December 17, 2025

Third-Party Risk Management: How To Manage Risk Exposure Beyond the Enterprise’s Walls

Regulatory pressure on organisations is growing by the day and spanning a vaster and more complex agenda. Risks related to bribery and corruption, money laundering, sanctions, data privacy, cybersecurity, ESG, and AI form an increasingly complex regulatory landscape that is compelling companies to enhance their compliance and risk management frameworks.

Regulatory expectations around third-party risk management are tightening with regulators increasingly scrutinising companies’ outsourced activities, resilience controls, and oversight of business relationships and, in several cases, imposing fines or remedial orders.

Indeed, in recent years, the European Union (EU) and several member countries have ramped up enforcement activity, issued major fines and sought to criminalise non-compliant behaviours – such as unlawful cross-border transfers of personal data of EU/EEA users, bribery schemes via third-party business partners, or violations of sanctions regulations – for both individuals and legal entities.

Third-party risk management (TPRM) has become a core pillar of regulatory compliance. While companies are generally able to control their own activities to ensure compliance with regulations, keeping the same level of oversight over their third parties is far more challenging, particularly for those firms operating across dispersed and globalised value chains. According to a 2024 Information Security and Risk Management report, half of all companies work with more than 100 vendors, up from 38% a year before.[1]

Any misconduct by these third parties while acting on behalf of a company can lead to severe penalties, reputational damage, and operational disruptions for that company. Firms need to screen all third- and even fourth-party relationships to detect hidden risks in the value chain and ensure they are not inadvertently in breach. For instance, one hallmark case saw an aerospace manufacturer pay around $4 billion to settle bribery allegations linked to its third-party partners, while an EU technology company agreed to a settlement of about $15 million with the US Office of Foreign Assets Control (OFAC) over an apparent violation of sanctions regulations.

A Changing Risk Landscape

These are some of the key areas of regulatory third-party risk:

Sanctions: The EU has expanded its sanctions framework to 40 different sanction regimes[2], including 19 sanction packages targeting Russia and Belarus, while the UK, the US, and international bodies continuously adapt their programmes to fast-moving geopolitical events.

A particularly noteworthy development is the adoption of Directive (EU) 2024/1226, which harmonises the definition of criminal offences and penalties for the violation of EU sanctions,[3] ensuring consistent enforcement with “effective, proportionate, and dissuasive criminal and non-criminal penalties” and mandatory reporting obligations.[4]

Member States are also being asked to ensure that legal entities are held liable for such offences through criminal or administrative penalties, including pecuniary fines up to 5% of the company’s global turnover or the equivalent of 40 million euros, and restraining measures such as the exclusion from access to public funding and tender procedures. Countries such as Greece have already transposed the EU directive into national law.[5] These new developments greatly amplify the importance of sanctions due diligence, ongoing monitoring, transparent ownership and control structures, and robust contractual safeguards.

Bribery and corruption: The EU’s legal framework on combating corruption is also being updated with a proposed Directive bringing in stronger rules of accountability for the public sector, “harmonising” corruption offences and sanctions across the EU, and enhancing investigation and prosecution capabilities.[6] While the Directive is still at the negotiation stage and any potential implementation is still a few years away, companies operating in Europe should monitor the developments and be prepared for a potential increase in the risk of anti-bribery and corruption enforcement in the coming years, with broader third-party risk management impacts.

Cybersecurity: Recent high-profile incidents where third-party failures led to severe business disruption brought cybersecurity and resilience of supply chains to the forefront. Vendors are now identified as a key access point for ransomware attacks and data breaches; 88% of companies surveyed in a 2024 report cited a compromise in their vendor supply chain as the cause of their breach, up from 77% in 2023.[7]

As cybercrime capacity grew, regulation also evolved. The EU’s NIS2 Directive, effective since 2024, requires firms to conduct ongoing risk assessments of third-party IT services to ensure adherence to robust standards. Third-party risk management is also one of the core pillars of the EU’s Digital Operational Resilience Act (DORA), which focuses on the digital resilience of financial institutions and came into force earlier this year. Under DORA, financial firms are expected to monitor digital risks across their extended ICT supply chain, a monumental task that can involve the review and updating of hundreds of contracts.[8]

In response to these perpetual supply chain and overall third-party cyber risks, companies must continually update and evolve their TPRM programmes while enhancing their cyber resilience strategies and incident response plans, and regularly testing them as the threat landscape evolves in parallel. Companies should focus on expanding their cyber resilience initiatives to include enterprise-wide business resilience and operational risk in order to combat third-party service provider and supply chain attacks.

