Why Third-Party Risk Management Matters More Than Ever
By Bill Fortwangler, Adjunct Faculty, Heinz College of Information Systems and Public Policy
When it comes to technology and business performance, one truth has become clear: you are only as strong as your weakest vendor.
Third-party risk management isn’t just a back-office function anymore. It’s a strategic priority. Organizations today rely heavily on suppliers, vendors, and partners–and not just them, but also their suppliers. Every one of those relationships carries risk that can affect your customers, your operations, and your reputation.
Customers Don’t See Your Vendors–They See You
When a vendor fails, your customers don’t blame the vendor. They blame you. Whether it’s a data breach, an outage, or a performance issue, it’s your brand that takes the hit. That’s why third-party risk management has become mission-critical.
Cybersecurity threats, business resiliency, and operational performance all depend on vendors meeting expectations. If they fall short, the risk flows directly to your organization.
Why Risk Is Growing
There are a few reasons why this issue is more important now than ever:
- Reliance on external partners. Companies increasingly buy “best of breed” solutions instead of developing in-house. That means more dependency on external providers.
- Cyber activity. Vendors are frequent targets of attacks, and any breach in their environment can expose your customer data or disrupt your services.
- Business resiliency. Supply chain disruptions, geopolitical instability, and even vendor acquisitions can quickly impact your operations.
The bottom line: you can’t afford to treat vendor oversight as optional or occasional. It has to be built into the way you operate.
Make It Strategic
Third-party risk management should be part of your business culture, not just a compliance exercise. That means:
- Classifying vendors by criticality.
- Monitoring performance and security on an ongoing basis.
- Having an exit strategy if a vendor fails, gets acquired, or no longer meets your needs.
The pandemic made this reality painfully clear. Companies that had resiliency built into their vendor strategy adapted quickly. Those that didn’t, struggled.
Final Thought
Every organization depends on third parties. The difference between success and failure is how well you manage those relationships.
If you build resiliency, monitor risk continuously, and treat vendor oversight as a strategic function, you protect not just your supply chain–you protect your business.
Bill Fortwangler is Executive Vice President and Chief Information Officer at Dollar Bank and an adjunct professor in Carnegie Mellon University’s Chief Information and Digital Officer (CIDO) Certificate Program. With more than 30 years of IT leadership experience across financial services, manufacturing, and education, he is known for transforming legacy organizations into proactive, value-driven business partners. Recognized as CIO of the Year by the Pittsburgh Technology Council, Fortwangler brings a pragmatic, people-first approach to leading large-scale technology and culture change—expertise he now shares with CIDO participants preparing to elevate their own impact as digital leaders.