Advisory & Data Protection

Third-Party Risk Management

Supplier cyber risk managed continuously — tiered assurance from automated questionnaires to analyst-led review and validated evidence, run by Blackfoot in Clarity.

Most supplier security checks happen once, at onboarding, and never again. Meanwhile the supplier's access grows, your dependency deepens and their security posture changes — unseen. Blackfoot's third party risk management service closes that gap: a managed, platform-backed programme that continuously identifies, assesses, prioritises and manages supplier cyber risk.

Crucially, Blackfoot manages the process. Questionnaires get issued, responses get chased, reviews get done and reassessments happen on schedule — our analysts and the Clarity portal do the administrative heavy lifting while your team keeps full visibility without operating a platform or chasing suppliers themselves.

Three tiers of third party risk management assurance

Not every supplier deserves the same scrutiny, so the service is tiered. Registered suppliers get lower-touch coverage: onboarding, automated questionnaire issue, response capture and ongoing visibility. Reviewed suppliers add analyst-led assurance — risk-tier review, response review with a risk rating, additional questionnaires where risk warrants, follow-up and escalation, and recommendations under ongoing managed review. Assured suppliers receive higher-assurance validation scoped on demand: evidence review and validation, second-party audits, agreed remediation with tracking and improvement monitoring.

Delivery is structured and predictable. Year one includes full setup — branding, initial supplier data load, single sign-on, roles, dashboards, standard questionnaires and training. Each supplier is then managed annually through their tier's cycle, supported by monthly progress sessions, quarterly service reviews and an annual supplier summary and debrief. Your team gets unlimited TPRM manager and supplier-owner access, custom questionnaires, risk ratings, dashboards and raw data export.

The result is supplier risk visibility that holds up over time — consistent assurance, prioritisation by risk and business impact, and evidence ready for audits, insurers and customer due diligence. It pairs directly with Risk Management as a Service, so supplier risks feed your wider register, and with Compliance as a Service, where supplier diligence is itself a recurring framework requirement.

What you get

We run the process

Questionnaire issue, response chasing, reviews and reassessment handled by Blackfoot — your team keeps oversight without the admin burden.

Tiered to the risk

Registered, Reviewed and Assured tiers match scrutiny to supplier criticality, so effort and cost concentrate where exposure is real.

Analyst judgement, not just forms

Reviewed and Assured tiers add expert review, risk ratings, follow-up questioning and recommendations — answers get scrutinised, not filed.

Reassessment built in

Suppliers are reviewed on a managed cycle, catching the drift that onboarding-only checks miss entirely.

Evidence on demand

Risk ratings, questionnaire history and dashboards in Clarity give auditors, insurers and customers answers without a scramble.

Structured service rhythm

Monthly progress sessions, quarterly service reviews and an annual supplier summary keep the programme visible and accountable.

How it works

  1. 01

    Set up and load

    Year-one setup configures Clarity with your branding, supplier data, single sign-on, roles, dashboards and standard questionnaires, with training for your team.

  2. 02

    Tier your suppliers

    Suppliers are assigned to Registered, Reviewed or Assured tiers based on risk and business impact, focusing scrutiny where it matters.

  3. 03

    Assess and review

    Questionnaires are issued and chased automatically; analysts review responses, apply risk ratings and escalate follow-ups according to tier.

  4. 04

    Manage the findings

    Recommendations, remediation agreements and improvement tracking are managed through the portal, with your team seeing status in real time.

  5. 05

    Review and reassess

    Monthly progress sessions and quarterly service reviews keep the programme on track, with suppliers reassessed on cycle and an annual summary to close the year.

Frequently asked questions

Straight answers to what prospective clients ask us most.

What is third party risk management?

It's the discipline of assessing and monitoring the cyber risk your suppliers create — the access they hold, the data they touch and the security they actually practise. Managed well, it's a continuous programme with tiered assurance, not a questionnaire at onboarding.

How do the supplier tiers work?

Registered suppliers receive automated questionnaires and ongoing visibility without analyst review. Reviewed suppliers add analyst-led response review, risk ratings, follow-up and recommendations. Assured suppliers get the highest level — evidence validation, second-party audits and tracked remediation — scoped on demand.

How much work is left for our team?

Very little of the administration. Blackfoot issues questionnaires, chases responses, reviews and escalates; your TPRM managers and supplier owners get unlimited access to Clarity for oversight, decisions and reporting, including raw data export.

Will this satisfy our auditors and insurers?

It gives you exactly what they ask for: a documented, consistent supplier assurance process with risk ratings, assessment history and evidence of follow-up. Supplier diligence is also a recurring requirement in frameworks like PCI DSS and ISO 27001, where this service feeds directly into compliance.

What if a supplier assessment uncovers serious problems?

Reviewed-tier suppliers receive analyst recommendations and escalation; for critical relationships, the Assured tier scopes evidence validation, remediation agreement and improvement monitoring. You decide the commercial response — we make sure you're deciding on evidence.

Ready to talk about third-party risk management?

Get a fixed-scope quote, usually the same working day.