This article is sponsored by Aravo and was written, edited, and published in alignment with our Emerj sponsored content guidelines. Learn more about our thought leadership and content creation services on our Emerj Media Services page.
Enterprises lack reliable visibility, control, and accountability over the risks embedded in their third‑party networks, despite being legally and operationally responsible for them.
Across financial services, healthcare, manufacturing, and technology, regulators have made this responsibility explicit.
According to U.S. banking regulators, organizations remain fully accountable for third‑party activities as if those activities were performed internally, with boards and senior management responsible for oversight, control, and outcomes. The FDIC states that examiners directly evaluate third‑party relationships during supervisory reviews, treating vendor risk as an extension of the enterprise’s own operational and compliance posture.
The risk landscape has shifted decisively toward the supply chain. According to the Identity Theft Resource Center, supply‑chain attacks have increased sharply and are now among the fastest‑growing causes of data breaches, frequently impacting multiple downstream organizations from a single vendor compromise.
The U.S. Cybersecurity and Infrastructure Security Agency has warned that software supply‑chain attacks can compromise every downstream user of affected software simultaneously, creating systemic rather than isolated failures.
The scale of modern third‑party ecosystems intensifies the challenge. In a study by St. John’s University’s Center for Excellence in ERM, more than 90% of enterprise risk leaders reported that third‑party risk is increasing, with over 60% ranking it as more significant than other enterprise risks. The same research found that some organizations classify up to half of their third parties as mission‑critical, significantly increasing concentration and dependency risk.
When third‑party risk fails, the financial consequences are often immediate and material. According to the U.S. Cybersecurity and Infrastructure Security Agency, large cyber incidents routinely generate multi‑million‑dollar losses per event, driven by forensic response, legal exposure, system recovery, and business disruption, with costs magnified when a single compromised vendor impacts multiple downstream organizations.
For senior leaders and boards, the consequences are no longer theoretical. Third‑party failures increasingly have a direct business impact, including:
- Revenue loss, when supply‑chain or service disruptions halt operations
- Reputational damage, from vendor misconduct or data breaches
- Regulatory exposure, through fines, investigations, and operational restrictions
- Operational fragility, when critical services are delivered by external providers
Third‑party risk is no longer a compliance issue to be managed at the margins of the organization. It is a strategic enterprise risk — one that demands the same rigor, visibility, and governance as the organization’s internal operations.
Emerj recently hosted executive conversations with Dean Alms, Chief Product Officer at Aravo; Eric Hensley, Chief Technology Officer at Aravo; and Carey Smith, former CIO and Chief Technology Innovation Officer of Blue Cross Blue Shield of Minnesota and President and CIO of XcelerateHealth. These conversations examined why third‑party risk has become a board‑level issue, how traditional compliance‑driven models break down at scale, and what it takes to operationalize resilience in complex supplier ecosystems.
This podcast series explores how enterprise leaders are using AI to modernize third‑party risk management at scale, with emphasis on:
- Third‑party risk as an enterprise data problem: Treating supplier risk as a unified, enterprise‑wide data challenge enables clear executive visibility, sharper accountability, and board‑level oversight across increasingly complex vendor ecosystems.
- Continuous, risk‑based monitoring at scale: Replacing static surveys and episodic assessments with continuous, exception‑based monitoring preserves visibility as supplier networks grow and allows leaders to focus on material risk signals rather than overwhelming volumes of data.
- Explainable AI embedded in core workflows: Applying deterministic, legible AI to document ingestion, survey validation, and routine risk analysis reduces operational cost and cycle time while maintaining traceability, trust, and regulatory confidence in automated outputs.
- Resilience through automated remediation: Moving beyond risk identification to AI‑driven playbooks and corrective actions shifts organizations toward proactive risk reduction, faster response for critical vendors, and long‑term operational resilience tied directly to business impact.
Listen to the full episodes from the series below:
Episode 1: Managing Third-Party Risk When You Have 10,000 Suppliers – with Dean Alms of Aravo
Guest: Dean Alms, Chief Product Officer at Aravo
Brief Recognition: Dean Alms is Chief Product Officer at Aravo, where he leads product strategy for enterprise risk and resilience solutions. He previously served as CPO at Socrates.ai and held senior product leadership roles at Veeva Systems and Rimini Street, shaping enterprise SaaS platforms across life sciences, compliance, and global IT services. Dean holds degrees in Business Administration and Management Information Systems from Boston University.
Episode 2: Trusted AI Architectures for Risk and Compliance Leaders – with Dean Alms & Eric Hensley of Aravo
Guests: Dean Alms, Chief Product Officer at Aravo and Eric Hensley, Chief Technology Officer at Aravo
Brief Recognition: Eric Hensley is Chief Technology Officer at Aravo, where he leads the architecture, engineering, and operational scale of enterprise SaaS platforms used by some of the world’s largest organizations. He has spent more than a decade at Aravo in senior technology and product development roles, following earlier leadership positions at Instill Corporation and ShipServ. Eric holds a B.S. in Astrophysics from the University of California, Berkeley, with a minor in Computer Science.
Episode 3: Managing Third-Party Risk at Scale Without Drowning in Surveys – with Carey Smith
Guest: Carey Smith, former CIO and Chief Technology Innovation Officer of Blue Cross Blue Shield of Minnesota, and President and CIO of XcelerateHealth
Brief Recognition: Carey Smith is President and CIO of XcelerateHealth and CIO of Blue Cross Blue Shield of Minnesota, where she leads enterprise technology, AI, and digital transformation initiatives focused on improving healthcare outcomes and operating performance. She has previously served in senior executive roles, including COO, CIO, and CTO across health insurance, insurtech, and private‑equity–backed organizations, and co‑founded Medplace, a digital platform for expert medical case review. Carey holds a dual-major B.S. in Information Technology and Psychology from Montana State University Billings, and completed executive education programs in leadership and strategy.
Third‑Party Risk as an Enterprise Data Problem
Third‑party risk no longer fits neatly inside a single function. Dean Alms makes the case that it has become an enterprise‑wide concern, shaped by expanding regulatory mandates, increasingly complex supplier ecosystems, and a growing expectation that leadership — not just compliance teams — can account for what sits beyond the organization’s four walls.
As Alms describes it, the pressure is not coming from one direction, but many at once:
“The number of risk exposures and compliance mandates continue to grow, and they grow in very different ways, by industry and by geography. In some cases, it’s not even country by country; it’s state by state, with different expectations around things like privacy and data handling. And at the same time, because of consumer pressure and social media exposure, enterprises are being held accountable for the actions of their suppliers, even when those failures happen several layers removed from the core business.”
— Dean Alms, Chief Product Officer at Aravo, and Eric Hensley, Chief Technology Officer at Aravo
What makes this evolution particularly challenging is how risk data is handled across the organization. Ownership is distributed across procurement, compliance, IT, security, and legal teams, each with its own tools, processes, and perspective. The result is partial visibility at precisely the moment boards are asking for consolidated answers.
Carey Smith extends this point by identifying where traditional approaches start to fail under real scale. When supplier networks reach into the tens of thousands, visibility doesn’t just degrade: it collapses. Risk concentrations become harder to identify, and dependencies across lower‑tier suppliers remain largely invisible until disruption forces them into view.
Across both perspectives, several fault lines consistently emerge:
- Risk data is fragmented across functions, preventing a unified, supplier‑centric view of exposure.
- Survey‑driven, point‑in‑time assessments decay rapidly, creating an illusion of control.
- Lower‑tier and unknown suppliers introduce hidden exposure that often surfaces only after disruption.
- Accountability ultimately sits with the enterprise, regardless of where failure originates.
The shift underway is therefore structural. Third‑party risk management is moving away from a functionally isolated compliance activity toward a data‑driven governance discipline, one expected to support executive decision‑making and withstand board‑level scrutiny as supplier ecosystems grow more complex and interconnected.
Continuous, Risk‑Based Monitoring at Scale
As supplier networks expand and external conditions change more quickly, episodic reviews begin to feel misaligned with reality. Eric and Dean describe a widening gap between how risk is traditionally assessed and how it actually evolves.
Moving to continuous monitoring seems like the obvious answer. But Eric is quick to point out that the transition is often underestimated. Instead of solving the visibility problem outright, continuous monitoring introduces a new challenge: volume.
“When you move to continuous monitoring, the challenge changes completely. Instead of not having enough information, you suddenly have a fire hose of data coming in from many different sources, all the time. The real problem then becomes deciding what actually matters—what changed, why it changed, and whether it’s important enough to act on. If you can’t separate signal from noise, continuous monitoring just creates more confusion, not better outcomes.”
— Eric Hensley, Chief Technology Officer at Aravo
Carey Smith approaches the issue from a posture perspective, shifting the focus away from frequency and toward relevance:
“Continuous, risk‑based monitoring is about understanding your risk posture in real time, not filling out more paperwork. Point‑in‑time surveys give you a snapshot that starts going stale the moment it’s completed. What leaders need instead is an ongoing view of where risk is concentrated and how it is changing. Without that, visibility erodes just as complexity increases.”
— Carey Smith, former CIO and Chief Technology Innovation Officer of Blue Cross Blue Shield of Minnesota, and President and CIO of XcelerateHealth
Dean adds an operational nuance that distinguishes more mature programs from early adopters. Continuous monitoring is not simply about reassessing vendors more often. It increasingly blends scheduled reviews with event‑driven intelligence — geopolitical disruptions, cyber incidents, adverse media, financial distress — that can alter a supplier’s risk profile long before the next formal checkpoint.
What emerges is a different operating model:
- Continuous monitoring shifts the problem from data scarcity to data overload.
- Exception‑based models prioritize meaningful change over background activity.
- Event‑driven signals complement, rather than replace, scheduled reviews.
- Without governance and response readiness, volume erodes insight instead of strengthening it.
When done well, continuous monitoring preserves relevance. It keeps leaders oriented as conditions change, without requiring constant intervention or overwhelming attention.
Explainable AI Embedded in Core Workflows
Not all uses of AI are created equal—especially in regulated risk environments. Eric and Dean draw a clear line between exploratory tools that help users interact with data and AI that operates inside core workflows, where accuracy, accountability, and auditability are non‑negotiable.
In these contexts, opacity quickly becomes a liability. Eric is direct about the risks of black‑box automation:
“Black box AI automation solutions don’t work in highly regulated environments. If you can’t see what data went in, how the decision was made, and what came out the other side, you can’t govern it. That lack of visibility becomes a risk in itself, especially when auditors, regulators, or executives ask how decisions were reached. In this world, automation only works if it’s legible and explainable.”
— Eric Hensley, Chief Technology Officer at Aravo
Carey Smith reinforces the point: explainability is not a feature to be debated later, but a baseline requirement for trust.
Dean grounds these principles in day‑to‑day execution. Document ingestion and survey validation, longstanding bottlenecks in third‑party risk programs, are now areas where AI can deliver measurable impact. By extracting verified information from independently audited documents and automatically populating questionnaires, organizations reduce cycle time while improving consistency and data quality.
The value compounds when AI supports structured issue identification. Comparing expected controls to supplier responses surfaces discrepancies quickly, with corrective actions generated automatically. Routine analysis accelerates, while human oversight remains firmly in place.
In practice, several patterns consistently define effective use:
- AI delivers value when embedded directly into core workflows.
- Deterministic outputs sustain regulatory and audit confidence.
- Rote analysis is automated; judgment remains human.
- Explainability keeps automation contestable, not opaque.
Applied this way, AI becomes a force multiplier: absorbing repetitive work so risk teams can focus on decisions that actually require experience and context.
Resilience Through Automated Remediation
Once risk is visible and understood, the question becomes operational: what happens next? Carey Smith returns repeatedly to this inflection point, noting that many programs stall after identification and confuse awareness with protection.
“Detection on its own is just diagnostic — it tells you something is wrong, but it doesn’t fix anything. Real resilience comes from what you do after risk is identified. If alerts pile up without triggering action, organizations end up with alert fatigue instead of protection. That’s why resilience depends on pre‑approved responses and automated pathways that move you from insight to action quickly.”
— Carey Smith, former CIO and Chief Technology Innovation Officer of Blue Cross Blue Shield of Minnesota, and President and CIO of XcelerateHealth
Left unattended, surfaced risk accumulates. Alerts multiply, attention fragments, and response slows. Resilient organizations avoid this trap by embedding action into the same systems that detect risk.
In this model, AI‑driven playbooks translate signals into movement. When thresholds are breached — due to cyber events, financial distress, compliance gaps, or geopolitical disruption — automation triggers predefined responses such as contract reviews, compensating controls, or alternate supplier activation. These actions are designed in advance, governed deliberately, and executed consistently.
Materiality shapes everything. Not every supplier warrants the same scrutiny or response. Depth of remediation aligns with business impact: revenue exposure, operational dependency, and data sensitivity.
The distinction becomes clear:
- Monitoring without action creates fatigue.
- Playbooks convert detection into execution.
- Pre‑approved paths enable speed without chaos.
- Automation accelerates response; humans set direction.
Resilience, in this framing, is not about eliminating risk. It is about meeting disruption with prepared pathways, clear ownership, and the ability to act decisively when conditions change.
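As an added illustration (not Aravo's product code and not anything the speakers describe in detail), the Python sketch below shows the pattern that the explainable‑AI section and the remediation section above both point at: expected controls per materiality tier are compared deterministically to questionnaire answers, event‑driven signals are thresholded by tier, and every finding carries the evidence it rests on plus a pre‑approved playbook action. The control names, playbook wording, thresholds and sample supplier data are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed sample policy: which controls each materiality tier must attest to.
EXPECTED_CONTROLS = {
    "critical": {"mfa_enforced", "encryption_at_rest", "breach_notice_72h", "audit_report_current"},
    "standard": {"mfa_enforced", "encryption_at_rest"},
}
# Pre-approved responses per trigger category (constructed wording, hypothetical playbooks).
PLAYBOOKS = {
    "compliance_gap": "open corrective action and schedule contract review",
    "cyber_event": "apply compensating controls and restrict data flows",
    "financial_distress": "activate alternate supplier and review continuity terms",
    "geopolitical": "activate alternate supplier for the affected region",
}
# Signal severity (1-3) at which a tier acts; critical suppliers respond to weaker signals.
ACT_AT = {"critical": 2, "standard": 3}

@dataclass
class Finding:
    supplier: str
    trigger: str
    evidence: list   # every fact the action rests on, so an auditor can retrace it
    action: str

def materiality(revenue_exposure: bool, operational_dependency: bool, data_sensitive: bool) -> str:
    """Tier a supplier from the three business-impact dimensions named in the text."""
    return "critical" if (revenue_exposure or operational_dependency or data_sensitive) else "standard"

def evaluate(supplier: str, tier: str, answers: dict, signals: list) -> list:
    """Exception-based check: a finding is emitted only where something deviates."""
    findings = []
    attested = {control for control, ok in answers.items() if ok}
    missing = sorted(EXPECTED_CONTROLS[tier] - attested)
    if missing:
        evidence = [f"expected control '{c}' for tier '{tier}' not attested" for c in missing]
        findings.append(Finding(supplier, "compliance_gap", evidence, PLAYBOOKS["compliance_gap"]))
    for sig in signals:  # event-driven intelligence, e.g. a cyber incident or adverse media
        if sig["category"] in PLAYBOOKS and sig["severity"] >= ACT_AT[tier]:
            evidence = [f"{sig['source']}: {sig['detail']} (severity {sig['severity']})"]
            findings.append(Finding(supplier, sig["category"], evidence, PLAYBOOKS[sig["category"]]))
    return findings
# Constructed sample input: one critical supplier with a control gap and a cyber signal.
SAMPLE_ANSWERS = {"mfa_enforced": True, "encryption_at_rest": True, "breach_notice_72h": False}
SAMPLE_SIGNALS = [{"category": "cyber_event", "severity": 2, "source": "threat feed", "detail": "credential leak reported"},
                  {"category": "geopolitical", "severity": 1, "source": "news", "detail": "minor port delay"}]

if __name__ == "__main__":
    tier = materiality(revenue_exposure=True, operational_dependency=False, data_sensitive=True)
    for f in evaluate("VendorX", tier, SAMPLE_ANSWERS, SAMPLE_SIGNALS):
        print(f.trigger, "->", f.action, "| evidence:", f.evidence)
```

A compliant supplier with only low‑severity signals yields no findings at all, which is the exception‑based behaviour the section describes.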