Third-Party & Supply Chain

As organizations continue to evolve in an increasingly interconnected world, it has become abundantly clear that the way we manage third-party relationships is at the heart of effective governance, risk management, and compliance (GRC). What was once seen as a linear process of managing external partnerships has now transformed into an intricate web of interconnected relationships that extend across global suppliers, contractors, service providers, and more. These third-party connections form what is known as the extended enterprise, and within this ecosystem lies some of the most pressing challenges organizations face today.

In a statement made during his first visit to Brussels as Chancellor, Friedrich Merz, Germany's newly appointed leader, called for the European Union to scrap the Corporate Sustainability Due Diligence Directive (CSDDD). This directive, adopted in May 2024, mandates that companies take action to address their negative impacts on human rights and the environment throughout their supply chains.

In an open letter to third-party software providers, Patrick Opet, the Chief Information Security Officer at JPMorgan Chase, has raised a red flag on a growing security vulnerability that’s quietly creeping through the global economic system. And this one might just be a game-changer for IT security, risk managers, and anyone involved in third-party risk management.

Hertz has recently announced that the company is grappling with a data breach that stemmed from a vendor, Cleo Communications US, LLC. This breach, involving a file transfer platform used by Hertz, further demonstrates the vulnerabilities that third-party vendors can introduce to an organization’s data security.

In the increasingly interconnected world of modern business, organizations rely more than ever on third-party relationships. While these partnerships offer significant opportunities for growth and innovation, they also expose businesses to a range of risks that can threaten resilience and success. As geopolitical tensions and economic uncertainties continue to rise, it is essential for companies to reassess and strengthen their third-party governance, risk management, and compliance strategies. This article expands on the insights from my previous piece, Navigating the Storm: Strengthening Third-Party Governance and Risk Management in Your Extended Enterprise, offering a deeper look into how businesses can build robust, proactive frameworks to navigate these challenges and ensure sustained success across their extended enterprise.

The Institute of Internal Auditors (IIA) recently released a Public Consultation Draft for its Third-Party Topical Requirement. At first glance, it may seem like a technical set of guidelines, but the stakes are high. As businesses increasingly rely on third-party relationships—whether with vendors, contractors, consultants, or others—internal auditors face growing challenges in managing these complex connections. The IIA’s draft aims to offer a more standardized, comprehensive approach to assessing and managing the risks tied to external partnerships. For organizations that regularly engage with third parties, the draft provides a clear framework designed to ensure that no critical risks go unnoticed.

The European Supervisory Authorities (ESAs)— namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — have weighed in on the European Commission’s recent changes to the regulatory framework surrounding subcontracting under the Digital Operational Resilience Act (DORA). And in short, they’re on board.