When a supplier compliance failure surfaces — an expired certification nobody caught, a sanctions match that slipped through, a tax document that was never re-verified — the instinctive response is usually to write a new policy. Add a step to the checklist. Require an extra sign-off. This almost never fixes the actual problem, because in most enterprises, compliance failures aren’t policy failures.
They’re data failures. The policy said the right thing. The data needed to enforce it simply wasn’t in one place, in one format, where anyone could act on it in time.
Why More Policy Doesn’t Fix a Data Problem
Procurement and compliance teams tend to respond to risk events the way most organizations respond to any failure: by adding process. But a new approval step doesn’t help if the underlying issue is that the same supplier exists as three different records across three systems, each with slightly different information, and nobody has a single view of which version is current. Adding a fourth person to review the fifth version of a spreadsheet doesn’t solve a fragmentation problem — it just adds latency to a process that was already too slow to catch the risk in real time.
This pattern shows up clearly in adjacent risk disciplines that have already been forced to confront it head-on. Gartner’s Predicts 2026 research on third-party risk management makes a related point directly: organizations have historically over-relied on point-in-time, self-reported due-diligence questionnaires to make risk decisions — Gartner estimates 62% of organizations still place excessive trust in this approach — and that model is structurally unable to keep pace as vendor ecosystems expand and the underlying risk becomes more dynamic.
A questionnaire filled out once during onboarding tells you almost nothing about whether that supplier is still compliant eighteen months later. The problem isn’t that the questionnaire asked the wrong questions. It’s that a static document can’t represent a status that changes continuously.
The Real Cost of Fragmentation
Gartner’s analysis goes further, predicting that by 2028, organizations that integrate previously siloed risk and compliance functions onto a unified platform will achieve more than 20% reductions in labor and technology costs — while organizations that keep those functions fragmented will face complexity that becomes structurally unsustainable.
That’s not a minor efficiency gain. It’s a statement that fragmentation itself has a compounding cost, separate from and in addition to whatever specific compliance failure it eventually produces.
For procurement specifically, fragmentation tends to show up in a few recognizable forms:
Vendor master data drift. The same supplier registered slightly differently across business units or ERPs, with no reliable way to confirm you’re looking at a complete, current picture of that relationship.
Compliance documentation with no expiry tracking. A certificate of insurance, a tax exemption form, or a quality certification that was valid at onboarding but has since lapsed, with no automated trigger to catch the lapse before it matters.
Risk signals that live outside the procurement system entirely. A supplier’s financial distress, a regulatory action in their home country, or a quality incident reported by another business unit — information that exists somewhere in the enterprise but never reaches the people making the next sourcing decision involving that supplier.
What Actually Closes the Gap
The fix that both the broader third-party risk literature and procurement-specific research point toward is the same: move from periodic, manual verification to continuous, structured data that compliance status is checked against automatically.
Centralize supplier records at the point of creation. If onboarding creates a clean, structured supplier record rather than a folder of documents, every downstream compliance check has something reliable to check against.
Automate the checks that currently depend on someone remembering. Tax validation, banking verification, and certificate expiry tracking should be system-triggered events, not calendar reminders that depend on an individual’s diligence.
Make compliance status visible at the point of decision. A category manager deciding whether to award new business to a supplier should see that supplier’s current compliance status in the same screen where they’re making the sourcing decision — not in a separate compliance team’s tracker that requires a follow-up email to check.
Treat data quality as a procurement KPI, not just an IT concern. HFS Research’s broader analysis of the S2P market identifies structured, accurate data as the actual precondition for any AI-driven orchestration enterprises want to build — supplier compliance risk is simply the sharpest-edged version of that same underlying problem.
The Reframe
None of this means policy doesn’t matter. It means policy is necessary but not sufficient — a well-written compliance requirement that depends on fragmented, manually-maintained data will fail in exactly the same way regardless of how carefully it’s worded. The organizations actually reducing supplier compliance risk aren’t the ones with the strictest policies. They’re the ones that stopped trying to enforce policy against bad data and fixed the data instead.
Sources: Gartner, “Predicts 2026: Third-Party Cybersecurity Risk Management Evolves for the AI Era,” 2026 (via Reflectiz, RiskRecon coverage). HFS Research, “CPOs Must Unite Enterprise Processes, Platforms, and People for AI-Enabled Outcomes,” 2026.






