Managing third party risk: why the traditional model is already broken

12 May 2026

At first glance, most approaches to managing third party risk look convincing. Questionnaires are sent, assessments are completed, dashboards display scores, committees receive summaries. But beneath that structure, the model has a flaw that most institutions have not yet fully confronted.

The problem is not in the execution. It is in the architecture.


💡 Key takeaways

  • Managing third party risk effectively requires treating risk as a continuous state, not a fixed assessment valid for months at a time.
  • Questionnaires produce documentary compliance, not effective control. A third party describes its own practices; the programme accepts the declaration without independent verification.
  • Static third-party maps are outdated the moment they are validated. They freeze the past instead of reflecting a system that never stops changing.
  • DORA requires financial entities to identify ICT risk on a continuous basis, to keep an up-to-date register of information on all their ICT third-party contractual arrangements, and to flag those that support critical or important functions. A periodic review on its own does not meet that standard.
  • The shift required is not a process improvement. It is a model change: from snapshot assessments to dynamic, continuous supervision.

A model built on a false assumption

Traditional approaches to third-party risk management (TPRM) rest on an implicit hypothesis: that risk can be assessed at a given point in time and treated as valid for a significant period. This hypothesis shapes the entire architecture of conventional programmes: one-off due diligence at onboarding, annual questionnaires, fixed risk classifications.

The hypothesis is wrong.

Third-party risk changes constantly. Financial conditions shift, operational incidents occur, technology stacks evolve, subcontracting chains are restructured, regulatory obligations change. A supplier that is fully compliant today can become a critical exposure tomorrow, without generating a single alert in a periodic review system.

This is not a marginal weakness. It is an inconsistency at the core of the model.

The questionnaire trap: self-reported compliance

The questionnaire has become the central instrument of most third-party risk programmes. It has two obvious virtues: it is easy to deploy and it produces formal documentation. But it rests on a structural limitation. It is a declaration.

The third party describes its own controls, at a specific moment, in a standardised format, with no guarantee that the answers reflect operational reality unless the programme insists on evidence (independent audit reports, test results, configuration exports) rather than assertions. The programme accepts coherent, complete responses without seeing what is actually happening in the supplier's day-to-day operations.

The result is documentary compliance. Not real oversight.

Supervisory feedback has consistently shown that risk analysis relating to service providers, particularly at the selection stage, is not conducted in a sufficiently thorough or operational manner. The outcome is predictable: an accumulation of documents, a weak ability to detect early warning signals, and difficulty anticipating failures.

Many answers. Very little visibility.

Static maps in a world that never stops moving

Third-party mapping is frequently presented as the backbone of TPRM governance. In practice, these maps are rarely used as genuine management tools.

The reason is structural. Most third-party maps are updated periodically, built from declarative data, and poorly connected to real events such as incidents, contractual changes, or external alerts. They describe a state that was already out of date at the moment of validation. They provide the illusion of a global, structured view of a system that is constantly evolving.

Third-party risk is characterised by:

  • speed (cyber incidents, rapid failures, service disruptions),
  • complexity (subcontracting chains, cross-dependencies),
  • and opacity (indirect dependencies, second and third-tier providers).

A static map cannot capture a system in motion. It freezes the past instead of illuminating the present.

When the scale of managing third party risk becomes unmanageable

While programmes remain static, the operational reality is expanding rapidly. The number of third parties to supervise has grown sharply, driven by the proliferation of technology suppliers, the widespread adoption of cloud infrastructure, the outsourcing of critical functions, and the opening of ecosystems through APIs, fintechs, insurtechs, and regtech partners.

Managing third party risk is no longer a matter of one-off qualification for a contained list of suppliers. It has become a question of scale and continuous dynamics.

Teams must assess hundreds or thousands of third parties, keep information current, monitor risks that evolve over time, and respond to increasingly integrated regulatory requirements. In this context, manual, documentary, and periodic approaches have reached their structural limits.

This is no longer a question of optimisation. It is a question of model.

DORA and the demand for real oversight

Regulatory expectations are moving in the same direction. DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) requires financial entities to identify ICT risk on a continuous basis, to maintain and update a register of information covering all contractual arrangements with ICT third-party service providers and to flag those that support critical or important functions, to integrate ICT third-party risk into the overall ICT risk management framework, and to include those providers in resilience testing where they support critical functions.

The direction is unambiguous: third-party oversight can no longer be limited to questionnaires and periodic reviews. It must become dynamic, integrated, and demonstrable.

More broadly, regulators now expect third-party risks to be genuinely embedded in governance frameworks, internal control systems, and business continuity plans. What is required is not just a complete file. It is the ability to demonstrate that risks are identified, understood, and actively managed.

Built for a world that no longer exists

If current TPRM programmes are falling short, it is not because teams are working poorly or because the underlying tools are inherently inadequate. It is because the model was designed for a world that no longer exists.

A world where suppliers changed very little. Where dependencies were simple. Where incidents were rare and localised. Where regulatory requirements evolved slowly.

The environment today is interconnected, fast-moving, heavily dependent on third parties, and exposed to rapid shocks. Attempting to improve the questionnaire or add a scoring layer in this context is to refine a tool that is no longer fit for purpose.

The problem does not lie in the details of the process. It lies in the logic of the model itself.

Managing third party risk as a continuous discipline

The only coherent response is to move from snapshot TPRM to continuous supervision. This means shifting from a periodic logic to a near-real-time one: enriching the supplier record with data from internal sources, operational signals, and external information; connecting events such as incidents, contractual changes, subcontractor changes, and alerts directly to each supplier's risk profile, including signals from the sub-tier providers it depends on; and recalculating risk levels whenever one of those events arrives rather than at the next scheduled review.

Third-party oversight then ceases to be an annual ritual. It becomes a monitoring and decision-making system, capable of detecting weak signals, anticipating disruptions, adjusting control levels, and triggering escalations, including formal review or exit procedures.

What is obsolete is not the existence of questionnaires or maps. It is the act of treating them as the heart of the programme. The transition requires moving from a compliance logic to a knowledge logic, from a declarative approach to an observable one, from a static model to a continuous one.
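The following sketch is an added illustration, not code from the article or from Harmoney's platform. It shows what "connecting events to a supplier's risk profile and continuously recalculating" can look like in practice, and why it diverges from the questionnaire snapshot: each supplier keeps its self-declared score, observed signals (incidents, subcontractor changes, external alerts) are added as they arrive and lose weight over time, and signals from sub-tier providers propagate up the dependency chain so that a tier-2 incident changes the risk level of the tier-1 supplier that sits on it. The signal weights, half-life, attenuation factor, thresholds and the sample register are constructed assumptions chosen to make the mechanism visible, not a published scoring scheme.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Illustrative assumptions (not a published scoring scheme): how much each kind of
# observed signal adds to a supplier's risk, how fast it fades, and how much of a
# sub-tier provider's signals the tier above inherits.
SIGNAL_WEIGHTS = {
    "security_incident": 40,
    "financial_warning": 20,
    "subcontractor_change": 15,
    "external_alert": 10,
}
HALF_LIFE_DAYS = 90.0      # a signal loses half its weight every 90 days
TIER_ATTENUATION = 0.5     # a sub-tier provider's signal score counts at 50% per tier
MAX_DEPTH = 3              # how far down the subcontracting chain to look
NOW = datetime(2026, 5, 12)  # fixed "current time" so the example is reproducible


@dataclass
class Signal:
    kind: str
    at: datetime
    detail: str = ""


@dataclass
class Supplier:
    name: str
    questionnaire_score: float                    # 0-100, self-declared, higher = riskier
    depends_on: List[str] = field(default_factory=list)   # sub-tier providers (register entries)
    signals: List[Signal] = field(default_factory=list)   # observed events, appended as they arrive


Register = Dict[str, Supplier]


def level(score: float) -> str:
    """Map a 0-100 score to the three-level classification used in most programmes."""
    if score < 30:
        return "low"
    if score < 60:
        return "medium"
    return "high"


def decayed_weight(signal: Signal, now: datetime) -> float:
    """Weight of one signal, halved every HALF_LIFE_DAYS since it occurred."""
    age_days = max(0.0, (now - signal.at).total_seconds() / 86400)
    return SIGNAL_WEIGHTS.get(signal.kind, 0) * 0.5 ** (age_days / HALF_LIFE_DAYS)


def signal_score(name: str, register: Register, now: datetime,
                 depth: int = 0, seen: Optional[Set[str]] = None) -> float:
    """Observed-signal score: the supplier's own decayed signals plus the strongest
    attenuated signal score among its sub-tier providers. Max rather than sum, so a
    tier-2 provider shared by several dependencies is not counted several times;
    `seen` guards against cycles in the dependency register."""
    seen = set() if seen is None else seen
    if name in seen or name not in register or depth > MAX_DEPTH:
        return 0.0
    seen = seen | {name}
    supplier = register[name]
    own = sum(decayed_weight(s, now) for s in supplier.signals)
    inherited = max((signal_score(d, register, now, depth + 1, seen)
                     for d in supplier.depends_on), default=0.0)
    return own + TIER_ATTENUATION * inherited


def snapshot_level(name: str, register: Register) -> str:
    """What the last questionnaire alone says."""
    return level(register[name].questionnaire_score)


def continuous_score(name: str, register: Register, now: datetime) -> float:
    """Declared score plus everything observed since, capped at 100."""
    return min(100.0, register[name].questionnaire_score + signal_score(name, register, now))


def continuous_level(name: str, register: Register, now: datetime) -> str:
    return level(continuous_score(name, register, now))


def escalations(register: Register, now: datetime) -> List[str]:
    """Suppliers whose observed level now exceeds the level their questionnaire implied:
    the cases a periodic review would miss and a continuous programme should escalate."""
    order = {"low": 0, "medium": 1, "high": 2}
    return sorted(n for n in register
                  if order[continuous_level(n, register, now)] > order[snapshot_level(n, register)])


def build_register() -> Register:
    """Constructed sample register: a tier-1 cloud provider whose own questionnaire is clean,
    sitting on a tier-2 data-centre operator with a recent incident and a subcontractor change."""
    return {
        "PaymentsCloud": Supplier("PaymentsCloud", 10, depends_on=["DataCentreOps"]),
        "DataCentreOps": Supplier("DataCentreOps", 20, signals=[
            Signal("security_incident", NOW - timedelta(days=10), "ransomware on management network"),
            Signal("subcontractor_change", NOW - timedelta(days=20), "new hosting subcontractor"),
        ]),
        "ReportingSaaS": Supplier("ReportingSaaS", 25),
    }


if __name__ == "__main__":
    reg = build_register()
    for n in reg:
        print(f"{n:14} questionnaire={snapshot_level(n, reg):6} "
              f"observed={continuous_level(n, reg, NOW):6} score={continuous_score(n, reg, NOW):.1f}")
    print("escalate:", escalations(reg, NOW))
```

Run as-is, the questionnaire view rates all three suppliers "low"; the observed view rates DataCentreOps "high" and, because PaymentsCloud inherits half of that signal score through the dependency register, PaymentsCloud "medium", so both appear in the escalation list even though PaymentsCloud itself reported nothing. Re-evaluating a year later with no new signals lets the same supplier decay back to "low", which is the other half of the point: the level is a function of what is currently observable, not of when the last form was filed.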

Conclusion

Financial institutions are operating in an environment where third-party dependencies are deeper, faster-changing, and more opaque than at any previous point. The traditional TPRM model was not designed for this reality.

The institutions that recognise this earliest, and rebuild their approach around continuous supervision rather than periodic documentation, will be the best positioned to meet both regulatory expectations and operational reality.

The question is not whether to evolve the approach to managing third party risk. It is how quickly.


Frequently asked questions about managing third party risk

Why is managing third party risk so important for financial institutions?

Financial institutions depend on hundreds or thousands of external suppliers for critical functions. A failure, breach, or compliance lapse at any one of them can trigger regulatory action, operational disruption, or reputational damage. Managing third party risk is therefore not a back-office compliance task. It is a core element of operational resilience, and regulators expect it to be treated as such.

Why are questionnaires not enough for managing third party risk?

Questionnaires are declarations. A third party describes its own controls at a specific moment, in a standardised format, with no independent verification. The programme accepts coherent answers without seeing what is actually happening in the supplier's operations. This produces documentary compliance, not effective oversight. The gap between what a supplier declares and what it actually does can be significant, and periodic questionnaires cannot close it.

What does DORA require in terms of managing third party risk?

DORA requires financial entities to identify ICT risk on a continuous basis, to maintain and update a register of information on all contractual arrangements with ICT third-party service providers (flagging those that support critical or important functions), to integrate ICT third-party risk into the overall ICT risk management framework, and to include those providers in resilience testing where they support critical functions. A file of periodic reviews and one-off assessments does not by itself satisfy these requirements. Institutions must be able to demonstrate ongoing visibility, not just a complete file.

What is continuous monitoring in the context of third party risk?

Continuous monitoring means connecting operational signals, external alerts, incident data, and contractual changes to each supplier's risk profile in near-real time, rather than relying on annual questionnaires or point-in-time assessments. The goal is to detect weak signals before they become failures, and to recalculate risk dynamically as circumstances change, rather than waiting for the next scheduled review.

Harmoney offers a digital platform that streamlines onboarding and compliance procedures, including automated screening. Interested in discovering more about our solution? Reach out to us for further details or stay in touch via our newsletter.
