No One is Actually in the Business of TPRM

Author: Natalie Druckmann, Head of EMEA at Certa
Here’s the truth my experience in third-party risk management (TPRM) has taught me: none of us are actually in the business of managing risk. We’re in the business of our business.
When I worked at a defense startup, the business wasn’t “supplier oversight.” The business was designing silicon chips and PCBs for mission-critical defense systems. At a pharmaceutical or life sciences company, the business isn’t “compliance management.” The business is getting life-saving medicines onto shelves and medical equipment into operating theaters. The TPRM work — as essential as it is — is not the mission. It’s the scaffolding that helps the mission happen safely.
Which is why a question has been stuck in my mind ever since: What happens when we remove the burden of “the TPRM business” from the business?
What happens when low-risk suppliers can be onboarded in two minutes instead of two months? When high-risk partners can be fully evaluated in five or ten days? What does that do for speed-to-market, innovation, resilience, and operational momentum?
Because honestly, I don’t know anyone who gets excited about a due-diligence cycle completed in three days instead of seven. The real excitement — the real impact — comes from the chain reaction that speed unlocks: faster launches, faster procurement, faster scaling, faster experimentation. Better business outcomes, sooner.
But here’s the catch: most organisations will never feel that acceleration, because they’ve built TPRM backwards.
The Real Problem: TPRM Is Designed Backwards

Ask any third-party risk team how they spend their time, and the answer is almost always the same: chasing evidence, interpreting documents, and wrestling with tools that were never designed for how the business actually operates.
That’s because the system was built upside down. Most organisations create TPRM programs like this:
- Start with the controls
(“What does the regulator require?”)
- Build a workflow around them
(“Who needs to sign off, and in what order?”)
- Plug the business in at the very end
(“Sorry, it’ll take 42 days — that’s the process.”)
When you start with regulation instead of the business, you’re immediately designing for maximum friction. You end up with bloated questionnaires, redundant reviews, static workflows, and an operational drag that slows everything the company actually exists to do.
The Fix: Design TPRM Forward, Not Backward

A modern TPRM program should follow this sequence:
- What decisions does the business need to make?
Speed to market, ability to experiment, geographical expansion, improved vendor agility.
- What risks matter to those decisions?
Not everything — just the ones that truly change the outcome.
- What controls address those risks?
Purpose-built, minimal, and evidence-driven.
- What technology automates and accelerates all of it?
Not to replace people — but to eliminate the repetitive work no human should waste time on.
This is the core of forward design:
Business → Risk → Controls → Tech
Not the other way around.
Why AI Makes Forward Design Finally Possible

Until recently, organisations defaulted to backward design for a simple reason: humans had to manually do all the work. If risk teams needed to review every document, check every control, and touch every supplier, then the process had to be heavyweight.
AI changes that completely.
AI can now:
- Read and analyse documents
- Map evidence to your framework
- Flag inconsistencies
- Segment suppliers dynamically instead of statically
- Surface only the items requiring human judgment
- Reduce onboarding timelines for low-risk suppliers from weeks to minutes, while higher-risk partners still get a full review
This means you no longer need to design TPRM around human capacity.
You can design it around business agility.
AI frees risk teams from the administrative work they were never meant to do and gives them the capacity to focus on judgment, context, and advising the business — the things humans uniquely excel at.
When TPRM Works the Right Way, It Stops Feeling Like TPRM

In a forward-designed, AI-enabled TPRM model:
- Risk teams stop being gatekeepers.
- The business stops seeing risk as friction.
- Onboarding stops being a bottleneck.
- Decisions happen earlier, cleaner, and faster.
- The entire function becomes a strategic capability, not a compliance chore.
This is what it looks like when TPRM shifts from “the business of managing risk” to supporting the business you are actually in. TPRM becomes a competitive advantage in designing silicon chips, getting life-saving medicines to patients, and doing everything else that is crucial to your business.
And if you want to experience what that shift feels like — in days, not quarters — contact Certa. We’d love to show you how AI-native TPRM can finally be designed the right way around.
