TPGRC: Why “supplier compliance” is no longer the right name for the field

In most procurement and risk conversations, “supplier compliance” is still the working label. It sounds operational, contained, and reasonably modest in scope: collect a few certificates, verify a few attestations, archive what arrives, chase what doesn’t.

The label has the advantage of describing a real activity that most large organisations have been doing for years.

It also has a quieter disadvantage: it badly underrepresents what is now actually expected of the function.

The proper name for the field, TPGRC (Third-Party Governance, Risk and Compliance), is more than terminology pedantry. It captures a scope expansion that has already happened on the ground, even when the org chart hasn’t caught up.

The TAG Heuer case — a Swiss luxury watchmaker inside LVMH that rebuilt its third-party programme around Aprovall — is one of the cleanest illustrations of why the language matters.

Quick read

  • “Supplier compliance” describes a narrow, document-centric activity that most companies still organise around.
  • TPGRC captures the real scope: governance of the third-party portfolio, structured risk management, and continuous compliance — across legal, ethical, environmental and operational dimensions.
  • The trigger for the rename isn’t fashion: it’s the simultaneous arrival of multi-tier visibility expectations, ESG/CSRD reporting, devoir de vigilance, DORA, NIS2, and decarbonisation accounting.
  • TAG Heuer (LVMH group, ~2,000 employees, 500 suppliers, deployment in 6 months, +80% supplier completion) shows what the scope expansion looks like in practice, including supply chain visibility down to tier 4–5 and CO₂ data collection.

What is TPGRC?

TPGRC (Third-Party Governance, Risk and Compliance) is the evolution of traditional supplier compliance into a broader operational discipline that combines:

  • governance of third-party relationships,
  • risk segmentation and monitoring,
  • and continuous compliance management.

Unlike traditional supplier compliance, which focused mainly on collecting and validating documents, TPGRC integrates ESG, cyber risk, supplier criticality, regulatory exposure, multi-tier visibility, and operational resilience into a single third-party management framework.

What “supplier compliance” originally meant, and why it stopped being enough

Strip away the modern jargon and “supplier compliance” historically meant three things:

  • collect the legally required documents (URSSAF, fiscal attestations, insurance certificates, work permits),
  • verify that they’re current,
  • and store them somewhere defensible.

It was an audit-driven discipline, owned mostly by Procurement or Legal, with a rhythm that matched the regulatory cycle: annual or semi-annual document pull, document check, archive.

That framing held for a long time because the compliance perimeter was relatively stable.

Documents were known, the list was finite, and the third party was treated as a discrete entity to be checked rather than a node in a value chain to be understood.

The work was real and necessary, but it was bounded.

What changed

What broke that framing wasn’t a single event. It was a sequence of additions, each individually defensible, that collectively pushed the function well past its original scope.

The regulatory perimeter widened

Devoir de vigilance (France), CSRD (EU), DORA, NIS2, conflict minerals reporting, the Modern Slavery Act and adjacent frameworks each added new third-party obligations.

None replaced the old documentary perimeter. They added on top.

The signal of interest moved beyond legality

Buyers and risk functions now want ethical, environmental and cyber signals, not as a side report, but inside the core supplier file.

The depth of view extended below the immediate supplier

A tier-1 supplier’s certificate tells you increasingly little if the actual risk lives in tier 3 or tier 4.
Subcontracting cascades have become the visible part of the compliance perimeter.

Decarbonisation accounting hit procurement

Once Scope 3 emissions became the largest category for many companies, the procurement function discovered it owned the data collection problem — and that the data lived with suppliers.

The supplier became the user

“Compliance” used to be done to suppliers; now the function depends on the supplier’s willingness to engage with portals, questionnaires and ongoing data updates.

Each of these shifts is well-known. What is less often acknowledged is what their accumulation does to the vocabulary.

“Supplier compliance” is no longer descriptive; it’s a residual term from a smaller world.

