Third-Party Risk 2.0
Most vendor programs still rely on questionnaires—an honor-system snapshot that rarely reflects live exposure. This playbook introduces a higher-fidelity model: continuous signals, contract-triggered actions, and telemetry that reflects how a vendor actually behaves.
Tier vendors, measure exposure with intelligence inputs, and activate proportional controls when signals shift. A modern approach for legal, compliance, procurement, and security teams.
01 — Tiering Model
Classify vendors by impact, not convenience.
Vendors are not equal. Some can disrupt operations or expose regulated data; some pose minimal risk. Tiering ensures the right amount of scrutiny and oversight.
Operationally Critical
- Direct system integration
- Handles regulated or sensitive data
- Service outage impacts operations or revenue
- Breach creates high reputational exposure
Medium Exposure
- Limited data access
- Operational dependency but reversible
- Moderate regulatory intersection
- Risk manageable with controls
Low Exposure
- No data access
- No operational dependency
- Minimal compliance intersection
- Basic due diligence required
02 — Due Diligence 2.0
Move beyond questionnaires—interrogate reality.
Static documents show intent, not capability. Archer Knox incorporates external intelligence to identify whether a vendor behaves like a risk, regardless of what it declares.
External Signals
- Breach history & dark web chatter
- Credential leaks related to vendor domains
- Litigation filings or regulatory actions
- OSINT footprint (misconfigurations, exposures)
- M&A or financial distress indicators
Operational Reality Checks
- Runtime behaviors vs. documented controls
- Actual access level vs. contracted access
- Support responsiveness & SLA adherence
- Security practice alignment with SOC2/ISO claims
- Third-party subprocessor mapping
03 — Vendor Scorecard
A measurable model for exposure and behavior.
This scorecard creates a quantifiable threat surface for each vendor. Scores update when signals update—creating a live risk profile.
Security Posture
- Vulnerability history & patch cadence
- Certifications validated (SOC2, ISO)
- Endpoint hygiene & MFA enforcement
- Architecture transparency
Behavioral Indicators
- Unexplained downtime patterns
- Access drift outside contracted scope
- Support gaps or SLA deviation
- Shadow subcontractors
Operational & Financial Stability
- Financial stress signals
- Leadership turnover
- Regulatory actions or lawsuits
- M&A transitions impacting data governance
04 — Contract Triggers
Controls that activate when signals shift.
Contracts shouldn’t be static—they should behave like operational tools. Triggers automatically enforce additional scrutiny or suspension when risk crosses a threshold.
Trigger Examples
- Breach notification obligation within 24 hours
- Mandatory security review if score declines by X%
- Immediate suspension upon evidence of misuse
- On-demand audit rights
Remediation Pathways
- 30-day corrective action plans
- Updated architectural documentation
- Re-validation of controls
- Executive-level vendor briefing
Termination Thresholds
- Repeat SLA failures
- Evidence of fraud or unauthorized access
- Uncontained breach or data loss
- Financial collapse or insolvency risk
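A small implementation of the scorecard and trigger logic described in sections 03 and 04, added here as an example and not Archer Knox's own tooling. The category weights, the per-tier "X%" decline thresholds and the suspension floors are constructed assumptions; the three category sub-scores are assumed to arrive already normalized to 0-100.

```python
from dataclasses import dataclass, field

# Constructed assumptions for this example, not values from the playbook.
CATEGORY_WEIGHTS = {"security_posture": 0.5, "behavioral": 0.3, "stability": 0.2}
REVIEW_DECLINE_PCT = {"critical": 10.0, "medium": 20.0, "low": 35.0}  # the "X%" per tier
SUSPEND_BELOW = {"critical": 40.0, "medium": 25.0, "low": 0.0}         # score floor per tier


@dataclass
class Vendor:
    name: str
    tier: str                                    # "critical" | "medium" | "low"
    history: list = field(default_factory=list)  # composite scores, oldest first


def composite_score(signals: dict) -> float:
    """Weighted 0-100 composite; each category sub-score is 0-100 (100 = healthiest)."""
    return round(sum(w * signals[cat] for cat, w in CATEGORY_WEIGHTS.items()), 1)


def evaluate_triggers(vendor: Vendor, signals: dict, misuse_evidence: bool = False) -> list:
    """Recompute the live score from fresh signals and return the contract actions that fire.

    Tier decides how sensitive the triggers are: an operationally critical vendor gets a
    mandatory review on a smaller decline and a higher suspension floor than a low-exposure one.
    """
    score = composite_score(signals)
    actions = []
    # Evidence of misuse, or a score below the tier floor, suspends regardless of trend.
    if misuse_evidence or score < SUSPEND_BELOW[vendor.tier]:
        actions.append("immediate_suspension")
    # A relative decline against the last recorded score triggers a mandatory security review.
    if vendor.history:
        prev = vendor.history[-1]
        decline_pct = (prev - score) / prev * 100 if prev else 0.0
        if decline_pct >= REVIEW_DECLINE_PCT[vendor.tier]:
            actions.append("mandatory_security_review")
    vendor.history.append(score)  # keep the profile live for the next signal update
    return actions


if __name__ == "__main__":
    # Constructed sample: a critical-tier vendor whose posture and behavior signals degrade.
    v = Vendor("payroll-saas", "critical")
    evaluate_triggers(v, {"security_posture": 90, "behavioral": 80, "stability": 70})
    print(evaluate_triggers(v, {"security_posture": 70, "behavioral": 60, "stability": 70}))
```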
05 — Continuous Monitoring
Risk doesn’t wait for annual reviews.
Intelligence-driven programs monitor vendors the way security teams monitor threat actors—consistently, methodically, and with proportional alerting.
Daily Signals
- Breach chatter
- Credential leaks
- DNS anomalies
- Uptime irregularities
Weekly Signals
- Support delays
- Access permission drift
- Change management gaps
- Unacknowledged incidents
Monthly Signals
- Financial shifts
- Leadership turnover
- Regulatory activity
- Contract compliance checks
Annual Signals
- Re-tiering vendors
- Updated due diligence
- Full audit of access & permissions
- Contract renegotiation