Development of Third-Party Risk (Part 1): Vendors Are Containers, Not Risks

You approved the vendor. But did you approve what they're actually doing?

This is the disconnect I see constantly: a business unit wants to onboard a new product or service from an existing vendor and pushes back with "but they're already approved!"

They are. What you're buying from them today isn't.

Vendors are containers, not risks

You onboard Microsoft for Office 365. Low-risk productivity tools, standard due diligence, done. Six months later, the same business unit wants to move core platform data into Azure.

That's not the same risk. That vendor just went from low to critical. But if your program only tracks at the vendor level, you'd miss it entirely. Microsoft is already "approved."

The vendor didn't change. What you're buying from them did. And that's where the risk actually lives.

Scope creep is invisible at the vendor level

Vendor relationships expand over time. One product becomes two. A small engagement grows into a dependency. Each addition carries its own risk profile — different data access, different integrations, different failure impacts.

But if your inventory just says "Vendor: Approved" with no visibility into what's underneath, you're flying blind. You assessed the container once. You never assessed what's been added to it since.

The business unit doesn't see this

When someone pushes back with "the vendor is already approved," they're not being difficult. They genuinely don't understand that vendors are just containers for risk items.

The risk isn't the company name on the contract. It's what you're buying, how it's being used, and what it touches. Two products from the same vendor can have completely different risk profiles.

Your job is to make that visible — to them and to your program.

Approve products and services, not just vendors

Your third-party risk management (TPRM) inventory should track what you're actually using, not just who you're using it from. Each product or service needs its own assessment, its own risk rating, and its own ongoing monitoring.

The vendor is just the container. What's inside is what matters.
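As an added illustration (not code from the post or its author), here is a minimal inventory model in which the vendor is only a container and each product or service carries its own rating. The tier scale, the `Vendor`/`Engagement` names and the Office 365 to Azure walk-through are assumptions constructed to mirror the example above; the point it shows is that a vendor-level record alone would never raise the finding.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Risk tiers ordered least to most severe (assumed scale, not from the post).
TIERS = ["low", "moderate", "high", "critical"]

@dataclass
class Engagement:
    """One product or service bought from a vendor, rated on its own."""
    name: str
    tier: str
    touches: List[str] = field(default_factory=list)  # data or systems reached

@dataclass
class Vendor:
    """The container: the name on the contract, not the risk itself."""
    name: str
    approved_tier: str  # tier assigned when the vendor was first onboarded
    engagements: List[Engagement] = field(default_factory=list)

    def effective_tier(self) -> str:
        """Vendor-level risk is the highest tier of anything bought from it."""
        tiers = [e.tier for e in self.engagements] or [self.approved_tier]
        return max(tiers, key=TIERS.index)

def add_engagement(vendor: Vendor, engagement: Engagement) -> List[str]:
    """Record a new product/service under the vendor and return findings.
    A vendor-only inventory would answer "already approved" here; tracking per
    engagement shows when a purchase exceeds the tier the vendor was approved
    at, so it can be routed for its own assessment."""
    findings = []
    if TIERS.index(engagement.tier) > TIERS.index(vendor.approved_tier):
        findings.append(
            f"{vendor.name}: '{engagement.name}' is {engagement.tier}, above "
            f"the approved {vendor.approved_tier} tier; needs its own assessment")
    vendor.engagements.append(engagement)
    return findings

def office_to_azure_scenario() -> Tuple[str, List[str]]:
    """Constructed walk-through of the post's example: O365 first, Azure later."""
    ms = Vendor("Microsoft", approved_tier="low")
    add_engagement(ms, Engagement("Office 365", "low", ["email", "documents"]))
    findings = add_engagement(
        ms, Engagement("Azure", "critical", ["core platform data"]))
    # The vendor record still says "approved"; the engagement view says critical.
    return ms.effective_tier(), findings
```

Calling `office_to_azure_scenario()` returns `"critical"` for the vendor's effective tier together with one finding naming the Azure engagement.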


About the Author

Risk Management Consultant

With over 15 years of experience in financial services risk management, I help regional banks and credit unions build TPRM frameworks that actually work—without the enterprise overhead. My approach focuses on practical solutions that satisfy regulators while respecting your institution's resources and capabilities.
