Skip to main content

Embedding resilience to manage rising third-party risks

Is your health care organization prepared?

An increasing number of disruptive events involving third parties is driving heightened attention to operational resilience and cybersecurity among government agencies and regulating bodies, thereby increasing pressure on health care organizations to enhance their third-party risk management (TPRM) capabilities.

Integrating resiliency with your TPRM strategy

Resilience is the capability of an organization to be prepared for disruption and to adapt and thrive in an increasingly connected environment. Resilience isn’t purely defensive in orientation. It also progressively builds capacity for agility, adaptation, learning, and regeneration to help organizations capitalize on business advantages while preparing for more complex and severe disruptive events.

A cyber TPRM program could help make hospitals more resilient

Collaborate: What’s critical?

Find out more

Evaluate: Current capabilities

Find out more

Deploy: Design, implement, test

Find out more

Our proposed approach

Learn more about Deloitte’s Third-Party Risk Management Managed Services

Characteristics of leading TPRM programs that incorporate resiliency

Deloitte’s life cycle approach to TPRM addresses all stages of a third-party life cycle with a focus on organizational resilience with these characteristics.

Tier-based approach

Vendors/service providers are risk-tiered based on the nature of services being provided and the severity of impact in case of unavailability.

Resilience-focused language

Third-party contract clauses include language around resiliency and business continuity planning.

Alignment of recovery time objectives (RTOs)

Third parties required for the execution/recovery of critical business services are identified, and the recovery requirements are aligned with the recovery time objectives of critical business services.

Risk assessment and scenario planning

Risk assessment and due diligence over third parties consider business continuity, disaster recovery, and scenario planning to recover critical business services in case a third party is unavailable.

Fourth parties

TPRM program includes consideration of fourth parties and potential disruption related to fourth parties’ unavailability.

Manage and monitor third-party risk continuously by:

  • Utilizing external data sources and Generative AI to automate tracking of key risk indicators (KRIs) for third-party risk
  • Leveraging critical event management capabilities to monitor key assets managed by third parties
  • Integrating with security operations capabilities (threat intelligence, vulnerability management, and incident response)

Continuity of care: The role of resilience in TPRM

In the health care sector, disruptions can mean the difference between life and death. The dependence on third parties makes it crucial to integrate resilience into third-party risk management (TPRM). By modernizing TPRM frameworks, addressing vulnerabilities, and adopting continuous monitoring of cyber risks, organizations can improve patient care and maintain operational continuity.

Is your organization prepared to handle disruptions?

Explore our latest insights

Get in touch