Article

Managing third party risk without losing sleep

By:
Ben Langford,
Robert Shaw
13 Jan 20265 min read
insight featured image
Recent high-profile failures have shown how third-party risk can lead to severe financial and reputational damage. Yet, despite growing awareness, many organisations still struggle to manage it effectively.
Contents

Although the use of third parties can bring cost efficiency and operational flexibility, it can also introduce potential vulnerabilities. So how do you manage it? Through a robust third-party risk management programme that identifies, prioritises, and monitors these risks.

Ben Langford and Robert Shaw share common challenges businesses face when managing third-party risk so you can prepare. Plus, find out how The Institute of Internal Auditors recently issued Topical Requirement on Third Parties can help you. 

Third-party risks — what’s really at stake?

Third-party relationships can expose your organisation to risks that go far beyond operational hiccups. These risks can impact compliance, reputation, and even business continuity. Here are some of the most critical areas to watch:

  • Operational resilience
  • Ethical and regulatory compliance (such as bribery & corruption, trade sanctions & export controls, fraud)
  • Performance and delivery, such as quality, reliability, training.
  • Financial, such as failure of third-party.
  • Cybersecurity and data privacy, such as system vulnerabilities and GDPR compliance.
  • Climate and sustainability
  • Social and Human Rights including Modern Slavery 

Don’t just spot risks — manage them

Identifying risks is only half the battle. To truly protect your organisation, you need to embed risk management throughout the entire third-party lifecycle. Here’s what that looks like:

  • Requirement specification and supplier selection, includes processes to determine the need for a third party, the plan for its use, and the criteria for selection.
  • Due diligence and contracting, includes due diligence with the third party and implementing a legal agreement
  • Onboarding and mobilisation, begins when the contract is signed to start the relationship and establishes a foundation for third parties to meet the terms of the contract or agreement
  • Contract delivery, includes processes for “in-life” management and ongoing monitoring of the third party after the contract has been established and approved. The approach is usually systematic and risk-based and should consider continuous improvement. This includes managing contract variations and scope changes.
  • Offboarding, includes processes for ending contracts and agreements, maintaining an exit strategy for third parties that have been prioritized based on risk, and terminating relationships when necessary. The processes typically use a risk-based approach and may involve a formal exit plan

At a governance level, it’s important to define an approach supported by clear policies and procedures. Roles and responsibilities for working with third parties should be well-defined, along with clarity on who the key stakeholders are across the business. These may include the board, senior management, operations, risk management, HR, IT, finance, legal & compliance, and procurement. Ensuring third parties align with your company’s values and ethics is equally critical.

Risk management processes around third parties should be sufficient to identify, prioritise, mitigate and monitor risk across the third-party life cycle and the full risk universe.

Simple questions to better understand your third-party landscape

A strong risk management framework starts with asking the right questions. Use these prompts to uncover gaps and prioritise actions:

Theme Key questions to ask
Who are your critical third parties?  
  • Where is your greatest exposure? If third party failed tomorrow, what would break?
  • Do you have a consistent and commonly understood prioritisation process?  
Governance Gaps – who is in charge?  
  • Who, if anyone, has oversight across all third party risk?
  • Is it clear who owns specific third party relationships and / or contracts, and do they have a clear view of risk?  
The Document Deficit – good record keeping is essential  
  • Is there a single source of truth?
  • Are key third party and contractual documents readily accessible?  
Due Diligence – not just at onboarding  
  • Is due diligence sufficiently robust, done at the right time and covers key risks?
  • Are actions arising from due diligence monitored and tracked to completion?
  • Do you have ongoing pr periodic monitoring processes?  
Performance monitoring – required for all critical vendors  
  • Is there a regular cadence of meetings, with actions agreed and tracked?
  • Are KPIs / SLAs defined and reported?  
Hidden risk in your legal agreements  
  • Do you have clarity on key clauses and their implications?
  • Are contracts refreshed for scope changes and reflect current relationship?
  • Which contracts are subject to the third party’s T&Cs?  

Sub-outsourcing – the hidden risk
  • Do you have visibility of fourth and fifth parties (“nth parties”)?
  • Have you applied your risk assessments and performance monitoring beyond direct third parties across the full value chain?  
Exit planning – for planned and stressed scenarios  
  • Do business continuity plans include third-party dependencies where relevant?
  • Are there documented exit strategies for critical suppliers? And do these align with business continuity plans and contractual agreements?  
The procurement disconnect  
  • Are there documented policies across the third party lifecycle?
  • Are these in line with actual practice and consistently used across the business?
  • Are policies bypassed by senior management or ignored by staff with no consequence?  

 

What’s next?

  • Map your third-party landscape and prioritise critical relationships.
  • Benchmark your processes against IIA’s Topical Requirement on Third Parties.

Build a governance framework that enforces accountability and transparency.

If you’d like to have an exploratory conversation or find out more information, contact Ben Langford.

 

TAGS  
Authors
  • Ben Langford
    Ben Langford I am an experienced risk and internal audit professional having worked for 23 years with large global groups in the area of governance, risk and control. View Profile
  • Robert Shaw
    Robert Shaw Having worked in IT and the business services sector for over 20-years, I'm passionate about the contribution accountants can make to the top and bottom line. View Profile

Read our insights, reports and more

View more

Pension administration under sharper regulatory scrutiny

Article

TPR has sharpened expectations for pension scheme administration, highlighting key risks around governance, data integrity and oversight that trustees must act on.

Zoe O’Donnell
| 7 min read | 05 Feb 2026

Crypto regulations pick up pace with recent FCA consultations

Article

UK crypto regulation is accelerating as the FCA issues new consultations. Learn what firms must do to prepare for authorisation under the incoming regime.

Paul Staples
| 7 min read | 29 Jan 2026

Technology risk trends: Your key priorities for 2026

Technology risk trends: Your key priorities for 2026

Boards are increasingly being called upon to take ownership of technology risk oversight as a strategic imperative, reinforced by the updated UK Corporate Governance Code and the new Cyber Governance Code of Practice. In 2026, staying ahead of technology risks and regulatory shifts isn’t optional - it’s essential. Are you clear on where to focus to keep your organisation in control?

22 Jan 2026
    View more