In a world where businesses increasingly rely on third-party vendors, the risk of data breaches has skyrocketed. Companies like Air France, Allianz Life Insurance, and Adidas have already fallen victim to breaches originating from third-party relationships, highlighting a crucial blind spot in modern risk management. So, how can organizations protect themselves against these vulnerabilities? Let’s delve into the insights shared by Eric Hensley, CTO and CSO at Aravo, during his engaging interview on the Risk Management Show podcast.

Too Many Cooks: When Everyone Owns Risk (But No One Really Does)

In today’s complex business landscape, challenges in third-party risk management are growing rapidly. As organizations expand their networks of suppliers and partners, the responsibility for managing risk often becomes fragmented. Each department—IT, procurement, security, legal—tends to manage its own risks with suppliers, leading to confusion, gaps, and ultimately, increased vulnerability to threats. This “too many cooks in the kitchen” scenario is more than just a cliché; it’s a real and pressing problem.

When Departments Go Solo: The Silo Effect

A classic structure in large organizations is for each department to handle its own slice of risk. IT might focus on cybersecurity, procurement on contract compliance, and security on physical access. While this approach seems logical, it creates silos that prevent a unified view of supplier risk. The result? Blind spots where no one is truly accountable for the big picture.

Consider the all-too-common situation: three different teams send three different risk questionnaires to the same vendor. Not only does this create confusion and embarrassment, but it also signals a lack of coordination. Vendors may become frustrated, and critical risk information can easily fall through the cracks. As one risk manager put it, “We realized three teams were asking the same supplier for the same data, but no one was actually looking at the full risk profile.”

Data Breaches and the Cost of Fragmented Oversight

The consequences of poorly coordinated supplier oversight are not hypothetical. Recent high-profile data breaches involving third-party suppliers have made headlines, underscoring the risks of siloed management. Companies like Air France, KLM, Allianz, and Adidas have all suffered breaches linked to third-party vendors. In each case, attackers exploited indirect relationships—those connections that fall outside the direct line of sight of any single department.

  • Air France & KLM: Sensitive customer data was exposed through a third-party provider, highlighting the risks of indirect supplier relationships.
  • Allianz: A breach traced back to a vendor revealed gaps in oversight between departments responsible for different aspects of risk.
  • Adidas: Attackers leveraged a supplier’s weak security posture, showing how easily threats can slip through when oversight is fragmented.

These examples illustrate a critical point: when vendor risk challenges are managed in silos, some suppliers inevitably “fall through the cracks.” Attackers are quick to exploit these gaps, knowing that no single department is watching the whole chain.

The Expanding Third-Party Ecosystem: More Suppliers, More Complexity

Dependency on third parties is increasing across industries, broadening the risk scope and complexity. Organizations now rely on a vast ecosystem of suppliers for everything from IT services to logistics and customer support. Each new relationship introduces new risks, especially as digital transformation accelerates and supply chains become more interconnected.

Managing these indirect supplier relationships requires more than just departmental oversight. It demands an integrated risk management approach across departments and functions. Without this, the sheer number of suppliers and the complexity of their interactions make it nearly impossible to identify and mitigate all potential threats.

Who Really Owns Supply Chain Risk?

One of the biggest challenges is that nobody in a large organization wants to be “the supply chain person” responsible for the entire risk picture. Ownership becomes diluted as responsibilities are divided among multiple teams. This lack of clear accountability means that critical risks can be overlooked, and when something goes wrong, finger-pointing often replaces action.

“If you have different parts of your company managing different kinds of risks and they're all interacting with your suppliers separately, then you’re going to have one of these data breaches. It’s absolutely going to happen.”

Lessons from Recent Breaches

The stories of Air France, KLM, Allianz, and Adidas are cautionary tales. Each breach was enabled by fragmented oversight and a lack of integrated risk management. These incidents highlight the urgent need for organizations to break down silos and develop unified strategies for managing third-party risk.

