[MTE] [May 2026] [P2] Third-Party Risk, Resilience and Regulation: Building A Stronger Operational Framework

Part 2: Building Resilience Beyond Due Diligence: Why Backup Plans Matter

Introduction

“Third-Party Risk, Resilience and Regulation: Building a Stronger Operational Framework,” Anthony Lim continues his sharing on the importance of due diligence. Outages, cyber attacks, and vendor failures continue to happen despite certifications and controls. What separates resilient organisations from vulnerable ones? 

Many organisations assume that robust due diligence will prevent third-party incidents.

Experience suggests otherwise.

Despite extensive assessments, certifications, controls, and regulatory oversight, outages continue to occur. Cloud failures, ransomware attacks, vendor cyber breaches, technology migration failures, and service disruptions regularly impact organisations around the world. The lesson is straightforward:

Risk assessments alone do not create resilience.

Preparedness does.

The presentation highlighted that organisations increasingly depend on a concentrated ecosystem of service providers. Whether cloud platforms, operating systems, AI services, or technology infrastructure, dependency concentration creates unavoidable systemic risk.

Even highly resilient providers may fail.

Therefore, resilience planning becomes the final line of defence.

A major theme throughout the presentation was that due diligence should never become a checklist exercise. Certifications alone do not guarantee security or resilience. Organisations must move beyond collecting reports and begin evaluating underlying details.

Questions organisations should ask include:

• Does the vendor maintain tested Business Continuity Plans?
• When was the last Disaster Recovery exercise performed?
• Are Recovery Time Objectives (RTO) aligned with organisational requirements?
• Are crisis management protocols established?
• Are unresolved audit findings addressed?

Particular attention should be given to emerging AI-related risks.

As AI becomes embedded within business applications, due diligence now extends beyond traditional cyber controls. Organisations should assess:

• AI governance and accountability
• Data lineage and quality
• Training data usage practices
• Explainability and transparency
• Dependency on AI providers
• Compliance with emerging AI regulations and standards

Beyond due diligence, crisis preparedness remains essential.

The presentation introduced four stages of crisis-resilient vendor management:

1. Prevention

Pre-event planning, criticality mapping, and joint preparation.

2. Detection

Real-time monitoring and impact assessment.

3. Response

Rapid decision-making supported by vendor coordination.

4.  Recovery

Post-incident review and reassessment of risk posture.

Organisations should also strengthen resilience through:

• Integrated vendor mapping linked directly to Business Impact Analysis
• Joint tabletop exercises involving key vendors
• Contract clauses defining crisis notification windows
• Tested crisis management communication playbooks

The presentation concluded with one of its strongest observations:

Resilience fails when a vendor crisis becomes your crisis.

Customers do not differentiate between your systems and your vendors.

When disruptions occur, accountability remains with your organisation.

True resilience, therefore, is not built by trusting third parties.

It is built by preparing for their failure.

This is Part 2 of the two-part summary of Anthony Lim's presentation during BCM Institute's Meet-the-Expert webinar.  The webinar is summarised by Dr Goh Moh Heng, President of the BCM Institute.

Dr Goh Moh Heng, President of BCM Institute, summarises this webinar. If you have any questions, please speak to the author.