Compliant Procurement: Aligning for Third-Party Risk Excellence 🤝🛡️

The days of treating third-party risk as simply an anti-bribery checkbox exercise have vanished, replaced by a multidimensional risk landscape that demands sophisticated, cross-functional approaches to protect organizational integrity. 

This episode of The Ethicsverse explored the evolving landscape of third-party risk management, examining how organizations can effectively navigate the growing complexity of vendor relationships in today’s business environment. The discussion revealed that the scope of third-party risk has expanded significantly beyond traditional anti-bribery concerns to encompass data privacy, cybersecurity, human rights, ESG factors, sanctions, AML, supply chain transparency, and AI governance. Experts emphasized the need for a risk-based approach that prioritizes high-risk relationships while maintaining reasonable oversight proportionate to organizational resources. The panel discussed governance challenges stemming from fragmented accountability across departments and proposed solutions centered on cross-functional collaboration, clear risk tolerance statements, and structured oversight mechanisms. A recurring theme highlighted the importance of compliance professionals positioning themselves as relationship-builders and business enablers rather than obstacles, allowing them to gain the credibility needed to effectively mitigate third-party risks. The speakers provided practical insights on implementing tiered risk assessment processes, leveraging contract provisions strategically, and maintaining ongoing monitoring systems that can adapt to emerging risks.

• Jacquelyn Pruet, Former Regulator, Texas Commission on Law Enforcement
• Gitanjali Sakhuja, Associate General Counsel, Americares
• Matt Kelly, CEO & Editor, Radical Compliance
• Nick Gallo, Chief Servant & Co-CEO, Ethico

The Risk Landscape Has Dramatically Expanded

• Third-party risk management has evolved beyond traditional anti-bribery concerns to include data privacy, cybersecurity, human rights, ESG, sanctions, AML, supply chain transparency, and AI governance.
• The complexity of modern supply chains has transformed from linear pathways to intricate webs where disruptions in one area can impact the entire system.
• Compliance teams face mounting pressure to manage these diverse risks despite often operating with limited resources and increasing stakeholder scrutiny.

Establish Clear Ownership and Accountability

• Every effective third-party risk program needs a designated “conductor” who can coordinate specialists across departments, even without being an expert in each domain.
• Organizations must determine where risk responsibilities currently reside and create accountability structures that bridge functional silos among legal, compliance, procurement, and business units.
• The governance structure should be appropriate to organizational size and resources while maintaining clear lines of responsibility for risk decisions.

Compliance as the “Department of Relationships”

• Reframing compliance from the “Department of No” to the “Department of Relationships” creates the trust foundation necessary for effective risk management conversations.
• Compliance professionals must demonstrate business acumen and flexibility on lower-risk issues to build credibility for when firm positions on significant risks become necessary.
• Building strong stakeholder relationships allows compliance teams to establish the authority needed to influence third-party selection decisions without appearing adversarial.

Define Risk Tolerance Parameters Early

• Establish clear risk tolerance statements before evaluating specific third-party relationships to avoid inconsistent decision-making and business conflicts.
• Define organizational “red lines” for third-party risks related to corruption, forced labor, data security, and other critical factors to create objective standards that depersonalize decisions.
• Pre-established guidelines provide compliance professionals with clear authority during high-pressure situations when business imperatives might tempt stakeholders to overlook significant risks.

Implement Risk-Based Assessment Approaches

• Apply the 80/20 principle to focus limited compliance resources on the third-party relationships posing the greatest potential harm to the organization.
• Develop screening mechanisms that categorize vendors based on relationship type, jurisdiction, data access, contract value, and other relevant risk factors.
• Match due diligence intensity to risk levels, using simplified questionnaires for low-risk vendors and comprehensive assessments for high-risk relationships to maximize efficiency.

Leverage Contract Provisions Strategically

• Approach contractual protections like audit rights strategically rather than including them as boilerplate provisions you have no intention or resources to implement.
• Consider whether your organization realistically intends to exercise contractual rights and whether the relationship’s risk profile justifies potential negotiation friction.
• Align contractual requirements with your organization’s actual risk management capabilities, as regulators may question provisions that are included but never exercised.

Manage the Full Third-Party Lifecycle

• Extend risk management beyond initial onboarding to encompass the entire relationship lifecycle through structured monitoring and periodic reassessment processes.
• Avoid disproportionate focus on pre-contract due diligence at the expense of post-implementation monitoring, which creates vulnerabilities as third-party circumstances evolve.
• Establish clear relationship owners, implement risk-appropriate monitoring mechanisms, and develop processes to address emerging issues that may alter initial risk classifications.

Navigate Cross-Functional Communication Challenges

• Address miscommunication stemming from differing departmental priorities, vocabularies, and timelines by developing shared risk terminology and establishing clear escalation pathways.
• Recognize and reconcile compliance’s risk-focused perspective with business units’ emphasis on speed, procurement’s focus on cost, and other functional priorities.
• Create forums for cross-functional discussion of significant third-party relationships to build mutual understanding of how each department’s objectives contribute to organizational success.

Adapt to Rapidly Evolving Risk Factors

• Develop agile risk management approaches capable of responding to rapidly emerging threats such as new sanctions regimes, tariff changes, and supply chain disruptions.
• Create mechanisms to quickly reassess existing vendors against new criteria when risk factors that weren’t on your radar six months ago suddenly become critical considerations.
• Maintain strong regulatory intelligence functions and develop contingency plans for critical third-party relationships that may be affected by geopolitical or regulatory shifts.

Balance Technology Monitoring with Practical Implementation

• As third parties increasingly incorporate AI and other advanced technologies into their service delivery, organizations must determine appropriate governance and disclosure requirements without creating unreasonable monitoring burdens.
• When evaluating how deeply to probe third-party technology use, compliance teams should consider the nature of the service provided, sensitivity of data accessed, criticality to operations, and regulatory requirements applicable to the specific relationship. 
• Organizations should focus technology governance efforts on third parties handling sensitive customer data, performing critical functions, or operating in highly regulated domains, while adopting more flexible approaches for vendors whose technology use poses minimal additional risk to the organization.

Closing Summary