In the evolving landscape of third-party ecosystems, integrating risk management across departments is no longer optional—it’s essential for preventing the next headline-making breach.

“Old School” Risk Management vs. The New Frontier: Why Point-in-Time Assessments Fail

Traditional third-party risk management was built for a world where companies had a handful of trusted suppliers, and most business-critical data stayed inside the organization. In 2025, that world no longer exists. Today’s enterprises rely on sprawling, interconnected networks of vendors, cloud providers, contractors, and even niche service partners. The supply chain is now a living, breathing ecosystem—one that legacy risk assessment methods simply cannot keep up with.

The Legacy Approach: Point-in-Time Assessments and Their Limitations

Legacy risk management programs focus on point-in-time assessments: a vendor is evaluated once—perhaps annually—against a static checklist of controls. This process is manual, slow, and rooted in a black-and-white mindset: either a supplier meets the required controls, or they don’t. If gaps are found, a remediation plan is set, and the next review might be months away.

  • Manual and resource-intensive: Each assessment demands significant time and expertise, making it impractical to scale as the number of vendors grows.
  • Static snapshots: Risks are captured at a single moment, missing vulnerabilities that emerge between assessments.
  • Binary outcomes: Traditional frameworks often overlook nuanced or evolving risks, especially among medium-priority vendors.

This approach was serviceable when organizations had a handful of high-risk vendors. But as supply chains have exploded in size and complexity, the cracks have become impossible to ignore.

Modern Supply Chains: Every Vendor Is a Potential Risk

Today, even the most innocuous supplier can become a risk vector. Consider the “pencil supplier” scenario: what once seemed trivial now matters, as even office supply vendors may have access to sensitive order data, employee contact details, or networked procurement systems. The wild card? Imagine a breach originating from a janitorial service—perhaps through a compromised scheduling app or shared Wi-Fi. It sounds far-fetched, but in a hyper-connected world, these scenarios are increasingly plausible.

Recent high-profile breaches—such as those affecting Air France, Allianz, and Adidas—didn’t originate from obvious high-risk partners. Instead, they stemmed from CRM providers, whose access to customer data was underestimated in traditional risk models. This highlights a critical flaw: legacy risk assessments create blind spots by focusing only on the “most important” suppliers, leaving a long tail of vendors under-monitored.

Volume Overload: The Scalability Crisis

As organizations grow, so does their vendor list. Large enterprises may have thousands—or even tens of thousands—of third and fourth parties. Legacy processes, designed for a handful of partners, simply cannot scale. The result is a prioritization trap: only the top-tier vendors receive scrutiny, while the majority are assessed infrequently, if at all.

  • Supply chain risk assessment becomes unmanageable without automation and intelligent prioritization.
  • Medium- and low-priority vendors often fly under the radar, despite holding sensitive data or network access.
  • Outsourcing increases exposure to data security risks, requiring robust governance and continuous monitoring.

The New Frontier: Continuous, Automated Risk Monitoring

The future of third-party risk management in 2025 is driven by AI and intelligent automation. Instead of relying on static, annual reviews, organizations are shifting to continuous monitoring—tracking vendor risk in real time, across the entire supply chain. AI-powered platforms automate risk scoring, due diligence, and alerting, enabling security teams to focus on emerging threats rather than paperwork.

  • Real-time visibility: Automated tools detect changes in vendor risk posture as they happen, not months later.
  • Scalability: Intelligent automation allows organizations to monitor thousands of suppliers without ballooning headcount.
  • Dynamic prioritization: Risk scoring adapts as vendors’ roles, data access, or threat landscapes evolve.

“Point-in-time risk assessments can’t keep pace with today’s tech stacks. As external partners multiply, old models simply don’t scale—especially when real data flows to suppliers of every shape and size.”

In this new frontier, supply chain risk assessment is no longer a checkbox exercise. It’s a dynamic, ongoing process—one that recognizes every vendor, no matter how small, as a potential risk vector. The organizations that thrive in 2025 will be those that embrace automation, continuous monitoring, and a mindset shift: from static compliance to proactive, adaptive risk management.

