I have sat in board meetings across four CISO and CIO seats where the cyber update opened with a TPRM completion percentage. The percentage was always high. Eighty-seven. Ninety-two. Once, ninety-eight. The board nodded. Risk was, by the slide, handled.

In every one of those programs, the percentage measured the wrong thing. It measured how many vendors had returned the questionnaire we sent them. It did not measure whether the answers were true, whether the answers were current, or whether the vendors whose answers were complete were the vendors most likely to hurt us. The completion percentage was a number that the program could move. The risk it was supposed to track was not.

This is the shape of the hidden tax. The program is real. The hours are real. The percentage is real. The outcomes are missing.

What the paper program looks like

The shape is consistent across organizations I have worked with and inside of. A spreadsheet of vendors with risk tiers that were mostly assigned by gut on intake day and never revisited. Annual questionnaires, usually SIG-Lite, sent and returned and stored. A folder of SOC 2 reports nobody reads cover to cover. A risk register with three columns and a "last reviewed" date that is twelve months old. An auditor's confirmation that the program is in place. A board metric that says completion is at the high eighties.

None of that is wrong. All of it is real work. The question the program does not answer is the one that matters: which of your vendors is most likely to trigger your incident response next quarter, and why.

Three taxes the audit committee never sees

The CFO believes you

This is the first tax, and the one I have watched do the most damage. The CFO and the audit committee believe vendor risk is handled because the deck says so. The completion percentage is high. The questionnaire library is current. The security team has been visibly busy.

None of that is the same as knowing what your exposure actually is. The day it matters, the question is not "where was the gap." It is "why did we think there wasn't one." Confidence without instrumentation is the most expensive feeling in security. You sell it to your executives, and they sell it to the board, and the people who relied on it stop trusting you the moment it turns out to have been built on completion percentages.

Audit findings deferred, not avoided

Self-attested questionnaires get accepted at SOC 2 Type 1. They get accepted, with caveats, at SOC 2 Type 2. At HITRUST, ISO 27001, PCI DSS where a QSA assessment is required, or any framework that pushes into evidence-based assessment, the program that looked complete starts producing findings. Continuous monitoring is missing. Sub-processor visibility is missing. The vendor's security profile in your file is six versions behind the vendor.

The work to upgrade is the work that should have been done from the start. It just gets compressed into a fire drill with an auditor's deadline on it. The cost of building it right the first time is lower than the cost of rebuilding it under audit pressure two years later. Nobody books that delta as a TPRM cost. It still gets paid.

The opportunity cost of the questionnaire mill

A senior security analyst at a mid-market healthcare company is a $130,000 to $180,000 hire. Spending three to five hours a week chasing your payroll provider, your observability platform, and your AI subprocessor to complete questionnaires that do not change outcomes is not a TPRM program. It is overhead with a security label.

The work that would change outcomes is somewhere else. Mapping internal access against vendor exposure. Tracking sub-processor inheritance. Reading breach disclosures that pattern-match against your vendor list. Investigating the architecture of the third party that holds your customer data. That work is the program. The questionnaire is the receipt.


The fourth tax has a Tuesday

The first three taxes accrue quietly. The fourth one has a date on it.

A vendor your program rated medium-low risk has an incident. It is announced on a Tuesday because vendors prefer to announce incidents on Tuesdays. The blast radius reaches you because the vendor touches a system, a dataset, or a sub-processor your program did not surface.

Then the forensics come back, and they say what forensics almost always say in these cases: the warning signs were discoverable months earlier. The vendor changed its data processor in February. Its security lead left in March. Its public breach disclosure pattern shifted in April. Its TLS certificate had been re-issued under a new CA in a way that, in hindsight, mattered. The annual questionnaire your team sent in January captured none of it because the questionnaire is a point-in-time artifact and the risk is continuous.

The board is not going to ask you about your completion percentage that quarter. They are going to ask why a vendor your program had rated as medium-low risk had access to the data that is now in a regulator's letter on your desk. Answering that the questionnaire said the controls were in place is not an answer. It is the bill arriving for a tax you had been paying for years without seeing it.

What real instrumentation looks like

The fix is not a thicker questionnaire. It is not more vendors in the spreadsheet. It is not a higher completion percentage. It is instrumentation that runs between the questionnaires, and the willingness to act on what the instrumentation surfaces.

Concretely, that means continuous external monitoring of vendor security posture instead of annual snapshots. Evidence-based scoring drawn from observable signals (certificate hygiene, breach disclosures, sub-processor announcements, security team continuity) instead of self-attestation. Sub-processor mapping that goes two hops in, not one, because the vendor's vendors are your vendors too. And connection-level visibility into what each vendor actually touches in your environment (API credentials, OAuth grants, SSO integrations, network tunnels, scheduled data feeds), with what access, holding what data. That is the question the board is asking when they ask about vendor risk. Most programs cannot answer it.
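To make the contrast between the slide metric and real instrumentation concrete, here is an added worked example that is not code from the original post or from any product it describes. It builds a small constructed vendor inventory, computes the completion percentage the board sees, walks the sub-processor graph two hops out, and produces an exposure score from observable signals, data held, access level and questionnaire age. The vendor names, the signal list, the weights and the "Tuesday" date are all assumptions chosen for illustration; a real program would tune the weights to its own data and feed the signals from its monitoring sources.

```python
"""Added example: exposure-weighted vendor scoring with two-hop sub-processor mapping.
All vendors, signals and weights below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Vendor:
    name: str
    intake_tier: str                   # the gut-feel tier assigned on intake day
    questionnaire_date: Optional[date]  # None means it was never returned
    data_classes: set                  # our data this vendor holds directly
    access: str                        # none / read / write / admin into our environment
    subprocessors: list = field(default_factory=list)
    signals: list = field(default_factory=list)  # observable events since the questionnaire


# Illustrative weights (assumptions), not a published scoring scheme.
SIGNAL_WEIGHTS = {"breach_disclosed": 5, "subprocessor_changed": 3,
                  "security_lead_left": 2, "cert_reissued_new_ca": 1}
DATA_WEIGHTS = {"pii": 3, "financial": 3, "logs": 1}
ACCESS_WEIGHTS = {"none": 0, "read": 1, "write": 2, "admin": 3}
STALE_AFTER_DAYS = 365   # a questionnaire older than this is a point-in-time artifact
STALE_PENALTY = 2        # applied when the questionnaire is missing or stale
UNMAPPED_PENALTY = 1     # a sub-processor we have no record for at all
MAX_HOPS = 2             # the vendor's vendors, and their vendors


def completion_rate(vendors):
    """The slide metric: share of vendors that returned a questionnaire."""
    return sum(v.questionnaire_date is not None for v in vendors.values()) / len(vendors)


def reachable_subprocessors(vendors, name, max_hops=MAX_HOPS):
    """Breadth-first walk of the sub-processor graph from `name`.
    Returns {subprocessor: hop_distance}; names absent from the inventory are
    recorded but not expanded. Cycles are safe because a name is recorded once."""
    hops, queue = {}, deque([(name, 0)])
    while queue:
        current, depth = queue.popleft()
        if depth == max_hops or current not in vendors:
            continue
        for sub in vendors[current].subprocessors:
            if sub != name and sub not in hops:
                hops[sub] = depth + 1
                queue.append((sub, depth + 1))
    return hops


def who_reaches(vendors, target):
    """Every inventoried vendor whose chain reaches `target` within MAX_HOPS:
    the blast radius of an incident at that sub-processor."""
    return {v for v in vendors if target in reachable_subprocessors(vendors, v)}


def exposure_score(vendors, name, today):
    """Evidence-based score: what they hold and touch, what has been observed
    about them and their sub-processors, and how stale our paperwork is."""
    v = vendors[name]
    score = sum(DATA_WEIGHTS.get(d, 1) for d in v.data_classes) + ACCESS_WEIGHTS[v.access]
    score += sum(SIGNAL_WEIGHTS.get(s, 1) for s in v.signals)
    for sub, hop in reachable_subprocessors(vendors, name).items():
        discount = 0.5 ** hop   # a signal matters less the further out it sits
        if sub in vendors:
            score += discount * sum(SIGNAL_WEIGHTS.get(s, 1) for s in vendors[sub].signals)
        else:
            score += discount * UNMAPPED_PENALTY
    if v.questionnaire_date is None or (today - v.questionnaire_date).days > STALE_AFTER_DAYS:
        score += STALE_PENALTY
    return score


def rank_by_exposure(vendors, today):
    return sorted(vendors, key=lambda n: exposure_score(vendors, n, today), reverse=True)


# Constructed inventory: five vendors, one of them rated medium-low on intake day.
INVENTORY = {v.name: v for v in [
    Vendor("payroll", "high", date(2024, 1, 15), {"pii", "financial"}, "write",
           subprocessors=["cloudstore"]),
    Vendor("observability", "medium-low", date(2024, 1, 20), {"logs", "pii"}, "read",
           subprocessors=["aiassist"], signals=["security_lead_left"]),
    Vendor("aiassist", "low", None, set(), "none",
           subprocessors=["cloudstore", "gpuhost"], signals=["subprocessor_changed"]),
    Vendor("cloudstore", "low", date(2023, 2, 1), set(), "none",
           signals=["breach_disclosed", "cert_reissued_new_ca"]),
    Vendor("crm", "medium", date(2024, 3, 1), {"pii"}, "write"),
]}
TODAY = date(2024, 6, 4)   # a Tuesday, fixed so the example is deterministic

if __name__ == "__main__":
    print(f"completion on the slide: {completion_rate(INVENTORY):.0%}")
    print("blast radius of a cloudstore incident:", sorted(who_reaches(INVENTORY, "cloudstore")))
    for n in rank_by_exposure(INVENTORY, TODAY):
        print(f"{n:14s} intake={INVENTORY[n].intake_tier:10s} exposure={exposure_score(INVENTORY, n, TODAY):.2f}")
```

With this inventory the slide reads 80% complete. The same data ranks the "medium-low" observability vendor second, just behind payroll and ahead of the "medium" CRM, because it holds PII in telemetry, lost its security lead, and sits two hops from a sub-processor with a disclosed breach and a questionnaire that is more than a year old. The two-hop walk also shows that a single incident at that storage sub-processor reaches three of the five vendor relationships, which is the answer the board is actually asking for.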

You can build this internally if you have the team. You can hire it as a managed service. You can buy a platform and operate it yourself. What you cannot do is keep running the questionnaire mill and call it risk management.

The completion percentage is a tell

If the strongest output of your TPRM program is a completion percentage on a slide, the program is doing the job of looking like a program. That is not nothing. It is also not the job.

The vendor your program does not surface is the one that finds you first.


If you want a one-page checklist for evaluating whether your TPRM program is surfacing real risk or just generating artifacts, reach out. We will send it.