Why Risk Intelligence Needs to Live Inside Your Workflow 

Risk teams aren’t short on data. They’re short on time to do something with it. And the numbers show just how wide that gap has become: 73% of financial institutions have two or fewer full-time employees managing vendor risk, even though more than half oversee 300+ vendors (Ncontracts, 2025). This gap, between having information and actually acting on it, is where third-party risk programs run into trouble. We spoke with Stefan Peekel, Chief Growth Officer at Owlin, about why a mix of monitoring tools is no longer sufficient and what changes when risk intelligence is embedded where decisions are made.

Has the pace of risk outgrown the old playbook?

“Not long ago, periodic reviews and manual searches were enough. Supply chains were smaller and less complex, so risks were easier to manage. That’s no longer the world vendor risk teams operate in. Organizations now work with thousands of suppliers, partners, and third-, fourth-, and nth-party entities spread across multiple countries and jurisdictions.

A legal dispute, a sanctions update, a financial issue, or an ESG controversy can reshape a supplier’s risk profile in a matter of hours. Moreover, the cost of missing those signals is real: third-party and supply chain compromises cost financial organizations an average of $4.91 million per incident (IBM, 2025), making them the second most expensive breach vector after malicious insider attacks. Add rising regulatory pressure, the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) being one prominent example, and continuous, risk-based monitoring is no longer a nice-to-have. It is an expectation.”

Many organizations already have mature risk environments. Where does risk-based monitoring still fall short?

“Most mature organizations already have TPRM platforms, procurement systems, compliance workflows, and vendor management tools in place. The issue is that their continuous risk monitoring often sits in yet another separate dashboard. Standalone solutions can work well for smaller teams, but as risk departments grow in size and complexity, separate dashboards create more friction than value.

Moreover, that friction is measurable. A Harvard Business Review study found the average digital worker toggles between applications nearly 1,200 times per day, spending almost four hours per week just reorienting themselves, roughly 9% of their annual work time (Murty et al., 2022). For a risk analyst, every one of those switches is a moment where a signal can be missed, or an investigation loses its thread. Fragmented tooling does not just slow analysts down; it introduces the risk of decisions made without the complete picture.

There is also a subtler problem: AI-powered features are only as useful as the data feeding them. Flashy capabilities do not matter if the underlying intelligence is not trusted, standardized, or explainable. Owlin focuses on delivering exactly that: adverse media, sanctions, and PEP insights delivered via AI-generated scores, events, and summaries that give teams context they can act on.”

If adding another platform is not the answer, what is?

“Intelligence should travel to the workflow, not the other way around. Risk teams already have established processes and systems; asking them to adopt yet another platform only adds complexity. From day one, Owlin was built to integrate into existing ecosystems. We deliver adverse media monitoring, PEP, sanctions, and real-time alerts directly into the systems organizations already use every day: no extra logins, no context switching, no signals falling through the cracks between tools.

A good example is our partnerships with Coupa, ServiceNow, NContracts, and Aprovall: vendor risk teams access continuous risk intelligence directly within their existing environment, without ever leaving the platform where they already manage vendor relationships. When you consider that only 47% of TPRM tasks are currently automated across financial institutions (KPMG, 2022), meeting analysts inside their existing workflow is one of the fastest ways to close that gap without asking teams to change how they work.”

Some buyers worry that ‘embedded’ means shallow, that an integration can’t match the depth of a dedicated platform. How do you answer that?

“It’s a fair concern, and it’s the right question to ask. Embedded shouldn’t mean diluted. The distinction is between where the intelligence lives and how deep the intelligence goes. Owlin delivers the full depth (chain-of-events analysis, risk lenses, AI summaries, per-entity scoring) while surfacing it within the tools teams already use. Standard database checks catch sanctions and PEP hits, but they miss adverse media across languages, emerging financial-crime indicators, and ESG red flags buried in the supply chain. The goal is to bring that full analytical depth to the point of decision, not to trade depth for convenience. You shouldn’t have to choose.”

Does this signal a broader shift in how organizations think about risk technology?

“Absolutely. For years, the default assumption was that giving people a dashboard with enough data would lead them to the value. That era is ending. Intelligence needs to be embedded directly into business processes.

Risk monitoring shouldn’t be a separate activity that happens in isolation; it should be part of everyday decision-making. And that shift isn’t just philosophical. When risk signals arrive inside the tools your team already uses, they’re more likely to be seen, acted on, and tied to the right vendor relationship. The future isn’t standalone monitoring platforms. It’s connected ecosystems where intelligence flows between systems, teams, and workflows.”

What advice would you give organizations preparing for increasing regulatory expectations?

“Focus on making intelligence actionable. Most organizations don’t have a data problem; they have an integration problem. The challenge is ensuring the right people receive the right information at the right moment, in a format they can immediately use.

This matters more under regulations like CSDDD and DORA, which don’t just ask whether you monitored a supplier; they ask whether you can demonstrate continuous, auditable oversight and act on what you find. CSDDD promotes ongoing due diligence across the value chain, and DORA (Articles 28-30) sets explicit expectations for managing third-party ICT risk in financial services (European Parliament and Council of the European Union, 2022). Both reward programs where monitoring is woven into daily operations rather than bolted on as a periodic check.

Risk intelligence is becoming infrastructure. It’s moving from periodic to continuous, from manual to scalable, from separate tools to embedded workflows. The organizations that get ahead won’t necessarily be the ones with the most data. They’ll be the ones that have woven intelligence into how decisions get made, every day.”

See what embedded risk intelligence looks like in practice.

Your team doesn’t need another dashboard. They need the right intelligence within the tools they already use, at the moment it matters. Book a demo and get a real view of how Owlin fits into your third-party risk workflow.

Schedule a demo

Sources

European Parliament and Council of the European Union. (2022). Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act). Official Journal of the European Union.

IBM. (2025). Cost of a data breach report 2025.

KPMG. (2022). TPRM challenges continue for financial services institutions.

Ncontracts. (2025). Ncontracts 2025 third-party risk management survey: Trends & insights for financial institutions [White paper].

Murty, R. N., Dadlani, S., & Murty, R. B. (2022). How much time and energy do we waste toggling between applications? Harvard Business Review.