THIRD-PARTY RISK MANAGEMENT

You can outsource the assessment to the supplier. You cannot outsource the responsibility.

A completed questionnaire tests the design at one moment, not whether it still works today. If it goes wrong at your supplier, you are the one standing before the board.

Frameworks: NIST SP 800-161, ISO 27001, NIS2, DORA
Controls: NIST SP 800-161 (C-SCRM), ISO 27001 A.15, NIS2 art. 21, DORA art. 28
For whom: CISO, CIO, CFO, security operations, procurement and vendor management
Lead time: first critical suppliers in view in 2-4 weeks, monitoring cadence in place in 6-10 weeks

Key challenges

The problem is not the questionnaire. It is what the questionnaire does not see.

You send the list, get it back filled in, and file the certificate. That evidences due diligence, not whether it works today.

30% of breaches come via a third party

More and more arrives through a supplier

The share of breaches that runs through a third party has doubled in two years. Your attack surface does not stop at your own edge; it carries on at parties you do not control yourself and that you test only once a year.

Verizon DBIR 2025: from 15 to 30 per cent in two years.

43% use ratings to track third parties

Monitoring stops at the snapshot

Most organisations collect a certificate or questionnaire and stop there. Only a minority track third parties continuously; the rest miss what changes after the snapshot: a lapsed control, a new flaw, a change at the supplier.

ENISA NIS Investments 2024: 43 per cent use security-rating services; supply chain is the second-biggest concern (47 per cent).

32% cannot fill their security roles

The work stalls on under-staffing

Security roles stay structurally unfilled and staffing has fallen for years. A supplier programme then runs on a handful of people with manual follow-up, while the number of parties to track keeps growing.

ENISA NIS Investments 2024-2025: 32 per cent cannot fill security roles; the security-FTE ratio fell to 10.6 per cent.

The question for the board

Are we exposed through our suppliers?

Regulators and leadership do not ask whether questionnaires have been sent. They ask whether it is demonstrable which critical suppliers exist, that they are being followed, and that the response is owned. That is the difference between a control that exists on paper and a control that works in practice.

The difference

A completed list, or tested operation.

Not whether the supplier completed the questionnaire, but which suppliers actually matter, and whether you would see it if one of them drifted.

Classic approach versus with Radian

Scope

Classic approach: everyone the same list, coverage-first. The same questionnaire to hundreds of suppliers. Volume without priority, where the supplier that truly matters gets the same attention as the coffee supplier.

With Radian: critical-first, long tail scoped out. We decide which suppliers genuinely carry risk and scope the rest out sharply. Attention goes to where the exposure sits, not to the whole portfolio at once.

Evidence

Classic approach: wait for the self-report. The supplier fills in the list themselves. You collect what they claim at a single moment in time, and you wait weeks for accurate documentation before you can assess anything.

With Radian: evidence from existing documents. We harvest control evidence from what already exists: SOC 2 reports, ISO certificates, an SBOM. Not waiting for a completed list, but reading what the supplier has already demonstrated.

Cadence

Classic approach: assess once a year. The annual cycle runs behind reality. A control lapses, an exploit appears within days, a supplier puts AI on a platform, and the list only comes back in eleven months.

With Radian: follow the operation continuously. We set up a cadence that sees drift: a lapsed certificate, a technical anomaly, a change, an incident at the supplier. Operating effectiveness, not a snapshot.

Responsibility

Classic approach: the file proves diligence. Success is measured in completed lists and collected certificates. Whether you acted with care when it goes wrong stays unanswered until it is too late.

With Radian: a defensible trail. We record the judgement: which supplier we carry, where we intervene, and on what grounds. A trail that holds up for the board and the regulator.

How it works

From a file full of lists to visibility that holds.

On the left, what comes in about your suppliers; in the middle, the order that chooses and follows; on the right, what you keep. Your existing contracts and certificates stay in place.

What comes in: your supplier portfolio
Vendor inventory and business criticality
Direct and indirect data flows
Existing compliance documents: SOC 2, ISO, SBOM
Outside-in, external signals
Change and AI feeds
Incident awareness at suppliers
Subcontractors and fourth-party chain

>>> normalises >>>

Five steps, continuous
The frame: which suppliers genuinely carry risk, and what you must be able to demonstrate.
01 Tier: decide which suppliers actually matter, on criticality, and scope the long tail out sharply.
02 Harvest evidence: take control evidence from existing documents: SOC 2, ISO, SBOM. Not waiting for a completed questionnaire.
03 Follow the operation: operating effectiveness, continuously: a lapsed certificate, a technical anomaly, a change, an AI feed, an incident at the supplier.
04 Map the chain: the fourth-party exposure of your critical suppliers: the subcontractors behind the supplier.
05 Own the response: an ongoing cadence: escalation, the decision to remediate or switch, and a trail that holds up.
The cycle is continuous.

>>> delivers >>>

What you keep
A supplier portfolio tiered on criticality
Per critical supplier, an operating-effectiveness assessment
Continuous monitoring of drift
A response playbook that is owned
A trail for the board and the regulator
Visibility into the fourth-party chain
Time given back to a 1 to 2 FTE team

The distinction

Diagnosis before product

The sharpest weakness in the usual programme: it measures coverage, how many lists are completed, and not whether it works at the suppliers that genuinely matter.

So Radian starts at the diagnosis: which suppliers truly carry risk, and where the exposure sits. Not a platform rolled out, but a test of where your supply-chain exposure sits, critical-first and operating effectiveness over attestation.

Not a platform, but the discipline around it

Your existing tools, ratings and certificates stay in place. We decide which suppliers actually matter, harvest the evidence from what already exists and follow whether it works. A means is a means, not an end.

An ongoing service, not a project

You get our expertise without building a team and a method yourself. We run the cadence; the decisions on carrying, remediating or switching and the ownership stay with you.

Our seniors also execute

The market delivers a report and leaves the hard supplier conversation with you. The same senior who decides who truly matters has that conversation and sets up the monitoring cadence.

Get started

Would you see it if a critical supplier drifted?

Not a hundred-page vendor programme. One conversation in which we decide which suppliers in your portfolio actually matter, and whether you would see it right now when one of them changes.

Plan a conversation

30 minutes with a senior, no pitch.

Request a conversation, or call directly: 088 - 163 23 25