FortaRisks

Building a third-party risk management program that works

November 28, 2025 · 4 min read

Many organizations believe they have a third-party risk program. They send a security questionnaire to new vendors, file the responses, and consider the risk managed. Then a supplier is breached, an attacker moves through a trusted integration, or a critical service goes dark, and it becomes clear the questionnaire was never a program at all.

Third-party risk management (TPRM) is not a form you send once. It is a lifecycle: knowing who your third parties are, how much they matter, how they perform over time, and what happens when the relationship ends. Here is what a program that actually works looks like, and where the most common gaps hide.

Start with an inventory you can trust

You cannot manage what you have not listed. The foundation of any program is a live inventory of your third parties and, for each one, the data it processes and the systems it touches. A vendor that only receives a monthly invoice PDF carries very different risk from one with an API key into your production database or administrative access to your identity provider.

This inventory has to be maintained, not built once and forgotten. New suppliers arrive through procurement, through a business unit signing up for a SaaS tool, or through a marketing team connecting an integration. If your list is a spreadsheet last touched a year ago, your program is already blind.

Tier by criticality, not by convenience

Treating every vendor the same wastes effort on low-risk suppliers while under-scrutinizing the ones that could hurt you. Tier your third parties by the impact a compromise would have: the sensitivity of the data they hold, the access they have, and how much your operations depend on them.

Concentrate real due diligence on the critical tier. A handful of vendors usually account for most of your exposure, and they deserve deeper review, tighter contracts, and closer monitoring than the long tail.

Due diligence beyond the questionnaire

Point-in-time questionnaires are self-reported and go stale quickly. They tell you what a vendor claimed about itself on the day it filled in the form, which is a starting point, not evidence. Combine them with external signals: the vendor's internet-facing attack surface, its breach history, and independent certifications such as SOC 2 or ISO 27001. Where the stakes justify it, ask for the actual audit report rather than the logo.

Contracts are where diligence becomes enforceable. Make sure agreements include concrete security requirements, breach-notification clauses with a defined timeline, a right to audit, and clear exit terms covering data return or destruction. A control you cannot enforce contractually is a hope, not a safeguard.

Monitor continuously, not once a year

A vendor's security posture changes between reviews. Certificates lapse, new vulnerabilities appear on exposed services, and companies get acquired or breached. An annual review captures a single snapshot and misses everything in between. Continuous monitoring of your critical tier, watching for posture changes, exposure, and public incidents, closes that blind spot.

Do not forget fourth parties and concentration

Your vendors have vendors. The cloud host, the payment processor, and the support tool your supplier relies on are your fourth parties, and a failure there can reach you just the same. On top of that, many organizations quietly depend on the same few providers, so a single outage or breach at a major platform can hit an entire sector at once. Understanding this concentration risk is part of knowing your true exposure.

Why the exposure is real

  • Problem: TPRM is often reduced to a static questionnaire sent once, with no tiering and no follow-up.
  • Impact: a breached or failed vendor becomes your incident. You inherit the exposure, the downtime, and often the regulatory and customer fallout, even though the failure happened outside your walls.
  • Action: run TPRM as a continuous lifecycle (inventory, tiering, evidence-based assessment, monitoring, and offboarding), focused on the vendors that matter most.

Close the loop with offboarding

Programs love to onboard vendors and forget to offboard them. When a relationship ends, revoke access, disable credentials and API keys, and recover or destroy the data the vendor held. Orphaned access and forgotten data stores are exactly the quiet gaps attackers look for.
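The tiering rule from "Tier by criticality, not by convenience" and the offboarding check above share the same underlying inventory, so the following added example implements both on one small vendor model. It is illustration code written for this post, not a FortaRisks product feature; the 0..3 factor scales, the tier thresholds, the review cadences, and the vendor names and dates are all constructed assumptions. The point it makes that the text only states is that a single worst factor (for instance admin access to the identity provider) must be enough to push a vendor into the critical tier, and that a vendor whose contract has ended but whose credentials are still active is an offboarding failure regardless of its tier.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Each factor is rated 0..3. These scales are an assumption for this example;
# a real program defines its own, but the three dimensions (data held, access
# granted, operational dependence) are the criteria the post names.
DATA_SCALE = {0: "no data", 1: "internal", 2: "confidential", 3: "regulated / PII"}
ACCESS_SCALE = {0: "none", 1: "read-only API", 2: "write API", 3: "admin / identity provider"}
DEPENDENCY_SCALE = {0: "none", 1: "convenience", 2: "important", 3: "operations stop"}

# Review cadence per tier (assumed values, chosen to match the post's advice
# that the critical tier gets continuous monitoring, not an annual snapshot).
REVIEW_CADENCE = {
    "critical": "continuous monitoring plus annual evidence-based review",
    "high": "annual questionnaire plus external signals",
    "standard": "contractual terms; re-review on change",
}


@dataclass
class Vendor:
    name: str
    data: int
    access: int
    dependency: int
    contract_end: Optional[date] = None            # None while the relationship is active
    active_credentials: List[str] = field(default_factory=list)

    def factors(self) -> Tuple[int, int, int]:
        return (self.data, self.access, self.dependency)


def tier(v: Vendor) -> str:
    """Tier by the impact a compromise would have.

    The worst single factor is checked first so that one maximal factor
    (e.g. admin access to the IdP) makes a vendor critical on its own; the
    combined score then catches vendors that are moderate on every axis.
    Thresholds are an assumption for this example.
    """
    for f in v.factors():
        if not 0 <= f <= 3:
            raise ValueError(f"{v.name}: factor {f} outside 0..3")
    worst, total = max(v.factors()), sum(v.factors())
    if worst == 3 or total >= 6:
        return "critical"
    if worst == 2 or total >= 3:
        return "high"
    return "standard"


def orphaned_access(inventory: List[Vendor], today_iso: str) -> List[Tuple[str, str]]:
    """Offboarding check: credentials still active after the contract ended.

    Returns (vendor, credential) pairs. The tier is deliberately ignored here:
    orphaned access is a gap whatever the vendor's importance was.
    """
    today = date.fromisoformat(today_iso)
    found = []
    for v in inventory:
        if v.contract_end is not None and v.contract_end < today:
            for cred in v.active_credentials:
                found.append((v.name, cred))
    return found


def build_sample_inventory() -> List[Vendor]:
    # Constructed sample data: these vendors, dates and key names are invented.
    return [
        Vendor("Print shop (monthly invoice PDF)", data=1, access=0, dependency=0),
        Vendor("Analytics SaaS (CRM read API)", data=2, access=1, dependency=1),
        Vendor("Managed identity provider", data=2, access=3, dependency=3),
        Vendor("Former payroll vendor", data=3, access=2, dependency=0,
               contract_end=date(2025, 6, 30),
               active_credentials=["api-key-payroll-01"]),
    ]


def tier_report(inventory: List[Vendor]) -> List[Tuple[str, str, str]]:
    """(vendor, tier, cadence) rows, critical tier first."""
    order = {"critical": 0, "high": 1, "standard": 2}
    rows = [(v.name, tier(v), REVIEW_CADENCE[tier(v)]) for v in inventory]
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    inv = build_sample_inventory()
    for name, t, cadence in tier_report(inv):
        print(f"{t:9} {name:38} {cadence}")
    for name, cred in orphaned_access(inv, "2025-11-28"):
        print(f"ORPHANED ACCESS: {name} still has active credential {cred}")
```

Running the block lists the identity provider and the former payroll vendor as critical, the analytics SaaS as high and the print shop as standard, then flags the payroll vendor's API key as orphaned access because its contract ended months earlier. Swapping the thresholds or scales is expected; what should survive any adaptation is that the worst factor dominates and that the offboarding check runs against contract end dates rather than against tier.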

Take stock in a few minutes

Before building out a full program, gauge where you stand today. Our free third-party risk self-assessment walks through the lifecycle above, computes a maturity score, and highlights your priorities. No sign-up, no data sent: everything is calculated in your browser.

Once your gaps are identified, the TPRM module turns them into a prioritized action plan, with a live inventory, tiering, and continuous monitoring rather than a once-a-year form.

This self-assessment is a starting point to help you prioritize, not a full program on its own. It tells you where the biggest gaps are so you can decide what to fix first.
