Supply Chain Risk Management - Things Have Changed
By Colin Fraser, Director at i-confidential
Firstly, third-party risk management is not just about ‘suppliers’ anymore. It’s about all third, fourth, fifth, and further parties interfacing with an organisation.
Secondly, third-party risk is not merely about data loss. It’s now a matter of operational resilience, and it’s existential. Organisations are at risk of completely losing their IT systems, rendering them unable to operate.
With the stakes so high, non-executive directors should ask the executive management team an important question. It’s one we impress upon our clients:
“Would our third-party risk assurance methodology discover our significant known weaknesses, if we applied it to ourselves?”
If the answer is “no”, it’s time to change things.
At i-confidential, we have made substantial enhancements to our third-party risk management solutions, because we had to. We believe many organisations still have to make the necessary changes.
Third-party risk management is about culture, roles and responsibilities, continuous assurance, and systemic risks. It’s every bit as important as managing in-house risks.
If you ask yourself the question and don’t like the answer, please get in touch.