How to Respond to the Evolving Nature of Enterprise Risk


Businesses are more reliant than ever on third-party relationships to achieve their goals. In fact, the third-party supplier ecosystem of most enterprises, regardless of industry, is only getting more complex. Companies need third-party vendors, but in relying on them they expose themselves to a great deal of risk.

The rapid adoption of digitization and software-as-a-service technologies allows companies to move quickly, adapt to the market, and, on the most basic level, compete. But the nature of these technologies is that they require the exchange of data between the business and its third-party providers. The pressure from consumers and businesses for better protection of their personal and confidential information is growing. Every data breach in the news, and every new regulation or regulatory regime with a potentially hefty fine (e.g., GDPR, CCPA, NYDFS, OCC, PCI, HIPAA), raises the urgency.

For some time, enterprises have simply monitored their supplier landscape and conducted periodic, point-in-time risk assessments, which has been more or less effective for simpler ecosystems. Today, this is no longer enough. Fragmented third-party risk management programs cannot give companies a holistic view of their provider relationships or of the threats to supply-chain integrity.

In many enterprises, multiple risk-domain support groups are running independent, parallel provider-risk management efforts. Companies often lack a centralized repository for contextual relationship information – including everything from contract terms and conditions to contract deliverables, contract metadata, subcontractor information and service delivery location information – contributing to inefficiencies and ineffectiveness. On top of that, there is typically inconsistent use of technology to provide continuous information to stakeholders regarding third-party-related threats and a lack of adequate third-party risk management resources to manage the growing demands associated with expanded organizational and regulatory requirements.

Enterprises today must proactively monitor their entire landscape, including both operational performance and financial viability of their suppliers and a range of other internal and external risks, including data security, regulatory issues, adverse environmental, health and geopolitical events, and social responsibility, diversity and inclusion considerations.

Monitoring suppliers in real time can bring important insights and spur preemptive action. For example, an enterprise that is testing a software-as-a-service (SaaS) application to incorporate into a consumer-facing service should monitor the financial viability of the SaaS provider. If the provider has over-extended its financial position, that brings significant risk to the longevity of the SaaS application. In another example, public enterprises in Australia and Europe must monitor their supply chain to comply with new regulations regarding modern slavery. "We were not aware" is no longer a viable defense, and companies are being held financially liable for infractions in their supply chains. This means they must monitor adverse news on all their suppliers to reduce the risk of financial penalties and to maintain their own social responsibility.

CIOs and CSOs can lose sleep over the many red flags that are missed in the deluge of data generated every day. They need a more effective way to automate and manage their ever-growing portfolio of software and services contracts and to understand potential risks to their supply chain, risks that have been amplified by the COVID-19 pandemic. They need the right information sent to the right team with a clear record of accountability and follow-through. But many companies are struggling to augment "point in time" supplier risk management methods with external monitoring services that provide continuous market intelligence. Only then can they mitigate risk and prove to regulators and other stakeholders that they have evaluated and acted on information in a timely way.

ISG GovernX® is the industry's only vendor compliance and risk management platform that integrates contract information, strategic relationship management and real-time risk monitoring and alerts to proactively mitigate business risks as they emerge. Users can now add a variety of external data feeds to the platform for an unparalleled view of all potential risks, both within their specific supplier ecosystem and from the broader marketplace. Intelligent workflows identify and categorize each risk, alert the appropriate functions, and trigger automated responses, including targeted risk assessments of the suppliers involved.

Combined with our internal supplier performance monitoring, ISG GovernX clients now have a complete inside-out and outside-in view of each supplier’s operational performance, how it is meeting its contractual obligations, and how risks in the supplier’s business and in the broader marketplace can impact overall service and supply chain integrity.


About the author

Lois Coatney

What she does at ISG

Lois Coatney has been the ideal guiding advocate for her Fortune 500 clients, whom she has consistently helped get the most value out of their service providers and supply bases. That’s because, for more than two decades, Lois was the service provider. Today, as Partner and President EMEA Sales and Consulting, she is central to driving the firm’s revenue and growth.

Past achievements for clients

Throughout her career, Lois has advised clients on the operating models and organizational designs that will enable them to work most effectively. She brings that experience to her current role, where she considers how the firm can put its best foot forward to sell its services across the European market. Pairing her expertise in contracting and supplier management and her deep understanding of clients’ needs with the unique breadth and depth of ISG capabilities, Lois works to strengthen client relationships and enhance the firm’s offerings.