From Questionnaires to Reality: Why Traditional Third-Party Risk Management Is Failing

For years, third-party risk management has been built on a comforting illusion:
if suppliers fill in enough questionnaires, risk is being managed.

The Cyber Security and Resilience Bill exposes just how fragile that assumption has become.

When regulation is triggered by dependency and impact, not by contracts or declarations, traditional third-party risk management (TPRM) collapses under its own weight.

The checkbox problem

Most TPRM programmes still rely on:

  • annual questionnaires,

  • self-attested controls,

  • static risk scores,

  • and contractual assurances.

These mechanisms create documentation, not resilience.

They capture what suppliers say about themselves, not how risk actually propagates through systems, services and dependencies.

Under the new regime, that gap matters.

Why questionnaires don’t survive regulation

The Bill introduces two uncomfortable realities:

  1. Criticality is contextual
    A supplier can be non-critical in isolation and critical in aggregate. Questionnaires do not capture concentration risk, access pathways or systemic dependency.

  2. Incidents propagate; they do not respect boundaries
    A single supplier incident can trigger:

    • customer notifications,

    • regulatory reporting,

    • and contractual consequences across multiple organisations.

Static assessments fail in dynamic environments.

The false comfort of “compliance”

Many organisations believe their suppliers are “low risk” because:

  • forms are completed,

  • policies are attached,

  • and scores look acceptable.

But under the Bill:

  • regulators do not care about your scorecard,

  • customers care about impact,

  • and reporting obligations are triggered by effect, not paperwork.

Compliance evidence does not equal operational readiness.

Where traditional TPRM breaks first

The failure points are predictable:

  • no visibility into subcontractors,

  • no understanding of shared infrastructure,

  • no insight into aggregation risk across suppliers,

  • and no live view of who depends on whom.

When an incident occurs, the organisation realises too late that it cannot answer:

  • Which customers are affected?

  • Which suppliers are implicated?

  • Who else is exposed through the same dependency?

What replaces questionnaires

Effective supply-chain risk management under the new regime looks very different.

It focuses on:

  • dependency mapping, not declarations,

  • access and connectivity, not policy statements,

  • concentration and aggregation risk, not vendor counts,

  • continuous insight, not annual reviews.

This is harder — but it reflects reality.

Why this matters to boards

Boards are now exposed in two directions:

  • reliance on suppliers who create unrecognised risk,

  • and being a supplier whose risk is imposed on others.

Traditional TPRM only addresses the first — and poorly.

The Bill forces organisations to confront both.

The uncomfortable truth

Questionnaires did not fail because people were lazy.
They failed because the system they were designed for no longer exists.

Digital services are layered, shared and interconnected.
Risk flows through those layers regardless of contractual boundaries.

Regulation has finally caught up with that reality.

The practical takeaway

If your third-party risk programme cannot:

  • explain dependency chains,

  • identify aggregation risk,

  • or support incident reporting decisions,

then it is not fit for the new regime — no matter how compliant it looks.
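As an added illustration (not code from the original post or from Cyber Tzar), the three incident questions above and this checklist reduce to traversals of a dependency graph. The graph below is constructed sample data with placeholder organisation names; it is built so that "dns-vendor", a supplier neither top-level organisation contracts with directly, ends up in every customer's chain, which is exactly the aggregation risk a questionnaire of direct suppliers never surfaces.

```python
from collections import defaultdict

# Constructed sample: each organisation maps to the suppliers it depends on directly.
# Names are illustrative placeholders, not real companies or real dependencies.
DEPENDENCIES = {
    "retail-bank": ["payments-provider", "cloud-host"],
    "insurer": ["payments-provider", "saas-crm"],
    "payments-provider": ["cloud-host", "dns-vendor"],
    "saas-crm": ["cloud-host"],
    "cloud-host": ["dns-vendor"],
    "dns-vendor": [],
}


def reverse_graph(deps):
    """Map each supplier to the organisations that depend on it directly."""
    rev = defaultdict(set)
    for org, suppliers in deps.items():
        for supplier in suppliers:
            rev[supplier].add(org)
    return rev


def _closure(adjacency, start):
    """Every node reachable from start (start itself excluded), following adjacency edges."""
    seen, stack = set(), list(adjacency.get(start, ()))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(adjacency.get(node, ()))
    return seen


def implicated_suppliers(deps, org):
    """'Which suppliers are implicated?': the full chain, subcontractors included."""
    return _closure(deps, org)


def exposed_by(deps, supplier):
    """'Who else is exposed through the same dependency?': every org with supplier in its chain."""
    return _closure(reverse_graph(deps), supplier)


def affected_customers(deps, supplier):
    """'Which customers are affected?': top-level organisations (nobody depends on them) in the blast radius."""
    roots = set(deps) - set(reverse_graph(deps))
    return exposed_by(deps, supplier) & roots


def aggregation_risk(deps):
    """Rank nodes by how many organisations reach them transitively: concentration, not vendor count."""
    scores = {node: len(exposed_by(deps, node)) for node in deps}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

Run against the sample, `aggregation_risk` puts "dns-vendor" first with five dependent organisations, while "insurer" would list only two suppliers on a questionnaire but has four in its chain.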

Call to action

If your supplier risk management still relies primarily on questionnaires and self-attestation, it is time to pressure-test reality.
Contact Cyber Tzar to assess your supply-chain dependencies, aggregation risk and operational exposure — and move from paper compliance to defensible resilience.
