Business Reporter

Managing third-party risk

AI is changing what good third-party risk management looks like, argues Shane Tierney at Drata
Most organisations have spent years believing they had a reasonable handle on their third-party risk. They diligently followed well-established processes to assess vendors and have the stacks of audit reports to prove it.

But more companies are now having that confidence tested, discovering that their picture of risk does not match reality. The reliable frameworks are there, but the information underpinning critical decisions is not as current or as complete as it seemed.

The gap is not a failure of diligence. The tools most organisations use to manage third-party risk were built for a slower, more predictable world. That world no longer exists, and the resulting lack of visibility has become one of the most consequential blind spots in enterprise risk management.


A process built for a world that no longer exists

Third-party risk management has followed a familiar pattern for a long time. A vendor is assessed during procurement, questionnaires are completed, certifications are reviewed, and a decision is made. That done, the assumption is that the risk is understood and can be set aside until the next scheduled review.

That assumption is increasingly difficult to sustain. Modern vendor relationships extend well beyond the partners named in contracts. Systems connect through APIs, vendors rely on subcontractors, and cloud services continuously move data between platforms. What begins as a manageable list of direct relationships gradually becomes a dense web of dependencies. Unlike the intermittent manual processes designed to oversee it, that web never stops changing.

As a result, the gap between perceived and actual risk widens between audit periods. Platforms update, integrations expand, and access patterns shift in ways the vendor itself is unlikely to fully track, let alone communicate to the organisations that depend on it. By the time evidence is gathered and reviewed, it may no longer reflect how systems actually behave.

Beyond the direct risk of those visibility gaps, the regulatory environment is tightening around exactly this weakness. Under NIS 2, organisations in scope are expected to manage supply chain cybersecurity risk on an ongoing basis, while DORA places comparable ICT third-party risk obligations on financial entities.

More broadly, the direction of travel across the European cyber and resilience landscape is clear, including measures such as the EU Cyber Resilience Act and operational frameworks such as Belgium's CyberFundamentals. Together, they reinforce the same basic point: a review conducted at procurement and revisited infrequently is becoming harder to defend as a serious risk-management model.


Continuous, agentic evaluation

The organisations moving ahead of this problem are approaching third-party risk differently. Rather than treating vendor assessment as a recurring checkpoint, they are building it into the ongoing rhythm of the business, maintaining continuous visibility into how vendor risk evolves rather than revisiting it at fixed intervals.

One of the biggest hurdles is how to achieve this at scale. Manually monitoring vendor relationships in real time is not feasible, especially when supply chains include hundreds or even thousands of third parties.

This is where AI is beginning to change the model. AI-powered tools are well suited to the high-volume, repetitive work that currently consumes most of the available capacity: collecting documents, extracting the relevant facts from them, and checking those facts against a fixed set of questions.

Agentic AI that can access systems and complete tasks on its own holds even greater potential here, because it can automate the evidence-gathering and initial evaluation stages of vendor assessment. Rather than relying on questionnaires and self-attestation, these systems draw on live vendor documentation, pulling current security artefacts such as audit reports and policies directly rather than working from materials that may be months old by the time they are reviewed. That access is itself an integration into vendor systems and should be scoped and logged like any other.

Evidence is evaluated against structured criteria defined by the organisation, with each control assessed in the same way and the outcome recorded alongside the evidence it rests on. This introduces a level of consistency that can be just as valuable as the speed and efficiency.

Standardising criteria and applying them uniformly across the vendor ecosystem removes the subjectivity that often surfaces in traditional review processes. In a wholly manual process, two reviewers can look at the same information and reach different conclusions, which adds its own layer of uncertainty.
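As an added example (not code from the original article or from Drata), the Python below shows the kind of deterministic evaluator the two preceding paragraphs describe: organisation-defined criteria are applied to a vendor's evidence the same way every time, and a structured outcome is recorded for each control. The control names, freshness thresholds, and sample artefacts are constructed for illustration; in practice the artefacts would be whatever an evidence-gathering agent collected. Two points from the text are built in: an artefact older than the organisation's threshold is marked stale regardless of what it says, and the engine never accepts or rejects a vendor, it only routes anything short of a clean pass to the risk team.

```python
"""Deterministic evaluation of vendor evidence against organisation-defined criteria.

Added example, not Drata's code. Control names, thresholds and the sample
artefacts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Artefact:
    control: str               # control the artefact evidences, e.g. "PENTEST"
    issued: date               # when the artefact was produced, not when it was collected
    claims: Dict[str, object]  # structured facts extracted from the artefact


@dataclass(frozen=True)
class Criterion:
    control: str
    max_age_days: int                           # evidence older than this is stale, whatever it says
    check: Callable[[Dict[str, object]], bool]  # content test applied to the extracted claims
    description: str


@dataclass(frozen=True)
class Finding:
    control: str
    outcome: str               # "PASS", "FAIL", "STALE" or "MISSING"
    detail: str
    evidence_date: Optional[date]


def evaluate(artefacts: List[Artefact], criteria: List[Criterion], today: date) -> List[Finding]:
    """Apply every criterion the same way: newest artefact per control, age check, then content check."""
    newest: Dict[str, Artefact] = {}
    for a in artefacts:
        if a.control not in newest or a.issued > newest[a.control].issued:
            newest[a.control] = a

    findings: List[Finding] = []
    for c in criteria:
        a = newest.get(c.control)
        if a is None:
            findings.append(Finding(c.control, "MISSING", f"no artefact for: {c.description}", None))
            continue
        age = (today - a.issued).days
        if age > c.max_age_days:
            # Staleness is checked before content: an old artefact says little about today.
            findings.append(Finding(c.control, "STALE",
                                    f"evidence is {age} days old (limit {c.max_age_days})", a.issued))
            continue
        if c.check(a.claims):
            findings.append(Finding(c.control, "PASS", c.description, a.issued))
        else:
            findings.append(Finding(c.control, "FAIL", f"{c.description}; claims were {a.claims}", a.issued))
    return findings


def needs_human_review(findings: List[Finding]) -> List[Finding]:
    """Everything that is not a clean PASS goes to the risk team; the engine never decides acceptance."""
    return [f for f in findings if f.outcome != "PASS"]


# Constructed criteria: what the organisation requires and how fresh the evidence must be.
CRITERIA = [
    Criterion("SOC2", 365,
              lambda c: c.get("type") == "Type II" and not c.get("qualified", False),
              "current unqualified SOC 2 Type II report"),
    Criterion("PENTEST", 365,
              lambda c: c.get("open_critical", 0) == 0,
              "penetration test within the last year with no open critical findings"),
    Criterion("MFA_POLICY", 180,
              lambda c: c.get("enforced_for_admins") is True,
              "MFA enforced for administrative access"),
    Criterion("SUBPROCESSORS", 90,
              lambda c: isinstance(c.get("list"), list) and len(c["list"]) > 0,
              "published subprocessor list reviewed within the last quarter"),
]

# Constructed artefacts for one hypothetical vendor, as an evidence-gathering agent might return them.
SAMPLE_ARTEFACTS = [
    Artefact("SOC2", date(2024, 11, 1), {"type": "Type II", "qualified": False}),
    Artefact("SOC2", date(2023, 10, 15), {"type": "Type II", "qualified": True}),  # superseded, must be ignored
    Artefact("PENTEST", date(2025, 1, 15), {"open_critical": 1}),
    Artefact("MFA_POLICY", date(2024, 10, 1), {"enforced_for_admins": True}),
]

ASSESSMENT_DATE = date(2025, 6, 1)  # fixed so the run is reproducible


def run_sample() -> List[Finding]:
    return evaluate(SAMPLE_ARTEFACTS, CRITERIA, ASSESSMENT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.control:14} {f.outcome:8} {f.detail}")
```

Running it on the constructed data yields one of each outcome: the SOC 2 report passes (and the older, qualified report is ignored because only the newest artefact per control counts), the penetration test fails on an open critical finding, the MFA policy evidence is stale at 243 days against a 180-day limit, and the subprocessor list is missing. Three of the four findings go to a human reviewer; the engine records why, with the date of the evidence it relied on, so two reviewers start from the same facts.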


However, even with an agentic approach in place, human judgment remains an irreplaceable part of the process. Risk teams define the criteria, review the findings, and retain decision-making authority throughout. The goal should be to extend what risk management teams can do, not to replace them.


Risk management as a strategic capability

The case for continuous third-party risk management is usually made in operational terms, for security and compliance processes: faster assessments, better coverage, and less manual work.

However, the ability to consistently produce accurate risk data in real time has far-reaching strategic implications. Decisions about which vendors to fast-track through procurement, which relationships warrant closer scrutiny, where contract terms need strengthening, and where concentration risk has quietly built up all become easier to make with confidence. Live, reliable third-party risk telemetry is a valuable business input in its own right.

Likewise, compliance is increasingly a core operational issue. Regulators under NIS 2 and DORA are not simply asking whether organisations have assessed their vendors; they want evidence of ongoing governance. Customers and partners increasingly look for the same.

Organisations that can demonstrate continuous, evidence-based vendor oversight are better placed in procurement decisions, partnership evaluations, and regulatory discussions. Those that cannot face growing exposure, not only to the direct consequences of gaps in risk visibility, but to the reputational and commercial costs that follow.

Shane Tierney is Senior Program Manager, GRC at Drata
Main image courtesy of iStockPhoto.com and athakorn tedsaard

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd.