We Are Measuring the Value of TPRM Wrong
Reflections on my presentation at apexanalytix Icon 2026 on building the supplier risk business case
In my presentation at Icon 2026 in Scottsdale/Phoenix, I wanted to put one point on the table immediately and directly: we are measuring the value of third-party and supplier risk management wrong. Too often, organizations build the business case for supplier risk management as though it were simply a technology purchase, a compliance exercise, or an efficiency project. That framing is too small. It misses the real value.
The business case for supplier and third-party risk management is not primarily about workflow, questionnaires, or even controls. It is about avoided disruption, avoided loss, improved decisions, preserved continuity, and the confidence to move faster through uncertainty rather than slower. That was the heart of my session, Building the Supplier Risk Business Case: Quantifying Avoided Disruption and Loss, and it was a message that clearly resonated with the room.
Before going further, I want to thank apexanalytix for having me at Icon 2026, both on the analyst panel and in this breakout session. It was an excellent event, with a highly engaged audience and the kind of practical conversation that makes a conference worthwhile. People in the room were not there to be entertained by vague promises. They were there to work through a very real challenge: how to articulate the value of supplier risk management in a way that business leaders, finance leaders, procurement leaders, and risk leaders will actually support.
The business case has been framed too narrowly
For too many organizations, the TPRM story sounds something like this: better controls, better compliance, more streamlined onboarding, less manual work. None of that is wrong. It is simply incomplete.
Supplier and third-party risk management is a strategic business capability. It helps the organization understand and navigate uncertainty across the extended enterprise. It helps avoid fraud, disruption, cyber incidents, compliance failures, operational breakdowns, and supplier-driven surprises. It helps leaders understand what is actually at risk if a relationship fails. And it helps the organization move ahead with greater confidence because it is no longer operating blind.
That is why I argued in the session that TPRM should not be the handbrake. It should be the navigation system. It should help the organization steer safely through uncertainty toward its objectives in third-party relationships.
The modern organization is the extended enterprise
A core starting point in my presentation was that the modern organization is not limited to its employees, facilities, and owned assets. It is the extended enterprise: a network of suppliers, logistics partners, outsourcers, cloud providers, software vendors, manufacturers, agents, contractors, and service providers. Across industries, large portions of how value is created and delivered now happen across that network.
That changes the risk conversation fundamentally. If the business operates through third parties, then risk in those relationships is not peripheral. It is risk to the business itself. A supplier cyber incident, sanctions issue, fraud event, continuity failure, or labor problem is not someone else’s issue. It is the enterprise’s issue. That is why supplier risk is not an external side topic. It is central to how objectives are achieved.
The baseline is instability
Another point I stressed is that the baseline in the extended enterprise is not stability. It is instability. Too many organizations still act as though disruption is the exception and calm is the norm. That is backwards. Suppliers change ownership. Financial health shifts. Regulations evolve. Cyber vulnerabilities emerge. Sanctions lists change. Extreme weather disrupts facilities. Transportation routes break down. The baseline is motion, change, and uncertainty.
That is why I used the image of a lighthouse in a storm. A lighthouse is not built for calm seas. It exists because instability is the operating context. TPRM has to be understood the same way. It is not there to manage rare exceptions. It exists because instability is normal. That means one-and-done onboarding, annual reviews, and static spreadsheets are not enough. Organizations need continuous visibility, sensing, prioritization, and response.
We focus too much on spend and not enough on value at risk
One of the most persistent mistakes I see is the assumption that the suppliers with the largest spend are automatically the riskiest. Spend matters, but spend does not equal exposure. A relatively small supplier can create enormous risk if it sits at a critical dependency point. A niche technology vendor with privileged access can create serious cyber exposure. A small sole-source supplier can halt production. A modest service provider handling banking or master data can become a fraud pathway.
This is where value at risk becomes essential. The better question is not simply what we spend with a supplier. The better question is: what is at risk if this supplier fails, is compromised, or creates disruption? That is the strategic lens leadership needs. It captures revenue, continuity, customer impact, compliance exposure, brand harm, and operational dependency, not just spend.
Too much TPRM is still looking in the rearview mirror
I also pushed on a point I feel strongly about: too much supplier and third-party risk management is still backward-looking. It tells us what questionnaire was completed, what review was filed, what issue was documented, and what approval happened. That may satisfy a recordkeeping instinct, but it often does little to help the organization see what is coming.