AI: The EU AI Act requires organisations to implement robust TPRM frameworks, especially for high-risk AI systems. This includes conducting thorough due diligence across their vendor ecosystem, integrating AI-specific compliance into contracts, and the continuous monitoring of third-party AI usage and data protection practices.

Sustainability: The EU Corporate Sustainability Due Diligence Directive, effective from July 2024, is aimed at fostering sustainable and responsible corporate behaviour in companies’ own operations, their subsidiaries and, where related to their value chain(s), those of their business partners. This directive significantly broadens the scope of third-party risk management. It mandates organisations to monitor practices across their entire value chain, and proactively identify, prevent and mitigate human rights violations and environmental harm linked to their operations. Areas requiring close oversight include unethical supply chain practices such as modern slavery, child labour, working conditions, unfair pay, environmental impact, and governance failures.

Best Practices for Third-Party Risk Management

Against this regulatory backdrop, risks arising from value chains require rigorous assessment, a coordinated cross-functional approach, and a strategic shift in organisational culture. Failures at any stage of the TPRM lifecycle can result in substantial penalties and significant reputational harm.

To ensure compliance, businesses should anchor their TPRM programmes on the following pillars:

Enhanced screening and monitoring: TPRM programmes need to evolve from static compliance checks to monitoring programmes capable of detecting sanctions and other evolving threats quickly and consistently. Scandals or sanctions can emerge overnight, and reputational damage from these developments can follow swiftly.

Tracking risks throughout the entire lifecycle of the relationship – not only during onboarding – is central for achieving this. Best practices recommend continuous monitoring to detect changes in third-party risk profiles and “look back” exercises to reassess legacy relationships that may have been onboarded under outdated standards or lack complete documentation.

Whether during onboarding or later, organisations should go beyond self-declared certifications to include independent verification and real-time sanctions screening. Questionnaires are a common tool; however, relying on them alone cannot accurately capture and reflect third-party risk. In any scenario, third-party non-responsiveness and reluctance to share information should be treated as a red flag.

Risk-based segmentation: With potentially thousands of third-party relationships to manage, companies must prioritise the most critical when allocating resources. Risk-based assessments are an effective way to achieve this. They categorise third parties based on their perceived degree of risk so that companies can apply enhanced due diligence for those relationships classified as higher risk, based on parameters such as jurisdiction, industry, service/product type, location of the third party’s banking institution, or the maturity of IT/cybersecurity controls.

A risk-based approach is particularly valuable given the growing number of third-party relationships. Many organisations report a lack of resourcing as the number one barrier to TPRM adoption and growth.[9] An internal survey by TPRM network Shared Assessments revealed that only 25% of their members have taken steps to address ransomware risk for both their own organisation and their vendors. This gap largely reflects a lack of adequate or adequately trained staff, part of a wider problem of a global cybersecurity skills gap.[10]

Build trusted relationships: Transparency and collaboration in third-party relationships are just as critical to effective TPRM as traditional compliance and risk mitigation practices. Companies should make “know your vendor” an institutional priority by fostering trust and building open, constructive partnerships with their network of vendors. A collaborative approach, whereby organisations help vendors become better third parties and vice versa, reduces friction and streamlines the process for all parties.[11] Having established and tested communication channels will help companies respond more quickly and more easily during an actual incident. Jointly creating and testing scenarios will also foster a stronger partner response.

Balancing risk and operational flexibility: For companies working with multiple and international suppliers/subcontractors, one critical challenge is to make sure TPRM does not become an obstacle to the business flow. TPRM departments might find themselves under pressure from procurement and operations teams to accelerate onboarding, especially when critical services or production timelines are at stake.

