Onboarding a new vendor – it should be simple. Many days later, Sam is still stuck

By Sachin Jha

Third-party risk management (TPRM) is broken.
And no one feels the pain more than the people at the center of it all—the TPRM analysts.

Meet Sam – he’s smart, organized, and dedicated. But like many risk professionals today, Sam is drowning in outdated processes, endless follow-ups, and vendor delays that stretch what should be days into weeks—or worse, months.

Here’s what his world looks like:


It Starts with a Simple Request…

A new vendor, ACME Inc., needs to be onboarded. It should be simple.

But Sam’s process begins with:

  • Requesting the vendor to fill out the intake form
  • Hunting down the internal relationship owner for additional context
  • Identifying the vendor’s Trust Center and searching for any publicly known security incidents or past breaches
  • Creating a new record in a shared Excel tracker
  • Reviewing documentation like the DPA, Security Addendum, and Privacy Policy—alongside the legal team
  • Assigning a risk tier (still based on gut feel and a basic checklist)
  • Selecting the standard questionnaire from the team’s library, and updating it slightly to reflect the vendor’s unique setup or AI usage
  • Drafting the outreach email

One hour in, and Sam still hasn’t hit send.


The Endless Chase Begins

The questionnaire goes out—initially shared with the vendor’s sales representative.
The expectation? A smooth handoff.
The reality? Silence.

The vendor, Andy, doesn’t respond.

Sam checks the tracker. Sends a polite nudge. Still nothing.
Business stakeholders grow impatient.

Andy’s out-of-office bounces back.
A new contact, Adam, steps in—but asks Sam to “resend everything from the beginning.”

This back-and-forth continues for days, sometimes weeks.

Eventually, evidence starts to come in—but it’s disorganized and incomplete. Files arrive through fragmented email threads and random file-sharing links. Naming conventions are inconsistent—files are labeled things like “screenshot_24.07.24” or “document_final_final_v2,” making it nearly impossible to trace them back to specific questions. With no clear references or structure, Sam spends hours just trying to figure out what each file is and where it fits.


Review, Review, and… Review Again

Sam finally receives the full submission—only to find:

  • Half the answers are boilerplate
  • No documentation for key controls
  • Nothing mapped to a standard like NIST or SOC 2
  • Several claims that need validation (“Yes, we have a DLP policy!”)

So he starts again. Redlines, follow-ups, manual review of attachments, and risk scoring by eyeballing multiple tabs.

He’s not just reviewing responses.
He’s deciphering language, chasing context, and trying to connect dots that should already be mapped.

The Result?

  • 24+ days from request to closure
  • 10+ hours of hands-on work per vendor
  • Reactive cycles and repetitive tasks
  • Zero visibility into fourth parties (the vendor’s own subcontractors and subprocessors)
  • Zero automation. Zero collaboration. Zero peace of mind.

And the scariest part? Sam knows he can’t scale. Not like this.


The Problem Isn’t Sam—It’s the System

This isn’t about people not working hard enough. It’s about the system being built for a different time.

TPRM today is a patchwork of broken workflows—held together by spreadsheets, siloed intake forms, and manual effort.

Static trackers. Generic questionnaires. Copy-pasted risk models. Compliance checks done by hand.

And the worst part? Endless follow-ups.

Not only do they waste time—they introduce chaos.

With so much back-and-forth, the real risk can easily get buried.

For Tier 1 vendors—the ones with the highest impact on the business—that chaos becomes a critical issue.

The current system wasn’t designed for today’s complex, fast-moving vendor ecosystems.

And it shows.


What the Market Needs Now

There’s a growing urgency for a better model—one that’s:

  • Automated from start to finish
  • Smart enough to prioritize what matters
  • Fast enough to keep up with the business
  • Flexible enough to scale across thousands of vendors
  • Aligned with today’s AI-driven threat landscape

In other words, what third-party risk teams need isn’t just another dashboard.

They need an autonomous TPRM.

A system that connects every stage of the process.

One that thinks, acts, and evolves like a teammate—not just a tool.

One that reduces effort rather than adding to it.


The Bottom Line

Sam’s story isn’t unusual. It’s the norm.
And until something changes, third-party risk management will keep lagging behind the pace of business.

But there’s a shift coming.

And when it does, the teams who embrace automation and autonomy won’t just keep up—they’ll lead.

Stay tuned. Something smarter is on the way…