RESEARCH TO HELP YOU ADD THE Q
CRFQ OPTIXX HUB:
TPRM 2.0: OPTIXX RESEARCH NOTE
Third-party risk programs today are underfunded and under-resourced. As a result, only 2-10% of third parties are actively monitored. Third-party risk management is centered on audit and compliance controls when it needs to be focused on risk analysis and finance. The result of this approach is an output that is subjective, prone to bias, inconsistent and limited. Third-party reports generally identify a risk rating (high, medium or low) for a partner, which has limited practical value.
A new approach (what we're calling TPRM 2.0) is required, one that evolves the third-party engagement process from controls documentation to risk scenario analysis that provides financial impact visibility. Identifying and executing specific risk scenarios, such as external threat actors targeting business disruption, drives critical conversations around resilience and ultimately joint resilience testing.
Merck v Ace Insurance: OPTIXX RESEARCH NOTE
Following the 2017 NotPetya malware attack, global industries experienced >$10B in losses. In the research note below, you can find our expert analysis of what occurred, as well as the lasting fallout in the form of the “Cyber War” exclusion in insurance claims.
While it’s certainly true that it’s not possible to predict every attack vector, by applying the principles of quantitative analysis it’s possible to put a number on risk and make your organization safer at the outset.