A supplier questionnaire is a photograph. It tells you how things looked on the day it was filled in. Risk, though, is a film - it keeps moving after the shutter clicks.
The first failure is time. The control that was in place in January can be gone by March; the questionnaire will still say it’s fine until next year’s round.
The second is capacity. A small assurance team facing thousands of suppliers cannot chase, read and score questionnaires fast enough to keep any of them current. The maths simply does not work - so coverage quietly collapses to the noisiest few suppliers.
Continuous assurance changes the ratio and the cadence:
The questionnaire still has its place - as one input, not the whole picture. The shift is from an annual event to a living position.
You don’t need more questionnaires. You need the work to happen on the platform instead of in your inbox, and the picture to stay current between assessments. That is the difference between a photograph and a film.