
Assess + Operate · Third-party risk

The risk you inherit from the vendors you depend on.

Your security is now only as good as your suppliers', and most organisations cannot name their riskiest vendors, let alone evidence that they have assessed them. We inventory and tier your vendor estate by the access and data they actually hold, assess the ones that matter, and, if you want it, run the program as a standing service so the register never goes stale.


Scope agreed in writing before any work. No obligation.

[Figure: Vendor estate, tiered by risk. Critical: 3 · High: 6 · Medium: 9. Assessed by tier.]

Tiered by access and data held · A repeatable scoring method · Assess once, or run continuously

Three positions a vendor estate reaches.

01

An unmapped vendor estate

Procurement, shadow purchasing, and acquisitions have left you with more suppliers than anyone has counted, and no clear view of which could hurt you. The first task is simply seeing the estate.

02

A questionnaire you cannot answer

A customer, an auditor, or a regulator has asked how you manage third-party risk, and the honest answer today is a spreadsheet someone started once. You need a method, not a one-off scramble.

03

Concentration and supply-chain reach

A handful of providers underpin your critical operations, and obligations like APRA CPS 230 and the SOCI Act now make their risk explicitly yours. You need that concentration surfaced and managed.

What you are commissioning

Two engagements, assess then run.

This page is backed by two named engagements: the assessment that maps and tiers your vendor estate, and the managed service that keeps the register current as it changes. Each is scoped on its own, and the assessment stands alone.

Assess track · Typically 2–4 weeks

Third-Party Risk Assessment

Understand the risk you inherit from the vendors you depend on.

Best for organisations with a growing or unmapped vendor estate.

Includes

  • Inventory and tiering of your vendors by the access and data they hold
  • Risk review of your critical and high-tier suppliers
  • A repeatable scoring method you can keep using

Deliverables

  • Third-party risk register
  • Vendor tiering model

Operate track · Standing, sized to the estate

Managed Third-Party Risk

Vendor risk run for you, as a standing service.

Best for teams with a large or fast-moving vendor estate.

Includes

  • Ongoing tiering and review of your vendor estate
  • New-vendor assessments as they arrive
  • A risk register kept current

Deliverables

  • Maintained third-party risk register
  • New-vendor assessments

The method

How we make vendor risk manageable.

01

Inventory and tier by what they actually hold

Vendors are tiered by the access, data, and operational dependence they carry, not by spend or by who shouts loudest. A low-cost tool with admin access to your estate outranks an expensive supplier that never touches your data, and the tiering says so.

02

Assess the ones that matter, properly

Critical and high-tier suppliers get a real review against the access and data they hold, rather than a self-attestation taken at face value. The depth follows the tier, so effort lands where the risk is.

03

A method you can keep using

You leave with a repeatable scoring method, not just a snapshot, so new vendors can be assessed consistently as they arrive rather than each one being argued from scratch.

04

Run it, or keep it

Take the method in-house and run it yourself, or hand the ongoing tiering, new-vendor assessments, and register upkeep to us as a standing service. The register stays portable either way.

The obligation

Your regulators now count your suppliers as yours.

Third-party risk has moved from good practice to explicit obligation, and the standards reach through you to your providers.

  1. APRA CPS 230 makes you accountable for material service providers and concentration risk
  2. The SOCI Act's supply-chain hazard domain is part of the risk-management program
  3. ISO 27001 and SOC 2 both expect a managed, evidenced supplier-risk process

Questions

What teams ask about this engagement.

How do you decide which vendors to assess?

By tier. We inventory the estate, then tier each vendor by the access, data, and operational dependence it carries. Critical and high-tier vendors get a full assessment; lower tiers get a lighter, proportionate review. Spending the same effort on every vendor is how programs stall.

Do you just send security questionnaires?

A questionnaire is a starting point, not the answer. We weight it against the access and data the vendor actually holds, look for corroborating evidence such as a current SOC 2 or ISO 27001 certificate, and rate the residual risk you carry rather than the assurances the vendor offers.

Can you run this as an ongoing service?

Yes. The managed engagement keeps the tiering and register current, assesses new vendors as they are onboarded, and reviews critical suppliers on a cycle, so third-party risk is a maintained capability rather than an annual project. It is sized to the estate and reviewed on your terms.

How does this connect to our APRA or SOCI obligations?

Directly. Both regimes make you responsible for the risk your material service providers carry, including concentration and exit risk. The tiering and register we build feed straight into a CPS 230 service-provider map or a SOCI supply-chain hazard assessment.

What do we walk away with?

A third-party risk register and a vendor tiering model from the assessment, and, under the managed service, a maintained register with new-vendor assessments delivered as they arrive.

Alvor Advisory

Scope it before you commit to it.

One conversation, then the scope and the price in writing. Your enquiry arrives already marked for third-party risk.

© 2026 Alvor, Inc. All rights reserved.