Automation, AI, and Breaking the Silos: Toward Real Supply Chain Resilience

In 2025, the landscape of third-party risk management is undergoing a profound transformation. The days of isolated risk reviews and manual checklists are fading fast. Instead, organizations are embracing holistic, integrated risk programs that share data and processes across IT, finance, legal, and procurement. This shift is not just about efficiency—it is about survival. As supply chains become more complex and interconnected, every link, from the largest strategic partner to the smallest vendor, can introduce critical risks to the business. The realization that even a humble pencil supplier may hold more sensitive company data than the HR department is both sobering and urgent—a lesson many organizations have learned the hard way.

The first step in building real supply chain resilience is recognizing that risk is not confined to a single department or function. It is a shared responsibility that must be driven across the entire organization. This means breaking down silos and ensuring that IT, finance, legal, and procurement teams are not just aware of supply chain risks, but are actively collaborating to address them. Integrated risk management processes are essential, enabling organizations to scale their risk assessment strategies across the full breadth of the supply chain—not just the so-called 'major' vendors. In this environment, passing the buck is no longer an option. Every stakeholder must be engaged, and risk awareness must be elevated to the boardroom. Suppliers are now as critical to business continuity as core internal functions, and their risks must be treated with the same level of scrutiny and urgency.

This is where AI and intelligent automation in risk management come into play. Modern systems use automation and AI-powered insights to enable continuous, exception-based monitoring. Unlike traditional manual reviews, which are time-consuming and often reactive, AI-driven tools provide proactive, real-time risk identification and monitoring. These systems can ingest large volumes of risk intelligence data from across the supply chain, analyze it against established controls frameworks and best practices, and surface only the most relevant exceptions for human review. This approach not only reduces the burden on risk teams but also ensures that emerging threats are identified and addressed before they can escalate into major incidents.

However, automation in supply chain resilience is not a silver bullet. Without reasonable workflows and clear processes, even the most advanced automation can create more problems than it solves. A flood of alerts and notifications, without the ability to triage and respond effectively, can quickly overwhelm teams and obscure real risks. The key is to design systems that support exception-based reviews, allowing organizations to focus their attention where it matters most. By integrating AI-powered insights into risk management processes, companies can move beyond static assessments and embrace dynamic, continuous risk assessment strategies that adapt to the evolving threat landscape.

One of the most significant changes in recent years is the scaling of risk management processes to encompass the entire supply chain. No longer is it sufficient to focus only on major suppliers. Every third party, regardless of size, must be included in the risk assessment process. This requires systems that can handle the scale and complexity of modern supply chains, leveraging automation and AI to provide comprehensive coverage without sacrificing depth or accuracy. The result is a more resilient supply chain, capable of withstanding disruptions and adapting to new challenges as they arise.

Ultimately, the only way forward is to break down organizational silos, integrate risk thinking across all functions, and deploy smart automation that delivers real-time insight and enables rapid response. Supply chain risk must be managed at scale, with the understanding that every vendor and partner is a potential source of vulnerability. By embracing AI, intelligent automation, and holistic supply chain risk assessment strategies, organizations can build the resilience they need to thrive in an increasingly uncertain world.

The lesson is clear: resilience is not just about having the right tools or processes—it is about fostering a culture of shared responsibility, continuous improvement, and proactive risk management. As the boundaries between internal operations and external partners continue to blur, the organizations that succeed will be those that break down silos, harness the power of AI-powered insights, and elevate supply chain risk to the highest levels of decision-making. In the end, real supply chain resilience is not just a goal—it is a necessity.

TL;DR: Old ways won’t cut it—2025’s third-party risk management is about integrated thinking, automation that actually works, and keeping your eyes open to risks hiding in plain sight (like that humble pencil supplier).

Ece Karel - Community Manager - Global Risk Community

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead