Third-Party Risk: Moving Beyond Checklist Compliance
By Marylen Ramos-Velasco
The greatest threat to your organization may not be within your walls but embedded in your supply chain. A recent panel of experts reveals how modern third-party risk management requires continuous vigilance, not annual check-ups.
In an increasingly interconnected digital ecosystem, third-party relationships have evolved from convenient outsourcing solutions to critical nodes in an organization's operational and security fabric. A recent panel discussion featuring senior leaders in cybersecurity, operational risk, and privacy highlighted a stark reality: traditional annual vendor assessments are no longer sufficient. As businesses race toward digital transformation, leveraging cloud services and AI-powered tools, they simultaneously expand their attack surface and dependency on external entities.
The conversation, featuring experts like Sharvind Appiah, Ruth Mary Calamba, Jay-Ar Garcia, and Neil Templeman, centered on shifting from reactive compliance to proactive resilience. Their collective insight points toward a future where vendor risk is managed with the same intensity and continuity as internal security—because in the eyes of regulators and customers, the risk is not transferable. It remains firmly on your balance sheet.
The Foundation: Why Third-Party Programs Fail
A common thread emerged early in the discussion: many third-party risk management programs are set up to fail. According to Ruth Mary Calamba, a senior operational risk leader, the fundamental flaw often lies in disconnection. Programs treat vendor assessments as isolated compliance tasks rather than integrating them with core business processes and strategic objectives.
Neil Templeman expanded on this, highlighting a critical tension organizations face: balancing commercial pressure for speed against the need for resilience. He noted that third-party onboarding is frequently tied directly to revenue generation or market expansion. Delays in the risk assessment process can therefore have severe financial consequences, creating internal pressure to cut corners. His solution reframes the entire conversation: "I'd like to see companies start to think about this from the lens of revenue and continuity protection and not just risk reduction." When security enables business velocity rather than hindering it, it gains crucial board-level support and funding.
The AI Imperative: New Risks Demand New Vigilance
The panel dedicated significant attention to the transformative—and risky—role of Artificial Intelligence. Sharvind Appiah outlined several AI-specific risk indicators that barely existed three years ago but now demand scrutiny:
Model Integrity: Organizations must challenge vendors on the accuracy and failure rates of their AI models. "We have seen a lot of cases recently where AI-generated content was not reliable," Appiah noted, pointing to issues like "hallucination" where models invent false information.
Data Provenance: The data used to train AI models is often a black box. Risks include the use of data with unclear intellectual property rights, ethically questionable sources, or inherent biases that will be baked into the automated decisions affecting your business.
Vendor Lock-in: AI platforms can create profound operational dependency. Appiah warned organizations to consider their flexibility to shift providers if a model underperforms or the relationship sours, avoiding a new form of technological captivity.
Regulatory Alignment: With regulations like the EU's AI Act now in force, vendors must demonstrate ethical development and deployment practices. Organizations are accountable for ensuring their providers' AI systems comply with these emerging legal frameworks.
The Contractual Safety Net: What Makes the Difference When Breaches Occur
When incidents inevitably occur, the quality of your vendor contracts determines the speed and effectiveness of your response. Jay-Ar Garcia emphasized that overlooked contractual clauses become painfully apparent during a crisis. Two areas are paramount:
Timely Notification: Contracts must specify exact notification timelines and the scope of information required immediately following a breach. Vague language leads to delays that compound regulatory and reputational damage.
Investigation Readiness: "We need to make sure that all the information during the investigation process are readily available," Garcia stressed. This includes explicit clauses requiring vendors to promptly produce logs, forensic reports, and root-cause analyses. Waiting days for this data from a vendor can cripple your ability to meet mandatory reporting deadlines to customers and regulators.

The Magic Wand Blueprint: Envisioning the Ideal Program
The panel’s collective "magic wand" wishes form a powerful blueprint for the future of third-party risk management:
Neil Templeman's Wand: Aligned, Testable, and Evidenced. Neil’s vision calls for a tight alignment between an organization's internal risk scoring and the real-world business impact of a vendor failure. He advocates for establishing the "right scenarios" that can be logically tested—such as simulating a core AI model’s failure or a cloud provider’s outage—and generating concrete evidence of continuous monitoring to prove preparedness, not just intent.
Ruth Mary Calamba's Wand: Continuous Visibility. Ruth emphasized moving from annual reviews to continuous visibility of a vendor’s security posture, with evidence gathered before an incident to demonstrate proactive oversight.
Jay-Ar Garcia's Wand: Accountability and Verification. Jay-Ar called for clear, single-point accountability for each critical vendor, moving due diligence from "trust" to "trust but verify" by validating questionnaire answers.
Sharvind Appiah's Wand: Harmonized Automation. Sharvind wished to eliminate the "painful" overhead of disparate questionnaires by harmonizing and automating due diligence, allowing teams to focus on risk analysis over administrative tasks.
Building Your Defensible Position
The panel's unanimous conclusion is that third-party risk is not transferable. The accountability rests with you. Building a defensible program means integrating three principles:
Business-Integrated Assessment: Link every vendor review directly to the business processes and revenue streams it supports.
Proactive, Continuous Monitoring: Especially for AI-driven vendors, implement ongoing checks for model drift, data integrity, and performance against agreed-upon risk indicators.
Preparedness Through Testing: Contract for breach response, define decision-makers, and—as Neil Templeman advised—regularly test your logical scenarios through tabletop exercises with key vendors.
The transition from static compliance to dynamic resilience is not just a security imperative; it is a strategic business necessity for 2026 and beyond.
Join us at the Cyber Resilience Summit on 16-17 April 2027 in Manila, Philippines, and/or on Zoom Events. Together we can strengthen cyber resilience.