Addressing this tension requires strong organisational communication and leadership commitment. Information must be shared across teams, and systems should be in place so that decisions made by one function are visible to others. One effective solution is keeping a central repository of third-party risk relevant information, including contracts, evaluations, and third-party audit results. This repository must be continuously updated and easily accessible.

Governance: Against this regulatory backdrop, companies cannot treat vendor/third-party risk merely as a procurement or operational issue but must elevate it to compliance, risk management, and governance frameworks. Organisations are increasingly shifting governance structures to centralised models. Top functional owners of TPRM include ERM, IT, legal, procurement, and compliance, while ultimate ownership lies with senior management and the board of directors. Management buy-in is critical, as it establishes leadership direction that can cascade through the rest of the organisation, and sets the tone for compliance culture. Leadership commitment helps embed TPRM into the business and helps create an environment where risk considerations are not sidelined in pursuit of speed.

Technology for greater visibility and control: Technology plays an increasingly vital role in TPRM programmes, helping companies monitor third-party risk profiles at the scale and speed required today. Firms are pursuing efficiency in their TPRM initiatives through automation and AI tools, for example by using AI to read and compare vendor documentation. More sophisticated use cases include deploying AI and machine learning tools to detect changes in risk profiles in real time, flag anomalies, and identify early warning signals from vast amounts of data, supporting a more proactive approach to risk management.

However, organisations must be aware of the risks such as “deep learning” bias from AI tools and implement robust governance frameworks to ensure outputs are reliable and ethical. To fully capitalise on these technologies, they should also invest in staffing adequacy and upskilling.

Finally, there is no “one-size-fits-all” solution for companies looking to leverage technology and AI in TPRM. With an overwhelming number of providers and platforms available, businesses may struggle to determine the right application for their specific needs. This decision should be guided by factors such as company size, nature of activity, operational complexity, and the market and regulatory environment in which they operate.

In Summary

Growing regulatory scrutiny in areas as wide as AI and human rights, tighter enforcement, and more complex supply chains are compelling firms to strengthen their third-party risk management frameworks. Risks embedded in value chains require rigorous assessment, a coordinated cross-functional approach, and a strategic shift in organisational culture. Failures at any stage of the TPRM lifecycle can lead to severe penalties, significant reputational harm, and operational disruptions with potentially material financial consequences for the business.

The views and opinions expressed in this article are those of the authors.

[3] Union restrictive measures include measures concerning the freezing of funds and economic resources, the prohibitions on making funds and economic resources available and the prohibitions on entry into or transit through the territory of a Member State, as well as sectoral economic and financial measures and arms embargoes

[4] Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673; see https://eur-lex.europa.eu/eli/dir/2024/1226/oj/eng 

[5] Law 5232/2025, Government Gazette Α' 163/22-09-2025

[6] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on combating corruption, replacing Council Framework Decision 2003/568/JHA and the Convention on the fight against corruption involving officials of the European Communities or officials of Member States of the European Union and amending Directive (EU) 2017/1371 of the European Parliament and of the Council; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52023PC0234.

[8] See the FS-ISAC DORA Working Group’s DORA Implementation Guidance whitepaper; https://www.fsisac.com/hubfs/Knowledge/DORA/FSISAC_DORA-ImplementationGuidance.pdf 

[10] See Shared Assessment’s white paper on “Third Party Focused Ransomware Strategy: An Enterprise-Wide Collaborative Strategy Guide for TPRM Professionals” sharing key considerations for developing enterprise-wide collaborative strategies and cyber resiliency; https://sharedassessments.org/paper/third-party-ransomware-strategy/ 

[11] Lack of coordinated and active vendor involvement in many outsourcing organizations' incident event management programs is reported by the Shared Assessments Program; https://www.prnewswire.com/news-releases/shared-assessments-program-publishes-new-best-practices-briefing-paper-to-address-serious-need-for-third-party-incident-management-300190144.html 
