Conversations Around Where Third-Party Risk Starts to Break in Practice
Expert discussions, podcast conversations, operational observations, and research focused on third-party risk, operational resilience, supplier dependency, and governance.
Watch the key clips
Short on time? Get the highlights from this episodes in minutes.
Meet Arina Razmyslovich
Most third-party risk programmes are built around structured assessments, security ratings, and documented controls.
But what if some of the most valuable risk indicators sit outside those traditional sources?
In an upcoming episode of the Extended Supply Chain Conversations Podcast, I sat down with Arina Razmyslovich from DN Institute to discuss public signals in Third-Party Risk Management and how organisations can identify early warning signs before they become incidents.
The conversation explores operational signals, workforce indicators, organisational stress, and why some risks become visible long before they appear in formal assessments.
A fascinating discussion and one that challenged several assumptions we have about vendor monitoring.
More to come soon.
Intro to Public Signals in TPRM
What if we’re measuring the wrong things in TPRM?
Most organisations have access to security ratings, assessment results, control evidence, and monitoring platforms.
Yet major third-party incidents still catch firms by surprise.
One of the more interesting observations from my recent discussion with Arina Razmyslovich was that many warning signs are often publicly visible long before a breach occurs.
The challenge isn’t always data availability.
It’s knowing where to look and recognising which signals matter. That raises an uncomfortable question.
If the warning signs were already visible, why didn’t we act on them?
We’ll explore that in more detail in the upcoming episode.
Importance of Public Signals in TPRM
A vendor can maintain excellent security ratings and still be heading towards operational failure.
That’s one of the strongest takeaways from my recent conversation with Arina Razmyslovich.
Employee reviews describing security team burnout. Discussions about slow incident response. Operational complaints appearing across public forums.
The signals can be visible, documented, and freely available months before a major incident occurs.
The question isn’t whether the information exists. The question is whether our current TPRM models are designed to see it. Perhaps the biggest challenge isn’t a lack of data. Perhaps it’s that we’re still measuring the wrong things.
Full discussion coming soon.
Meet Elizabeth Dunsmoor
One of the recurring themes in third-party risk is that some of the biggest disruptions don’t originate inside the vendor relationship itself.
In an upcoming episode of the Extended Supply Chain Conversations Podcast, I sat down with Elizabeth to discuss geopolitical risk, supply chain exposure, and why organisations are increasingly being affected by events that sit far outside traditional TPRM frameworks.
From sanctions and trade restrictions to data residency and geopolitical instability, we explored how external events can quickly create operational consequences for critical services.
A fascinating discussion and one that challenges how many organisations should be thinking about resilience.
More to come soon.
The Blind Spot
A vendor appears as “low risk” in the register. Controls were reviewed. Due diligence was completed. Risk rating was approved.
Then, sanctions hit the region they operate in. Nothing changed about the vendor. But your service was disrupted overnight. And here is where that blind spot sits.
Most TPRM frameworks are designed to assess vendors. Far fewer are designed to assess the environment around them.
And increasingly, that’s where some of the biggest risks are emerging. Unfortunately, the IRQ approach that you hold so close to your heart, isn’t reflecting the real world. And the real world – as discussed in the podcast – is #armed, #dangerous and doesn’t care about your #SLAs.
We’ll be exploring this in an upcoming discussion on geopolitical risk and operational resilience.
The World Doesn't Care About Your Vendor Register
The real world doesn’t care how your vendor inventory is organised.
A political decision made thousands of miles away can impact a critical service overnight. A trade restriction can disrupt a supplier dependency.
A change in data sovereignty rules can alter where information can legally be stored.
None of these events start with the vendor. Yet they can still become your problem.
One of the strongest themes from my recent discussion with Elizabeth was that resilience increasingly depends on understanding the broader ecosystem around suppliers, not just the suppliers themselves.
Full conversation coming soon.
The Resilience Question
Most organisations can identify their critical vendors.
The harder question is understanding what happens when the environment around those vendors changes unexpectedly.
A) Jurisdictions. B) Supply chain dependencies. C) Concentration risk. D) Data residency. E) Geopolitical exposure.
These factors rarely appear neatly inside a risk register, yet they increasingly influence operational resilience.
A question we explored during a recent podcast discussion: If a geopolitical event affected one of your critical vendors tomorrow, could you identify which services would be impacted within the first hour?
That’s where resilience starts to become very real. Full discussion coming soon.