EVOLVING THIRD PARTY RISK MANAGEMENT FOR EFFECTIVE RISK ASSURANCE: A RISK-BASED APPROACH
Third-party risk has quietly become pervasive and arguably a material threat to enterprise resilience. In today’s hyperconnected business environment, organisations increasingly rely on a complex ecosystem of third parties, which enables innovation, speed and cost efficiency. However, the failure of a single external partner can trigger regulatory breaches, operational disruption and reputational damage at scale. As supply chains diversify and global operations deepen, third-party risk is no longer peripheral; it is central to risk assurance.
The five Cs of TPRM constraints
According to GAN Integrity’s The State of Third-Party Due Diligence 2025 study, third‑party risk is expanding faster than most teams can manage. The challenges facing third-party risk management (TPRM) can be broadly understood through the ‘five Cs of TPRM constraints’: capacity, complexity, coverage, consistency and coordination. Although this framework continues to evolve, these five constraints currently limit an organisation’s ability to obtain timely, reliable assurance over its third‑party ecosystem.
Capacity remains a core issue, as third‑party populations grow faster than available staffing or subject‑matter expertise. Teams face rising onboarding volumes, growing review backlogs and increasing regulatory expectations, all too often handled through manual, resource‑intensive processes.
Complexity is also mounting. Risk domains and regulatory requirements continue to expand, and organisations must assess an ever-broader spectrum of exposures. Directives such as the EU’s Corporate Sustainability Due Diligence Directive significantly raise expectations for supplier oversight, adding further strain.