Supplier compliance vs TPGRC

Traditional supplier compliance | TPGRC
Focused on document collection | Focused on governance, risk and compliance
Mostly annual verification cycles | Continuous monitoring and updates
Binary compliant/non-compliant logic | Risk-based segmentation and prioritisation
Procurement-led operational process | Multi-function governance model
Tier-1 visibility | Multi-tier supply chain visibility
Legal and administrative focus | ESG, cyber, operational and regulatory scope
Supplier as respondent | Supplier as active participant
Limited integrations | Connected to ERP, SRM, ESG and risk systems

Why TPGRC is the right name

The proper label, Third-Party Governance, Risk and Compliance, makes three commitments that “supplier compliance” no longer makes.

Governance

The function is no longer just an operational task; it has policy, scope, ownership, escalation and reporting components.

Questions like:

  • Who decides which third parties are critical?
  • On what criteria are they segmented?
  • Who can override a non-compliance?
  • How are decisions traced for the regulator?

These are governance questions, not compliance questions.

A programme without explicit governance is one that quietly defaults to whoever has time.

Risk

Compliance is binary: a document is valid or it isn’t. Risk is graduated.

A supplier may be technically compliant but financially fragile, geographically exposed, ESG-weak, or critically irreplaceable.

TPGRC requires a risk model that runs alongside the documentary check, not just a status flag.

Compliance

This part is preserved, and rightly so. The documentary discipline doesn’t disappear; it becomes one of three layers, not the only one.

The order of the letters is also worth noting. Governance first, because without it the rest is reactive.

Risk before compliance, because risk dictates which compliance to prioritise rather than treating every supplier identically.

Compliance last, not because it matters least, but because it is now the floor rather than the ceiling.

TAG Heuer: a real-world example of TPGRC in practice

The TAG Heuer case is useful precisely because it lands in a sector where “supplier compliance” still felt like the right label until recently.

Luxury watchmaking has a long-standing relationship with documentary discipline — certifications, traceability, quality dossiers — and a relatively contained supplier base.

TAG Heuer, headquartered in La Chaux-de-Fonds, Switzerland, with around 2,000 employees and part of LVMH since 1999, works with roughly 500 suppliers and indirect service providers.

A few hundred suppliers, a stable certification framework, a strong industrial culture: on paper, the perfect environment for “supplier compliance” to remain a sufficient label.

It didn’t.

Before the platform

Before the dedicated platform, document management ran on emails and Excel.

Loss, manual chasing and unreliable data were the consequence — entirely typical symptoms of the residual model.

The trigger for change wasn’t only the documentary backlog.

It was the simultaneous arrival of new regulatory obligations and the first 2023 carbon footprint, which required precise data from suppliers — themselves major contributors to the company’s CO₂ footprint.

Why the company shifted toward TPGRC

Rather than extending the existing tooling into yet another document repository, TAG Heuer redefined the scope and selected a specialised platform — Aprovall — to centralise the entire third-party programme.

Deployment started in early 2023 with direct suppliers and extended in 2024 to strategic indirect suppliers, integrated into Oracle.

What the platform actually supports

Governance
  • Eight users across Purchasing and Internal Control share a single view
  • Supplier paths are personalised by risk profile
  • Questionnaires and workflows are automated rather than ad hoc
Risk
  • Third-party maturity is evaluated, not just the presence of documents
  • Certifications are actively monitored
  • Ethics and environmental criteria sit alongside legal requirements
Compliance
  • Documents are collected, versioned and archived in one place
  • ERP integration keeps procurement records aligned and current

The operational results

The numbers reveal what happens when the framing changes.

  • +80%: completion rate within less than 6 months, “without excessive manual chasing”
  • 8 users: running the programme across Procurement and Internal Control
  • 6-month deployment
  • 4th and 5th tier coverage: visibility extended across certain value chains
  • CO₂ data collection: integrated directly into supplier interactions

Very quickly, we reached completion rates above 80%. The time saved for buyers was considerable, and suppliers particularly appreciated the simplicity of the journey. Thanks to Aprovall, we were able to trace certain value chains down to tier 4 or 5, where we previously had no visibility at all.

