The TPRM Accountability Gap: Who Really Owns Your Vendor Risk?
- juliachinjfourth
- 1 day ago
- 7 min read

Process without accountability is just paperwork
*****
"Who approved this vendor?"
Four people in the room. No one answers.
We've seen this scene play out too many times.
Procurement signed off because the paperwork was complete. Business renewed because "we've always used them." Compliance raised red flags last year, but they were buried in an email thread. Everyone assumed someone else was watching.
Nobody owned it.
Then the vendor failed. And suddenly everyone's asking: "Didn't we have a process for this?"
You did. But process without accountability is just paperwork.
If you've been in that room, or you're concerned your organisation might be headed there, this is for you.
The Accountability Gap
Why This Keeps Happening
The accountability gap isn't a failure of process. It's a failure of ownership.
Most organisations have vendor management policies. They have onboarding checklists, risk assessments, contract templates. The paperwork exists. What's missing is clarity on who owns the relationship - not just at onboarding, but through the entire lifecycle.
Ownership is assumed, not assigned. Procurement thinks compliance owns ongoing monitoring. Compliance thinks business owns the relationship. Business thinks procurement owns renewals. Everyone's waiting for someone else to act.
Roles are defined on paper but not in practice. The RACI matrix says "Responsible" next to someone's name. But that person has never been told what that actually means. They've never been trained on what to watch for. They've certainly never been held accountable when something went wrong.
The "hot potato" dynamic. When red flags appear, they get passed around. No one wants to be the one who slows things down. No one wants to be the one who says "stop." So the flag gets buried in an email thread, and everyone moves on.
The Cost of Ambiguity
When accountability is unclear, three things happen:
Delayed escalation. Someone notices something off - unusual access requests, missed SLAs, a news article about the vendor's financial troubles. But they're not sure it's their job to raise it. So they wait. And the window for action closes.
Renewal by default. The contract comes up for renewal. No one's done a fresh risk assessment. No one's checked whether the red flags from last year were resolved. But the business needs the service, and no one wants to be the blocker. So it gets renewed. "We've always used them."
No single point of accountability when things break. When the vendor fails - a data breach, a service outage, a compliance violation - there's no one person who can explain what happened. Because no one person was watching.
The Pattern We See
Here's a pattern we see repeatedly in our advisory work:
A vendor looked fine in isolation. The due diligence was done. The contract was signed. The risk rating was "medium."
But no one mapped the dependencies.
That vendor was linked to three critical systems. They shared access credentials with two other vendors. Their infrastructure was hosted on the same cloud provider as four other key suppliers.
One failure. And suddenly the entire operation was exposed.
The accountability gap isn't just about who signs the contract. It's about who sees the whole picture.
The Ecosystem Blind Spot
The Isolation Fallacy
Most organisations assess vendors individually. Each vendor gets its own risk assessment, its own due diligence file, its own contract.
But vendors don't operate individually.
They share infrastructure. They have access to the same systems. They pass data to each other. They depend on the same fourth parties. They're nodes in a network and that network has vulnerabilities that no individual assessment will catch.
Shared access credentials. Vendor A has access to your CRM. Vendor B has access to your payment systems. But both use the same IT support contractor, who has admin credentials to both. One compromised contractor, two breached systems.
System integrations. Your HR platform talks to your payroll provider, which talks to your benefits administrator, which talks to your banking partner. A failure at any point cascades through the chain.
Concentration risk. Five of your "different" vendors all run on the same cloud infrastructure. A single outage takes out all five and you never saw it coming because you assessed them separately.
Questions Most Leadership Teams Can't Answer
Ask your vendor management team these questions:
Which vendors have access to critical systems?
Which vendors share infrastructure or credentials with other vendors?
If Vendor X failed tomorrow, what else breaks?
What's our exposure if AWS / Azure / Google Cloud has a major outage?
Which fourth parties do our critical vendors depend on?
If the answers come slowly, or not at all, you have an ecosystem blind spot.
The Cascade Effect
A payroll vendor has a service outage. Payroll doesn't run. Employees don't get paid. HR is overwhelmed with queries. Finance is scrambling to arrange emergency payments. Operations are distracted.
Customer service suffers. A one-day vendor outage becomes a week-long organisational crisis.
A cloud provider suffers a breach. Three of your "unrelated" vendors were hosted on that provider.
Customer data from all three is exposed. You're now managing three incident responses simultaneously and explaining to regulators why you didn't know your vendors shared infrastructure.
These aren't hypotheticals. They're patterns we've seen across multiple engagements. And they all trace back to the same root cause: vendors were assessed in isolation, not as an ecosystem.
What Regulators Are Now Expecting
The Global Direction of Travel
Regulators worldwide are converging on the same expectations for third-party risk management. Whether it's the Basel Committee's Principles for Sound Management of Third-Party Risk, the FSB's toolkit on third-party oversight, or MAS's recent TPRM consultation, the message is consistent.
Clear roles and responsibilities. Someone needs to own the vendor relationship end-to-end, not just at onboarding, but through the entire lifecycle. Accountability must be explicit, not assumed.
Understanding interconnections and dependencies. Assessing vendors in isolation isn't enough. Regulators expect institutions to understand how vendors connect, to each other, to critical systems, to fourth parties. You need to see the network.
Culture that empowers action. The emphasis is shifting from "do you have a policy?" to "can your people act when something doesn't feel right?" Responsive risk management means people can adapt, escalate, and act, not just follow a checklist.
The Shift
The regulatory direction is clear:
From "do we have a policy?" to "do people know it's their job?"
From "did we do due diligence?" to "do we see the whole picture?"
From "is the paperwork complete?" to "can our people act when something doesn't feel right?"
Process is necessary. But process without accountability, and without visibility, is just paperwork.
Closing the Gap - Structure & Ecosystem
Transformation starts with two fundamentals: Structure and Ecosystem.
Structure: Who Owns What?
For third-party risk, that means:
Who owns the vendor relationship end-to-end? Not just onboarding. Not just contract negotiation. The whole lifecycle - from selection to exit.
Who monitors ongoing performance? SLAs, security posture, financial health, regulatory compliance. Someone needs to be watching, not just at renewal time.
Who escalates when something doesn't feel right? And do they know who to escalate to?
Who makes the call to terminate or remediate? When a vendor fails to meet standards, who has the authority and the accountability to act?
The Accountability Map
For each critical vendor, name ONE person accountable. Not a committee. Not a function. A person.
Then test:
Do they know they're accountable?
Can they explain what they're protecting against?
Do they have the authority to act if something goes wrong?
If the answer to any of these is "no," you have a structure gap.
Ecosystem: What's Connected to What?
For third-party risk, that means:
Map your vendors as a network, not a list. Who connects to whom? Who shares infrastructure? Who depends on the same fourth parties?
Identify concentration risk. Are multiple critical vendors running on the same cloud provider? Using the same payment processor? Dependent on the same country or region?
Identify cascade risk. If Vendor X fails, what else breaks? What's the blast radius?
The Dependency Audit
For each critical vendor, answer:
Which systems do they touch?
Which other vendors do they share access or infrastructure with?
What fourth parties do they depend on?
If they failed tomorrow, what's the impact and how far does it spread?
If you can't answer these questions, you have an ecosystem blind spot.
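The dependency audit and the accountability map above are, in practice, a graph problem, and the questions they ask can be answered mechanically once the inventory exists. The script below is an added example, not the post's or JFourth's own tooling; the vendor inventory, system integrations, fourth parties and owner names in it are constructed for illustration. It builds a vendor / system / fourth-party / credential graph, computes the blast radius of an outage or a compromise starting at any node, lists shared fourth parties and shared credentials used by more than one critical vendor (concentration risk), and flags critical vendors with no single named owner.

```python
"""Vendor-ecosystem audit: accountability, concentration and blast radius.

Added example; not the original post's or JFourth's own tooling. The vendor
records below are constructed sample data with hypothetical names.
"""
from collections import defaultdict, deque

# Constructed sample inventory. For each vendor: whether it is critical, the single
# named accountable person (None = nobody assigned), the internal systems it has
# access to, the fourth parties it runs on, and any credentials it shares.
VENDORS = {
    "payroll_co":      {"critical": True,  "owner": "A. Lim", "systems": ["Payroll"],
                        "fourth_parties": ["cloud_x"], "credentials": []},
    "benefits_co":     {"critical": True,  "owner": None,     "systems": ["Benefits admin"],
                        "fourth_parties": ["cloud_x"], "credentials": []},
    "crm_vendor":      {"critical": True,  "owner": "B. Tan", "systems": ["CRM"],
                        "fourth_parties": ["cloud_y"], "credentials": ["it_support_admin"]},
    "payments_vendor": {"critical": True,  "owner": "B. Tan", "systems": ["Payment gateway"],
                        "fourth_parties": ["cloud_x"], "credentials": ["it_support_admin"]},
    "catering_co":     {"critical": False, "owner": "C. Ong", "systems": [],
                        "fourth_parties": ["cloud_y"], "credentials": []},
}

# Constructed system-to-system integrations as (upstream, downstream) pairs.
# If the upstream system stops, the downstream one cannot do its job.
INTEGRATIONS = [
    ("HR platform", "Payroll"),
    ("Payroll", "Benefits admin"),
    ("Payroll", "Bank payments"),
]

BOTH = frozenset({"outage", "compromise"})
COMPROMISE_ONLY = frozenset({"compromise"})


def _add_edge(graph, src, dst, scenarios=BOTH):
    """Record that trouble at src propagates to dst under the given scenarios."""
    graph[src][dst] = graph[src].get(dst, frozenset()) | scenarios


def build_impact_graph(vendors, integrations):
    """Directed graph: graph[node][target] = scenarios in which trouble at node hits target.

    Node names are prefixed by kind: vendor:, system:, fourth:, cred:.
    """
    graph = defaultdict(dict)
    for name, rec in vendors.items():
        vendor = f"vendor:{name}"
        for system in rec["systems"]:
            _add_edge(graph, vendor, f"system:{system}")      # vendor down -> system down/exposed
        for fourth in rec["fourth_parties"]:
            _add_edge(graph, f"fourth:{fourth}", vendor)      # fourth party down -> vendor down
        for cred in rec["credentials"]:
            # A shared credential is a two-way compromise path between vendors, but not
            # an outage path: an outage at one vendor does not take the other offline.
            _add_edge(graph, vendor, f"cred:{cred}", COMPROMISE_ONLY)
            _add_edge(graph, f"cred:{cred}", vendor, COMPROMISE_ONLY)
    for upstream, downstream in integrations:
        _add_edge(graph, f"system:{upstream}", f"system:{downstream}")
    return graph


def blast_radius(graph, start, scenario):
    """Every node reachable from start over edges that propagate the scenario (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for target, scenarios in graph.get(node, {}).items():
            if scenario in scenarios and target not in seen:
                seen.add(target)
                queue.append(target)
    seen.discard(start)
    return seen


def concentration(vendors, field, threshold=2):
    """Shared resources (fourth_parties or credentials) used by >= threshold critical vendors."""
    shared = defaultdict(set)
    for name, rec in vendors.items():
        if rec["critical"]:
            for resource in rec[field]:
                shared[resource].add(name)
    return {r: sorted(v) for r, v in shared.items() if len(v) >= threshold}


def accountability_gaps(vendors):
    """Critical vendors with no single named owner."""
    return sorted(n for n, rec in vendors.items() if rec["critical"] and not rec["owner"])


if __name__ == "__main__":
    graph = build_impact_graph(VENDORS, INTEGRATIONS)
    print("No named owner:", accountability_gaps(VENDORS))
    print("Fourth-party concentration:", concentration(VENDORS, "fourth_parties"))
    print("Shared credentials:", concentration(VENDORS, "credentials"))
    for start, scenario in [("fourth:cloud_x", "outage"), ("cred:it_support_admin", "compromise")]:
        print(f"{scenario} at {start} ->", sorted(blast_radius(graph, start, scenario)))
```

Outage and compromise are kept as separate scenarios on purpose: a shared IT-support credential links two otherwise unrelated vendors for a compromise, which is exactly the "one compromised contractor, two breached systems" case above, but it does not make one vendor's cloud outage take the other offline. Running both scenarios against the same graph shows that an outage at cloud_x reaches three vendors and four systems through the payroll integration chain, while a compromise at cloud_x additionally reaches the CRM vendor through the shared credential. The same inventory also answers the accountability question directly: any critical vendor whose owner field is empty is a structure gap, before anyone asks whether the named person knows they own it.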
Three Questions for Your Leadership Team
You don't need a six-month transformation programme to start closing the accountability gap. Start with three questions:
1. "If our top 5 vendors failed tomorrow, could we name the one person accountable for each?"
If yes: Do they know they're accountable? Have they been told explicitly? Do they understand what that means in practice?
If no: That's your first fix. Assign accountability. Make it explicit. Test that they understand.
2. "When was the last time we mapped vendor dependencies, not just vendor contracts?"
Contracts tell you who you're working with. Dependencies tell you what breaks when they fail.
If your last dependency mapping was "never" or "we did it once, three years ago", you're flying blind.
3. "If someone raised a red flag about a vendor today, do they know who to escalate to, and would they feel safe doing it?"
Structure without culture is just org charts. People need to know it's their job to raise concerns. They need to know who to tell. And they need to believe that raising the flag won't make them the problem.
If your people are burying red flags in email threads, you don't have an escalation process. You have a culture problem.
The Accountability Test
"Who approved this vendor?"
You don't want to be in that room. You don't want four people looking at each other, waiting for someone else to answer.
The fix isn't more process. It's clearer ownership. It's understanding the ecosystem. It's building a culture where people know it's their job and feel empowered to act.
Process without accountability is just paperwork.
Rules don't stop third-party failures. People do.
But only if they know it's their job. And only if they see the whole picture.
Ready to Close the Gap?
The accountability gap doesn't close itself. It requires deliberate intervention, clarifying ownership, mapping dependencies, and building the culture that makes escalation safe.
JFourth works with leadership teams to transform third-party risk management from compliance-on-paper to accountability-in-practice.
We help you identify the gaps, design the structure, and build the culture that protects your organisation.
If you're not sure who owns your vendor risk, or whether they know it, let's talk.
It takes a network to defeat a network.
*****
📩 Subscribe to Tripwire for weekly insights on building robust risk and compliance cultures: https://thetripwire.substack.com/subscribe
📖 Follow our Blog for more: https://www.jfourthsolutions.com/blog-post