Third Party Risk Management: The Evolution

The Evolution of Third Party Risk Management, from spreadsheets to ecosystems.

Most third-party risk programmes fail not because organisations lack tools, but because supplier risk changes faster than their operating model. Effective TPRM is continuous, contextual, and actively owned.

Third Party Risk Management (TPRM) is evolving rapidly, and not a moment too soon, as understanding your suppliers and the risks they present has never been more important.

As organisations become more reliant on complex supplier ecosystems, traditional approaches based on questionnaires, spreadsheets, and point-in-time checks are struggling to keep pace. Supplier landscapes change constantly, risk shifts over time, and confidence erodes when visibility is lost.

Despite these risks, many organisations still overlook their supply chains. The 2025 Security Breaches Survey shows that only a small proportion of UK businesses set minimum security requirements for their suppliers.

Recent high-profile cyber attacks have exposed just how vulnerable supply chains can be. These incidents prove that attackers have both the capability and determination to exploit weaknesses in third-party security and that this threat is increasing. The message is unmistakable: organisations must act now.

The next phase of third party risk management is about building trust between supplier and customer through connected, integrated, automated ecosystems that provide continuous visibility and meaningful assurance.

Why onboarding checks no longer tell the full story

Our perspective: The suppliers involved in serious incidents are rarely the ones that scored the highest risk at onboarding.

Most organisations already carry out some level of supplier due diligence. A questionnaire during procurement, a review at contract signature, perhaps a formal sign-off before onboarding completes. On paper, this looks reasonable.

The problem is what happens next.

Suppliers rarely remain static. Over time, access increases, services broaden, new data is introduced, and sub-processors are added. Business dependency deepens, often without a corresponding reassessment of risk.

Initial supplier due diligence still matters, but on its own, it no longer reflects reality. Over time, suppliers change in ways that are rarely captured formally.

In practice, we regularly see suppliers that were originally classed as low or medium risk quietly become business-critical, without any trigger to reassess the original decision. This typically happens because:

  • Services expand beyond the original scope
  • Access to systems and data increases gradually
  • New data types or processing activities are introduced
  • Sub-processors are added without clear visibility
  • Business dependency deepens quietly

So what does this mean in practice? We see high-risk suppliers with access to data and systems, or running business-critical services, with little to no ongoing management. This increases the likelihood of an incident, and the disconnect between you and the supplier makes responding to a breach even more difficult.

Supplier environments do not stand still

Our perspective: In most organisations, supplier change happens faster than risk reviews are triggered, leaving assessments permanently one step behind reality.

In most mid-to-large organisations, the supplier landscape is in constant motion. New vendors are onboarded to support growth or transformation. Existing suppliers take on additional responsibilities. Legacy providers are phased out. Integrations multiply.

Trying to keep pace with this level of change using spreadsheets or periodic reviews is difficult, even with strong intent. Risk management inevitably lags behind what is actually happening.

Effective third party risk management in this environment depends on having a clear process, enough automation to handle change at scale, and continuous visibility as the ecosystem evolves. Without those foundations, supplier risk quickly becomes outdated.

Why tools alone rarely solve the problem

Our perspective: Tooling only becomes effective when ownership, decision-making, and follow-through are already clear.

Many organisations already own GRC or vendor risk tools, yet still struggle to run effective TPRM programmes. The issue is rarely the platform’s capability.

Running a programme involves a set of ongoing activities that sit outside most tools.

For example:

  • Engaging suppliers consistently and pragmatically
  • Interpreting risk in the context of the business
  • Tracking remediation in a way that reflects reality
  • Maintaining momentum over months and years

Without clear ownership for these activities, even capable platforms tend to fade into the background. This is why so many TPRM initiatives stall. The technology may be sound, but the operating model is incomplete.

If you’re a senior leader, the practical question is not which tool to buy, but who owns supplier risk end-to-end, how decisions are made, and how progress is monitored over time.

From assessments to GRC engineering

Our perspective: Sustainable TPRM requires engineered processes and data flows, with a continuous assessment cycle rather than isolated events.

Third-party risk management is increasingly looking less like a periodic assessment exercise and more like an operational engineering problem.

Modern organisations are increasingly focused on evidence pipelines. These are automated, repeatable flows of risk, control, and assurance data that replace static documents and manual collection. When those pipelines extend beyond internal teams and into the supplier ecosystem, visibility improves significantly.

