Third-party risk has become an increasingly urgent focus for boards and risk leaders, yet many organisations continue to delegate its management to procurement teams. While contracts and onboarding procedures remain necessary, they do not address the core concern: vendors now represent a critical cyber exposure vector, not simply an operational partner.
This shift matters because most businesses are now digitally dependent on suppliers across infrastructure, software, logistics and services. As these third parties gain access to systems, data and networks, they introduce an extended risk surface that traditional procurement-led approaches are poorly equipped to evaluate. In this environment, cyber threats do not stop at the organisational perimeter; they propagate through ecosystems.
Many procurement processes still rely on one-time questionnaires, spreadsheet-based risk scores or basic compliance checks. These tools offer little insight into a vendor's real-time security posture, resilience to attack or incident response capabilities. As a result, organisations may unknowingly onboard vendors with critical cyber weaknesses. This is particularly concerning given that supply-chain attacks are growing in volume, sophistication and impact.
To address this, Acuity Risk Management argues for a governance-led model in which third-party risk is treated as an integral part of enterprise-wide cyber risk strategy. Effective risk governance requires moving beyond box-ticking exercises towards continuous monitoring, impact-driven assessments and an evidence-based view of each vendor's role in the business.
Acuity RM Group Plc (LON:ACRM) operates through its wholly owned subsidiary, Acuity, an established provider of risk management services.