operational resilience will often be challenged due to new risk events that have not previously occurred.
Many operational risk teams today perform third-party risk management (TPRM) processes manually using subject matter experts who spend significant amounts of time managing massive volumes of data. Unfortunately, these large volumes of data and repetitive monitoring tasks increase the risk of bias or error. This problem is compounded by the fact that data collection methods such as questionnaires provide a limited view of the provider, constrained by the type of questions included and how the provider has chosen to respond.
Unfortunately, this reliance on manual risk management processes makes it difficult to keep up. Additionally, large organizations such as financial institutions have tens of thousands of vendors, so understanding what can impact resiliency is becoming increasingly complex.
In these cases, a risk management platform can help, which can enable risk management programs to be more efficient, effective, and empowered to identify, anticipate, and manage risk throughout the supply chain to achieve operational resilience.
The Forbes Technology Council is an invite-only community for world-class CIOs, CTOs, and technology executives. Do I qualify?