Safeguarding value creation

Addressing enterprise continuity risk in PE-backed firms

August 22, 2025

Key takeaways

Third-party risk and cyber continuity can significantly threaten enterprise stability.

Enterprise continuity planning yields benefits essential to sustained value creation.

Targeted risk mitigation strategies and clear metrics can fortify operations for success.

As private equity firms face longer hold periods, intensifying operational demands and greater scrutiny from stakeholders, safeguarding enterprise value has become just as important as creating it. Operating partners, value creation teams and executives at PE-backed companies are under pressure to fortify portfolio resilience amid an unpredictable risk landscape.

Two areas in particular—third-party risk and cyber continuity—have become defining factors in a portfolio company’s ability to sustain performance and command a premium at exit. Recognizing, managing and monitoring these risks has become essential to protecting the investment thesis and positioning portfolio companies for long-term success.

Understanding enterprise continuity risk and the cost of inaction

Enterprise continuity risk refers to operational and financial disruptions that can compromise a company’s ability to deliver on its strategy. These threats may arise from internal breakdowns, regulatory shifts or external shocks such as cyberattacks or poorly managed third-party relationships. Left unaddressed, they can weaken earnings, erode valuations and undermine exit readiness.

In early 2025, a privately owned global provider of aftermarket services for electronic devices suffered a debilitating cyberattack that compromised 85% of all virtual machines and destroyed critical backups. Ransomware groups are increasingly targeting virtualized environments to maximize disruption, with the average ransom demand reportedly skyrocketing to $5 million in 2024, according to cybersecurity media platform The Hacker News.

Faced with the potential for six weeks of operational downtime, mounting losses and regulatory obligations, the company ultimately paid a $6 million ransom to restore access. The incident underscores the catastrophic consequences of inadequate continuity planning and the urgent need for robust risk mitigation protocols.

Priority risk area No. 1: Third-party management

Third-party providers play a critical role in scaling operations and enhancing capabilities. But without proper oversight and alignment, these relationships can become sources of vulnerability. Gaps in governance, unclear expectations or poor integration with strategic goals can lead to operational disruptions and inflated costs. The risk isn’t in using external partners; it’s in failing to manage them effectively.

Illustrative examples

  1. A $10 million-plus technology transformation failed due to misalignment with the acquisition strategy, leading to unexpected costs and integration delays. Poor alignment around the future-state tech stack, particularly in the core enterprise resource planning (ERP), required significant effort to fix financial reporting issues during the year-end audit. The experience led the PE firm to reassess future investments, prioritizing clear return on investment and stronger oversight.
  2. In a separate incident, attackers intercepted and altered payment instructions from a trusted vendor, redirecting funds through fraudulent invoices. This incident resulted in a loss of approximately $1 million, excluding the cost associated with remediating the issue or the additional diligence procedures performed as the PE firm exited the investment.

Wire fraud, such as business email compromise scams, is rising in private equity, according to the Federal Bureau of Investigation, prompting many funds to delay deal announcements to limit risk. Taking preventive measures—such as dual authorization, out-of-band callbacks, stronger email security and fraud monitoring—and implementing employee training on these protocols is essential.

Key indicators of third-party risk

  • Supply chain disruptions and delivery delays
  • Cost overruns with limited justification
  • Declining product or service quality
  • Poor vendor communication and transparency
  • Noncompliance with regulatory standards

Recommended mitigation strategies  

  • Limit large-scale transformations without demonstrable ROI
  • Define clear requirements and scope in vendor contracts
  • Align vendor selection with critical business processes
  • Monitor performance through key performance indicators (KPIs) and service-level agreements (SLAs)
  • Enforce continuous compliance and conduct risk assessments 

Priority risk area No. 2: Cyber continuity

Cyber continuity risk refers to threats posed by digital disruptions, including ransomware, data breaches and system failures. These incidents can paralyze operations, incur substantial recovery costs and damage stakeholder trust.

Illustrative example

A newly acquired company with internet-connected devices across multiple U.S. states experienced two ransomware attacks due to insufficient preclose due diligence and the absence of a postclose cybersecurity buildout, such as a tested continuity plan. Despite widespread device vulnerabilities, including 1,300 machines all sharing the same simple password, basic controls were not implemented for nearly two years. Consequently, the attacks triggered multistate regulatory scrutiny, exposed major governance gaps and led to over $10 million in recovery costs and prolonged operational disruptions.

Key indicators of cyber risk

  • Frequent phishing incidents and employee vulnerabilities
  • Difficulty securing cyber insurance coverage
  • Delays in responding to third-party security assessments
  • IT strategies lacking integrated cybersecurity components

Recommended mitigation strategies  

  • Conduct regular tabletop exercises simulating various incident scenarios
  • Develop and maintain comprehensive business continuity and disaster recovery plans
  • Ensure all stakeholders understand system restoration priorities and roles
  • Track plan effectiveness and update protocols regularly

The takeaway: Building resilience is a strategic imperative

Effective enterprise continuity planning yields tangible benefits: improved vendor reliability, enhanced data security and greater operational resilience. These outcomes are essential for sustaining value creation and navigating uncertainty.

Organizations must treat continuity risk as a strategic priority. If a plan does not exist, it must be developed. If a plan exists but proves inadequate, it must be remediated immediately—especially as cyber insurance increasingly mandates such controls.

By recognizing the importance of third-party and cyber continuity risks, implementing targeted mitigation strategies and establishing clear performance metrics, PE-backed firms can fortify their operations and position themselves for sustained success.

RSM contributors
