---
id: "action-probe-high-risk-partners"
type: "action-item"
source_timestamps: ["§ What boards should do:"]
tags: ["third-party-risk", "supply-chain"]
related: ["concept-extraorganizational-risk"]
action: "Identify high-risk partners and verify redundancies exist for critical functions in business continuity plans."
outcome: "Mitigation of extraorganizational cyber risks and supply chain vulnerabilities."
speakers: ["Jeffrey Proudfoot", "Stuart Madnick"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-cl-83-boards-cybersecurity"
sourceUrl: "https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity"
sourceTitle: "Boards Are Falling Short on Cybersecurity"
---
# Probe High-Risk Partners for Redundancy

## Action

Identify **high-risk external partners** and verify that redundancies exist for critical functions within business-continuity plans.

## Detail

To address [[concept-extraorganizational-risk]], boards must actively probe executives to identify high-risk external partners. They must confirm that external threats are fully integrated into the company's **business-continuity plans** and verify that appropriate **redundancies** exist for critical functions that depend on third parties.

## Expected outcome

Mitigation of extraorganizational cyber risks and supply-chain vulnerabilities — the class of exposure exemplified by SolarWinds, Kaseya, and MOVEit.


## Related across articles
- [[action-vet-vendors]]
- [[concept-extraorganizational-risk]]
