

Most TPRM problems are presented as tooling problems. The assumption is that with better software, tighter integration, and more automation, supplier risk will become manageable. The evidence does not support this view.
Attacks on supply chains continue to grow in frequency and impact. Verizon's most recent Data Breach Investigations Report records that the proportion of breaches involving a third party has doubled year-on-year, now sitting at around 30 percent of all incidents. Cipher's 2026 supply chain analysis puts the aggregate annual cost of supply chain attacks at more than $53 billion globally, with an average of $5.08 million per incident and 254 days to detect and contain.
As a response, investment in TPRM has, understandably, expanded substantially. Yet the gap between what organisations spend on managing supplier risk and what their programmes actually deliver in terms of assurance has widened, not narrowed.
The issue is not the absence of tools. Rather, it is the assumptions those tools are built on.
Most TPRM programmes still operate as if they can get a coherent picture of supplier risk by each organisation assessing its own suppliers in isolation. They treat point-in-time questionnaires as evidence of control, while assuming that direct supplier oversight is sufficient to manage exposure across an extended ecosystem.
These assumptions were defensible a decade ago. They are not defensible now.
The traditional TPRM model rests on three assumptions that no longer reflect how supply chains operate.
Treating a point-in-time questionnaire as evidence of control was a reasonable starting position in static environments with stable suppliers. In current conditions, where suppliers continually adopt new infrastructure, onboard their own subcontractors, and respond to a shifting threat landscape, a point-in-time snapshot describes a moment that has already passed by the time it is filed. The case for continuous monitoring of supplier risk is, at this stage, well rehearsed. Most TPRM programmes have not been restructured to deliver it.
Two organisations assessing the same supplier on the same controls regularly reach different conclusions, not because the supplier's control environment has changed, but because the assessment lens has. Aggregating inconsistent outputs into a coherent risk picture requires interpretive effort that the underlying data does not actually support.
The cascading incidents of recent years, where a single compromise at a file-transfer provider, identity service, or shared software supplier has propagated to hundreds or thousands of downstream organisations, are not anomalies. They reflect the structure of modern supply chains. Standard questionnaires do not surface this. Nth party risk remains structurally outside the assessment process, regardless of how diligently that process is followed.
The cumulative effect is a TPRM programme that produces volume without insight. Assessments are completed. Records accumulate. The board receives reports. Yet the actual control environment of the supplier base remains substantially opaque.
The operational burden of conventional TPRM is significant and consistently underacknowledged.
Security analysts spend a substantial proportion of their time on manual questionnaire review, much of which duplicates work being conducted by procurement, legal, or compliance teams in the same organisation. The same supplier is assessed multiple times against overlapping frameworks.
For suppliers, the burden compounds across their client base.
A typical supplier responds to dozens of substantively similar questionnaires from different buyers each year, each with its own format, scoring approach, and submission process. Compliance resource is absorbed in completing forms rather than improving security posture. The data that comes back is often less complete, and less accurate, than the effort expended would suggest.
For security leaders, the strategic cost is more consequential than the operational one.
When TPRM cannot scale, it stops functioning as a risk management discipline and starts functioning as an administrative one. Resources are committed to maintaining the process rather than improving the outcome. Board reporting reflects activity rather than assurance. Strategic conversations about supplier resilience are constrained by data that is incomplete, inconsistent, and out of date by the time it is presented.
Automated risk assessment is sometimes positioned as the answer to this. Automation alone does not resolve the underlying problem. An automated vendor risk assessment built on the same fragmented assumptions produces flawed results faster, not better results. The binding constraint is not processing speed. It is the quality, currency, and comparability of the data being processed.
The alternative to fragmented, isolated assessment is not a single organisation working harder. It is a model in which supplier risk data is verified once and shared across the organisations that need it.
When suppliers maintain a single, continuously maintained profile that buyers across the ecosystem can access, several things change at once. Duplicated effort on the supplier side is removed. Comparability of risk data improves, because assessments are conducted against a consistent framework rather than reinvented for each buyer. Patterns become visible at a system level that no single organisation working in isolation could surface.
Convergence and divergence in supplier risk perceptions become observable. When multiple buyers assess the same supplier and reach materially different conclusions, that variability is itself a signal worth examining. When a specific control weakness appears across a cluster of suppliers serving the same sector, that pattern is detectable in aggregate and invisible in any single bilateral relationship.
This is what system-level visibility provides. The supply chain stops being a collection of isolated bilateral relationships and starts behaving as a connected ecosystem that can be analysed as one. Concentration risk, which is functionally invisible to point-in-time bilateral assessments, becomes legible. Nth party dependencies, which are typically excluded from direct supplier reviews, can be mapped through the network of supplier-of-supplier relationships.
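The two analyses described above, divergence between buyers' assessments of one supplier and concentration exposure mapped through supplier-of-supplier links, only become possible once the data is shared. The following is an added example, not Risk Ledger's code; every organisation name, dependency and score in it is constructed, and the 10-point divergence threshold is an arbitrary assumption.

```python
"""Added example (not the vendor's code): system-level analysis over a shared
supplier graph. All organisation names, links and scores here are constructed."""
from collections import defaultdict
from statistics import pstdev

# Constructed: who relies on whom. Buyers depend on direct suppliers; suppliers
# in turn depend on their own subcontractors (the Nth-party layer).
DEPENDS_ON = {
    "BankA": ["PayrollCo", "CRMCo"],
    "BankB": ["CRMCo", "HRCo"],
    "InsurerC": ["HRCo"],
    "PayrollCo": ["CloudX"],
    "CRMCo": ["CloudX", "FileXfer"],
    "HRCo": ["FileXfer"],
    "FileXfer": ["CloudX"],
}
BUYERS = {"BankA", "BankB", "InsurerC"}


def nth_party_exposure(root, graph=DEPENDS_ON):
    """Return {provider: shallowest tier} reachable from root via supplier-of-supplier links.
    Breadth-first, so the first visit to a node is always its minimum tier; cycles are skipped."""
    tiers, frontier = {}, [(s, 1) for s in graph.get(root, [])]
    while frontier:
        node, tier = frontier.pop(0)
        if node in tiers and tiers[node] <= tier:
            continue
        tiers[node] = tier
        frontier.extend((s, tier + 1) for s in graph.get(node, []))
    return tiers


def concentration(graph=DEPENDS_ON, buyers=BUYERS):
    """Number of buyers transitively exposed to each provider, most concentrated first.
    A provider no buyer contracts with directly can still top this list."""
    counts = defaultdict(int)
    for buyer in buyers:
        for provider in nth_party_exposure(buyer, graph):
            counts[provider] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed: the same supplier scored by different buyers on the same control set.
ASSESSMENTS = {"CRMCo": {"BankA": 82, "BankB": 55}, "HRCo": {"BankB": 71, "InsurerC": 69}}


def divergent_assessments(assessments=ASSESSMENTS, threshold=10.0):
    """Suppliers whose buyers disagree by more than `threshold` points (population std dev).
    Wide disagreement on unchanged controls points at the assessment lens, not the supplier."""
    return {s: round(pstdev(v.values()), 1) for s, v in assessments.items()
            if len(v) > 1 and pstdev(v.values()) > threshold}
```

With the constructed data, CloudX and FileXfer sit at tiers two and three for every buyer and never appear in any bilateral review, yet every buyer is exposed to both.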
For board reporting, the difference is substantive. Briefings move from a description of assessment activity to an account of supplier risk exposure as it currently stands. The data underlying that account is shared, current, and consistent rather than fragmented, historical, and locally framed.
Compliance and resilience are not the same objective. Conflating them is one of the more consequential errors in current TPRM practice.
A compliance-oriented programme is designed to demonstrate that a process was followed. Assessments are completed within scheduled cycles. Documentation is filed. Evidence is available for audit. The programme can be shown to have run, regardless of whether the supplier base is actually more secure as a result.
A resilience-oriented programme is designed to reduce the probability and impact of supply chain disruption. The questions it asks are different. Where is concentration exposure accumulating? Which suppliers depend on the same critical subcontractors? How is the control environment of key suppliers shifting between assessments? None of those questions can be answered by a questionnaire reviewed annually.
The check-box version of TPRM is not without value. Regulatory obligations are real, and demonstrating that a process exists is a legitimate requirement. The problem arises when compliance becomes the ceiling rather than the floor. Programmes that optimise for audit readiness consistently underperform on the outcome that actually matters, which is whether the organisation can absorb a disruption originating in its supplier base without material impact.
The direction of regulatory travel reinforces this point. The PRA and FCA's Critical Third Parties regime, in force since January 2025, and the EU's Digital Operational Resilience Act, now in application, both shift the centre of gravity from periodic assessment toward continuous operational resilience, including explicit obligations to identify and manage supply chain and Nth party dependencies. The regulatory framing has moved on. The TPRM models in many organisations have not.
Distance from the risk does not eliminate the risk. An incident originating four tiers down from a regulated organisation can still produce a regulated outcome at the surface. Compliance frameworks rarely require visibility at that depth. Resilience does.
The TPRM model organisations need is the one that fits how supply chains actually operate now. Continuous rather than point-in-time. Shared rather than duplicated. Network-aware rather than bilateral.
For security leaders, the implication is a shift in what TPRM can contribute strategically. When the underlying data is current and comparable, supplier risk becomes something that can be managed against measurable objectives rather than something that is reported on retrospectively. Conversations with the board move from process description to risk position. Investment decisions can be grounded in evidence about where exposure is actually concentrated, not where attention has historically been focused.
For analysts and operational practitioners, the change is more immediate. Time previously spent reissuing questionnaires, chasing responses, and reconciling inconsistent outputs is freed for work that requires judgement. Prioritisation becomes clearer because the data supporting it is consistent across the supplier base. The work becomes more analytical and less administrative.
The broader point is that scale in TPRM is not achieved by adding tools to an existing model. It is achieved by changing the assumptions the model is built on. An organisation that continues to assume each supplier should be assessed independently, in isolation, against a bespoke framework, will not reach scale regardless of how much automation is layered onto the process.
The future of TPRM is not more questionnaires sent faster. It is fewer assumptions, better data, and visibility across the ecosystem rather than within a single bilateral relationship. Organisations that make this transition early position themselves to manage supply chain risk as the connected, dynamic problem it actually is.
Contact us to see how Risk Ledger's shared, continuous assessment model brings system-level visibility to supplier risk.