_{PART ONE}
EXPANDING
THIRD-PARTY RISK UNIVERSE

in partnership with GAN Integrity

The Expanding Third-Party Risk Universe

The original focus of third-party risk management (TPRM) was compliance, particularly anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA). However, TPRM has always included other critical areas like anti-money laundering, financial stability, business continuity, and operational resilience. As businesses and supply chains have grown more complex, TPRM has broadened to encompass risks related to environmental, social, and governance (ESG), human rights, data privacy, and cyber threats. The expansion of compliance risks, blurred boundaries between risk categories, and evolving functions within organizations have contributed to a more fragmented and complex TPRM landscape.

CASE IN POINT

According to Deloitte’s 2023 global TPRM survey, most programs now manage nearly 20 different risk areas. Cyber and information security risk is the most prevalent, followed by geopolitical risk, business continuity, and data privacy.

Other significant categories include concentration risk, regulatory risk, contract risk, anti-bribery and anti-corruption (ABAC), quality risk, environmental risk, reputational risk, and subcontractor risk. Notably, modern slavery and climate risk, while increasingly critical, are often managed separately or inadequately despite stringent regulations.

Regulations impacting TPRM are not only proliferating but also overlapping, creating a complex, intertwined risk landscape. Compliance risk is no longer the sole focus; financial, operational, and strategic risks are equally important. Fragmented TPRM functions across compliance, procurement, legal, IT, and business continuity often result in silos, inefficiencies, and gaps.

The challenge is clear: Compliance cannot operate in isolation. Organizations must integrate their various risk management functions under a unified framework to prevent gaps, eliminate redundancies, and enhance resilience against a broad spectrum of third-party risks.

THE EXPANDING THIRD-PARTY RISK UNIVERSE

Managing Risk at Scale

The sheer volume of supply chain partners is a significant challenge for third-party risk management (TPRM) today. Multinational companies often work with thousands of third parties - and even more fourth- and fifth-party relationships. Gartner’s Third Party Risk Management Benchmarking Report 2023 underscores this complexity: 58% of companies reported an increase in their number of third parties from 2019 to 2022, and 46% noted growth in their fourth and fifth-party relationships.

Alarmingly, nearly half of Gartner's respondents also reported a 17-point increase in high-risk third parties - those whose vulnerabilities pose serious threats to operations, reputation, or financial stability. These high-risk relationships demand greater scrutiny and more robust risk mitigation strategies.

This trend shows no signs of slowing. A 2024 TPRM survey by Mastercard subsidiary RiskRecon found that the number of TPRM programs managing at least 250 vendors doubled between 2020 and 2023.

Part of this expansion reflects growing supply chains, but it also stems from organizations’ increasing reliance on their internal teams to manage complex risk landscapes. With procurement, ethics, and compliance teams stretched thin, efficiently assessing, clearing red flags, monitoring compliance, and regularly re-evaluating risks across a vast network of suppliers presents a formidable challenge.

Managing risk at scale requires streamlined processes and tools to ensure visibility, consistency, and agility across third-party relationships. As companies expand their vendor networks to build resilience, they must also implement scalable TPRM frameworks to keep pace with mounting oversight demands.

How many third parties (suppliers, vendors, distributors, agents, etc.) does your organization engage with?

< 50
51–100
101–500
501–1,000
1,001–5,000
5,001–10,000
10,001–50,000
More than 50,000
Unsure

THE EXPANDING THIRD-PARTY RISK UNIVERSE

Enter the EU

Given an already large risk universe across an expansive and expanding third party population, recent regulatory schemes have focused on specific risk areas by requiring deeper and more detailed disclosures.

In 2024, the European Commission enacted the Corporate Sustainability Due Diligence Directive, a new standard that requires businesses operating in the European Union to establish, fund, and maintain the framework and processes to identify and address potential and actual “adverse human rights and environmental impacts” within their own operations, those of their subsidiaries, and those of their business partners within their value chains.

This standard has since been simplified by the European Commission’s Omnibus Package, which refocuses due diligence primarily on direct suppliers. But the best practices bar has already been raised in the eyes of organizations and their stakeholders.

While this was intended to address human rights risk and environmental sustainability issues, as organizations develop these required capabilities, they will also be able to address other risks deep within their supply chain, such as reputational risk, trade compliance issues, and more. Beyond what this law mandates, the bar for best practices has also been raised by it.

We can expect that like the GDPR influence on global privacy regulations, the EU will be setting the standard for supply chain due diligence not only across a range of risk areas, but also deeper into parties beyond immediate business partners. But worth noting, is that unlike the GDPR, this is currently enacted as a directive, which opens the door for increased complexities as independent member EU member states codify the directive into country specific regulations.

THE EXPANDING THIRD-PARTY RISK UNIVERSE

Data Overload & Budget Constraints

In order to meet due diligence and monitoring requirements, organizations find themselves subscribing to a growing number of data feeds that include (but are hardly limited to) global watchlists, sanctions, adverse media, ESG databases, financial health ratings, cyber-security ratings and more. All of this increases the volume of TPRM data to review by an order of magnitude at a time when program funding and headcount are not keeping pace—despite regulatory guidance such as 2024’s U.S. Department of Justice Evaluation of Corporate Compliance Programs (ECCP) update, which clearly expects companies to adequately resource their E&C functions.

According to Ethisphere’s 2025 World’s Most Ethical Companies benchmarking data, companies ranging from 25,000-50,000 employees have, on average, almost 84 ethics and compliance full-time equivalents. E&C teams, long familiar with making the case for adequate levels of resourcing, are intimately familiar with the challenge of adding headcount, which explains figures from EY’s 2023 Global Third-Party Risk Management Survey, which states that 42% of organizations plan to integrate automation to better manage reporting, and 63% of the plan to integrate external data providers and automation to better manage their inherent risk assessments by 2025 or 2026.

The truth is the adjudication of results and significant numbers of false positives make TPRM a resource-intensive process at a time when flat or even modestly increasing compliance budgets are hard-pressed to manage the data deluge.

How far down your supply chain do you conduct due diligence? (check those that apply)

3rd parties - always
3rd parties - only on a risk based approach
4th parties - always
4th parties - only on a risk based approach
5th parties - always
5th parties - only on a risk based approach
Beyond 5th parties - only on a risk based approach