‘TPRM best practices’ are like financial advice for Deutsche Marks — outdated guidance for a system that no longer exists.
From adopting a fourth-party focus to automating risk assessments, a quick Google search or LLM prompt generates an endless list of ‘Third-Party Risk Management best practices.’ While often pointing in the right direction, these ‘TPRM best practices’ are simply ill-prepared for today’s threats. Why? Because the current TPRM approach is fundamentally flawed.
Today’s interconnected supply chains require proactive, collective defence, not siloed TPRM point-solutions. Even if you pour billions into your TPRM programme and adhere to all the TPRM best practices, your organisation will still be vulnerable.
Solving this problem isn’t about replacing one tool with another. It’s about moving toward a new operating model for supply chain security: Active Supply Chain Security (ASCS).
So instead of blindly following outdated best practice guidance, here’s what you actually need.
Everyone knows TPRM risk questionnaires are not fit for purpose. They’re tedious to fill in, time-consuming to review and lead to huge wasted effort both for you and your suppliers. Many 2026 TPRM best practices advise automating these questionnaires, but while this helps streamline the process, it’s worthless without standardisation.
Forcing suppliers to return endless questionnaires is not just an efficiency problem; it also generates incomparable and inaccurate security data. Without a standardised assessment framework, every organisation creates its own definition of ‘what good looks like.’ This fragmentation not only confuses suppliers (leading to error-filled responses), but makes it impossible to objectively compare and assess suppliers’ security postures at scale.
The real best practice? You need standardised assessments. Aligned to relevant regulations that affect your organisation, standardised risk assessments create a common language of risk, improve the quality and consistency of risk data, simplify due diligence and accelerate supplier onboarding — at scale.
Supply chain attacks do not respect contractual boundaries, so focusing on direct third-party relationships leaves you blind to the real sources of risk you face. TPRM best practices therefore encourage you to focus on your suppliers’ suppliers (fourth-parties), but this does not go far enough either.
In our modern economy, where software and infrastructure depend on external APIs and cloud services, true risk is lurking further down the supply chain, beyond the reach of a TPRM risk questionnaire. Without visibility of these obscure nth-party vulnerabilities, you’re not only at risk of cascading supply chain disruptions (e.g. the Log4j cyber incident cascaded through 60% of corporate networks in 72 hours), but also concentration risks (70% of organisations cannot currently identify concentration risks).
The real best practice? You need nth-party visibility. By mapping the entire supply chain to the nth degree, you see supply chain risks as they truly exist, uncover shared dependencies, track changing supplier relationships, and can take action to avoid cascading failures before they happen.
This is why organisations are shifting toward network-first supply chain security models.
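As an added illustration (not part of the original article, and not Risk Ledger’s own tooling), the Python sketch below models a small constructed supplier graph and shows what nth-party mapping, shared-dependency (concentration) detection and cascade analysis mean in practice. Every supplier name is invented.

```python
from collections import defaultdict, deque

# Constructed supplier graph (hypothetical names). Each key depends on the
# parties in its list; "us" is the organisation doing the mapping.
SUPPLY_GRAPH = {
    "us": ["payroll-saas", "cdn-vendor", "hr-platform"],
    "payroll-saas": ["cloud-host-a", "logging-lib"],
    "cdn-vendor": ["cloud-host-a"],
    "hr-platform": ["auth-api", "logging-lib"],
    "auth-api": ["cloud-host-a"],
    "cloud-host-a": [],
    "logging-lib": [],
}


def nth_party_map(graph, root):
    """Breadth-first walk from root. Returns {party: shortest tier}, where
    tier 1 is a direct third party, tier 2 a fourth party, and so on.
    The visited check makes cyclic supplier relationships safe."""
    tiers = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in tiers:
                tiers[dep] = depth + 1
                queue.append((dep, depth + 1))
    return tiers


def concentration_risks(graph, root):
    """For every nth party, record which direct suppliers' chains reach it.
    A party reachable through more than one direct supplier is a shared
    dependency, i.e. a concentration risk invisible to per-supplier reviews."""
    reached_via = defaultdict(set)
    for direct in graph.get(root, []):
        reached_via[direct].add(direct)
        for party in nth_party_map(graph, direct):
            reached_via[party].add(direct)
    return {p: sorted(s) for p, s in reached_via.items() if len(s) > 1}


def blast_radius(graph, root, compromised):
    """Direct suppliers whose chains include the compromised party: the
    relationships an incident further down the chain would cascade through."""
    return sorted(d for d in graph.get(root, [])
                  if d == compromised or compromised in nth_party_map(graph, d))


if __name__ == "__main__":
    print(nth_party_map(SUPPLY_GRAPH, "us"))
    print(concentration_risks(SUPPLY_GRAPH, "us"))
    print(blast_radius(SUPPLY_GRAPH, "us", "cloud-host-a"))
```

Note that `cloud-host-a` never appears on a questionnaire sent to `cdn-vendor`, `payroll-saas` or `hr-platform` individually, yet it is the single point of failure for all three.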
Traditional point-in-time TPRM assessments only offer a temporary snapshot of supplier security, which can be outdated merely a day later. Current TPRM best practices therefore encourage continuous monitoring of your suppliers’ changing security posture, but this is only one battle in a wider fight.
Yes, suppliers should maintain a single, standardised and constantly updated security profile, but you also need real-time notifications when their security changes and when new threats emerge deeper in the supply chain. Without an alerting mechanism, you only find out about new supply chain risks after there’s been a breach.
The real best practice? You need continuous network monitoring and insights. By receiving continuous updates about changes in your network, including cyber security incidents or compliance lapses, you can pinpoint emerging threats and respond before any damage is done.
This shift is driving demand for continuous supply chain security approaches.
Getting your board, departments and front-line employees all aligned on your TPRM strategy is great, but pales in comparison to network-wide alignment and intelligence sharing. Modern supply chain security is a collective defence problem, one that requires organisations and suppliers to Defend-as-One. Yet traditional TPRM prioritises self-protection over network resilience, failing to recognise that one weak link in the system is a threat to everyone.
Instead of trying to solve the exact same problem, at the exact same time, in total isolation, supply chain ecosystems need collaboration, continuous dialogue and intelligence sharing. This helps you collectively mitigate threats and coordinate effective responses when an incident occurs.
The real best practice? You need collective defence. By creating a connected community of clients and suppliers, you can share intelligence with network partners, reduce systemic risk across the ecosystem, and move from reactive independent firefighting to proactive united response.
How can there be any TPRM best practices if the approach itself is fundamentally flawed?
Traditional TPRM is broken at an architectural level: a structural design flaw that cannot be fixed with incremental improvements. Instead, organisations need to move toward a whole new cyber security approach: Active Supply Chain Security (ASCS).
Active Supply Chain Security is the evolution of TPRM for the modern era. It is not an add-on or a nice-to-have, but a new operating model for supply chain security that moves beyond static, siloed and compliance-focused TPRM toward continuous visibility, shared intelligence, and systemic risk reduction across interconnected ecosystems.
The result? Organisations progressively move toward collective defence — strengthening resilience across the entire ecosystem.
Platforms like Risk Ledger are helping organisations take practical steps toward this shift — moving from fragmented assurance toward continuous, network-first supply chain security.