About the author

Andrew Wright

Head of TPRM Product

Andrew Wright is Head of TPRM Product, and first joined Thomas Murray in 2002 as a Business Analyst. Andrew is responsible for working with our clients and developers to research the market for TPRM solutions, and to drive the roadmap for our leading Orbit Risk platform for monitoring third and fourth parties through due diligence, cyber security, and risk intelligence capabilities.

You could be forgiven for thinking that modern business security is, by default, a high-tech affair. Any number of films and TV shows would have us believe that even the humble high street bank protects its valuables and data with retinal scans and servers locked away in rooms rigged with motion-sensitive booby traps.

The truth, of course, is less exciting – and a lot less reassuring. Most firms are vulnerable to threat actors who don’t even come close to having the skills and tools at the disposal of the Mission: Impossible team.

No matter how good a firm is at managing its own data and IT security, one of its third parties could be an unlocked back door. That’s why, for most firms, the vulnerabilities in their attack surfaces come from their lack of proper third-party due diligence.

Some of the more common barriers to getting third-party due diligence right include:

  • Reliance on legacy systems: When your team is comfortable using a system that (barely) continues to serve its intended function, it can be tempting to stick with it for the sake of familiarity – even as it becomes increasingly difficult to integrate with other systems, and the cost of maintaining it starts to mushroom.
  • Failing to use automation: There is only so much that a spreadsheet and an emailed questionnaire can do. Even small organisations will have many third parties to deal with, so it’s easy to lose track of who knows what about them, and where that knowledge is recorded. In the right (or wrong) circumstances, a simple question like, “Who owns that file, and when was it last updated?” can assume grave significance. Which brings us to…
  • ‘Hidden’ outsourcing: Third-party suppliers are one of the easiest things for a firm to lose sight of, particularly those engaged on an irregular or as-needed basis. Complicating this picture are so-called ‘fourth parties’, the providers that a firm’s own third parties use. And those fourth parties will have their own vendors – and so on, and so on. It might be time to start talking about “multi-party risk management” instead.
  • Regulation: In regulated industries, it can be tough to stay on top of all the rule changes in each market and what’s needed to remain compliant. It is therefore essential that onboarding questionnaires are revised regularly to ensure they remain fit for purpose, and that the third-party network is continuously and accurately monitored.

Third-party risk management – Mission: Possible

Fortunately, there is technology available that can assist you in all these areas, and no rock-climbing experience or parachutes are required. Talk to us today about how Orbit Diligence can improve the efficiency and effectiveness of your third-party risk management.
