
Third party risk management: where do vendor controls break down?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Third party risk management programs fail when organisations treat vendor oversight as a one-time review instead of a lifecycle discipline spanning onboarding, monitoring, and offboarding, according to SecurEnds. The real governance gap is not visibility alone but whether access, accountability, and review processes stay aligned as vendor relationships change.

NHIMG editorial — based on content published by SecurEnds: how to start a third party risk management program from scratch

Questions worth separating out

Q: How should security teams start a third party risk management programme from scratch?

A: Begin with a complete vendor inventory, then classify vendors by data access, service criticality, and regulatory exposure.

Q: Why do vendor risk programmes fail after the initial assessment?

A: They fail when organisations treat onboarding as the finish line.

Q: What breaks when vendor offboarding is handled as an administrative task?

A: Access, approvals, and accountability remain in place after the relationship ends.

Practitioner guidance

  • Centralise the vendor inventory: create one system of record for vendors, services, access scope, risk tier, and business owner so assessments and reviews operate from the same data set.
  • Link assessments to lifecycle events: trigger reassessment when a vendor changes service scope, handles new data, or shows a security or compliance signal that changes its risk tier.
  • Assign explicit stage owners: name accountable owners for onboarding, approval, monitoring, remediation, and offboarding so findings do not disappear between teams.

What's in the full article

SecurEnds' full guide covers the operational detail this post intentionally leaves for the source:

  • A step-by-step vendor risk management workflow for onboarding, assessment, monitoring, and offboarding
  • Examples of policy language for defining roles, responsibilities, and governance structures
  • Practical guidance on building a centralized vendor inventory and risk-scoring process
  • Continuous monitoring and review steps that help reduce manual effort and inconsistency

👉 Read SecurEnds' guide on building a third party risk management programme →




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Third party risk management fails when organisations confuse initial due diligence with ongoing identity governance. The article correctly emphasises onboarding, monitoring, and offboarding, but the deeper issue is that many programmes stop at a vendor assessment questionnaire. That leaves a gap between declared policy and actual access control. The implication is that vendor governance should be treated as a lifecycle control problem, not a documentation exercise.

A few things that frame the scale:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.

A question worth separating out:

Q: Who should own third party risk management across security, legal, and procurement?

A: One accountable owner should coordinate the end-to-end vendor lifecycle, even if multiple functions perform different checks. Security can validate technical controls, procurement can manage commercial terms, and legal can govern contract language, but a single owner is needed to ensure findings become action.

👉 Read our full editorial: Third party risk management starts with vendor lifecycle control


