Introduction: The Invisible Weak Link
For years, vendor management has been treated as an administrative exercise. A procurement checklist. A questionnaire at onboarding. A file for the auditors.
But in 2025 and beyond, that mindset is not just outdated, it’s dangerous.
The real story of vendor risk is not a one-off gap in due diligence. It’s a spiral: weaknesses that cascade from one supplier to another, compounding across third, fourth, and even fifth parties. The breach might not start in your organisation, but the accountability will end there.
And regulators are making that point explicit.
Why Now: Regulatory and Market Pressure Collide
The EU’s Digital Operational Resilience Act (DORA), which came into force in January 2025, is unambiguous: financial services firms are accountable for the resilience of their third-party providers. That means continuous oversight, not just due diligence at the contract stage. Contracts must now include ex ante risk assessment, lifecycle monitoring, and clear provisions for material change and exit strategies.
The UK is not far behind. FCA and PRA operational resilience regimes demand that firms prove critical services can withstand disruption, irrespective of whether the weak point sits inside or outside the firm.
While the USA does not have a single overarching directive or framework, relying more on a collection of interagency rules and guidance, the “Sound Practices to Strengthen Operational Resilience” guide issued by the Office of the Comptroller of the Currency (OCC) in 2022 provides a set of established concepts similar to those in Europe. (OCC)
And the market pressure is intensifying. A 2025 survey found that 62% of organisations reported high or very high supply chain risk, with nearly a third of disruptions costing over $5 million (RapidRatings).
Meanwhile, research shows 98% of Europe’s top companies suffered a third-party data breach in the past year (Venminder).
In other words, supply chain resilience is no longer a side concern. It is a frontline governance issue.
The Vendor Risk Spiral Explained
The spiral starts innocuously. A critical service is outsourced to a trusted supplier. That supplier, in turn, relies on another vendor. And so on. Each layer adds efficiency but also fragility.
The problem is visibility. 79% of firms admit they lack oversight of their nth-party ecosystem (Venminder). That means risks are inherited blindly.
When a sub-supplier suffers a cyber incident, misses a patch, or fails operationally, the consequences cascade upwards. The regulated firm only sees the outcome: a system outage, a regulatory breach, a loss of customer trust.
This is the spiral: a weakness at the periphery becomes a failure at the core.
From Due Diligence to Continuous Vigilance
Traditional vendor risk management relies on onboarding questionnaires, annual reviews, and contractual assurances. That model is broken.
Threats evolve daily. Vendors change processes, adopt new technologies, or subcontract without warning. A contract written two years ago is silent on the risks created yesterday.
DORA codifies what leading firms already recognise: due diligence is not an event, it’s a lifecycle. That means monitoring cyber posture continuously, reviewing financial health in real time, and assessing resilience not at a single point, but as an ongoing responsibility.
As one 2025 report put it, 88% of CISOs are “somewhat or very concerned” about escalating supply chain cyber risks (SecurityScorecard). Concern is not enough. Continuous vigilance is the new standard.
Cultural and Governance Blind Spots
The hardest part of the vendor risk spiral is not technical; it’s cultural.
Procurement often views vendors as partners, incentivised to believe in best intentions. Compliance treats oversight as a box-tick. IT assumes contracts reflect reality. The Risk function sees the business as owning and managing the risk. Meanwhile, boards rarely see vendor risk as a standing agenda item.
This creates blind spots: misplaced trust, ownership gaps, and overconfidence in contracts that crumble under pressure.
Governance must catch up. Vendor risk cannot be delegated, assumed, or buried in procurement files. It must be owned, visibly and continuously, at the highest levels of the firm.

Breaking the Spiral: A Governance Framework for 2025
Addressing vendor risk is not about doing more of the same. It’s about rethinking the approach altogether.
First, firms must map and tier suppliers. Not every vendor is equal. Those providing critical services – payment processing, data storage, trading platforms – require far more scrutiny than those providing peripheral tools.
Second, governance must be integrated with regulatory frameworks. DORA is explicit: contracts must include lifecycle oversight, risk assessments, and exit strategies. Contracts must also cover subcontracting. The FCA’s resilience regime demands the same in practice, if not in identical language.
Third, oversight must be continuous, not periodic. Cyber monitoring tools, real-time risk intelligence, and ongoing dialogue with vendors replace static questionnaires. Continuous due diligence is the price of resilience.
Finally, visibility must reach the board. Vendor risk is not a back-office issue. It is a strategic concern, touching financial stability, regulatory compliance, and reputation. That means vendor resilience reporting should be as routine in board packs as capital adequacy or audit findings.
Final Word: Accountability Cannot Be Outsourced
When a supplier fails, regulators will not be satisfied with excuses about contracts or oversight gaps. They will ask why the firm did not see the spiral forming, why it lacked visibility, and why it failed to act. Because accountability cannot be outsourced.
For boards, the sharper questions are:
- Can we map our critical vendors beyond the third party, down to the nth party?
- Do we have continuous oversight of those who matter most?
- Is vendor resilience a standing item at board level, or a footnote in procurement?
The firms that can answer “yes” to all of the above will break the spiral. The rest will discover, too late, that the weakness they overlooked was the one that defined them.