The message I want to convey is ease of use. Aprovall meets both our needs and our suppliers’ needs. It is not an imposed tool, but a shared solution that frees up time and improves the quality of our data.

Marc Menetrier, Purchasing Director – TAG Heuer


The second quote matters as much as the first.
A platform that suppliers actually engage with isn’t a side benefit of TPGRC; it’s a condition of TPGRC working at all.

The moment the scope expands beyond static documents into evaluations, CO₂ data and tier-N visibility, the supplier becomes a participant rather than a target.

If the experience isn’t shared, the data doesn’t come.

What changes when an organisation adopts a TPGRC model

Renaming “supplier compliance” to TPGRC isn’t a vocabulary exercise.
It changes how the work is structured, who owns it, and how success is measured.

1. Ownership becomes plural

Procurement keeps a major role, but Internal Control, Compliance, CSR/Sustainability, IT Security and Legal each become co-owners of specific dimensions.

The TAG Heuer model, eight users split between Purchasing and Internal Control, is the early form of this multi-ownership.

Larger organisations often end up with five or six co-owning functions on a single platform.

2. Segmentation replaces uniformity

Treating all suppliers identically becomes untenable once you add risk and ESG dimensions.

Critical suppliers get deeper treatment. Non-critical ones get lighter, automated paths.

The platform must support that differentiation natively, not as a configuration afterthought.

3. The supplier journey becomes a design surface

Under “supplier compliance”, the supplier path was rarely designed; it was assumed.

Under TPGRC, the supplier-side experience becomes one of the main success metrics, because the data depends on it.

Free, multilingual, simple: these become product requirements.

4. The KPIs change

“Documents archived” or “certificates valid” stop being meaningful headline numbers.

TPGRC KPIs instead include:

  • completion rate,
  • time-to-onboard,
  • supplier-side activation,
  • depth of value-chain visibility,
  • and percentage of suppliers covered by ESG questionnaires.

5. Integration moves to the centre

Because TPGRC pulls in data from and pushes data to the ERP, the SRM, the carbon-footprint tool and the risk management system, integration is no longer a “phase 2” concern. It’s a day-one requirement.

The TAG Heuer choice to integrate Aprovall with Oracle from the outset is the textbook approach.

Why the shift to TPGRC matters now

If “supplier compliance” had simply become slightly outdated, the case for the rename would be weak.

What makes it pressing is timing.

The 2025–2026 window concentrates several regulatory and accounting events that each individually push the function past its old framing:

  • DORA in force,
  • NIS2 transpositions,
  • CSRD double materiality reporting,
  • devoir de vigilance enforcement,
  • Scope 3 disclosure,
  • and minerals/forced-labour due diligence.

None of these can be served credibly by a programme still operating under “supplier compliance” assumptions.

The risk of keeping the old label is not aesthetic. It’s structural.

A function still framed as compliance gets staffed, budgeted and tooled for compliance, and quietly fails when asked to deliver risk segmentation, CO₂ data and tier-N traceability.

The TAG Heuer numbers (80% completion in 6 months, tier 4–5 visibility, integrated CO₂ collection) only become reachable once the framing is corrected upstream.

Conclusion

“Supplier compliance” is a term that was accurate for a smaller, calmer, more documentary world.

The world it described still exists, but it is now a subset of a larger field with its own coherent name: TPGRC.

The rename is not cosmetic; it changes:

  • ownership,
  • segmentation,
  • supplier experience,
  • KPIs,
  • and integration choices.

TAG Heuer’s experience (a 500-supplier, 8-user programme that delivered 80% completion in under six months, reached tier 4–5 visibility and embedded CO₂ data collection) is one of the clearest demonstrations that the new framing is operationally tractable, even at modest team sizes.

The companies still running their programmes under the old label are not behind on tooling.

They are behind on language, which, in this field, turns out to be the same thing.


Created in 2008, Aprovall is a French company that develops software for governance, risk management, and continuous evaluation of third-party compliance for its client organizations. This activity is also known by the acronym TPGRC or TPRM.
