“And the Award for the Most Disastrous Third-Party Risk in 2020 Goes to …”
Article by Atul Vashistha
Without a doubt, 2020 was a blockbuster year for risk and disruption – but by evaluating the shortcomings of risk practices, we can enable proactive strategies that can significantly improve business continuity and resiliency for whatever happens next.
Imagine if there were an annual award show for risk. Of course, due to the pandemic, the award show would have to be virtual – but if there were such a show, the pinnacle award would be for the Most Disastrous Risk of the Year.
Hands down, the award for 2020 would go to location risk. In case you aren’t familiar with location risk’s body of work, it includes events specific to a geographical location: natural disasters such as hurricanes, earthquakes and disease outbreaks; social unrest including riots and strikes; political instability resulting from high-level corruption or a coup; terror attacks, whether physical or cyber; and macroeconomic conditions like high inflation and high unemployment.
All kidding aside, this is detrimental because most organizations’ third-party risk management programs ignore location risk altogether. During 2020, their almost laser-like focus on financial and cyber risks left businesses uninformed and behind the eight ball, struggling to keep up with the rapidly changing risk landscape. In fact, during the pandemic, financial and cyber risks were actually lagging indicators.
As the pandemic gained steam, there were countless leading indicators, which – if known early enough – could have been used to improve business continuity and resiliency.
Financial and Cyber Risks: Lagging Indicators
Let’s take a look at COVID-19’s cascading risk scenario to further explain why financial and cyber risks were actually lagging indicators during the pandemic. When the crisis started, the first business continuity risks arose as China’s government enacted restrictions to stop the spread of the disease. Next came government regulations risk in other countries from shutdowns, border closures, travel bans, etc. Then entered people risks, as a pandemic is foremost a health risk. Risks of wide-scale absenteeism grew due to individuals either contracting the disease themselves or having to care for family members who were ill. Some locations were significantly more vulnerable due to weak health care infrastructure.
After people risks came remote-work requirements and lockdowns that were stricter and longer in some locations than in others. In many areas, this was a challenge due to poor internet infrastructure and a shortage of laptop computers. With people forced to work from home on unsecured networks and personal computer equipment, cybersecurity risks increased.
As the pandemic continued long-term and economies constricted to different degrees in different locations, financial cracks finally began to show with third parties. With a reactionary approach that relied on monitoring changes in only financial or even cyber risks, businesses were late to prevent a cascading downfall.
The 3 Resiliency Lessons Learned
If COVID-19 has a silver lining, it’s the opportunity to learn from our risk management shortcomings and advance our risk management practices to ensure greater future resiliency. Our experience during the pandemic brought into focus three critical lessons:
- Resiliency requires monitoring location risk. Unfortunately, as many enterprises ignored location risks in their TPRM program, they were left in the dark about the locations from which services were provided. They didn’t understand the inherent weaknesses and vulnerabilities of each location and were ill-informed when their location’s risk landscape changed, forcing them to manage risk reactively.
- Resiliency requires monitoring risk continuously. During 2020, the foundation of the majority of risk management programs was legacy processes like point-in-time assessments, due diligence and onboarding. Because most organizations lacked continuous monitoring capabilities, they were forced to rely on data collected months before the pandemic. As the risk landscape rapidly evolved and changed with each new day, this stale data was unhelpful and at times counterproductive for risk mitigation efforts during the pandemic.
- Resiliency requires monitoring risk across broad frameworks. A global crisis such as COVID-19 presents the unique challenge of cascading risks. Global business supply chains are hyperconnected, and managing business continuity during the unprecedented disruptions without a guidebook was difficult. There’s only one way to effectively predict what comes next when faced with a cascading risks scenario, and that’s through continuous monitoring of a broad risk aperture.
The Risk Horizon for the Rest of 2021
The global effects of the pandemic are far from over. Although some countries are making progress on vaccinating their citizens, many countries are at a financial and health care infrastructure disadvantage. The longer the virus continues, the greater the chance that mutations could result in variants that could reduce the efficacy of our current vaccine protocols. Vaccinated travelers to foreign countries could bring variants home, re-igniting the problems we faced in the early days of the pandemic.
Beyond location risks, others to consider include:
- People risks will continue to remain high. Talent well-being in terms of physical, mental and emotional health should be a high-priority focus in 2021. Talent is always a resource constraint, but it’s especially so in a pandemic.
- Cyber risks will continue to increase as companies adopt more permanent remote and distributed working models.
- Financial risks could rise. As the crisis is prolonged, we could see greater negative impact to revenues. This poses a tremendous financial risk, especially for small- and medium-sized companies without a strong enough balance sheet to get them through the crisis.
- Regulatory and compliance risks will rise as regulators add new regulations to address the distributed and non-physical work environments of “work from anywhere.”
- Supply-chain disruption risks got a lot of attention during the pandemic as enterprises realized they lacked a view beyond their third parties. Effective mitigation of supply chain disruption risks requires a deep view into the Nth parties of the supply chain.
- ESG risks have become a hot topic in the last six months. Failure to incorporate ESG risk monitoring will leave companies susceptible to compliance and reputation risks at their own enterprise level and throughout their supplier network.
Advancing Risk Management through Automation
When we are finally able to get COVID-19 under control globally, we must consider the possibility that the virus is only a “practice pandemic.” The next one could be worse in terms of mortality rate and business disruptions.
As it’s impossible to predict with certainty where the next global crisis will come from, enterprises must incorporate continuous monitoring capabilities across a broad risk aperture to enable the early warning system that continuity and resiliency require. Unfortunately, today’s risk landscape is so vast that continuously monitoring risk is beyond human capabilities. The good news: there are risk solutions in the market that leverage automation to enable continuous monitoring, allowing internal risk teams to move away from spending time on risk identification efforts and focus instead on risk mitigation.
For the increased volume of risk findings that may result, cutting-edge risk solutions have leveraged further advances in AI, data science and machine learning to automate a significant portion of the risk actions required. Internal risk teams can focus on only the most critical risk mitigation efforts that require human intervention and effort. Incorporating today’s automation in TPRM programs can enable continuous monitoring across a broad risk aperture to provide a current and comprehensive view of an enterprise’s risk landscape.
Looking Ahead, Proactively
Eventually, we will move beyond the pandemic, but our dynamic risk landscape is here to stay. Proactive risk management can achieve continuity and resiliency going forward, but it will require enterprises to move to risk management practices that include continuous monitoring across a wide risk aperture, including location risk.
Fortunately, humans don’t have to do it alone. Today’s automation capabilities enable risk teams to stay ahead of the rapidly changing risk landscape effectively and cost efficiently. Early warning from leading indicators and automated risk-mitigation actions will enable risk teams to do more with less, and enterprises will experience improved business continuity and resiliency facing whatever new risk is next on the global horizon.