How to Effectively Communicate TPRM and Supply Chain Risk to Your Board

Managing third-party risk should be an urgent priority for all organisations in today’s world of complex digital supply chains.

But getting such technical matters heard and understood at the top table can be a challenge for CISOs and their teams. Here we offer some key talking points and strategies to help you communicate third-party risk management (TPRM) more effectively to your board – and ensure they understand the significant role it plays in safeguarding the business and achieving core objectives. 

Chief Information Security Officers (CISOs) understand the cyber security risks posed by today’s complex digital supply chains. Businesses and their IT systems are vulnerable to attacks originating from anywhere in these far-reaching supply networks. But while those working in IT security recognise these risks only too well, it has always been a challenge to communicate cyber security issues effectively to company boards. 

It’s the job of the CISO to translate complex technical risks into issues the board can understand, and which relate directly to their areas of responsibility. Given the potentially devastating financial and reputational impacts of a cyber security breach, it’s essential the board comprehends the level of risk posed by third-party suppliers.

Board members often focus on larger geopolitical, commercial or financial risks to the business. So CISOs need to present third-party risk management (TPRM) in a way that relates to these top-of-mind issues. 

In this article we’ll offer advice on how you can make your communications with the board more relevant, impactful and effective.

Understand the needs of your board 

Board members cover a diverse range of specialisms, from finance, legal and IT to marketing, sales and operations. When presenting information about TPRM, adapt your messages to address the particular concerns and areas of expertise of your board members. Don’t present TPRM as a stand-alone issue, but instead align it with the company’s broader enterprise risk management efforts. This will ensure it feels integrated with the company’s overall risk strategies and objectives – and therefore highly relevant to the board. 

Always use plain language and avoid technical jargon and acronyms. During a busy board meeting, if members don’t understand your terminology straight away, they may miss the point. There may not be time for clarifications, so ensure your messages are clear and direct and that you explain any technical challenges in a way board members can relate to.

When you’re explaining risks to the business, use real-world examples. Talk about any recent security threats that could have impacted your organisation, and how you prevented or mitigated them. Highlight examples of companies like yours that have been impacted and the reputational, financial and potentially legal fallout. You could point to recent high-profile security breaches that originated from supply chains, such as the MOVEit software exploitation or the EternalBlue data breach.

Education and engagement 

As a CISO, you should educate the board on how to think about third-party risks. Demonstrate that vulnerabilities among third-party suppliers do not only pose a risk to IT systems, but can impact every area of the business – from operations and service delivery to compliance and procurement. Ensure board members understand that, when it comes to TPRM, every department that interacts with third-party suppliers, vendors or partners has a role to play in identifying and managing risks, and preventing security breaches. 

This is a whole-organisation issue that affects the performance, operational efficiency and reputation of the business. If boards appreciate this, they can make the right decisions about implementing targeted risk management tools, processes and systems in relevant areas of the organisation. 

One aspect of TPRM that boards can often identify with is vendor risk management, because the risks posed by security weaknesses in a direct vendor are easy to see. To demonstrate the importance of TPRM processes, explain them to the board in terms of vendor risk management. Break this down into three stages:

  • Onboarding: talk board members through the due diligence work carried out when signing up new vendors.
  • Risk mitigation: outline the systems and processes followed to address any vulnerabilities identified. Explain how you classify vendors according to their criticality to your business.
  • Continuous monitoring: outline your processes for ongoing vendor assessment, explaining why vendor security controls need to be re-validated over time rather than checked once.

Regular, well-structured risk briefings 

CISOs should have regular opportunities to update the board. For greatest impact, focus on a few core items:

  • Strategic impact: Emphasise how TPRM efforts contribute to the organisation’s strategic goals, such as operational resilience, compliance and asset protection. 
  • Metrics and KPIs: Board members want to see facts, measurable data and evidence. Show the results of your most recent security audits. Develop key performance and risk indicators that relate directly to the organisation’s strategic goals. Report on these regularly so board members can assess trends and anomalies. This will give them a clear view of the effectiveness of TPRM, as well as the evidence they need to support their decisions. 
  • Visual aids: Graphs and charts are a great way to illustrate complex data effectively. Powerful visuals will make your data more memorable and meaningful to the board. 
  • Context: Highlight how TPRM supports regulatory compliance and how risk mitigations respond to wider financial and geopolitical issues. Aligning TPRM with the broader issues business leaders are grappling with will help to keep it in the spotlight.
  • Actionable recommendations: End your briefing with recommended TPRM-related actions for the board to take – which are justified by the data you have presented. Actions could include investing in more effective risk assessment technology or adopting new policies for vendor engagement.

Make it relevant, resonant and reportable

The impacts of security breaches originating from third-party suppliers can be devastating. CISOs need to ensure leaders understand the risks. Communicating supply chain risk management in a way that engages board members and gives them the facts they need to make key decisions should be a top priority for any CISO.

It’s also vital to keep decision-makers updated about the ever-changing risk landscape – so they can support you with swift and appropriate actions when needed to protect the organisation.


About the Author

Haydn Brooks is CEO at Risk Ledger. Over 60% of organisations have experienced a cyber incident caused by a compromised third-party. Recent data protection and business resilience laws and regulations globally have included specific obligations for organisations to actively manage supply chain security risks. Risk Ledger provides all the tools you need to run a comprehensive, security-led, third-party risk management programme against your supply chain.
