The Shift to Enterprise‑Wide Third‑Party Risk Management at Scale
Enterprises lack reliable visibility, control, and accountability over the risks embedded in their third‑party networks, despite being legally and operationally responsible for them. This article explores how third-party risk management is transforming from a compliance issue to a strategic enterprise risk, leveraging AI for continuous monitoring, explainable analytics, and automated remediation.
This article is sponsored by Aravo and was written, edited, and published in alignment with our Emerj sponsored content guidelines. Learn more about our thought leadership and content creation services on our Emerj Media Services page.
Enterprises lack reliable visibility, control, and accountability over the risks embedded in their third‑party networks, despite being legally and operationally responsible for them.
Across financial services, healthcare, manufacturing, and technology, regulators have made this responsibility explicit.
According to U.S. banking regulators, organizations remain fully accountable for third‑party activities as if those activities were performed internally, with boards and senior management responsible for oversight, control, and outcomes. The FDIC states that examiners directly evaluate third‑party relationships during supervisory reviews, treating vendor risk as an extension of the enterprise’s own operational and compliance posture.
The risk landscape has shifted decisively toward the supply chain. According to the Identity Theft Resource Center, supply‑chain attacks have increased sharply and are now among the fastest‑growing causes of data breaches, frequently impacting multiple downstream organizations from a single vendor compromise.
The U.S. Cybersecurity and Infrastructure Security Agency has warned that software supply‑chain attacks can compromise every downstream user of affected software simultaneously, creating systemic rather than isolated failures.
The scale of modern third‑party ecosystems intensifies the challenge. In a study by St. John’s University’s Center for Excellence in ERM, more than 90% of enterprise risk leaders reported that third‑party risk is increasing, with over 60% ranking it as more significant than other enterprise risks. The same research found that some organizations classify up to half of their third parties as mission‑critical, significantly increasing concentration and dependency risk.
When third‑party risk fails, the financial consequences are often immediate and material. According to the U.S. Cybersecurity and Infrastructure Security Agency, large cyber incidents routinely generate multi‑million‑dollar losses per event, driven by forensic response, legal exposure, system recovery, and business disruption, with costs magnified when a single compromised vendor impacts multiple downstream organizations.
For senior leaders and boards, the consequences are no longer theoretical. Third‑party failures increasingly have a direct business impact, including:
Revenue loss, when supply‑chain or service disruptions halt operations
Reputational damage, from vendor misconduct or data breaches
Regulatory exposure, through fines, investigations, and operational restrictions
Operational fragility, when critical services are delivered by external providers the enterprise does not control
Third‑party risk is no longer a compliance issue to be managed at the margins of the organization. It is a strategic enterprise risk — one that demands the same rigor, visibility, and governance as the organization’s internal operations.
Emerj recently hosted executive conversations with Dean Alms, Chief Product Officer at Aravo; Eric Hensley, Chief Technology Officer at Aravo; and Carey Smith, former CIO and Chief Technology Innovation Officer of Blue Cross Blue Shield of Minnesota and President and CIO of XcelerateHealth. These conversations examined why third‑party risk has become a board‑level issue, how traditional compliance‑driven models break down at scale, and what it takes to operationalize resilience in complex supplier ecosystems.
This podcast series explores how enterprise leaders are using AI to modernize third‑party risk management at scale, with emphasis on:
Third‑party risk as an enterprise data problem: Treating supplier risk as a unified, enterprise‑wide data challenge enables clear executive visibility, sharper accountability, and board‑level oversight across increasingly complex vendor ecosystems.
Continuous, risk‑based monitoring at scale: Replacing static surveys and episodic assessments with continuous, exception‑based monitoring preserves visibility as supplier networks grow and allows leaders to focus on material risk signals rather than overwhelming volumes of data.
Explainable AI embedded in core workflows: Applying deterministic, legible AI to document ingestion, survey validation, and routine risk analysis reduces operational cost and cycle time while maintaining traceability, trust, and regulatory confidence in automated outputs.
Resilience through automated remediation: Moving beyond risk identification to AI‑driven playbooks and corrective actions shifts organizations toward proactive risk reduction, faster response for critical vendors, and long‑term operational resilience tied directly to business impact.
Listen to the full episodes from the series below:
Episode 1: Managing Third-Party Risk When You Have 10,000 Suppliers – with Dean Alms of Aravo
Guest: Dean Alms, Chief Product Officer at Aravo
Brief Recognition: Dean Alms is Chief Product Officer at Aravo, where he leads product strategy for enterprise risk and resilience solutions. He previously served as CPO at Socrates.ai and held senior product leadership roles at Veeva Systems and Rimini Street, shaping enterprise SaaS platforms across life sciences, compliance, and global IT services. Dean holds degrees in Business Administration and Management Information Systems from Boston University.
Episode 2: Trusted AI Architectures for Risk and Compliance Leaders – with Dean Alms & Eric Hensley of Aravo
Guests: Dean Alms, Chief Product Officer at Aravo and Eric Hensley, Chief Technology Officer at Aravo
Brief Recognition: Eric Hensley is Chief Technology Officer at Aravo, where he leads the architecture, engineering, and operational scale of enterprise SaaS platforms used by some of the world’s largest organizations. He has spent more than a decade at Aravo in senior technology and product development roles, following earlier leadership positions at Instill Corporation and ShipServ. Eric holds a B.S. in Astrophysics from the University of California, Berkeley, with a minor in Computer Science.
Episode 3: Managing Third-Party Risk at Scale Without Drowning in Surveys – with Carey Smith
Guest: Carey Smith, former CIO and Chief Technology Innovation Officer of Blue Cross Blue Shield of Minnesota, and President and CIO of XcelerateHealth
Brief Recognition: Carey Smith is President and CIO of XcelerateHealth and CIO of Blue Cross Blue Shield of Minnesota, where she leads enterprise technology, AI, and digital transformation initiatives focused on improving healthcare outcomes and operating performance. She has previously served in senior executive roles, including COO, CIO, and CTO across health insurance, insurtech, and private‑equity–backed organizations, and co‑founded Medplace, a digital platform for expert medical case review. Carey holds a dual-major B.S. in Information Technology and Psychology from Montana State University Billings, and completed executive education programs in leadership and strategy.
Third‑Party Risk as an Enterprise Data Problem
Third‑party risk no longer fits neatly inside a single function. Dean Alms makes the case that it has become an enterprise‑wide concern, shaped by expanding regulatory mandates, increasingly complex supplier ecosystems, and a growing expectation that leadership — not just compliance teams — can account for what sits beyond the organization’s four walls.
As Alms describes it, the pressure is not coming from one direction, but many at once:
“The number of risk exposures and compliance mandates continue to grow, and they grow in very different ways, by industry and by geography. In some cases, it’s not even country by country; it’s state by state, with different expectations around things like privacy and data handling. And at the same time, because of consumer pressure and social media exposure, enterprises are being held accountable for the actions of their suppliers, even when those failures happen several layers removed from the core business.”
— Dean Alms, Chief Product Officer at Aravo
What makes this evolution particularly challenging is how risk data is handled across the organization. Ownership is distributed across procurement, compliance, IT, security, and legal teams, each with its own tools, processes, and perspective. The result is partial visibility at precisely the moment boards are asking for consolidated answers.
Carey Smith extends this point by identifying where traditional approaches start to fail under real scale. When supplier networks reach into the tens of thousands, visibility doesn’t just degrade: it collapses. Risk concentrations become harder to identify, and dependencies across lower‑tier suppliers remain largely invisible until disruption forces them into view.
Across both perspectives, several fault lines consistently emerge:
Risk data is fragmented across functions, preventing a unified, supplier‑centric view of exposure.
Survey‑driven, point‑in‑time assessments decay rapidly, creating an illusion of control.
Lower‑tier and unknown suppliers introduce hidden exposure that often surfaces only after disruption.
Accountability ultimately sits with the enterprise, regardless of where failure originates.
The shift underway is therefore structural. Third‑party risk management is moving away from a functionally isolated compliance activity toward a data‑driven governance discipline, one expected to support executive decision‑making and withstand board‑level scrutiny as supplier ecosystems grow more complex and interconnected.
Continuous, Risk‑Based Monitoring at Scale
As supplier networks expand and external conditions change more quickly, episodic reviews begin to feel misaligned with reality. Eric and Dean describe a widening gap between how risk is traditionally assessed and how it actually evolves.
Moving to continuous monitoring seems like the obvious answer. But Eric is quick to point out that the transition is often underestimated. Instead of solving the visibility problem outright, continuous monitoring introduces a new challenge: volume.
“When you move to continuous monitoring, the challenge changes completely. Instead of not having enough information, you suddenly have a fire hose of data coming in from many different sources, all the time. The real problem then becomes deciding what actually matters—what changed, why it changed, and whether it’s important enough to act on. If you can’t separate signal from noise, continuous monitoring just creates more confusion, not better outcomes.”
— Eric Hensley, Chief Technology Officer at Aravo
Carey Smith approaches the issue from a posture perspective, shifting the focus away from frequency and toward relevance:
“Continuous, risk‑based monitoring is about understanding your risk posture in real time, not filling out more paperwork. Point‑in‑time surveys give you a snapshot that starts going stale the moment it’s completed. What leaders need instead is an ongoing view of where risk is concentrated and how it is changing. Without that, visibility erodes just as complexity increases.”
— Carey Smith, former CIO and Chief Technology Innovation Officer of Blue Cross Blue Shield of Minnesota, and President and CIO of XcelerateHealth
Dean adds an operational nuance that distinguishes more mature programs from early adopters. Continuous monitoring is not simply about reassessing vendors more often. It increasingly blends scheduled reviews with event‑driven intelligence — geopolitical disruptions, cyber incidents, adverse media, financial distress — that can alter a supplier’s risk profile long before the next formal checkpoint.
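Hensley's point that continuous monitoring turns a visibility gap into a signal‑to‑noise problem, and Alms's point that mature programs blend scheduled reviews with event‑driven intelligence, can be made concrete with a small exception‑based triage loop. The script below is an added illustration written for this page; it is not Aravo's code and not something the guests described. The supplier inventory fields (a 1–5 criticality tier, a per‑supplier review interval), the signal sources and their weights, the 1–5 severity scale, the alert threshold, and the assumed tier for unknown suppliers are all placeholders a real program would calibrate, and the suppliers and events are constructed sample data.

```python
"""Exception-based triage of third-party risk signals (added illustration).

Assumptions (not from the article): a supplier inventory with a 1-5
criticality tier and a review interval, plus a feed of external signals
each tagged with a source and a 1-5 severity. Weights and the threshold
are placeholders, not calibrated values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# How much a signal from each source moves a supplier's risk score (assumed weights).
SOURCE_WEIGHT: Dict[str, float] = {
    "cyber": 1.0, "financial": 0.8, "geopolitical": 0.7, "adverse_media": 0.6,
}
ALERT_THRESHOLD = 15.0   # aggregate weighted delta that triggers escalation (assumed)
UNKNOWN_CRITICALITY = 3  # tier assumed for suppliers missing from the inventory


@dataclass(frozen=True)
class Supplier:
    name: str
    criticality: int          # 1 (commodity) .. 5 (mission-critical)
    last_assessed: date
    review_interval_days: int


@dataclass(frozen=True)
class Signal:
    supplier: str
    source: str               # key of SOURCE_WEIGHT
    severity: int             # 1 (informational) .. 5 (confirmed incident)
    observed: date


def score_delta(signal: Signal, criticality: int) -> float:
    """Weighted change in risk: the same event matters more for a critical supplier."""
    return signal.severity * SOURCE_WEIGHT.get(signal.source, 0.5) * criticality


def triage(suppliers: List[Supplier], signals: List[Signal], today: date) -> List[dict]:
    """Return only the exceptions worth a human's attention, highest priority first.

    Produces three kinds: overdue scheduled reviews, event-driven escalations
    where a supplier's aggregated signals cross ALERT_THRESHOLD, and signals
    about suppliers absent from the inventory (hidden exposure).
    """
    inventory = {s.name: s for s in suppliers}
    exceptions: List[dict] = []

    # 1. Scheduled cadence still runs, but only surfaces when a review is overdue.
    for s in suppliers:
        if today - s.last_assessed >= timedelta(days=s.review_interval_days):
            exceptions.append({"supplier": s.name, "kind": "scheduled_review_due",
                               "priority": float(s.criticality)})

    # 2. Event-driven: aggregate weighted deltas per supplier, escalate above threshold.
    deltas: Dict[str, float] = defaultdict(float)
    unknown: Dict[str, float] = defaultdict(float)
    for sig in signals:
        sup = inventory.get(sig.supplier)
        if sup is None:
            unknown[sig.supplier] += score_delta(sig, UNKNOWN_CRITICALITY)
        else:
            deltas[sig.supplier] += score_delta(sig, sup.criticality)
    for name, delta in deltas.items():
        if delta >= ALERT_THRESHOLD:
            exceptions.append({"supplier": name, "kind": "event_escalation",
                               "priority": round(delta, 1)})

    # 3. An unknown supplier is an exception regardless of score: the inventory gap is the risk.
    for name, delta in unknown.items():
        exceptions.append({"supplier": name, "kind": "unknown_supplier",
                           "priority": round(delta, 1)})

    return sorted(exceptions, key=lambda e: e["priority"], reverse=True)


def demo() -> List[dict]:
    """Run triage over constructed sample data (not real suppliers or events)."""
    today = date(2024, 6, 1)
    suppliers = [
        Supplier("Acme Cloud", 5, today - timedelta(days=200), 365),
        Supplier("Bolt Stationery", 1, today - timedelta(days=400), 365),
        Supplier("Delta Logistics", 4, today - timedelta(days=30), 180),
    ]
    signals = [
        Signal("Acme Cloud", "cyber", 3, today),               # 3*1.0*5 = 15.0 -> escalates
        Signal("Bolt Stationery", "cyber", 3, today),          # 3*1.0*1 = 3.0  -> noise
        Signal("Delta Logistics", "adverse_media", 2, today),  # 2*0.6*4 = 4.8
        Signal("Delta Logistics", "geopolitical", 2, today),   # 2*0.7*4 = 5.6 -> 10.4, below threshold
        Signal("Unknown Widgets", "financial", 4, today),      # not in inventory -> flagged
    ]
    return triage(suppliers, signals, today)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['priority']:5.1f}  {e['kind']:22s} {e['supplier']}")
```

The point the sample data makes is that an identical severity‑3 cyber signal escalates for the mission‑critical supplier and is dropped as noise for the commodity one, that two moderate signals on a tier‑4 supplier accumulate but stay below the threshold (so they are retained in the score but not pushed to a human), and that a signal about a supplier nobody has in the inventory is surfaced on its own merits.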
What emerges is a different operating model:
Continuous monitoring shifts the problem from d
[truncated for AI cost control]