
Third-Party Risk: The Questions Boards Actually Ask

Boards rarely ask about your vendor count. They ask what happens when a critical supplier fails, and how quickly you'd know. Those are different questions.

Ask most technology or risk teams what their third-party risk programme covers and you'll usually hear about the number of vendors onboarded, questionnaires completed, and assessments closed out. Those are activity metrics. They're useful for running a programme day to day. They are not, in our experience, what a board is actually asking about when third-party risk comes up as an agenda item.

Boards ask narrower, sharper questions, and they tend to cluster around a small number of themes regardless of industry.

What happens if this supplier fails tomorrow? Not "have they been assessed," but what's the actual operational and commercial impact if a critical vendor has an outage, a breach, or simply stops trading? Do we have a continuity plan for that specific relationship, has it been tested, and how long would recovery realistically take?

How would we know? Detection matters as much as planning. If a supplier is compromised, or a fourth-party in their own supply chain is compromised, how does that information reach us, and how quickly? A tiering framework that stops at direct suppliers has a blind spot the moment risk originates one or two steps further down the chain.

How current is this assessment, really? A questionnaire completed eighteen months ago tells a board very little about a vendor's posture today. The question underneath this one is usually about process, not paperwork: is assurance something we do once at onboarding, or something we maintain?

What's our exit plan? Concentration risk is a board-level concern in its own right. If a small number of suppliers underpin a disproportionate share of critical operations, the question isn't whether they're currently well-managed. It's what the organisation's options are if the relationship needs to end, voluntarily or otherwise.

None of these questions are answered by a vendor count or a completion percentage. They're answered by a programme that treats third-party risk as an ongoing operational discipline: tiering that reflects actual criticality, assurance that's refreshed rather than filed, and visibility that extends beyond the first tier of the supply chain. Building that programme is a different exercise from running a questionnaire process, and it's usually the gap a board's questions are quietly pointing at.