The rearview mirror matters, but you cannot drive by staring into it. You need to see the road ahead. TPRM has to become more present-aware and future-aware through better data, continuous monitoring, event-driven intelligence, and scenario analysis. The real value is not in describing the past more elegantly. It is in helping the organization anticipate the future with fewer surprises.
Risk is our business
Yes, I brought Captain Kirk into the room. Again.
I used the familiar Star Trek line, “Risk is our business,” because it gets to something important. Risk is not an exception to business. It is inherent in any mission worth pursuing. The question is not whether risk exists. The question is how intelligently the organization understands, governs, and navigates it.
That is especially true in the extended enterprise. If the business creates value through suppliers, service providers, and partners, then risk in those relationships is inseparable from the mission of the business itself. A third-party cyber incident, supplier failure, sanctions issue, corruption event, or continuity disruption is part of our business reality. TPRM, then, is not about becoming risk averse. It is about becoming mission capable in uncertainty.
TPRM requires orchestration
Supplier and third-party risk management is also inherently cross-enterprise. Procurement, finance, AP, legal, compliance, information security, privacy, sustainability, operations, and business owners all see different dimensions of third-party exposure. Without orchestration, the result is duplication, delay, supplier fatigue, conflicting data, and fragmented decisions.
That is why I used the metaphor of the orchestra and the conductor. Each function may be highly skilled, but without a conductor you do not get harmony. You get noise. Mature TPRM requires orchestration across strategy, process, information, and technology. That is not merely a nice design principle. It is what makes the function coherent enough to actually reduce exposure and support better decisions.
The value model: efficiency, effectiveness, resilience, and agility
The centerpiece of the session was the four-part model I use to frame TPRM value: efficiency, effectiveness, resilience, and agility. The business case is far stronger when it includes all four.
- Efficiency is the traditional ROI story: time saved, money saved, friction reduced, duplicate work eliminated, and capacity created. But efficiency is most powerful not because it cuts cost. It is powerful because it frees skilled people from administrative mechanics so they can spend more time on planning, analysis, and action.
- Effectiveness is where the case gets more strategic. You can make a process faster without making it better. Effectiveness asks whether exposure is actually being reduced. Are risky suppliers identified earlier? Are fraud exposures blocked? Are control failures and preventable issues reduced? That is why I emphasized: measure exposure reduced, not just controls added.
- Resilience is the ability to anticipate, absorb, and recover from disruption. No program eliminates all risk. The question is whether the organization can detect change faster, escalate sooner, understand dependencies better, and keep an issue from becoming a crisis.
- Agility is where TPRM becomes a true business enabler. It means moving ahead through uncertainty with speed and confidence. It means onboarding strategic suppliers faster, adapting to regulatory change, running scenario analysis more effectively, and shifting the function from reactive administration to predictive and prescriptive support.
Together, these four dimensions tell a fuller and more credible story than ROI alone ever can.
Quantification has to move beyond activity
A big part of the session was focused on quantification. We can and should measure more than activities completed. We can measure reductions in high-risk exposure, improvements in detection speed, reductions in unresolved critical issues, movement from inherent to residual risk, blocked fraud pathways, avoided loss events, faster response, and stronger continuity preparedness.
In the examples I used, including a large retailer case, the story quickly grew beyond labor savings into avoided fines, avoided legal costs, fraud prevention, cyber exposure reduction, and materially lower loss potential. That is exactly the point. Once organizations start quantifying avoided disruption and avoided loss, the conversation becomes much bigger than “better process.”
The end game is business confidence
I closed the session with what I believe is the real destination of this whole discussion: business confidence. Not blind optimism. Not the illusion of zero risk. But informed confidence. Confidence that the organization understands its third-party ecosystem well enough to act. Confidence that it can move with the right mix of speed and rigor. Confidence that it can identify meaningful uncertainty early enough to avoid surprise. Confidence that it can absorb disruption without losing continuity. Confidence that it can move forward strategically through a world where instability is the norm.
That is why we have to stop measuring TPRM value as though it were merely a control cost or a workflow automation story. We need to measure it in terms of avoided disruption, avoided loss, reduced uncertainty, stronger decisions, greater resilience, and better business confidence.
That is the call to action I brought to Icon 2026. Judging from the engagement at the conference, it is a conversation this market is ready to have.
