Rethinking Third-Party Risk: Why Checkbox Compliance Isn’t Enough
As organizations outsource more critical functions and expand their digital ecosystems, questionnaires, certificates, and security ratings give only a narrow view of how a supplier’s failure might affect the business. Compliance doesn’t equal resilience, and treating every vendor the same often leads to misplaced effort while genuinely critical dependencies remain underexamined. This article looks at how a risk-based, quantitative approach—grounded in understanding dependencies, real exposure, and financial impact through the FAIR model—helps organizations see which suppliers matter most, focus oversight where it counts, and build a more resilient and accountable third-party ecosystem.
- Move from checkbox compliance to a risk-based prioritization model grounded in measurable exposure.
- Identify which suppliers matter most by mapping dependencies, data access, and business impact.
- Apply FAIR-based quantification (CRQ) to express third-party risk in financial terms.
- Integrate quantification into TPRM platforms and governance, enabling continuous, data-driven oversight.
- Demonstrate ROI and resilience gains through metrics such as reduced expected loss and improved resource allocation.
From Compliance to Prioritization: Measuring what you’re Managing
Third-party risk is expanding faster than most organizations can measure. Enterprises are working with more third parties than ever, relying on them for critical operations and handling sensitive data. Yet many third-party risk programs remain anchored in compliance-driven practices and managed in silos across business units, procurement, IT, and risk teams.
It’s incorrect to assume that compliance equals resilience. Screening third parties with point-in-time assessments checks a compliance box, but it doesn’t reveal how an incident could impact your business. Although ERM teams are dedicating more time and resources to third-party risk management, true risk-based prioritization remains elusive. According to Gartner, only 19% of ERM teams say their risk views are effectively prioritized. The problem is a lack of meaningful measurement.
A risk-based, quantitative approach to third-party risk enables integrated, de-siloed decision-making, connecting operational, cyber, and business insights around measurable exposure.
The Limits of Compliance for Robust Third-Party Risk Management
Documentation, audits, and security questionnaires remain essential, but they should only be a starting point for your organization. Most third-party risk programs still rely heavily on these compliance tools and security scoring to assess supplier security posture. Procurement teams collect questionnaires and certificates. Security teams analyze scores and control gaps. Once the documentation is reviewed and the box is checked, the process often stops there, or is repeated only annually.
These assessments, however, only tell part of the story. Questionnaires are inherently subjective: the quality of questionnaire responses depends on who fills them out, how questions are interpreted, and the level of transparency a supplier is willing to provide. Security ratings and automated scans add valuable objectivity, but they still capture only a snapshot of a vendor’s external posture at a specific point in time.
What these tools don’t measure is how each supplier’s risk connects to your own business, i.e., which vendors have access to critical data, support essential operations, or influence revenue-generating activities. Without that context, an organization may spend as much effort monitoring a low-impact marketing supplier as a key service provider that supports customer operations.
In short, the question you should be asking about a third party is: “How much risk does this vendor represent to us?”
Fragmented Third-Party Oversight
In many organizations, third-party assessments are managed across disparate functions and entities. Procurement oversees onboarding and documentation. Meanwhile, individual business units and subsidiaries often maintain their own supplier lists, assessment criteria, and risk tolerances. Each group captures part of the picture, but no one has a complete view.
Industry research echoes this challenge. Gartner notes that while most enterprises have formal third-party risk programs, fewer than one in five say their risk views are effectively prioritized. The data exists, but it’s simply not organized around exposure or consequence.
The key for organizations to increase the efficiency of the process and scale up is understanding which third parties matter most to the organization in terms of risk or increased profitability. Only by mapping vendors to critical assets, data flows, and processes can organizations transform compliance information into meaningful, actionable insights.
International Regulations Shaping Third-Party Risk Oversight
Over the past decade, regulators worldwide have increasingly focused on third-party risk management. This push reflects not only organizations’ growing dependence on external providers for critical functions, but also the share of incidents that originate with those providers. According to the Cyber in Focus 2025 report from WTW, 50% of data breaches originate from third parties.
The regulatory frameworks vary in scope and enforcement power. However, they all share a similar foundation: risk-based oversight, resilience, and demonstrable cybersecurity governance.
Key regulatory or standards frameworks examples include:
- NIS2 Directive: EU directive that extends accountability for supply chain and service-provider risk to operators of essential and important entities across critical sectors.
- DORA (Digital Operational Resilience Act): EU regulation for the financial sector mandating ICT third-party risk oversight and requiring critical ICT service providers to meet supervisory requirements.
- HIPAA (Health Insurance Portability and Accountability Act, US): Establishes security and privacy requirements for protected health information, including obligations for third-party “business associates.”
- PCI DSS (Payment Card Industry Data Security Standard): A global framework requiring organizations handling payment card data to ensure their third-party service providers comply with stringent security controls.
- APRA CPS 230 (Australia): Expands third-party and outsourcing risk management requirements, focusing on operational resilience and critical service continuity for APRA-regulated entities.
Together, these frameworks have raised the bar for third-party risk management. They expect organizations to maintain an enterprise-wide supplier inventory, run a risk-based program, and evidence governance and monitoring across the lifecycle. The practical challenge is deciding where to focus your security resources. Regulators consistently steer you to do this proportionately: identify the relationships that are most critical to your business and treat them accordingly.
Prioritizing Third-Party Risk Using a Risk-Based Methodology
Regulatory frameworks have made one thing clear: third-party risk management must be proportionate to the criticality of each relationship. In practice, this means moving away from point-in-time assessments toward a methodology that measures how each vendor contributes to, or threatens, your organization’s resilience and performance.
Rather than treating all third parties equally, a risk-based method maps each third party to the assets, data, and processes they support. This mapping creates the foundation for prioritization: understanding which relationships could cause material financial, operational, or reputational impact if disrupted.

To determine where to focus resources, organizations must first map their third parties to the business assets, systems, and processes they support. This mapping connects each supplier to the potential business impact of a disruption, whether it affects critical customer-facing operations, regulated data, or revenue-generating activities. Once these dependencies are clear, prioritization becomes data-driven: you can distinguish suppliers that are essential to resilience from those with limited operational significance.
That risk-based lens leads to a few possible paths for action:
- Prioritize strategic partners and third parties where collaboration can materially improve resilience.
Build an ongoing dialog, share expectations, and monitor changes on a regular basis. This approach reflects guidance from national cybersecurity centers that emphasize continuous monitoring over point-in-time audits.
- For systemically important providers (e.g., AWS, Microsoft 365, or Google Cloud), design compensating controls around their baseline security.
This reflects the shared-responsibility model: you can’t change the provider’s stack, but you can harden your own environment.
- Exit or limit relationships that remain too risky.
If compensating controls can’t adequately protect your crown jewels, the prudent path is to reduce dependency or terminate the relationships.
A clear risk threshold, expressed in business and financial terms, helps make these decisions objective and defensible.
From Triage to Quantification: Objectively Measuring What Matters Most
The initial triage identifies which suppliers are critical. Quantification reveals how much those relationships could cost you if disrupted.
Cyber Risk Quantification (CRQ) enables cross-functional teams to align their strategies because cyber risk is expressed in a form every function can weigh against other business risks. Rather than relying on subjective labels like “high” or “medium,” you can express risk in financial terms that align with your business priorities and risk appetite.
CRQ using the FAIR model (Factor Analysis of Information Risk) provides a consistent, data-driven framework to model risk scenarios such as third-party data breaches, service outages, or ransomware incidents. It estimates two key dimensions:
- Loss Event Frequency (LEF): how often the event is likely to occur
- Loss Magnitude (LM): the expected financial impact when it does

Quantification often challenges our assumptions.
For example:
A large cloud provider may represent a high dependency but with relatively low residual risk because of mature controls, redundancy, and transparency. Its modeled annualized loss exposure might sit around €800,000.
Meanwhile, a small marketing agency, with a small contract value of €50,000, could expose your organization to around €3 million in annualized loss exposure due to the personally identifiable information (PII) it processes for customer campaigns.
Under a traditional, contract-based prioritization, the marketing agency might receive limited scrutiny. A quantitative approach using FAIR highlights that data sensitivity and business impact, not spend size, determine risk. This allows CISOs to ensure that oversight and control allocation is proportional to exposure.
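As an added illustration (not code from the article or from C-Risk), the following Python models the dependency mapping and FAIR quantification described above: each vendor is mapped to the data and processes it supports, Loss Event Frequency and Loss Magnitude are captured as calibrated (min, most likely, max) estimates, and vendors are ranked by modeled annualized loss exposure against a financial threshold rather than by contract value. The vendor records, data classes and estimate ranges are constructed assumptions, tuned so that the cloud provider and the marketing agency reproduce the €800,000 and €3 million figures in the text.

```python
import random
from dataclasses import dataclass

# Constructed vendor records for illustration (assumptions, not from the article).
# Each FAIR factor is a calibrated (min, most likely, max) estimate:
# LEF = loss events per year, LM = euros lost per event.
@dataclass
class Vendor:
    name: str
    contract_value: float   # annual spend, euros (what contract-based triage ranks on)
    data_access: set        # data classes the supplier processes
    supports: set           # business processes that depend on the supplier
    lef: tuple              # (min, most_likely, max) loss event frequency
    lm: tuple               # (min, most_likely, max) loss magnitude

CRITICAL_DATA = {"pii", "payment"}          # assumed crown-jewel data classes
CRITICAL_PROCESSES = {"customer_ops", "billing"}
def is_critical(v):
    """Dependency mapping: does the supplier touch crown-jewel data or processes?"""
    return bool(v.data_access & CRITICAL_DATA or v.supports & CRITICAL_PROCESSES)

def pert_mean(est):
    """PERT expected value of a (min, most likely, max) estimate."""
    lo, ml, hi = est
    return (lo + 4 * ml + hi) / 6

def expected_ale(v):
    """FAIR annualized loss exposure: E[LEF] x E[LM]."""
    return pert_mean(v.lef) * pert_mean(v.lm)

def simulate_ale(v, runs=20000, seed=1):
    """Monte Carlo ALE: triangular draws for both factors; returns sorted losses."""
    rng = random.Random(seed)
    (f_lo, f_ml, f_hi), (m_lo, m_ml, m_hi) = v.lef, v.lm
    return sorted(rng.triangular(f_lo, f_hi, f_ml) * rng.triangular(m_lo, m_hi, m_ml)
                  for _ in range(runs))

def prioritize(vendors, loss_threshold):
    """Rank by modeled exposure, not spend; flag vendors above the risk threshold."""
    ranked = sorted(vendors, key=expected_ale, reverse=True)
    return [(v.name, round(expected_ale(v)), is_critical(v), expected_ale(v) > loss_threshold)
            for v in ranked]

VENDORS = [  # constructed sample suppliers
    Vendor("cloud_provider", 2_000_000, set(), {"customer_ops"}, (0.05, 0.1, 0.15), (4e6, 8e6, 12e6)),
    Vendor("marketing_agency", 50_000, {"pii"}, {"campaigns"}, (0.2, 0.3, 0.4), (5e6, 10e6, 15e6)),
    Vendor("office_supplies", 120_000, set(), {"facilities"}, (0.1, 0.2, 0.3), (1e4, 2e4, 3e4)),
]
```

Sorting `VENDORS` by `contract_value` puts the cloud provider first and the agency last, while `prioritize(VENDORS, 1_000_000)` puts the agency first and is the only vendor flagged over the threshold; `simulate_ale` gives the percentile view (e.g. median and 90th percentile) that a point estimate hides.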
Operationalizing Third-Party Prioritization and Risk Management
The challenge with cyber risk quantification (CRQ) is maintaining a quantified view of third-party exposure that keeps pace with the organization’s ecosystem. Third-party risk management must evolve from periodic assessments to a continuous, data-driven process that connects with other risk disciplines and produces actionable insight for risk managers and executives.
Building a Continuous and Quantified Risk Approach with FAIR
To operationalize FAIR-based third-party risk management, the CRQ process must link to the organization’s broader risk strategy, including enterprise risk management tools. This integration makes quantification repeatable and measurable, keeping prioritization aligned with the organization’s operational and risk environment.
FAIR extensions support this integration by standardizing how risk is quantified and maintained.
- FAIR-TAM (Third Party Assessment Model) applies the FAIR methodology to third-party ecosystems, enabling consistent, risk-based prioritization across suppliers.
- FAIR-CAM (Controls Analytics Model) and FAIR-MAM (Materiality Assessment Model) complement this by aligning control effectiveness and materiality with exposure modeling, ensuring that quantified results remain comparable and relevant to enterprise risk appetite.
Together, these models help sustain a measurable, continuously updated view of third-party exposure without adding complexity to the TPRM workflow.
ROI and Business Benefits of a Quantitative TPRM Approach
Measuring Effectiveness: Performance Indicators and Quantifiable Gains
A quantitative approach allows organizations to measure the effectiveness of their third-party risk management program. By translating exposure into financial terms, CRQ provides a baseline for performance tracking: how much expected loss has been reduced, how efficiently controls mitigate risk, and how overall resilience improves over time.
Some key indicators include:
- Reduction in third-party-related incidents or loss events
- Decrease in modeled annualized loss exposure over a 12 to 24-month period
- Improved allocation of assurance and monitoring resources toward high-impact suppliers
- Demonstrable return on security investment (ROSI) through avoided losses and optimized spend
Organizations applying FAIR-based quantification report improved prioritization, faster remediation cycles, and measurable efficiency gains, all evidence that TPRM can evolve from compliance oversight to a driver of operational resilience.
Third-Party Risk Management is a Business Enabler
The path forward is to move beyond third-party compliance. Third-party risk management is effective when it is embedded in the organization’s enterprise risk processes and supported by the right tools and skills.
Integrating FAIR-based quantification into compliance and TPRM platforms creates a common view of third-party risk across procurement, security, and enterprise risk.
C-Risk helps organizations build these capabilities, aligning regulatory obligations, operational resilience, and performance goals within a single, quantitative framework.
We help risk and security teams:
- Operationalize FAIR-based quantification through SAFE Security platform integration
- Assess third party controls based on modeled financial impact rather than contract value or scorecards
- Connect TPRM, ERM, and cyber functions to eliminate silos and create a single, defensible view of exposure with data-driven risk management
- Build capability and confidence through training and workshops focused on data-driven and FAIR-based methodology
