Supplier security programmes have become near-universal in organisations of meaningful size, driven by regulatory expectation (DORA, NIS2), customer requirements, and the recognition that breaches frequently originate at third parties. Most of these programmes operate primarily through questionnaires: suppliers complete extensive security questionnaires, the organisation reviews and files them, and the relationship proceeds. Such programmes document a position. They rarely reduce risk in proportion to the operational cost they consume. The supplier risk practices that genuinely reduce risk look meaningfully different.
Why Questionnaires Underperform
Suppliers answering questionnaires have a strong incentive to answer favourably, and the answers are typically not verified beyond self-attestation. The questionnaires are often generic and miss the specific risks a particular relationship presents: the same form goes to the payroll processor and the office-supplies vendor. They are completed once at onboarding and rarely refreshed as the supplier or the relationship evolves. A questionnaire records what the supplier says about its controls, not whether those controls operate; it creates the impression of due diligence without producing the evidence that actually reduces risk. A supplier programme that consists primarily of questionnaire collection and filing is performing a regulatory check, not managing risk.
Risk-Tiered Assessment Depth
A supplier handling sensitive customer data requires deeper assessment than one providing office supplies. Strong programmes tier suppliers by risk and apply assessment depth proportional to the tier. Tier 1 (critical services, sensitive data, material business impact) gets deep technical assessment: on-site or virtual reviews, evidence verification, possibly penetration testing. Tier 2 gets standard questionnaire-based assessment with verification of key claims. Tier 3 gets light-touch assessment appropriate to lower risk. The tier should follow what the supplier can access and what fails if the supplier fails, not contract value: a low-cost SaaS tool holding an API key into production data is Tier 1 regardless of spend. The tiering itself is the discipline that allocates limited assessment capacity to the suppliers where it matters.
Verification Beyond Self-Attestation
For material suppliers, verification matters more than questionnaire completeness: SOC 2 reports, ISO 27001 certificates, penetration test summaries, security architecture diagrams, and evidence of specific controls (incident response runbooks, vulnerability management metrics, access review records). Each of these is independent evidence rather than self-attestation, but only within its stated scope. A SOC 2 report covers the systems and period named in it and lists the exceptions the auditor found; an ISO 27001 certificate covers the ISMS scope printed on it, which may not include the service you actually consume. Reading the scope, the period and the exceptions is part of the verification, not an optional extra. The verification work is more expensive than collecting questionnaire responses; it is also where the actual risk reduction happens.
A pattern in supply chain breaches: the breached supplier had passed the customer's supplier security questionnaire, sometimes multiple times. The questionnaire claimed controls that did not actually operate. The control gap surfaced during the breach investigation, not during the assessment. The remediation is rarely "better questionnaires"; it is verification of claimed controls for material suppliers, and ongoing monitoring rather than point-in-time assessment.
Contractual Provisions That Actually Matter
Supplier contracts vary widely in their security provisions, and the differences matter when something goes wrong. The provisions that count: a right to audit with realistic scope and frequency, not just nominal language; specific notification obligations on incidents (timeline, content, escalation), with a timeline short enough to let you meet your own regulatory deadlines, since a supplier commitment to notify "without undue delay" does not support a 72-hour notification obligation of your own (GDPR personal data breaches, for instance); defined security requirements with specific measurable expectations rather than generic "appropriate security" language; subprocessor management with notification and approval rights; liability allocation that reflects the actual risk distribution; and exit assistance terms that make termination viable. Contracts with strong provisions in these areas produce different supplier behaviour than contracts with weak ones.
Ongoing Monitoring vs Point-in-Time Assessment
A supplier assessed annually can have material control degradation in the eleven months between assessments without anyone noticing. Strong programmes complement point-in-time assessment with ongoing monitoring: public security incidents, ratings from independent monitoring services, news monitoring on the supplier, financial health monitoring for counterparty risk, certificate expiration tracking, and changes to the supplier's own subprocessors. None of this replaces deep assessment; it surfaces between-assessment changes that the assessment cycle would otherwise miss, and a change that matters (an acquisition, a disclosed breach, a lapsed certification) should trigger a reassessment rather than wait for the next scheduled cycle.
Components of a Programme That Reduces Risk
- Supplier tiering by actual risk, with assessment depth proportional to tier
- Verification of material control claims for top-tier suppliers, not just questionnaire self-attestation
- Contractual provisions calibrated to risk, with right to audit, breach notification, and exit assistance
- Ongoing monitoring complementing periodic assessment
- Internal owner per material supplier — someone whose job it is to know that relationship
- Integration with incident response — the supplier's incidents become your incidents
- Annual portfolio review at the leadership level — top suppliers should be visible to senior management
When the Programme Genuinely Reduces Risk
A supplier programme that reduces risk costs more operationally than one that produces compliance documentation. The investment is justified for material suppliers and difficult to justify uniformly across thousands of low-risk vendors. The maturity is in selectivity — high-touch supplier risk management for the relationships where it matters, light-touch for the rest, and the discipline to know the difference. Programmes that try to apply heavy assessment uniformly fail under their own weight; programmes that apply light assessment uniformly fail to reduce the risks that actually matter.