“Shifting Left” to Keep Up with Third-Party Risk

Etai Hochman


October 29, 2021


In today’s fast-moving global economy, organizations are finding themselves increasingly reliant on third-party partnerships to remain competitive. This is particularly true in financial services, manufacturing, health care and other sectors that are highly interconnected, which makes them susceptible to supply chain risks.

The SolarWinds and Microsoft Exchange breaches revealed that even organizations with the most mature security programs are at risk because of their reliance on third parties. These security events should serve as a wake-up call for companies to strengthen their third-party risk management (TPRM) programs and make them more intelligent and responsive to today’s growing risk environment.

Risk managers can apply new technologies to bring a greater level of automation and intelligence to highly manual TPRM processes. Cognitive computing technologies such as artificial intelligence (AI) and natural language processing (NLP) can augment TPRM, working alongside human judgment and traditional analytics. Risk management lends itself particularly well to these capabilities, since risk issues frequently involve unlikely and/or ambiguous events.

Most importantly, risk practitioners should start to think like software developers and adopt a “shift left” approach to third-party risk management. Shift left is a practice developers use to find and prevent defects early in the software delivery process. The idea is to improve quality by addressing the tasks most prone to defects as early in the lifecycle as possible.

Bringing Automation and Orchestration to TPRM

Many organizations—particularly financial services institutions—manage their TPRM programs in silos, splitting risk across operational units that run on people rather than systems. TPRM processes are performed manually by subject matter experts who spend much of their time on data collection and administration. Even with highly automated systems, TPRM teams are often overwhelmed by the sheer volume of data spread across many sources—from questionnaires and related documents to external feeds on cyber posture or financial stability—and by the unceasing pace of monitoring it. The volume of data and the repetitive nature of collecting and monitoring it increase the risk of human error, such as missing important details or subtle changes that a machine learning engine could detect.

Compounding this problem is the fact that critical third-party data is collected on disparate spreadsheets located throughout the organization, making it very difficult to connect the data and look across the entire third-party risk landscape.

AI-driven digital TPRM technology can help by orchestrating and automating the TPRM program, from initial assessment to continuous monitoring and mitigation. AI is uniquely able to handle and evaluate unstructured data, enabling these solutions to extract data from questionnaires, evidence documents, financial stability sources, cyber posture or the deep web and turn it into actionable insights about a bank’s risk exposure to online assets, fourth parties, people, locations and other vulnerabilities.

Advanced analytics can also give companies real-time visibility into their concentration risk and into the domino effects that follow when a risk event materializes. Risk managers can model the potential cascading effects of an event across their supply chain by viewing concentration risk through whatever aggregator they choose, such as geographic location, fourth parties or other vulnerabilities.
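As an added illustration (not part of the original article or of any Mirato product), the following Python computes concentration risk by a chosen aggregator and walks the cascade from a regional or fourth-party outage through to the bank services it would disrupt; the vendor, fourth-party and service records are constructed sample data.

```python
from collections import Counter

# Constructed sample inventory (not real vendors): third parties, the
# fourth parties they depend on, and the bank services built on them.
FOURTH_PARTIES = {
    "cloud-a": {"region": "us-east"},
    "cloud-b": {"region": "eu-west"},
    "payments-hub": {"region": "us-east"},
}
THIRD_PARTIES = {
    "vendor-1": {"region": "us-east", "depends_on": ["cloud-a"], "critical": True},
    "vendor-2": {"region": "eu-west", "depends_on": ["cloud-a", "payments-hub"], "critical": True},
    "vendor-3": {"region": "apac", "depends_on": ["cloud-b"], "critical": False},
    "vendor-4": {"region": "us-east", "depends_on": ["cloud-a"], "critical": True},
}
SERVICES = {
    "card-processing": ["vendor-2", "vendor-4"],
    "kyc-onboarding": ["vendor-1"],
    "reporting": ["vendor-3"],
}

def concentration(aggregator):
    """Share of critical third parties per aggregator value ('region' or
    'fourth_party'); a vendor with several fourth parties counts toward each."""
    critical = [n for n, tp in THIRD_PARTIES.items() if tp["critical"]]
    counts = Counter()
    for name in critical:
        tp = THIRD_PARTIES[name]
        counts.update([tp["region"]] if aggregator == "region" else tp["depends_on"])
    return {k: round(v / len(critical), 2) for k, v in counts.items()}

def cascade(event_type, target):
    """Third parties and bank services taken down by one event. A 'region'
    event fails every fourth party hosted there and every third party located
    there; a 'fourth_party' event fails only that provider."""
    failed_fourth = {target} if event_type == "fourth_party" else {
        n for n, fp in FOURTH_PARTIES.items() if fp["region"] == target}
    affected = {n for n, tp in THIRD_PARTIES.items()
                if (event_type == "region" and tp["region"] == target)
                or failed_fourth & set(tp["depends_on"])}
    services = {s for s, deps in SERVICES.items() if affected & set(deps)}
    return affected, services

if __name__ == "__main__":
    print(concentration("fourth_party"))   # cloud-a carries every critical vendor
    print(cascade("region", "us-east"))
```

A single fourth party (cloud-a) hiding behind three separately assessed vendors is exactly the concentration a questionnaire-by-questionnaire view misses.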

Adopting a New Strategy to Ensure Resiliency

To manage third-party risk in an increasingly uncertain world, organizations need their TPRM programs to “shift left.” In the data science and intelligence worlds, shift left means obtaining the data in the rawest state possible, before it is digested, since digested data is inherently biased. The same holds true for TPRM—risk managers should get third-party data as raw as possible.

Current methods of data collection like questionnaires provide only a pinhole view of a third party, limited by the questions asked and the third party’s answers at that time. A better source would be the third party’s internal documents, such as business continuity plans (BCP) and other operative documents that contain much more valuable data. For example, a questionnaire may not have asked the third party about its readiness to handle a pandemic like COVID-19—but the company’s BCP probably would have contained relevant details. This might also prove useful for the third parties, since answering a questionnaire takes more time and effort than providing an existing document.

As part of the shift left strategy, companies should also:

  • Establish a “single data lake” so that the massive volume of data collected (including real-time streamed data) is stored in and analyzed from a single, centralized place. When all the information is in one place, it is easier to identify problems, connect the dots and understand how everything is related in a wider context.
  • Adapt processes and workflows to handle new data sources that were not designed for TPRM but should be used, such as severe weather alerts, COVID-19 outbreak alerts, cloud provider health dashboards and even open-source vulnerability-monitoring solutions. These sources should be applied not only to every new third party but also to existing partners, to continuously reevaluate the risk they pose to the organization.
  • Accelerate digitization so that the overall TPRM process is more agile, keeps pace with business and global events, and responds faster. Digitizing the TPRM process is critical: it sidesteps slow-moving, lengthy administrative policies and labor-intensive processes, making transformation less cumbersome, and it is the foundation of the continuous monitoring needed to keep up with the ever-changing risks third parties pose. Digitization also frees TPRM experts from administering data from many sources, letting them focus on building mitigation plans.

A year full of black swan events like 2020 has shown us that current TPRM practices are not enough to handle today’s challenges. Companies need to shift left to a more intelligent, automated approach to TPRM to ensure continued resiliency and growth.

Etai Hochman is CTO and co-founder of Mirato.