Most enterprises are operationally dependent on a broad third-party ecosystem that must be equally resilient in the face of disruption.
No business is an island. While that has always been true, the digital transformation race has accelerated corporate interdependence at a faster rate than many organizations’ ability to manage the resulting third-party risk.
Often, companies don’t fully realize how interconnected they are until an IT outage or other disruption freezes their business operations. That’s when they fully appreciate the value of resilience and business continuity—but, as with all risk management, it’s better to proactively plan, prepare, and stay ahead of potential disruptions.
Becoming a digital-first organization today requires sharing data on a near-constant basis throughout a complex, connected ecosystem of third-party companies, many of which have direct access to your business systems. Key processes are outsourced, software updates are pushed automatically by vendors, and edge computing has decentralized architectures to such a degree that it is challenging to keep track of critical data, let alone secure it.
This data fluidity between third, fourth, and fifth parties is efficient and necessary, but it means that your critical processes may be in another company’s hands, and every additional hand multiplies the opportunities for systems and data to be compromised. Your security is only as strong as the weakest link in your broader ecosystem of partners, vendors, suppliers, cloud providers, SaaS companies, internet of things (IoT) device manufacturers, and other relationships.
None of this argues for abandoning “as a service” solutions. In fact, companies are pushing harder than ever into software as a service, platform as a service, and infrastructure as a service to lower their overhead. It does argue strongly for a parallel investment in resilience.
With cloud and digital technologies creating hyperconnected, multi-partner ecosystems, there’s new willingness to proactively address the associated risk. Automation will continue to play an important role in activating appropriate corrective measures in these environments across third, fourth, and fifth parties.
Kyle Kappel
Cyber Security Leader, KPMG US
Building resilience is a multi-pronged process. Regulatory and policy instruments such as the US executive orders on supply chains or the EU’s Digital Operational Resilience Act (DORA) can help. Clear security obligations across all participants in these complex ecosystem structures can help. Vetting each potential vendor’s resilience policies at the contract negotiation stage, as well as the resilience built into every accessible product and service, can help. And making better use of resilience-ratings companies to supplement point-in-time assessments can help.
Specifically, businesses need to intensify their scrutiny of third-party vendor practices and integrate resilience into day-to-day operations:
Many companies are looking at machine-readable assessment formats, which help organizations think about third-party risk assessment as part of continuous controls-monitoring. The mindset here is no longer just compliance-based, it’s now primarily operations-based. Existing third-party risk programs in virtually every industry largely aren’t prepared for this transition.
Marcus Murph
Principal, CIO Advisory, KPMG US
While prevention is the primary goal, the complexity, decentralization, and interdependence of today’s business ecosystems mean that some disruptions are inevitable. An open network is inherently a vulnerable network: some risks cannot be anticipated, and for others the diligence required to manage them may simply be too time-consuming and costly to make business sense.
For those residual cases, organizations need to focus on business continuity plans that limit the impact, maintain operational capabilities, preserve customer trust, recover quickly, and reduce the effects of future incidents. The key goal is sustaining essential functions and core revenue-generating business processes during an incident.
Where resilience is strategic, focusing on the ability to adapt to and weather disruptive incidents, business continuity highlights the processes and procedures an organization follows to maintain operations during an incident when multiple business areas and tangential stakeholders may be in panic mode. That includes determining which business processes truly are mission critical and understanding how they function vis-à-vis your network, testing recovery processes to verify that value chains can be quickly restarted following a disruption, investing in redundancy, enhancing transparency, and preparing coordinated response plans.
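As an added illustration, not part of the KPMG article, the following Python script shows one way to combine two of the ideas above: treating vendor assessments as machine-readable input that can be re-evaluated continuously rather than once at contract time, and walking third-, fourth- and fifth-party dependencies to find the weakest link behind each mission-critical process. The process names, vendor names, control identifiers, attestation data and the freshness threshold are all constructed for the example; the assessment structure is a deliberate simplification and does not follow any particular standard format.

```python
"""Hypothetical third-party resilience check (example code, not KPMG's own).

Walks each critical process's supplier chain (third, fourth, fifth parties)
and reports every supplier whose required resilience controls are missing,
failed, or backed by evidence older than the freshness threshold."""
from collections import deque
from datetime import date, timedelta

# Constructed sample data: which direct vendors each critical process relies on.
PROCESSES = {
    "order-fulfilment": ["logistics-saas"],
    "payroll": ["payroll-saas"],
}

# Constructed sample data: each vendor's own critical suppliers, as declared
# in its assessment. These are your fourth and fifth parties.
VENDOR_DEPENDENCIES = {
    "logistics-saas": ["cloud-provider-a"],
    "payroll-saas": ["cloud-provider-a", "identity-idp"],
    "cloud-provider-a": [],
    "identity-idp": ["cloud-provider-b"],
    "cloud-provider-b": [],
}

# Constructed machine-readable attestations: control id -> (status, evidence date).
ASSESSMENTS = {
    "logistics-saas": {
        "bcp-tested": ("pass", date(2024, 3, 1)),
        "backup-restore": ("pass", date(2024, 2, 15)),
    },
    "payroll-saas": {
        "bcp-tested": ("pass", date(2024, 5, 1)),
        # "backup-restore" is absent: the vendor never attested to it.
    },
    "cloud-provider-a": {
        "bcp-tested": ("pass", date(2024, 6, 1)),
        "backup-restore": ("pass", date(2024, 6, 1)),
    },
    "identity-idp": {
        "bcp-tested": ("fail", date(2024, 4, 1)),
        "backup-restore": ("pass", date(2024, 4, 1)),
    },
    "cloud-provider-b": {
        "bcp-tested": ("pass", date(2022, 1, 10)),
        "backup-restore": ("pass", date(2022, 1, 10)),
    },
}

REQUIRED_CONTROLS = ("backup-restore", "bcp-tested")  # hypothetical control ids
MAX_EVIDENCE_AGE = timedelta(days=365)  # assumed freshness threshold
TODAY = date(2024, 9, 1)  # fixed "as of" date so the example is reproducible


def transitive_suppliers(vendors, dependencies):
    """Breadth-first walk from the direct vendors outwards.

    Returns {vendor: depth}, where depth 1 is a third party, 2 a fourth
    party, and so on. The depth map doubles as a visited set, so cycles in
    declared dependencies terminate and each vendor keeps its nearest depth."""
    depth = {}
    queue = deque((v, 1) for v in vendors)
    while queue:
        vendor, d = queue.popleft()
        if vendor in depth:
            continue
        depth[vendor] = d
        for sub in dependencies.get(vendor, []):
            queue.append((sub, d + 1))
    return depth


def control_findings(vendor, assessments, today, max_age=MAX_EVIDENCE_AGE):
    """Check one vendor's attestations against the required controls.

    Each finding is (control, reason) with reason 'missing', 'failed', or
    'stale' (evidence older than max_age, i.e. a point-in-time answer that
    has aged out of a continuous-monitoring view)."""
    findings = []
    attested = assessments.get(vendor, {})
    for control in REQUIRED_CONTROLS:
        if control not in attested:
            findings.append((control, "missing"))
            continue
        status, evidence_date = attested[control]
        if status != "pass":
            findings.append((control, "failed"))
        elif today - evidence_date > max_age:
            findings.append((control, "stale"))
    return findings


def process_exposure(process, today=TODAY, processes=PROCESSES,
                     dependencies=VENDOR_DEPENDENCIES, assessments=ASSESSMENTS):
    """List every supplier in the process's chain with a finding, nearest first.

    Each entry is (vendor, depth, findings); suppliers with no findings are
    omitted, so an empty list means the whole chain currently looks sound."""
    depths = transitive_suppliers(processes[process], dependencies)
    exposure = []
    for vendor, d in sorted(depths.items(), key=lambda item: (item[1], item[0])):
        findings = control_findings(vendor, assessments, today)
        if findings:
            exposure.append((vendor, d, findings))
    return exposure


if __name__ == "__main__":
    for name in PROCESSES:
        print(name, process_exposure(name))
```

Run as-is, the script reports nothing for order-fulfilment but three exposures for payroll: the direct vendor never attested to backup and restore, a fourth-party identity provider failed its continuity test, and a fifth-party cloud provider's evidence is more than a year old. Re-running the same evaluation whenever an assessment or dependency declaration changes is the shift from point-in-time compliance to operations-based monitoring that the section describes.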
Recent events have highlighted the degree to which companies in today’s digital economy are linked. When a key supplier sneezes, your entire network catches a cold. Every company working within this environment needs rigorous resilience and business continuity plans. But, just as importantly, those plans need to be deployed throughout your entire network.
At KPMG, we understand connections and have experience across the continuum—from the boardroom to the data center—to help you identify sources of risk across business relationships. Our approach is holistic, continuous, and heavily invested in next-generation technology that not only helps us remain a step ahead of threats but also integrates resilience and business continuity throughout the business lifecycle. Because, in a hyperconnected business world, we all have a responsibility to protect our partnership ecosystem.