Taking a business-critical approach to supplier nth-party IT risk management


In the modern economy, almost every business is a tech business, with digitization, automation, and data solutions embedded into multiple operations. But with these advancements come risks. One of the most critical risks is that responsibility for technology often does not sit with companies themselves but instead with an array of third-party suppliers, service providers, and subcontractors. By outsourcing IT services, companies can unlock efficiencies and innovation. The downside is that they can also struggle to ensure that their businesses remain secure and resilient.

Modern technology supply chains are not much like chains at all. In fact, they are more like three-dimensional spiderwebs, each strand of which is connected to and dependent on others, and some of which are far removed from the company itself. As such, technology risk management is increasingly concerned not only with immediate supplier relationships but also with distant and sometimes ambiguous third parties, or nth parties, which often sit several layers away from the company’s direct line of sight.

Third- and nth-party supplier cyberincidents are a significant source of risk, in some cases leading to the loss of data for hundreds of millions of people.1 Indeed, over the past two years, nearly one-third of cyber breaches have been associated with technology supply chains, and multiple incidents have highlighted the cascading effects that a single compromised supplier can have on organizations and sectors.2 Moreover, despite companies sometimes spending millions on controls, supply chain oversight is often surprisingly basic—comprising unvalidated responses in risk questionnaires or simple clauses contained in contracts. Alternatively, companies spend so much time focusing on supplier cyber risks that they drag their feet and fail to implement a useful, high-ROI solution in a timely fashion.

As the number of ransomware incidents, data breaches, and supply chain attacks continues to rise (up 83 percent, 135 percent, and 236 percent, respectively, over the past two years), companies urgently need to ramp up their capabilities.3 To some extent, this is already mandated by regulation. The European Union’s Digital Operational Resilience Act (DORA), the United Kingdom’s Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) operational resilience rules, and Australia’s APRA CPS 230 are among initiatives that lay out strict standards for IT risk management. These vary somewhat in their detail, but one underlying principle holds true: Companies have a duty to ensure that their approaches to supplier risk management reflect both their unique risk profiles and the criticality of the business processes in question.

Traditional third-party risk management (TPRM) frameworks often emphasize the confidentiality and integrity aspects of the CIA (confidentiality, integrity, and availability) triad. But availability—and, more specifically, the resilience of business-critical systems (the ability to withstand an adverse event without interruption)—is equally important. Indeed, focusing on business-critical nth-party relationships, rather than getting bogged down in hypercomplexity, is an excellent way to get a grip on supply chain risks. At a time of rising cyberthreats, companies that can put this distinction into practice achieve the double win of protecting their vital operations and building competitive advantage.

Beyond traditional supplier risk management

Nth-party risk management programs often fall short in mitigating emerging risks, with companies missing vulnerabilities as simple as phishing emails and seeing impacts reverberate through their operations. Moreover, as supplier inventories grow, ownership shifts and overlapping relationships often obscure dependencies. As a result, risk management programs can quickly become overwhelmed (exhibit). Here are a few of the most widespread challenges:

  • High numbers of suppliers. Organizations engage with a vast number of suppliers and service providers. As a result, they struggle to comprehensively evaluate and monitor every supplier in the ecosystem, leaving significant gaps in oversight.
  • Lack of in-depth inspection. Traditional programs often rely on periodic assessments and static checklists, characterized by questionnaire-based compliance and security certifications. They do not delve into the operating effectiveness or coverage of the controls in the service providers’ environment. This can give a false sense of security if not validated.
  • Cost and resource constraints. Comprehensive risk assessments and continuous monitoring of third-party relationships require financial and human resources. Many organizations face budgetary and staffing limitations, which can hinder their ability to thoroughly vet each supplier.
  • Interconnected risks. A breach or disruption at one supplier can have a ripple effect throughout the network. Often, programs may not adequately account for these interconnected risks.
  • Blind spots beyond tier one. Most firms map tier-one suppliers but lack visibility into fourth- and fifth-party dependencies, where critical services often reside.
  • A dynamic and evolving threat landscape. Traditional frameworks may not be designed to adapt quickly, leaving organizations exposed to new threats.
  • Pace of change. Current processes are designed to assess suppliers at specific points in time, such as during a service contract. However, with technologies often seeing continuous updates without formal contracting cycles, oversight processes fail to keep up.
  • A lack of automation and real-time alerting. Companies often lack automated solutions and dashboards to monitor complex risks such as the integration of new data into existing work streams. Real-time alerts are also often absent.
  • Too many audits. Often, individual business units are auditing separately, despite being served by the same supplier, creating unnecessarily heavy cost and operational burdens.
  • No minimum standards. Companies fail to put in place contracted minimum supplier standards to support supplier resilience.
  • Concentration risk. There are a relatively small number of suppliers that operate the underlying infrastructure and networks that run most large organizations’ enterprise systems. An outage or attack on one of these could lead to catastrophic consequences for a business without a contingency plan or alternative provider.
Exhibit
A traditional nth-party risk management program consists of nine key elements. Organizations can go above and beyond these capabilities to truly evaluate and mitigate nth-party risk. Each element is listed with its definition and, where the exhibit gives one, the enhancement that distinguishes an enhanced program.

Scope and segmentation
  • Scope. Definition: methodology for prioritizing 3rd parties engaged in software development.
  • Segmentation. Definition: 3rd-party segmentation based on criticality. Enhancement: standard segmentation defines nth-party risk tiers. An enhanced program identifies the top-tier nth parties that are critical to the business (ie, business could come to a standstill without them).

Control element
  • Due diligence. Definition: best practice–driven 3rd-party assessments; tiered based on risk.
  • Control system. Definition: controls to monitor and enforce compliance with policies and standards; driven by 3rd-party type.
  • Scorecard and risk assessments. Definition: risk assessments tied to an objective standard. Enhancement: questionnaires and external monitoring scorecards are the baseline. Top-tier nth parties require additional scrutiny in the form of a holistic business impact assessment of the supplier.

Governance framework
  • Governance. Definition: appropriate escalation criteria for risk acceptance and reporting requirements for risk owners (business leadership): cross-functional/geography committees. Enhancement: governance for top-tier suppliers means that the business has identified alternative strategies (eg, manual work-arounds, alternate suppliers) in case a critical supplier goes down.
  • Organization. Definition: cross-functional collaboration between procurement, cybersecurity, the business, and multiple geographies. Enhancement: true business resilience requires ongoing, mutual collaboration between your organization and its critical nth parties to address and mitigate risks effectively.
  • Policy framework. Definition: policies and standards that extend to 3rd parties.
  • Tools and data. Definition: integration of 3rd-party risk data into the enterprise risk register for assessment components; automation of vendor scorecards.

To address shortfalls in oversight of IT supply chains, leading companies are taking an alternative approach. Rather than try to keep tabs on every party in their supply chains, they prioritize their most strategically important relationships. Thus, instead of the traditional focus on “cyber critical” suppliers, they focus on “business critical” relationships that enable their most critical processes. The sum of these forms what is known as the “minimum viable company”: the smallest set of people, processes, technologies, and suppliers required to run the core functions of the company even when upstream nth-party links fail.

A strategic approach to nth-party risk management

By being selective, a modern approach to fostering resilient IT supply chains gives companies scope to go beyond the checklist-based paradigms of the past. Leading companies are showing that three guiding principles can create a solid foundation on which to move forward (see sidebar, “Building nth-party resiliency with the Blue Cross Blue Shield Association”).

Principle 1: Focus on business criticality

When it comes to risk, not all suppliers are equal. The most significant danger lies in third parties whose failure could derail essential business processes, cause revenue shocks, or tarnish a brand’s reputation. Thus, a good place for companies to start is to establish a system of risk tiers based on variables such as the level of the third party’s access to data, the nature of that data, and the third party’s criticality to business operations.

  • Action: Document the organization’s critical business processes to identify single points of failure and then map and rank suppliers based on their potential operational impact to the most important processes. Ensure finite resources are channeled to deeper, more frequent assessments of the riskiest partners, leaving lighter evaluations for those in lower tiers.
  • To get started: Assemble a cross-functional team that includes people from procurement, IT, and operations. Identify any overlap or concentration risk (for example, multiple processes reliant on a single supplier or subcontractor) around the critical business processes.
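One way to operationalise the process-to-supplier mapping and concentration-risk check described in Principle 1, as an added example (not from the article or any named company): a short Python dependency-graph walk over a constructed inventory that records which nth parties each critical process transitively depends on and flags the parties that several processes share. All process, supplier and subcontractor names are constructed sample data.

```python
"""Walk a process -> supplier -> subcontractor web to find nth-party single points of failure."""
from collections import defaultdict

# Constructed sample inventory (not real suppliers): impact rating per critical
# process, the 3rd parties each process relies on directly, and the 4th/5th
# parties those suppliers in turn depend on.
PROCESS_CRITICALITY = {"payments": "standstill", "claims": "standstill", "marketing": "low"}
PROCESS_SUPPLIERS = {
    "payments": ["core-banking-saas", "id-verification-api"],
    "claims": ["claims-platform", "id-verification-api"],
    "marketing": ["email-campaign-tool"],
}
SUPPLIER_DEPENDENCIES = {
    "core-banking-saas": ["cloud-region-a"],
    "claims-platform": ["cloud-region-a", "doc-ocr-vendor"],
    "id-verification-api": ["cloud-region-a"],
    "email-campaign-tool": ["cloud-region-b"],
}


def transitive_parties(supplier, deps, level=3, seen=None):
    """Return {party: nth-party level} reachable from a direct (3rd-party) supplier.

    A party reached by several paths keeps its shortest level; cycles in the
    dependency map terminate because an already-seen party at an equal or
    lower level is not revisited.
    """
    seen = {} if seen is None else seen
    if supplier in seen and seen[supplier] <= level:
        return seen
    seen[supplier] = level
    for sub in deps.get(supplier, []):
        transitive_parties(sub, deps, level + 1, seen)
    return seen


def map_exposure(process_suppliers, supplier_deps, criticality):
    """Return {party: {"level": n, "processes": set, "standstill": bool}} for every nth party."""
    exposure = defaultdict(lambda: {"level": 99, "processes": set(), "standstill": False})
    for process, suppliers in process_suppliers.items():
        for supplier in suppliers:
            for party, level in transitive_parties(supplier, supplier_deps).items():
                entry = exposure[party]
                entry["level"] = min(entry["level"], level)
                entry["processes"].add(process)
                entry["standstill"] |= criticality.get(process) == "standstill"
    return dict(exposure)


def concentration_risks(exposure, min_processes=2):
    """Parties whose outage would hit several processes at once, worst first (standstill, then breadth)."""
    hits = [(p, e) for p, e in exposure.items() if len(e["processes"]) >= min_processes]
    return sorted(hits, key=lambda pe: (not pe[1]["standstill"], -len(pe[1]["processes"]), pe[0]))
```

In the sample data the shared cloud region surfaces as a 4th-party single point of failure for both standstill-rated processes even though no process lists it directly, which is the blind spot beyond tier one the article describes.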

Principle 2: Elevate availability and resilience through rigorous business impact assessments

Formulate a clear view of the operational, financial, and reputational consequences of a supplier being compromised or going offline.

  • Action: Go beyond routine questionnaires to support prioritization of high-impact scenarios and set a baseline for supplier accountability:
    • Pinpoint the operational, financial, regulatory, and brand damage (for example, hourly revenue at risk, customer trust) if a critical supplier cannot deliver.
    • Consider risk exposure based on business preparedness (that is, the ability to maintain operations through a third-party outage) and third-party preparedness (that is, the supplier’s ability to recover and communicate updates while safeguarding data).
    • Define the metrics and thresholds that would trigger escalation (for example, maximum allowed downtime).
    • Elevate expectations for the most critical suppliers. Embed conditions into contracts, making sure security controls, service-level agreements, and incident-reporting expectations are explicit and enforceable.
  • To get started: Select one high-impact supplier and perform a tabletop exercise simulating a major cyber breach or operational failure. Document who must be involved, escalation thresholds, and the supplier’s communication and recovery timeline. Use these insights to refine contract terms and internal response protocols.

Principle 3: Collaborate and make fallback plans

Real resilience is built on twin pillars: trusted relationships and viable fallback measures. When disruptions happen, collaboration and ready-made plans can be the difference between chaos and continuity.

  • Action: Foster executive-level ties (CEO to CEO, chief information security officer [CISO] to CISO) to accelerate threat intelligence sharing and collaboration with critical third parties. Develop fallback strategies for critical supplier disruption. This may mean identifying secondary providers, standing up in-house failover capacity for the most critical workloads, or designing manual work-arounds (for example, batch processing, paper-based fulfillment) that keep critical support flows running. Incorporate real-time alerts so small issues are flagged and can be addressed quickly. This integrated approach will ensure nth-party risk management is a practical shield against real-world failures.
  • To get started: Invite the CISOs of the most critical suppliers to a collaborative risk roundtable. Focus on identifying potential single points of failure and concentration risk, agreeing on escalation channels, and scheduling joint incident response drills.

In a world where supply chain vulnerabilities frequently make headlines, being prepared is not just a “nice to have”—it’s an imperative. Decision-makers who speedily identify high-priority areas, clarify contractual obligations, and establish deeper collaborations with their most critical suppliers not only embed resilience into their most critical operations but also create competitive advantage. Moreover, the process doesn’t need to be onerous. Leading companies have shown that a risk-based approach can significantly improve third-party risk resilience in less than 12 weeks, as they move from merely identifying risks to actively mitigating business-critical risks across the organization.
