Third-Party Risk Management: When Behaviour Shapes Resilience
Part 2: The human dynamics behind third-party incident response.
In Part 1 of this series, we explored the human behaviours that contribute to persistent third-party risk exposure, from misplaced trust and compliance fatigue to commercial pressure and organisational silos.
However, these behavioural dynamics become even more visible during real-world disruption.
Whether caused by a cyber-attack, operational outage, supplier compromise, or systemic failure, incidents involving critical third parties rarely fail solely because of technology. More often, the severity of disruption is shaped by how organisations respond under pressure.
This is where operational resilience moves beyond governance frameworks and becomes a test of communication, decision-making, leadership, and preparedness.
The illusion of preparedness
Many organisations believe they are resilient because governance structures exist on paper. Supplier due diligence has been completed, risk assessments are documented, and contractual obligations are in place.
But disruption often reveals a different reality.
Third-party incident response plans may never have been exercised collaboratively. Escalation processes can become unclear during fast-moving incidents, and organisations frequently discover that their operational dependency on suppliers is deeper than initially understood.
In some cases, suppliers that appear compliant from an assurance perspective may still struggle operationally when under pressure. The challenge is that preparedness is often assessed through documentation rather than demonstrated capability.
The Jaguar Land Rover (JLR) incident is one example of how a supplier can look secure on paper yet still expose an organisation to enormous risk. Although JLR’s suppliers appeared fully compliant by meeting standards and providing assurance supported by documented evidence, a cyberattack on one upstream partner in September 2025 resulted in a knock-on failure across JLR’s global manufacturing network. Production ground to a halt in the UK, Slovakia, India, and Brazil for weeks, ultimately costing the company an estimated £1.9 billion ($2.5B) and forcing layoffs throughout the supply chain.
Behaviour changes under pressure
When disruption occurs, organisational behaviour changes rapidly.
Decision-making can slow down as teams seek additional approvals or avoid accountability. Commercial concerns may influence disclosure timelines, while reputational pressures can create hesitation around transparency.
At the same time, internal priorities often compete:
- Security teams focus on containment
- Operations teams prioritise service restoration
- Legal teams assess liability exposure
- Executive leadership manages customer and regulatory pressure
Without alignment, even relatively manageable incidents can escalate unnecessarily.
Importantly, these behavioural responses are rarely intentional failures. They are natural reactions to uncertainty, pressure, and incomplete information.
An effective approach for managing stakeholders starts with clear, consistent communication that provides information in the form that they have requested and expect. When stakeholders understand why something matters, not just what is happening, there is a greater chance they will feel included in the conversation. Trust is built by doing exactly what you say you will do, doing it as you said you would, and being transparent about risks and constraints rather than hiding them. Buy‑in comes when stakeholders feel heard, see their input reflected in decisions, and understand how the outcome aligns with their objectives and the organisation’s goals.
Communication often becomes the real failure point
One of the most common challenges during third-party incidents is not the initial disruption itself but the communication breakdown that follows.
Organisations may receive inconsistent updates from suppliers, unclear recovery timelines, or limited visibility into root causes. Internally, fragmented communication between risk, legal, IT, and leadership teams can further delay coordinated response efforts. For customers, regulators, and stakeholders, uncertainty can quickly erode trust. This becomes particularly challenging in highly interconnected environments where a single supplier outage can affect multiple business functions simultaneously.
The effectiveness of communication during disruption often determines whether an incident becomes a contained operational event or a broader reputational crisis.
An effective way to communicate with stakeholders is to use a simple, structured model that clearly lays out the opportunities, consequences, and available choices. Industry standards often require a comprehensive communication plan that outlines what will be communicated, how often, through which channels, to whom, and for what purpose. Organisations may also use a Benefits-Risks-Choices Model to a similar effect. By framing information this way, you help stakeholders see both the upside and the risks without overwhelming them with detail. It turns communication into a shared decision‑making process rather than a one‑way update, which is ultimately what drives alignment and long‑term support.
Operational dependency is often underestimated
Many organisations do not fully understand the extent of their dependency on third parties until services become unavailable.
Modern businesses rely heavily on interconnected suppliers, cloud providers, managed service partners, and outsourced operations. In many cases, these dependencies extend beyond direct suppliers into fourth-party ecosystems that organisations have limited visibility over. During disruption, this hidden criticality becomes highly visible. An outage affecting a single provider can quickly disrupt operations, customer service, regulatory obligations, and revenue.
The challenge is not simply identifying suppliers; it is understanding how operational resilience is affected when those suppliers fail.
Compliance alone does not create resilience
Regulatory frameworks such as DORA and NIS2, as well as operational resilience requirements, are increasing expectations for third-party risk management. However, compliance alone does not guarantee resilience.
Organisations can meet regulatory obligations while still lacking effective coordination, tested response capabilities, or clear accountability structures during incidents.
True resilience requires organisations to move beyond static assessments and towards continuous operational validation. This includes:
- Joint resilience exercises with critical suppliers
- Cross-functional crisis simulations
- Clear escalation pathways
- Executive involvement in incident preparedness
- Ongoing reassessment of operational dependency
Resilience is ultimately built through practice, collaboration, and organisational maturity, not documentation alone.
More resilient third-party relationships
Improving resilience requires more than stronger controls. It requires stronger relationships.
Organisations that respond most effectively during disruption are often those that have already established trust, communication pathways, and shared expectations with critical suppliers before incidents occur.
This involves creating environments where issues can be escalated early, dependencies are openly understood, and resilience is treated as a shared responsibility rather than a contractual obligation.
As third-party ecosystems continue to grow in complexity, resilience will increasingly depend on how organisations collaborate under pressure – not simply how they govern during stability.