Ask the Expert: How has third-party risk changed in the last year?
Dawn Ward, Senior Solution Consultant at Iceberg Networks and Chris Murphey, VP Advisory Services at Iceberg Networks, discuss how the third-party risk landscape has evolved in the last year. The following is an edited transcript of the conversation.
Dawn Ward: The global events have made it very evident how much impact getting third-party risk management wrong can have. As things have unfolded with the pandemic and many other factors, organizations are looking at their programs that used to be somewhat piecemeal and taking a step back and saying we need to have a holistic program. We need to look further out than just our third-party vendors to 5th-party vendors, 10th-party vendors. Now that there’s less of a tactical dependence on the critical third-parties and more of a strategic dependence, they’re really looking at supply chain, they’re looking at support services, sales, distribution. There’s a lot more in that risk landscape than just the immediate vendors and what those vendors are doing. It’s clearly demonstrated that a stronger, holistic, integrated approach is very important for managing these third-party risks because if you’re not looking at the program in it’s entirety and what your risks are related to those vendors, if you’re looking at them independently as a vendor, you’re missing the big picture and how that all comes together.
Understanding the nature and criticality of those relationships and how they’re impacted by the risks and the changes to those risks that are happening are a component of a strong program, so it’s something that you really have to look at as part of a bigger picture.
Chris Murphey: I think you’re spot on, Dawn. One of the things we’ve seen, and we’ve seen it for years, that people believe that a high maturity practice included procurement and other stakeholders of the third-party risk ecosystem inside an organization, but like you said about expanding to broader horizons in the supply chain, risk has really brought a new focus to the need to interplay across the organization to manage for third-party risk.