Third-Party Risk Management: From Vendor Questionnaires to Continuous Assurance

Third-party risk management is moving beyond annual questionnaires and static due diligence packs. That model is no longer sufficient for the speed, complexity, and dependency levels of modern digital business.

Many organisations now rely on third parties for core services: cloud hosting, payments, identity services, IT support, compliance tooling, customer platforms, analytics, and operational infrastructure. This creates efficiency, but it also creates dependency. A cyber incident at a supplier can disrupt your business, expose sensitive data, trigger regulatory scrutiny, or damage customer trust.

Effective third-party risk management starts with segmentation. Not every vendor requires the same level of oversight. Critical and high-risk suppliers should receive enhanced due diligence, contractual controls, defined service levels, incident reporting obligations, audit rights, data protection requirements, and resilience testing.

The biggest improvement many organisations can make is moving from “point-in-time approval” to “continuous assurance.” This means reviewing changes in supplier risk, tracking security certifications, monitoring incidents, reassessing access privileges, and validating whether suppliers can actually meet recovery expectations.

Boards and executives should ask three practical questions: Which third parties are critical to our operations? What would happen if they failed tomorrow? Do we have evidence that they can protect, respond, and recover?

Key message: Third-party risk management is not about proving that suppliers looked safe at onboarding. It is about knowing whether they remain safe, resilient, and fit for purpose over time.