  • Third-Party Risk
  • 3rd Jul 2026

Third-party risk is still a checkbox exercise. That is about to get expensive.

In Short

Most TPRM programmes are built to pass audits - not to manage risk. A vendor onboards, a questionnaire gets filed, and the relationship runs for years on a snapshot that aged the moment it was saved. That is not risk management. It is paperwork with a deadline. And with DORA, NIS2, and the UK's Cyber Security and Resilience Bill now demanding continuous oversight, the cost of that distinction is rising fast. Nick Rafferty will be unpacking exactly where this breaks - and how to fix it - in a live session with CSA Cyber on 8th July.

  • Ownership is fragmented across procurement, security, and compliance - and breaches live in the gaps between them.

  • A static assessment is no longer defensible. Regulators are asking whether you can show, today, that the relationship is still under control.

  • Most GRC tooling records decisions. It does not enforce them, chase evidence, or tell you when a control has lapsed.

  • Programmes built around risk pass audits as a by-product. Those built around audit compliance tend to fail at both.

Introduction

I have spent more than twenty years building GRC products and watching how organisations actually run third-party risk management. The pattern rarely changes.

A vendor joins, someone sends a questionnaire, the answers come back, get filed, and the relationship runs for years on a snapshot that aged the moment it was saved.

That is not risk management; it is paperwork with a deadline.

Why TPRM keeps breaking

The problem is not effort or expertise. The teams I meet are skilled but stretched thin.

The real challenge is structural, and it shows up the same way almost everywhere.

Ownership is split. Procurement owns contracts, security owns assessments, and compliance owns the evidence. Work falls between the gaps, and those gaps are where breaches live.

The motion is reactive. You assess a vendor when they onboard, then move on. The library grows, the process does not, and assessment quality quietly collapses under the weight of more and more onboarding.

It sits in a silo. Third-party risk runs on its own scoring, its own spreadsheets, its own reporting. What you learn rarely feeds back into your wider risk and compliance picture, even though your supply chain is now one of the largest attack surfaces you have.

The tooling cannot enforce anything. A spreadsheet records a decision. It does not apply a process, chase evidence, or tell you when a control has lapsed. You are left trusting that everyone did the thing, with no way to prove it. TPRM solutions work better, but on their own they exacerbate the silo challenge.

None of these breaking points are new. What's new is that the cost of getting it wrong has changed.

Why a snapshot no longer passes

A static assessment used to be defensible, but the rules now assume you are running a continuous third-party programme.

DORA has been in force since January 2025. It requires financial entities to maintain an accurate register of their ICT third parties and to hold those relationships to specific contractual and oversight standards. A drawer full of last year's questionnaires does not meet that bar. What DORA and NIS2 now require from your supply chain goes well beyond the periodic assessment model most programmes still run.

NIS2 has also reshaped supply chain obligations across the EU. The transposition deadline passed in October 2024, so most member states have now enacted their national laws, and 2026 is the year that supervision turns into enforcement. Supply chain security is written into the directive, and failure to comply comes with corresponding fines.

The UK has not adopted NIS2, but the Cyber Security and Resilience Bill was introduced to Parliament in November 2025. It widens obligations to managed service providers and designated critical suppliers, with the substance arriving through secondary legislation.

The direction is the same on both sides of the Channel. Regulators have stopped asking whether you assessed a vendor once. They are asking whether you can show, today, that the relationship is still under control and why.

From systems of reporting to systems of action

The fix is not a different questionnaire.

Most GRC tooling helps you write things down. It documents the vendor, then leaves the rest to people who do not have the hours for due diligence. The result is a programme that knows about its third-party risk and never quite acts on it.

Moving to a 'system of action' inverts that.

If you were able to automate the manual parts of third-party reassessment as a continuous process, then risk would not just be an onboarding discussion, but a critical part of both vendor management and your supply chain posture. Evidence would be collected, not chased.

This is where a virtual GRC team changes the maths. Gracie AI carries the repeatable load, helping you tier vendors, map evidence and perform repeat assessments with ease, so your specialists can spend their time making decisions on risk rather than on admin. Skills help even the most junior team member work to your best specialist's standard, while the knowledge gaps you do have can be questioned against a knowledge base built on 20 years of SureCloud expertise.

With Gracie AI extending your reach and skills codifying your knowledge, the virtual team lets the human team scale with the vendor library instead of falling behind it.

What changes when you stop treating it as a form

Most TPRM programmes are built to pass an audit. The ones that hold up are built to focus on risk, and they pass the audit as a by-product.

That is the shift worth making this year, before a regulator, a customer, or an incident makes it for you.

Going deeper

On the 8th July, I am joining CSA Cyber for a live session on building third-party risk programmes that hold up under regulatory scrutiny. We will get into where TPRM breaks, what the new obligations actually demand, and how to move from reactive assessment to continuous control.