Managing the rise of third-party risk: strategies for better oversight

Why third-party risk is rising

Third-party risk is growing rapidly, driven by global and digital pressures. Geopolitical tensions, fragmented supply chains, and the lingering effects of COVID-19 have disrupted what was once predictable. Trade restrictions, regulatory changes, and regional instability now make vendor relationships less stable, especially for mid-market organisations with international exposure.

At the same time, the attack surface has expanded. Every new vendor represents another doorway into the business. High-profile breaches have shown how attackers exploit trusted partners to cause major financial, operational, and reputational damage. Data sharing at scale adds to the challenge, as sensitive information flows beyond the enterprise perimeter.

Many leaders admit they are not prepared. The same survey from IDC showed supply chain risk ranking second among the risks business leaders felt least prepared for. IDC shows that while supply chain attacks are among the top three cyber threats, they often rank much lower on executives’ stated priorities. The issue is not awareness, but execution.

Oversight practices often remain outdated. Responsibility for third-party risk is frequently fragmented across procurement, IT, and security, with no clear accountability. Vendor assessments are still largely treated as one-off events at onboarding, and too often, companies rely on static questionnaires and annual audits rather than the real-time monitoring needed to keep pace with today’s threat environment.

Building a resilient third-party risk programme

Recognising the challenges is only the first step. The real opportunity lies in building a third-party risk management (TPRM) programme that is resilient, collaborative, and intelligence-led. Rather than treating vendor oversight as a checklist, resilience comes from embedding risk management throughout the entire vendor lifecycle—from selection to active collaboration, to secure exit.

Before onboarding: Setting the foundation

• Conduct thorough due diligence and apply risk tiering to identify high-criticality vendors.
• Include clear requirements in contracts and SLAs, and align with procurement and legal to set accountability from day one.
• Educate third parties on your security policies and standards, and set clear expectations. · Diversify through flexisourcing (nearshoring and friendshoring) to reduce reliance on high-risk regions and strengthen supply chain continuity.

During the relationship: Active monitoring and collaboration

• Move from annual reviews to continuous monitoring using analytics, automation, and AI for real-time insights.
• Work with vendors to adopt shared standards (ISO, NIST, GDPR, HIPAA) to build trust and consistency.
• Use regular audits, joint exercises, and outcome-focused metrics (such as fewer incidents, faster detection, quicker remediation) to measure success.

After the relationship: Secure exit

• Revoke access, return or delete sensitive data, and confirm obligations are met.
• Conduct post-engagement reviews and feed lessons learned back into governance and procurement processes.

Conclusion

Third-party risk will continue to grow as business networks become more interconnected, but this does not have to hinder innovation. With the right governance, continuous oversight, and resilient vendor relationships, organisations can flip the narrative. By adopting proactive oversight strategies, leveraging technology, and embedding cybersecurity into vendor relationships, organisations can build resilience and foster trust.

In a world of interconnected risks, the ability to manage third-party relationships effectively is key to scaling securely, innovating confidently, and staying ready for what’s next.

To explore the full findings and insights:

• Download the IDC report
• Register for our webinar to hear from experts on building third-party resilience. 
• Explore our tools to assess your organisation’s third-party risk posture.