Third-party and supply chain risk management

Organisations in Switzerland increasingly rely on third parties, suppliers, vendors, outsourced service providers and cloud platforms to support critical business operations. These dependencies introduce cyber, operational and regulatory risks that organisations must manage through structured third-party risk management (TPRM), supplier risk management and supply chain cyber risk management programmes. Forvis Mazars in Switzerland provides TPRM and supply chain cybersecurity services covering the full lifecycle - from due diligence and vendor assessments through to supplier and third-party audits and supply chain cyber risk management. We help organisations strengthen governance, assess supplier and vendor risks, improve oversight of outsourced activities and align with EU and Swiss regulatory requirements, including FINMA expectations for outsourcing and operational resilience.

Our TPRM and supply chain cybersecurity services

TPRM lifecycle design and review
 

We support organisations in establishing, reviewing and strengthening TPRM frameworks across the entire vendor lifecycle. Our services cover due diligence, onboarding, risk classification, contract governance, ongoing monitoring and offboarding processes for suppliers, vendors and outsourced service providers. We also assess existing TPRM programmes and supplier risk management frameworks to identify governance gaps, control weaknesses and regulatory exposure. 

Supply chain cyber risk management advisory

Cybersecurity in supply chain operations has become a major operational and regulatory challenge for organisations operating in Switzerland. A vulnerability affecting a supplier, vendor or outsourced service provider can expose organisations to cyber incidents, operational disruption and reputational damage.

We provide supply chain cyber risk management and supply chain cybersecurity advisory services to help organisations identify critical dependencies, assess supplier-related cyber risks and strengthen cybersecurity supply chain governance. Our work includes supply chain cyber risk assessments, cybersecurity in supply chain reviews and cyber supply chain risk management advisory aligned with recognised frameworks and regulatory expectations.

Third-party risk assessments and vendor risk assessments

Understanding the risk profile of your vendors and suppliers requires more than a questionnaire. We conduct comprehensive third-party risk assessments, vendor risk assessments, supplier risk assessments and vendor security assessments covering cybersecurity controls, operational resilience and regulatory compliance. Assessments are based on established standards and frameworks, and deliver clear risk ratings and prioritised recommendations giving organisations the visibility they need to make informed decisions about their supplier relationships.

Third-party audits, supplier audits and vendor audits

We perform independent third-party audits, supplier audits, vendor audits and supply chain audits of critical service providers, outsourced partners and suppliers supporting operationally important functions.

These independent audits assess cybersecurity controls, governance frameworks, operational resilience capabilities and compliance with contractual and regulatory obligations. Audit results are documented in structured audit reports containing findings, risk observations and recommendations to strengthen control environments and supplier oversight.

When do organisations seek TPRM support?

• preparing for FINMA reviews or regulatory audits,
• onboarding a critical supplier, vendor or outsourced service provider,
• strengthening vendor risk management or supplier risk management programmes,
• responding to a third-party cyber incident or operational disruption,
• conducting a third-party audit, supplier audit or vendor audit,
• assessing cloud service provider risks,
• reviewing outsourcing governance and operational resilience frameworks,
• preparing for regulatory assessments or compliance reviews,
• improving oversight of critical third parties and supply chain dependencies.

We support organisations ranging from SMEs to large international groups in Switzerland and abroad. Our clients operate across banking, insurance, asset management, healthcare, manufacturing, technology and many other sectors — particularly organisations relying on suppliers, vendors, outsourced service providers or complex supply chains to support critical business operations.
Consultants assessing third-party and supply chain cybersecurity risks through vendor risk management and supplier risk assessment

FAQ about TPRM and supply chain cybersecurity

What is third-party risk management (TPRM)?

Third-party risk management (TPRM) is the process of identifying, assessing and managing risks arising from relationships with suppliers, vendors, outsourced service providers and other third parties. A structured TPRM programme helps organisations manage cyber, operational, regulatory and supplier-related risks across the entire third-party lifecycle.

What is the difference between vendor risk management and supplier risk management?

Vendor risk management and supplier risk management are both components of third-party risk management. Vendor risk management typically focuses on technology vendors and outsourced service providers, while supplier risk management addresses risks associated with suppliers supporting operational and business activities. Both require structured governance, risk assessments and ongoing monitoring processes.

What is included in a third-party risk assessment?

A third-party risk assessment evaluates cybersecurity controls, governance structures, operational resilience capabilities, data protection measures and regulatory compliance of a supplier, vendor or outsourced service provider. Assessments typically include vendor security assessments, supplier risk assessments and control reviews to identify critical risks and dependencies.

When is a third-party audit or supplier audit required?

A third-party audit, supplier audit or vendor audit is typically required when a supplier or outsourced service provider supports critical business functions, processes sensitive information or operates within a regulated environment. Independent audits help organisations assess control effectiveness, strengthen oversight and support regulatory and audit requirements.

What is supply chain cyber risk?

Supply chain cyber risk refers to cybersecurity threats and vulnerabilities introduced through suppliers, vendors, cloud providers and outsourced service providers. Weak cybersecurity controls within the supply chain can expose organisations to cyber incidents, operational disruption and regulatory consequences, even where internal controls are strong.

Which regulations and frameworks are relevant to TPRM in Switzerland?

In Switzerland, FINMA-regulated organisations must maintain appropriate oversight of outsourced activities and third-party risks. Third-party risk management programmes are commonly aligned with FINMA outsourcing expectations, the Swiss Data Protection Act (DSG) and recognised frameworks such as NIST CSF, COBIT and ISO 27001.

Plus d’infos ?