Leverage strategy, alliances, and battlefield awareness for vendor oversight.
Over 2,500 years ago, the Chinese military strategist Sun Tzu wrote The Art of War, a treatise on conflict, intelligence, and victory that still holds influence in modern boardrooms. He believed wars were won before the first arrow flew — through planning, awareness, and knowing both your enemy and yourself.
Today, managing third-party risk is not unlike preparing for battle. Your organization’s success is increasingly tied to the actions, security, and integrity of the vendors, suppliers, and partners you choose to engage with. The battlefield has changed — but the principles have not.
So, if Sun Tzu were leading your third-party risk program, how would he do it?
1. “Know Your Enemy and Know Yourself” — The Foundation of Vendor Risk
Sun Tzu’s most famous lesson is deceptively simple: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” While your vendors aren’t enemies, the sentiment applies perfectly to risk management.
To know your vendors means more than collecting SOC reports or checking for ISO certifications. A SOC report covers only the systems and the period in scope, and a certificate shows that a management system exists, not that its controls protect your data. Knowing a vendor requires understanding how deeply they are embedded in your operations, what data and systems they can access and with what level of privilege, which controls they lack, which of their own suppliers they depend on, and how their risk posture becomes part of yours.
And to know yourself? That means having clarity about your own critical processes, your appetite for risk, and the internal controls in place to monitor third-party performance.
A Sun Tzu–inspired approach to third-party risk begins with this dual awareness — introspection and investigation, balanced.
2. “All Warfare Is Based on Deception” — Assessing Hidden Risk
Sun Tzu emphasized that the most dangerous threats are the ones you don’t see. When applied to vendor management, that’s a direct warning: the greatest third-party risks often hide beneath the surface.
A partner may present a polished risk profile, but behind the scenes it could be subcontracting critical functions to fourth parties you have never assessed, cutting corners on cybersecurity, or sliding toward financial instability. Without rigorous, ongoing assessment, your organization inherits that risk by association.
Sun Tzu would not settle for an annual vendor questionnaire, which records a vendor's self-reported state on a single day. He would insist on active surveillance: continuous monitoring of vendor health, alerts for regulatory non-compliance or sanctions actions, and early warning signals for operational disruption, such as breach disclosures, changes in financial condition, and newly exposed services on a vendor's internet-facing footprint, with alerts tuned so that a change in a critical vendor's posture reaches you before it becomes your outage.
He’d view third-party oversight as intelligence gathering — not just paperwork.
3. “The Greatest Victory Is That Which Requires No Battle” — Preventive Oversight
Sun Tzu advocated for winning without fighting — preventing problems through foresight. That ethos aligns beautifully with proactive vendor risk management.
Rather than waiting for a vendor breach to trigger a review, Sun Tzu would build structured, preventive frameworks. He would tier vendors by criticality (the sensitivity of the data they hold and how quickly their failure would halt your operations), scale due diligence and contractual requirements to each tier, and define tiered response protocols, including contingency suppliers for the vendors you cannot operate without, long before a threat materialized.
He’d argue that a truly strategic TPRM program is invisible when it works well — it prevents crises from erupting and keeps operations smooth through anticipation, not reaction.
4. “In the Midst of Chaos, There Is Also Opportunity” — Strategic Vendor Selection
Third-party risk isn’t just a compliance issue — it’s a strategic differentiator. Sun Tzu would see vendor selection as a battlefield advantage. He would evaluate partners not just for risk, but for their potential to create value, strengthen resilience, and unlock innovation.
He’d ask questions like:
- Does this vendor give us flexibility our competitors lack?
- Are we overly dependent on one supplier, or do we have a diverse, resilient ecosystem?
- Can we shift from risk mitigation to risk optimization — using risk insights to sharpen our strategy?
He would turn the vendor risk program into a source of competitive intelligence.
5. “Victorious Warriors Win First and Then Go to War” — Operational Readiness
Finally, Sun Tzu believed that disciplined preparation was the key to success. He would demand that the third-party risk process be deeply embedded into onboarding workflows, contract management, and procurement decision-making.
He would ensure that all teams — legal, IT, procurement, risk, compliance — operated from a shared framework, with aligned goals and clear communication. Third-party risk would not be a standalone exercise. It would be part of the organization’s DNA.
Third-Party Risk Management, the Sun Tzu Way
To follow Sun Tzu’s guidance is to manage risk with intention — to use information as leverage, to build strength through preparation, and to think beyond the immediate into the long term.
Empowered’s Third-Party Risk Management solution brings that mindset to life. With dynamic assessments, continuous monitoring, and flexible workflows tailored to your vendor ecosystem, you can lead with insight — not just oversight.
In Sun Tzu’s words, “Opportunities multiply as they are seized.”
And with the right third-party risk strategy, so does your resilience.