Here is the state of third-party risk management at most organisations in 2026: a procurement team sends a spreadsheet to a vendor. The vendor fills it in — ticking boxes, writing "yes" next to questions about encryption, access controls, and incident response. The spreadsheet comes back. Someone files it. The vendor is approved. Twelve months later, the cycle repeats.
In between, the vendor suffers a ransomware attack, lets a TLS certificate expire, or gets acquired by an entity on a sanctions list. Nobody notices until it's a headline.
This isn't a hypothetical. The pattern behind every major supply chain breach of the last five years is the same: a trusted third party with a clean questionnaire on file turns out to have had serious, verifiable security weaknesses that nobody checked. The questionnaire said they were compliant. Reality said otherwise.
The questionnaire measures intent, not reality
Vendor risk questionnaires — whether you call them SIG, CAIQ, VSA, or your own bespoke 300-row Excel masterpiece — share a fundamental flaw. They measure what a vendor says they do, not what they actually do.
Ask a vendor "Do you enforce MFA on all administrative accounts?" and you'll get "Yes" every time. But does anyone verify that? Does anyone check whether their admin portal is exposed on Shodan with password authentication enabled? Does anyone look at their DNS records to see whether they've implemented SPF, DKIM, and DMARC correctly? No. Because the questionnaire isn't designed for verification. It's designed for documentation.
The result is a third-party risk programme that gives you a filing cabinet of self-assessed compliance and zero actual assurance. You know what vendors intended their security posture to be at the moment they completed the form. You know nothing about what it looks like today.
And the economics are broken. A mid-size enterprise with 200 vendors spends thousands of hours per year chasing, reviewing, and filing questionnaires. The GRC team is buried in spreadsheet logistics instead of analysing actual risk. Critical vendors get the same annual review cycle as low-impact SaaS tools, because the process itself consumes all the capacity.
What modern TPRM should look like
If you started from scratch today — no legacy processes, no inherited spreadsheets — you wouldn't design vendor risk management around annual self-assessment. You'd design it around three principles:
- Continuous, not periodic. Vendor risk changes constantly. Corporate filings change. Certificates expire. New vulnerabilities are disclosed. Your programme should reflect reality in near real-time, not once a year.
- Evidence-based, not self-reported. Don't ask a vendor if they have a firewall. Scan their attack surface and see for yourself. Pull their Companies House filings. Check whether they've appeared on breach databases. Verify their certifications against issuing bodies.
- Automated, not manual. The collection, correlation, and scoring of vendor risk data should happen without human intervention. Your analysts should spend their time on judgement calls, not data entry.
This is the difference between vendor risk management and vendor risk theatre. One produces decisions. The other produces paperwork.
How Corvus approaches third-party risk
We built Corvus Security IQ with vendor risk management as a core capability, not a bolt-on module. The system pulls from nine independent assurance feeds and runs an eight-probe attack surface scan on every vendor in your portfolio — automatically, continuously, without sending a single questionnaire.
Nine assurance feeds: real data, not self-assessment
Instead of asking vendors about their corporate health, certifications, and security posture, Corvus goes and checks:
- Companies House — Filing status, overdue accounts, active/dissolved status, officer changes. A vendor six months behind on filings is a different risk proposition than one that's current.
- Sanctions screening — Continuous checks against OFAC, EU, UN, and UK HMT sanctions lists — not a one-time onboarding check.
- Have I Been Pwned (HIBP) — Breach history for the vendor's domain. Credentials exposed in three breaches last year tell you more than any policy document.
- Shodan — Internet-facing services, open ports, exposed admin panels, outdated software. What the vendor's infrastructure actually looks like from the outside.
- Cyber Essentials — Certification status verified against the NCSC-backed scheme. Not "do you have it?" but "does the issuing body confirm it?"
- LEI (Legal Entity Identifier) — Global entity verification via GLEIF, confirming legal identity and corporate structure.
- PSC (Persons of Significant Control) — Beneficial ownership data — who actually controls the vendor entity.
- Certificates — TLS/SSL validity, expiry, certificate authority, and chain of trust verification.
- Geographic risk — Country-level scoring based on geopolitical stability, rule of law, cyber threat landscape, and data protection regime.
Every one of these feeds returns verifiable, objective data. None of it relies on the vendor's own assessment of their posture.
Eight-probe attack surface scanning
Beyond the assurance feeds, Corvus runs a comprehensive external scan of each vendor's attack surface. Eight probes, completing in under two minutes:
- TLS configuration — Protocol versions, cipher suites, certificate validity, HSTS enforcement
- DNS security — DNSSEC status, zone configuration, record hygiene
- Email authentication — SPF, DKIM, and DMARC policy validation and alignment
- HTTP security headers — CSP, X-Frame-Options, CORS, referrer policy, permissions policy
- Subdomain enumeration — Discovery of subdomains, identifying shadow IT and forgotten infrastructure
- Technology stack detection — Frameworks, CMS platforms, server software, CDN providers, known vulnerable versions
- RDAP/WHOIS — Domain registration details, registrar, expiry, registrant changes
- Certificate Transparency logs — CT log monitoring for newly issued certificates, detecting potential domain impersonation
The result is an evidence-based picture of each vendor's externally observable security posture. Not what they told you on a form. What their infrastructure actually looks like.
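An added illustration of the email-authentication and HTTP-header probes described above, written for this article and not taken from Corvus or any other product: each verdict is stored alongside the raw DNS record or header value it was derived from, so a reviewer can trace a failing probe back to evidence rather than to a questionnaire answer. The pass criteria (hard-fail SPF, enforcing DMARC policy, one-year HSTS max-age) and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    probe: str
    passed: bool
    evidence: str  # the raw record or header value the verdict came from

def check_spf(apex_txt):
    """Pass only with exactly one SPF record that ends in a hard fail (-all)."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return Finding("spf", False, f"{len(spf)} SPF records found: {spf}")
    return Finding("spf", spf[0].split()[-1] == "-all", spf[0])

def check_dmarc(dmarc_txt):
    """Pass only with an enforcing policy (p=quarantine or p=reject) at _dmarc."""
    rec = next((r for r in dmarc_txt if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return Finding("dmarc", False, "no DMARC record at _dmarc")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()
    return Finding("dmarc", policy in ("quarantine", "reject"), rec)

def check_headers(headers):
    """HSTS needs a max-age of at least one year; CSP and X-Frame-Options must be present."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get("strict-transport-security", "")
    max_age = 0
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    return [
        Finding("hsts", max_age >= 31536000, hsts or "header absent"),
        Finding("csp", "content-security-policy" in h, h.get("content-security-policy", "header absent")),
        Finding("x-frame-options", "x-frame-options" in h, h.get("x-frame-options", "header absent")),
    ]

def assess(apex_txt, dmarc_txt, headers):  # every finding, pass or fail, with evidence attached
    return [check_spf(apex_txt), check_dmarc(dmarc_txt), *check_headers(headers)]

def failed_probes(findings):
    return sorted(f.probe for f in findings if not f.passed)

# Constructed sample data standing in for real DNS TXT lookups and an HTTP response.
SAMPLE_APEX_TXT = ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"]
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "DENY"}
```

On the sample data, SPF (soft fail), DMARC (p=none), HSTS (five-minute max-age) and CSP (absent) all fail while X-Frame-Options passes, and each failure carries the exact record that produced it.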
Six-dimension risk scoring
Corvus synthesises all of this data into a single weighted risk score across six dimensions:
Cyber posture carries the heaviest weight because it represents the most dynamic, exploitable risk. Sanctions is second because regulatory consequences are severe and immediate. The remaining dimensions each reflect genuinely distinct risk factors. Every score is traceable to its underlying evidence — when a vendor's risk changes, you see exactly which feed or probe drove the change.
Portfolio-level analytics
Individual vendor scores are necessary but not sufficient. Corvus also provides portfolio analytics across your entire vendor estate:
- Concentration risk — How many critical vendors share the same hosting provider, certificate authority, or jurisdiction? Single points of failure across multiple vendors are invisible to individual assessments.
- Review backlog — Which vendors haven't been scanned recently? Automated scanning eliminates staleness, while the dashboard tracks it for audit evidence.
- Evidence gaps — Where is data missing? Which vendors couldn't be fully scanned? Knowing what you don't know matters.
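An added example of the concentration-risk analysis described above, written for this article rather than taken from Corvus: it groups critical vendors by hosting provider, certificate authority and jurisdiction and flags any value shared by a large fraction of them. The vendor inventory, attribute names and the 60% flagging threshold are constructed assumptions; in practice those attributes would come from the scan output.

```python
from collections import defaultdict

# Constructed vendor inventory. In a real portfolio these attributes would be
# filled from scan output (hosting/CDN from technology detection, CA from the
# certificate probe, jurisdiction from entity data); the values here are made up.
VENDORS = [
    {"name": "payroll-saas", "critical": True,  "hosting": "cloud-a", "ca": "CA-1", "jurisdiction": "GB"},
    {"name": "crm",          "critical": True,  "hosting": "cloud-a", "ca": "CA-2", "jurisdiction": "GB"},
    {"name": "ticketing",    "critical": True,  "hosting": "cloud-a", "ca": "CA-1", "jurisdiction": "US"},
    {"name": "backup-vault", "critical": True,  "hosting": "cloud-b", "ca": "CA-2", "jurisdiction": "GB"},
    {"name": "team-chat",    "critical": False, "hosting": "cloud-c", "ca": "CA-3", "jurisdiction": "DE"},
]

def shared_dependencies(vendors, attribute, threshold):
    """Map each value of `attribute` to the critical vendors that share it,
    keeping only values that cover at least `threshold` of critical vendors."""
    critical = [v for v in vendors if v["critical"]]
    if not critical:
        return {}
    groups = defaultdict(list)
    for v in critical:
        groups[v[attribute]].append(v["name"])
    return {value: names for value, names in groups.items()
            if len(names) / len(critical) >= threshold}

def concentration_report(vendors, threshold=0.6):
    """Single points of failure across the portfolio, one entry per attribute.
    The 0.6 threshold is an assumption chosen for illustration."""
    return {attr: shared_dependencies(vendors, attr, threshold)
            for attr in ("hosting", "ca", "jurisdiction")}
```

Each vendor in the sample passes an individual review, yet three of the four critical vendors sit on the same hosting provider and three share one jurisdiction, which only the portfolio view reveals.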
Questions to ask your current TPRM vendor
Whether you're evaluating new tools or auditing your existing programme, these questions separate real TPRM from questionnaire management software:
- What data sources do you pull from that the vendor doesn't control? If the answer is "none" or "rating agencies only," you're still relying on intermediated self-assessment.
- How often do you re-assess each vendor? If the answer is "when the user triggers a review," you have periodic assessment with extra steps, not continuous monitoring.
- Can you show me the evidence behind a vendor's score? If the score is a black box derived from undisclosed methodology, you can't defend it to auditors or regulators.
- Do you scan the vendor's actual attack surface? There is a material difference between scoring a vendor based on their questionnaire responses and scoring them based on what their TLS configuration, email authentication, and exposed services actually look like.
- How do you handle vendors who refuse to participate? A system that depends on vendor cooperation isn't a risk management system. It's a collaboration tool. The best vendor risk data is the data you can collect without asking.
Third-party risk management has been stuck in the questionnaire era for too long. The data is available. The technology to collect and analyse it automatically exists. The only question is whether your programme is built around documentation or around evidence.
Corvus Security IQ is $200/month with full TPRM capability included — nine assurance feeds, eight-probe attack surface scanning, six-dimension risk scoring, and portfolio analytics. No questionnaires required.