
Third-Party Risk, Resilience and Regulation: Building a Stronger Operational Framework (Meet-the-Expert, May 2026, Part 2)

This is Part 1 of our summary for the Meet-the-Expert May 2026, reflecting insights from the recent webinar, which concluded on May 14, 2026, featuring guest speaker Anthony Lim.

Anthony brings 28 years of experience in the financial services sector, with a strong focus on risk management and compliance.

This is Part 2 of the summarised presentation for the Meet-the-Expert Webinar.

Part 2: Building Resilience Beyond Due Diligence: Why Backup Plans Matter

Strong due diligence is important, but it is not enough. Outages, cyber attacks, and vendor failures continue to happen despite certifications and controls. So what separates resilient organisations from vulnerable ones? This part explores why resilience is built not by trusting vendors, but by preparing for their failure.

This is Part 2 of the summarised presentation from the Meet-the-Expert Webinar, featuring insights from Anthony Lim.

Moh Heng Goh


Introduction

In Third-Party Risk, Resilience and Regulation: Building a Stronger Operational Framework, Anthony Lim continues his discussion of the importance of due diligence. Outages, cyber attacks, and vendor failures continue to happen despite certifications and controls. What separates resilient organisations from vulnerable ones?

Many organisations assume that robust due diligence will prevent third-party incidents.

Experience suggests otherwise.

Despite extensive assessments, certifications, controls, and regulatory oversight, outages continue to occur. Cloud failures, ransomware attacks, vendor cyber breaches, technology migration failures, and service disruptions regularly impact organisations around the world. The lesson is straightforward:

Risk assessments alone do not create resilience.

Preparedness does.

The presentation highlighted that organisations increasingly depend on a concentrated ecosystem of service providers. Whether cloud platforms, operating systems, AI services, or technology infrastructure, dependency concentration creates unavoidable systemic risk.

Even highly resilient providers may fail.

Therefore, resilience planning becomes the final line of defence.

A major theme throughout the presentation was that due diligence should never become a checklist exercise. Certifications alone do not guarantee security or resilience. Organisations must move beyond collecting reports and begin evaluating underlying details.

Questions organisations should ask include:

  • Does the vendor maintain tested Business Continuity Plans?
  • When was the last Disaster Recovery exercise performed?
  • Are Recovery Time Objectives (RTO) aligned with organisational requirements?
  • Are crisis management protocols established?
  • Are unresolved audit findings addressed?

Particular attention should be given to emerging AI-related risks.

As AI becomes embedded within business applications, due diligence now extends beyond traditional cyber controls. Organisations should assess:

  • AI governance and accountability
  • Data lineage and quality
  • Training data usage practices
  • Explainability and transparency
  • Dependency on AI providers
  • Compliance with emerging AI regulations and standards

Beyond due diligence, crisis preparedness remains essential.

The presentation introduced four stages of crisis-resilient vendor management:

1. Prevention

Pre-event planning, criticality mapping, and joint preparation.

2. Detection

Real-time monitoring and impact assessment.

3. Response

Rapid decision-making supported by vendor coordination.

4. Recovery

Post-incident review and reassessment of risk posture.

Organisations should also strengthen resilience through:

  • Integrated vendor mapping linked directly to Business Impact Analysis
  • Joint tabletop exercises involving key vendors
  • Contract clauses defining crisis notification windows
  • Tested crisis management communication playbooks


The presentation concluded with one of its strongest observations:

Resilience fails when a vendor crisis becomes your crisis.

Customers do not differentiate between your systems and your vendors.

When disruptions occur, accountability remains with your organisation.

True resilience, therefore, is not built by trusting third parties.

It is built by preparing for their failure.


This is Part 2 of the two-part summary of Anthony Lim's presentation during BCM Institute's Meet-the-Expert webinar. The webinar is summarised by Dr Goh Moh Heng, President of the BCM Institute. If you have any questions, please speak to the author.