This shift enables a more connected GRC ecosystem. One that links internal risk and compliance views with supplier security posture through integration and automation. Risk information becomes easier to contextualise, act on, and evidence.

When implemented well, this approach reduces manual effort while improving decision-making. It also changes the role of TPRM from an administrative burden into a shared operating model.

Why context matters more than scores

Our perspective: A supplier risk score is only useful when it is directly connected to business impact, systems, and data.

One of the persistent weaknesses of traditional TPRM approaches is isolation. Supplier risk is assessed and recorded, but rarely connected to the systems suppliers support, the data they access, or the controls they rely on.

When supplier risk is viewed in isolation, it is difficult to prioritise. When viewed alongside internal cyber risks, vulnerabilities, and compliance obligations, it becomes far more actionable.

At Blackfoot, we integrate third-party risk management directly into our Clarity GRC platform. This allows supplier risk to be understood as part of the wider cyber risk picture, rather than as a standalone activity. That context is what turns assessment into decision-making.

The real cost of traditional Third Party Risk Management

Our perspective: The highest cost in traditional TPRM is not tooling or licences, but effort spent maintaining processes that never quite reflect reality.

TPRM has also earned a reputation for being expensive and resource-heavy, often for good reason.

Clients we speak to about TPRM consistently highlight high licence costs before seeing value, long implementation timelines, and significant internal effort just to keep programmes running. Supplier engagement can be low when the process feels repetitive or unclear.

Over time, this combination of cost and complexity has led some organisations to reduce TPRM to a minimal exercise, rather than a meaningful capability. The opportunity now is to move away from that model altogether.

Suppliers are part of the solution

Our perspective: Supplier engagement significantly improves when expectations are clear, and assessments are consistent, proportionate, and transparent.

An often-overlooked aspect of third party risk management is the supplier relationship itself.

In practice, many suppliers want to do the right thing. Security is increasingly a differentiator, not just a cost. What is often missing is clarity around expectations, assessment criteria, and what good looks like in practice.

A transparent, consistent, and collaborative TPRM approach tends to improve engagement on both sides. It reduces friction, helps suppliers focus on the right controls, and positions security as an enabler rather than a blocker.

The role of AI in next-generation TPRM

Our perspective: AI adds the most value when it reduces manual effort and sharpens prioritisation, not when it replaces human judgement.

AI and automation are increasingly playing a practical role in modern TPRM programmes. Used well, they can accelerate gap identification, map issues to relevant frameworks, and help prioritise remediation more effectively. They also reduce friction for both clients and suppliers.

Importantly, this augments human judgement rather than replacing it, making continuous third-party risk management achievable at scale.

What effective Third Party Risk Management looks like today

Our perspective: Effective TPRM programmes are actively run, continuously updated, and clearly owned rather than periodically reviewed.

Across organisations maturing their approach, some common characteristics are emerging.

  • Ongoing oversight rather than periodic reviews
  • Clear prioritisation of suppliers based on business impact
  • Automation used to handle scale and change
  • Supplier risk understood alongside enterprise cyber risk
  • Clear ownership for keeping the programme moving

Most importantly, these programmes are actively operated rather than simply implemented.

From compliance to confidence

Our perspective: Confidence doesn’t come from passing audits, but from being able to explain supplier risk decisions clearly at any point in time.

Third party risk management still supports audits and compliance, but that is no longer the end goal. The real objective is confidence. Confidence that suppliers are understood, that risk is prioritised, that change is detected, and that evidence exists when required.

That confidence comes from continuity, context, and ownership.

In practice, good TPRM means leaders can clearly explain which suppliers matter most, why they matter, which risks are being accepted, and what is actively being improved right now.

If those answers are not immediately clear, third-party risk is likely being managed retrospectively rather than actively.

Is your Third Party Risk Management programme up to scratch?

If you cannot answer these questions clearly, your organisation is likely lacking effective third party risk management.

  1. Which suppliers matter most to the business right now, and why?
  2. What has changed in our supplier risk landscape in the last year?
  3. Who owns supplier risk decisions end-to-end?
  4. Which supplier risks are we knowingly accepting today, and why?
  5. If a key supplier had an incident tomorrow, would we have the information we need to respond effectively?

How Blackfoot helps

Blackfoot delivers third party risk management as a managed, platform-led service, integrated into our wider Cyber.OS ecosystem. We help organisations reduce operational burden, gain meaningful visibility into supplier risk, and build a TPRM capability that scales with their business.

You can learn more about our third-party risk management services here: Continuous Third Party Risk Management Service
