Managing third party risk without losing sleep

Article

By: Ben Langford, Robert Shaw

13 Jan 20265 min read

Recent high-profile failures have shown how third-party risk can lead to severe financial and reputational damage. Yet, despite growing awareness, many organisations still struggle to manage it effectively.
Contents

Although the use of third parties can bring cost efficiency and operational flexibility, it can also introduce potential vulnerabilities. So how do you manage it? Through a robust third-party risk management programme that identifies, prioritises, and monitors these risks.

Ben Langford and Robert Shaw share common challenges businesses face when managing third-party risk so you can prepare. Plus, find out how The Institute of Internal Auditors recently issued Topical Requirement on Third Parties can help you. 

Third-party risks — what’s really at stake?

Third-party relationships can expose your organisation to risks that go far beyond operational hiccups. These risks can impact compliance, reputation, and even business continuity. Here are some of the most critical areas to watch:

  • Operational resilience
  • Ethical and regulatory compliance (such as bribery & corruption, trade sanctions & export controls, fraud)
  • Performance and delivery, such as quality, reliability, training.
  • Financial, such as failure of third-party.
  • Cybersecurity and data privacy, such as system vulnerabilities and GDPR compliance.
  • Climate and sustainability
  • Social and Human Rights including Modern Slavery 

Don’t just spot risks — manage them

Identifying risks is only half the battle. To truly protect your organisation, you need to embed risk management throughout the entire third-party lifecycle. Here’s what that looks like:

  • Requirement specification and supplier selection, includes processes to determine the need for a third party, the plan for its use, and the criteria for selection.
  • Due diligence and contracting, includes due diligence with the third party and implementing a legal agreement
  • Onboarding and mobilisation, begins when the contract is signed to start the relationship and establishes a foundation for third parties to meet the terms of the contract or agreement
  • Contract delivery, includes processes for “in-life” management and ongoing monitoring of the third party after the contract has been established and approved. The approach is usually systematic and risk-based and should consider continuous improvement. This includes managing contract variations and scope changes.
  • Offboarding, includes processes for ending contracts and agreements, maintaining an exit strategy for third parties that have been prioritized based on risk, and terminating relationships when necessary. The processes typically use a risk-based approach and may involve a formal exit plan

At a governance level, it’s important to define an approach supported by clear policies and procedures. Roles and responsibilities for working with third parties should be well-defined, along with clarity on who the key stakeholders are across the business. These may include the board, senior management, operations, risk management, HR, IT, finance, legal & compliance, and procurement. Ensuring third parties align with your company’s values and ethics is equally critical.

Risk management processes around third parties should be sufficient to identify, prioritise, mitigate and monitor risk across the third-party life cycle and the full risk universe.

Simple questions to better understand your third-party landscape

A strong risk management framework starts with asking the right questions. Use these prompts to uncover gaps and prioritise actions:

Theme Key questions to ask
Who are your critical third parties?  
  • Where is your greatest exposure? If third party failed tomorrow, what would break?
  • Do you have a consistent and commonly understood prioritisation process?  
Governance Gaps – who is in charge?  
  • Who, if anyone, has oversight across all third party risk?
  • Is it clear who owns specific third party relationships and / or contracts, and do they have a clear view of risk?  
The Document Deficit – good record keeping is essential  
  • Is there a single source of truth?
  • Are key third party and contractual documents readily accessible?  
Due Diligence – not just at onboarding  
  • Is due diligence sufficiently robust, done at the right time and covers key risks?
  • Are actions arising from due diligence monitored and tracked to completion?
  • Do you have ongoing pr periodic monitoring processes?  
Performance monitoring – required for all critical vendors  
  • Is there a regular cadence of meetings, with actions agreed and tracked?
  • Are KPIs / SLAs defined and reported?  
Hidden risk in your legal agreements  
  • Do you have clarity on key clauses and their implications?
  • Are contracts refreshed for scope changes and reflect current relationship?
  • Which contracts are subject to the third party’s T&Cs?  

Sub-outsourcing – the hidden risk
  • Do you have visibility of fourth and fifth parties (“nth parties”)?
  • Have you applied your risk assessments and performance monitoring beyond direct third parties across the full value chain?  
Exit planning – for planned and stressed scenarios  
  • Do business continuity plans include third-party dependencies where relevant?
  • Are there documented exit strategies for critical suppliers? And do these align with business continuity plans and contractual agreements?  
The procurement disconnect  
  • Are there documented policies across the third party lifecycle?
  • Are these in line with actual practice and consistently used across the business?
  • Are policies bypassed by senior management or ignored by staff with no consequence?  

 

What’s next?

  • Map your third-party landscape and prioritise critical relationships.
  • Benchmark your processes against IIA’s Topical Requirement on Third Parties.

Build a governance framework that enforces accountability and transparency.

If you’d like to have an exploratory conversation or find out more information, contact Ben Langford.

 

TAGS  

Authors

  • Ben Langford

    I am an experienced risk and internal audit professional having worked for more than 25 years with large global groups in all areas of governance, risk and control. View Profile

  • Robert Shaw

    Having worked in IT and the business services sector for over 20-years, I'm passionate about the contribution accountants can make to the top and bottom line. View Profile

Read our insights, reports and more

View more

Provision 29: Assurance mapping for material controls

Article

Assurance mapping gives firms a consolidated view of control activities, helping boards meet Provision 29 requirements in the UK Corporate Governance Code.

Emma Young
| 6 min read | 04 Jun 2026

FCA wholesale markets report – aligning with FCA expectations

Article

A practical overview of the FCA’s 2026 wholesale markets priorities, highlighting key risks in financial crime, market abuse and conflicts of interest, and what firms should do to strengthen controls and governance.

Rebecca Deane
| 6 min read | 11 May 2026

Provision 29: What to prioritise as first year reporting approaches

Article

Emma Young provides a summary on what organisations need to consider in 2026 to meet provision 29 requirements for the first year reporting.

Emma Young
| 6 min read | 11 May 2026
    View more