
This document contains step-by-step instructions for how to calculate the probability for a third-party data breach, with examples. It also explains the basis in probability theory.

There is a misconception by business leadership that the current approach to Third-Party Risk Management (TPRM)—vetting each third party in isolation—is sufficient to mitigate the risk of a third-party data breach. In reality, there is a large emergent cumulative risk that stems from the sheer number of third parties that have access to large amounts of sensitive data. Failing to measure this cumulative risk not only hampers the organization’s capacity to harness valuable third-party technologies but also undermines its competitive edge.


Third-party breaches are not hopelessly random. Their expected frequency can be well characterized with minimal effort using Probability Theory. Regularly calculating the expected frequency as a function of breach size can give leadership confidence in using third parties even though small third-party breaches do occur regularly. These small breaches that might happen every couple of years can be considered the cost of doing business. Simultaneously, leadership can be reasonably assured that a very large breach will never happen by enforcing calculated limits on the number of third parties handling the largest volumes of sensitive data. Business leaders can have confidence in this calculation because it is solidly grounded in Probability Theory and because it is tested through tracking the actual occurrence of small third-party breaches.
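As an added worked example (my own illustration, not the paper's model or VivoSecurity's code), the cumulative-risk arithmetic this paragraph describes under the simplest assumption: each third party is an independent Bernoulli trial per year. The tier counts and per-third-party annual breach probabilities are constructed sample inputs, not figures from the paper.

```python
from math import floor, log

# Constructed sample portfolio (assumed inputs, not from the paper): third parties
# grouped by the volume of sensitive records they hold, with an ASSUMED annual
# breach probability per third party in each tier.
TIERS = {
    # tier label: (number of third parties, assumed per-third-party annual breach probability)
    "small (<10k records)": (400, 0.005),
    "medium (10k-1M records)": (60, 0.010),
    "large (>1M records)": (8, 0.020),
}

def prob_at_least_one(p, n):
    """P(at least one breach in a year) among n independent third parties, each breached with probability p."""
    return 1.0 - (1.0 - p) ** n

def expected_breaches(p, n):
    """Expected number of breaches per year: the mean of a Binomial(n, p)."""
    return n * p

def years_between(p, n):
    """Mean time between breaches in years, the reciprocal of the expected annual frequency."""
    return 1.0 / expected_breaches(p, n)

def max_third_parties(p, max_prob):
    """Largest n such that P(at least one breach in a year) <= max_prob.
    Solves (1-p)^n >= 1-max_prob for n; this is the 'calculated limit' on a tier."""
    if not 0.0 < p < 1.0 or not 0.0 < max_prob < 1.0:
        raise ValueError("p and max_prob must lie strictly between 0 and 1")
    return floor(log(1.0 - max_prob) / log(1.0 - p))

def frequency_by_size(tiers=TIERS):
    """Expected annual frequency and 'at least one breach' probability per data-volume tier."""
    return {
        tier: {
            "expected_per_year": expected_breaches(p, n),
            "prob_at_least_one": prob_at_least_one(p, n),
        }
        for tier, (n, p) in tiers.items()
    }

if __name__ == "__main__":
    for tier, stats in frequency_by_size().items():
        print(f"{tier}: {stats['expected_per_year']:.2f} breaches/yr, "
              f"P(>=1) = {stats['prob_at_least_one']:.1%}")
    n, p = TIERS["large (>1M records)"]
    print(f"Cap on large-volume third parties for P(>=1 large breach) <= 10%: "
          f"{max_third_parties(p, 0.10)} (currently {n})")
```

Tracking the observed count of small-tier breaches against `expected_per_year` for that tier is the cheap reality check the paragraph mentions: if the small tier produces far more breaches than the assumed rate predicts, the rate assumed for the large tier is probably too optimistic as well.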


For a business leader who wants to weigh the value against the effort, consider that the effort can be focused primarily on identifying the (hopefully) small number of third parties holding very large amounts of data. The number of these third parties is typically fewer than one hundred. The value, then, is the confidence to use more third parties without the fear of experiencing an impactful third-party breach.

Download the latest version: How to Calculate the Probability for a Third-Party Data Breach


About the Authors

Thomas Lee, Ph.D., is the CEO of VivoSecurity, a Silicon Valley-based company focused on data collection, regression modeling and A.I. to bring predictability to the randomness of data breaches. In cybersecurity, Thomas has developed models to forecast fraud in online banking, data breach costs, and the probability of lawsuits in the event of a PII data breach. He has developed models to forecast PII data breaches by state, the number of data breaches in the healthcare industry, and the probability of a PII data breach for companies and third parties.


Thomas has multiple patents and publications in peer-reviewed journals and holds BS degrees in Physics and Electrical Engineering from the University of Washington, and an MS and Ph.D. in Biophysics from the University of Chicago. Thomas can be contacted at ThomasL@VivoSecurity.com.
