
Stopping Problems Before They Start

As third-party IT security/cyber risks become more prevalent, IT security professionals continue to look for more efficient and agile approaches to third-party risk management (TPRM) that can help organizations stay compliant with ever-evolving requirements. One of those requirements is the integration of continuous monitoring into TPRM programs. This article from Charlie Miller shares an optimal process for doing just that – it’s called the OODA Loop.

Boards and C-level executives are re-examining their organizations’ risk appetite and TPRM program effectiveness to better support their strategic business goals and to stay compliant with the ever-evolving requirements that have emerged across the globe. One of those requirements is the integration of continuous monitoring into TPRM programs.

Continuous monitoring has rapidly become a critical component of organizational third-party enterprise risk and governance strategies. Although the recent growth in continuous monitoring activities has been largely driven by online risks and threats, the benefits of it are broad and extend to almost all areas of TPRM.

Strategy vs. Tactics

In any third-party risk management program strategy, continuous monitoring is a critical tactical solution. However, a common misunderstanding about the difference between strategy and tactics often leads to the selection of techniques and reporting metrics that do not meet an organization’s strategic TPRM goals. Incident response and management within TPRM programs are typically focused tactically on a specific event, with the result that third-party professionals do not capture the lessons learned from those events or determine how to apply them as continuous improvement opportunities across the TPRM program going forward.

Observe, Orient, Decide, Act

The OODA Loop is an optimal process for implementing continuous monitoring efficiently across the enterprise. As the four-stage basis of any decision-making process, the OODA Loop provides a nonlinear, proactive approach to problem solving in real-life situations, including continuous monitoring. The four stages map to the parts of third-party continuous monitoring as follows: (1) Observe: definition of risk appetite, third-party ranking and incident response planning; (2) Orient: assessment and monitoring; (3) Decide: incident analysis; and (4) Act: incident response.

Figure 1: The Parts of the OODA Loop

The OODA Loop is the natural flow of human thinking and process; however, it demands forethought, documentation and feedback, plus feed-forward practices to be effective and successful. This means that decisions should be based on data that is pertinent, available, readily analyzed and actionable by third-party risk professionals in ways that require the availability of implicit guidance – in other words, guidance that has already been practiced – that can be followed reliably at a moment’s notice. The availability of implicit guidance eliminates the need to go back to a higher authority during a threat situation, making the response timelier and the risk professionals who are making the decision more confident that their response is the right one.

In the context of third-party continuous monitoring, the use of implicit guidance is two-fold:

  1. The first use is for responsible parties within organizations to ensure that they have the availability of highly experienced analysts who have the ability to recognize a threat and act accordingly.
  2. The second use is for an organization’s leadership to ensure the availability of predefined actions that are linked to specific types of threats (also known as playbooks) that can guide less experienced analysts and allow more experienced analysts to document their actions against policy and playbook processes.

The OODA Loop, Program Governance and Continuous Monitoring

The most robust continuous monitoring program employs strategies that are designed to work across the entire enterprise – a difficult task in any size organization. A strategy that calls for integrating the OODA Loop into continuous monitoring processes provides the type of collaboration throughout enterprise risk management to remedy the lack of coordination that typically constrains the effectiveness and efficiency of TPRM programs.

Because of the level of information required to provide an agile response to near real-time events, embedding the OODA Loop into TPRM programs can improve an organization’s security by providing a more proactive approach to risk identification and management. A governance model that includes the OODA Loop empowers people – in the context of continuous monitoring, it leverages implicit guidance for the third-party risk professionals who receive monitoring control data and reports, allowing them to go through a predetermined loop without having to slow down or stop at key decision points. This approach lets them work through a problem avoiding bottlenecks that can have dire consequences for operations, reputation and organizational resiliency.

A playbook can be constructed that is customized to an organization’s unique needs to provide a predetermined set of rules defining roles, responsibilities, options and guidance for responding to risk indicators, events or incidents. The playbook provides clear guidance and assigns responsibility for in-the-moment action, setting the stage to ensure important decisions are made in a timely manner. Since time is the dominant factor in successfully executing a strategy in the TPRM space, where the threat environment is rapidly evolving, establishing playbook options helps to keep from getting hung up at any point in the process.

To empower each team member, training should be conducted in which team members are able to demonstrate that they understand the goals, strategies and rules of engagement (i.e., the playbook rules). Team members can then better advocate for individual commitment and enforcement by ensuring that those responsible for program management have the authority to execute changes that come to light over time through the feedback and feed-forward process. Strategies for monitoring should be evaluated whenever changes occur to business elements (both internal and external) – such as core mission, risk tolerance or business processes – to ensure that controls function appropriately and that any new gaps are identified.

Effective application of the OODA Loop in a continuous monitoring TPRM setting can:

  1. Improve situational awareness through more effective training and planning enterprise-wide.
  2. Improve ROI in terms of the improved insights (rewards) gained through continuous monitoring and agile decision-making (costs) vs. traditional (point-in-time) periodic assessment practices.
  3. Potentially reduce legal and regulatory compliance costs through demonstrated implementation of defensible risk management practices.


The integration of OODA Loop principles within continuous monitoring and related governance tactics provides more effective risk mitigation and decision-making tools. The benefits of consistently applied criteria and processes extend to both the outsourcer and the third-party provider, as governance is naturally most effective when the outsourcer and third party work as a team. Planning responses rather than reactions will allow an enterprise to take steps that achieve benefits and reduce both threat impacts and costs.

Want to Learn More?

A white paper provided by The Shared Assessments Program titled, “Innovations in Third Party Continuous Monitoring,” covers the incorporation of the OODA Loop into third-party continuous monitoring and can be downloaded at www.sharedassessments.org/tp-continuous-monitoring/.

Charlie Miller

Charlie Miller is Senior Advisor at The Santa Fe Group, Shared Assessments Program. Charlie’s key responsibilities include expanding the Shared Assessments membership-driven Third Party Risk Management program, facilitating thought leadership, industry vertical strategy groups, research studies, and regulatory and association relationships.

He joined the Santa Fe Group, Shared Assessments in 2015 and has been in the third-party risk space for over 13 years. Charlie is a frequent speaker and a recognized expert in third-party risk. He has vast industry experience, having led vendor risk management and financial services initiatives for several global companies. Charlie was the Director of Vendor and Business Partner Risk Management at AIG and implemented third-party risk management programs at Bank of Tokyo Mitsubishi (BTMU). He held multiple leadership roles at Merrill Lynch & Co., Inc., overseeing the company’s global vendor management program and serving as a Director of Technology Audit. He led a financial services practice unit as a consulting partner at Deloitte, focusing on technology outsourcing, risk management and cost control. He began his career at IBM as a system engineer.

Charlie is a distinguished Fellow of the Ponemon Institute, Certified International Privacy Professional and Certified Third Party Risk Professional.
