IT Audit

Third-Party and Vendor Risk Management: The Audit Perspective

Kamran Iqbal, CIA, CISA, CFE, CRMA | May 2026 | 7 min read
Organisations depend on third parties for an increasingly wide range of critical services — from cloud infrastructure to payroll processing, from customer data management to core banking systems. Yet many organisations manage vendor risk through periodic contractual reviews and self-completed questionnaires that bear little relationship to the actual risk exposure created by key vendor relationships. Internal audit has an important role in assessing whether third-party risk is being managed with the rigour the exposure warrants.

Why Third-Party Risk Has Grown

The expansion of third-party dependence reflects a fundamental strategic shift in how organisations operate. Outsourcing, cloud adoption, platform economy participation, and supply chain specialisation have all increased the proportion of critical business capabilities that are delivered by parties outside the organisation's direct control. This is not inherently problematic — but it creates risk concentrations and governance challenges that organisations have often been slow to address.

The risk created by third-party relationships is multi-dimensional. Operational risk arises from the possibility that a key vendor suffers an outage, financial failure, or service degradation that disrupts the organisation's operations. Cybersecurity risk arises from the access that third parties typically have to organisational systems and data — and the possibility that a vendor's compromised environment becomes the vector for an attack on the organisation. Regulatory and compliance risk arises from the fact that outsourcing a function does not outsource the regulatory obligation — the organisation remains responsible for ensuring that third-party processing of regulated data meets applicable standards.

The Common Gaps in Vendor Risk Programmes

Most organisations have vendor risk management programmes that address the obvious — contractual provisions, initial due diligence, and some form of periodic review. The common gaps are typically in ongoing monitoring, in the depth of due diligence for critical vendors, and in the comprehensiveness of the vendor inventory itself.

Incomplete vendor inventory: Many organisations do not have a comprehensive, current inventory of all third-party relationships with access to organisational systems or data. Shadow IT and decentralised procurement create vendor relationships that are invisible to the central vendor risk function until an incident reveals them.

Inadequate tiering: Effective vendor risk management requires proportionality — critical vendors warrant significantly more rigorous oversight than low-risk commodity suppliers. Organisations that apply uniform due diligence procedures across all vendors either over-invest in low-risk relationships or under-invest in high-risk ones.

Paper-based due diligence: Vendor questionnaires that are self-completed by the vendor provide self-reported information that may not reflect the vendor's actual control environment. Critical vendor relationships warrant independent assurance — typically through SOC reports, penetration test results, or third-party security assessments — rather than relying solely on vendor representations.

Absence of concentration risk management: Organisations that have multiple critical processes dependent on a single vendor — or on vendors sharing a common infrastructure provider — have concentration risk that may not be visible in standard vendor risk assessments.

A vendor breach or failure that disrupts your operations is your risk, not your vendor's. The regulatory penalties, the reputational consequences, and the business continuity costs land with you. Third-party risk management that does not account for this reality is not managing risk — it is managing paperwork.

What Internal Audit Should Assess

An internal audit of the third-party risk management programme should examine the comprehensiveness of the vendor inventory, the adequacy of the vendor tiering and risk assessment methodology, the depth of due diligence for critical vendor relationships, the robustness of ongoing monitoring mechanisms, and the organisation's contingency planning for failure of critical vendors. For the highest-risk vendor relationships, the audit should also examine the specific contractual provisions for security, data protection, audit rights, and breach notification — and whether the organisation is actually exercising its audit rights and receiving the assurance information it is contractually entitled to.
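As an added example (not code from the article or its author), the following Python script applies the audit checks described above to a constructed vendor register: it tiers vendors by data access, system access and business criticality, reconciles the register against the external accounts known to the identity provider to surface inventory gaps, flags critical vendors whose only evidence is a self-completed questionnaire, and flags critical or high-tier vendors that share one infrastructure provider. The tiering rules, field names and vendor records are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    data_access: str             # "none", "internal" or "regulated"
    system_access: bool          # holds credentials into our environment
    business_critical: bool      # an outage would disrupt a critical process
    infra_provider: str          # hosting provider the vendor itself runs on
    independent_assurance: bool  # SOC report / pentest / third-party assessment on file

def tier(v: Vendor) -> str:
    """Proportionate tiering (assumed rule set): critical > high > standard."""
    if v.business_critical or v.data_access == "regulated":
        return "critical"
    if v.system_access or v.data_access == "internal":
        return "high"
    return "standard"

def audit_findings(inventory, idp_external_accounts):
    """Return findings for three gaps: inventory, assurance depth, concentration."""
    findings = []
    known = {v.name for v in inventory}
    # Gap 1: third parties with accounts in the identity provider but no register entry
    for name in sorted(idp_external_accounts - known):
        findings.append(f"inventory: {name} has system access but is not in the vendor register")
    by_provider = defaultdict(list)
    for v in inventory:
        t = tier(v)
        # Gap 2: critical vendors assessed on self-reported questionnaires alone
        if t == "critical" and not v.independent_assurance:
            findings.append(f"assurance: {v.name} is critical but has no independent assurance")
        if t != "standard":
            by_provider[v.infra_provider].append(v.name)
    # Gap 3: several critical/high vendors running on one infrastructure provider
    for provider, names in by_provider.items():
        if len(names) > 1:
            findings.append(f"concentration: {', '.join(names)} all depend on {provider}")
    return findings

# Constructed sample data; the names are placeholders, not real vendors
INVENTORY = [
    Vendor("PayrollCo", "regulated", True, True, "CloudA", True),
    Vendor("CRMHost", "regulated", True, False, "CloudA", False),
    Vendor("CateringLtd", "none", False, False, "OnPrem", False),
    Vendor("CoreBankSaaS", "regulated", True, True, "CloudA", True),
    Vendor("TicketTool", "internal", True, False, "CloudB", False),
]
IDP_EXTERNAL_ACCOUNTS = {"PayrollCo", "CRMHost", "TicketTool", "AnalyticsStartup"}
```

Running `audit_findings(INVENTORY, IDP_EXTERNAL_ACCOUNTS)` on the sample data yields one finding for each of the three gaps; in practice the register and the identity-provider account list would be exported from the organisation's own systems.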
