
Enhancing board reporting and defining information required to communicate risk
Karina Volvovsky, Senior Vice President, Business Control Officer for Entertainment, City National Bank
Below is an insight into what can be expected from Karina’s session at Vendor & Third Party Risk USA.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
-
Why is it important for organizations to evolve third-party risk management programs to effectively address emerging strategic risks, such as those related to geopolitics, cloud concentration, resilience, and data protection?
Strategic third-party risks (risks that can impact the achievement of strategic objectives), such as geopolitical, concentration and cloud adoption, cannot be addressed by a traditional, process-driven Third Party Risk Management Program. The process-driven approach (screening, due diligence, ongoing monitoring, etc.) is necessary but not sufficient. To gain clarity on strategic risks, there is a need to step back from the process and determine the types of trade-offs your organization is willing to take when engaging third parties as a whole. Third party risk management programs need to evolve in a manner that allows for these broader, holistic risk conversations to happen, outside the process-driven, vendor-by-vendor risk assessment approach.
-
What are some key ways in which emerging strategic risks impact third-party risk management, and how can organizations identify and prioritize these risks effectively?
Usually, strategic risks only surface when it is too late: either the risk has materialized (e.g., realizing you have a concentration risk only after an outage) or it is discovered during the procurement process, causing disruptions to timelines or requiring costly workarounds. To effectively manage these risks proactively there are certain prerequisites, which include a data-driven view of your vendor risk profile, alignment to the organization’s outsourcing strategy, and the right governance in place to make balanced, risk-informed decisions on your organization’s approach to third party risk.
-
Why is it important to approach strategic risks in third-party relationships holistically, and how does this comprehensive perspective enhance risk management effectiveness?
Strategic third party risks need to be approached holistically because they are not risks limited to specific vendors. As a result, they are difficult to identify and manage in isolation, because they exist in relation to the third party environment as a whole, both inside and outside the organization. For example, the question is not simply whether a particular third party’s cloud environment is secure, but whether this third party’s use of cloud introduces potential concentration risks in relation to other cloud service providers used by the organization. The ability to articulate your organization’s approach to these risks as overarching principles of the organization’s outsourcing strategy (i.e., Risk Appetite) effectively informs both procurement and the downstream risk assessment processes.