Overcoming Risks Associated with Third-Party Engagement: Strategies for Better Management

In today’s business environment, organisations are increasingly reliant on external partners — cloud service providers, SaaS vendors, supply chain participants and contractors. While such an ecosystem can accelerate innovation, it also amplifies risks. According to the International Data Corporation (IDC), almost a third of companies recognise third-party risk management as one of the weakest areas of their operations. This creates additional threats that, in many cases, could have been avoided.

Why are third-party risks increasing?
  • Growing interdependence: Each new partner represents an additional “entry point” into your organisation. There are well-documented cases of contractors being the source of large-scale cyberattacks, resulting in financial and reputational losses.
  • Global challenges: Geopolitical tensions, supply chain disruption, the aftermath of the COVID-19 pandemic, trade restrictions and regulatory changes disrupt stability in supplier relationships, particularly for companies with an international presence.
  • Expanded attack surface: Large-scale data exchange extends beyond the enterprise, which complicates control.

Typical management issues
  • Responsibility for risks is often divided among the procurement, IT and security teams without clear coordination.
  • Supplier assessments usually occur only during onboarding, while subsequent monitoring is limited to formal questionnaires or annual audits, which are insufficient to address modern threats.

How to build a resilient third-party risk management program?
1. Before onboarding a partner:
  • Conduct thorough due diligence and categorise suppliers based on their criticality.
  • Include clear requirements in contracts and SLAs, involving the legal and procurement teams to define accountability.
  • Train partners on security policies and establish clear expectations.
  • Diversify suppliers (e.g., through nearshoring or friendshoring) to reduce reliance on high-risk regions.
2. During collaboration:
  • Transition from annual reviews to continuous monitoring using analytics, automation and AI.
  • Implement shared standards (ISO, NIST, GDPR, HIPAA) to enhance trust.
  • Utilise regular audits, joint training, and outcome-oriented metrics (fewer incidents, faster detection and response).
3. After collaboration ends:
  • Revoke access, delete or return sensitive data and ensure all obligations are fulfilled.
  • Analyse the collaboration experience and incorporate the lessons into future processes.
  

As business networks expand, third-party risks will continue to increase, but this should not hinder innovation. With effective management, continuous monitoring and robust relationships with partners, companies can protect themselves and strengthen trust among clients and partners. Effective risk management is essential for ensuring growth, innovation and preparedness for future challenges.

Do you need assistance with third-party risk management or cybersecurity? Contact our team at BDO in Ukraine and we will help you develop a robust and secure business model.
 


Key Findings:

  • Business dependence on external partners is growing significantly, increasing risks through contractors, cloud service providers, SaaS providers, and supply chain participants: nearly a third of companies recognize this as one of the biggest weaknesses in their operations.
  • Typical third-party risk management issues arise from fragmented responsibility between IT, security, and procurement, as well as insufficient monitoring of suppliers after establishing cooperation.
  • An effective third-party risk management program covers three key stages:
    ➤ thorough verification and classification of partners before they join,
    ➤ continuous monitoring during cooperation using analytics and security standards,
    ➤ clear actions after cooperation ends: revoking access and analyzing the results for future processes.

Key Contact

Andrii Borenkov, CFA

Partner, Head of Advisory