Building a Third-Party Program that Fosters Resilience
How do you measure resilience?
- Risks are managed collectively via a singular workstream
- The business has a shared risk appetite and definitions
- The prioritization of risk aligns with set business objectives
- The risk appetite is always in agreement with business goals and growth plans
For true operational resilience, organizations need to rethink how they set up their vendor programs – starting with realigning who manages the program. Operating models for third-party programs differ heavily based on a company’s size, culture, and organizational structure. Realistically, the program could live with the risk assessment team, the cyber team, the procurement team, and so forth. There is no wrong place for a program to live – so long as each team’s role is communicated so that the entire organization knows who is responsible for vendor management and security.
Once ownership is settled, an organization should determine its risk appetite—in other words, how much risk it is willing to take on. This step includes a thorough review of third parties currently in use, their importance to business operations, and what data…
