Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register nowarrow_forward

menu

Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register now

arrow_forward

language

Products

arrow_drop_down

Solutions

arrow_drop_down

Resources

arrow_drop_down

Diligent AI

Request a demo

Governance

Risk

Compliance

Audit

Diligent Boards

Automate meeting prep, secure sensitive data and give directors the clarity to make the best decisions.

BoardEffect

Secure, flexible board management software for nonprofits and higher education.

Community

Increase transparency, streamline governance and empower your school board or local government.

Diligent Market Intelligence

On-demand access to exclusive shareholder activism, executive compensation and ESG data.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Role

Use Cases

Company Type

Industries

General Counsel

Safeguard your organization with centralized oversight of governance, risk and compliance.

Corporate Secretary

Run governance flawlessly with AI tools that eliminate busywork and ensure audit-readiness.

Executive Assistant

Streamline board prep, communications and approvals with AI workflows for seamless meetings.

C-Suite

Accelerate decisions and inspire confidence with AI-powered reporting and real-time risk intelligence.

Directors & Trustees

Prepare faster, mitigate risk and make smarter decisions with purpose-built board tools.

Risk Manager

See enterprise risk in real time, act decisively, and deliver AI-powered insights.

Information Security

Unify IT risk, compliance and cyber oversight in one secure platform.

Compliance Officer

Turn regulatory obligations into clear, actionable metrics — proving compliance and ROI.

Internal Auditor

Connect audit management, analytics and monitoring in a secure, AI-powered hub.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Content Library

Case Studies

Virtual Summits

Events

Resources Hub

Discover all of Diligent's insights in one place. Stay ahead of trends with expert perspectives, exclusive research and information you won't find anywhere else.

MEDIA TYPE

Blog Guides Videos Podcasts Content Toolkits Research & Reports

BY TOPIC

Governance Risk & Audit Compliance AI & Cyber Public Sector Diligent Institute

FEATURED

Diligent named a Leader in 2025 Gartner® Magic Quadrant™ for GRC

Navigating Third-Party Risk Management: An EU & UK Perspective

September 13, 2023

•

5 min read

Michael Rasmussen

GRC Analyst & Pundit

Share:

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise.

The European Union and the United Kingdom stand at the forefront of global trade and business partnerships. However, with increasing interconnectivity comes the challenge of managing third-party risks. For companies headquartered, operating within these jurisdictions, or in the supply/value-chain of companies that do, understanding and mitigating these risks is not only crucial for resilience but also for compliance.

The Essence of Third-Party Risk Management

Third-Party Risk Management (TPRM) involves identifying, assessing, and controlling risks presented by outside entities with which a business engages. These entities could range from suppliers, vendors, and contractors, to any other non-internal party involved in the value chain.

In the context of the EU and UK, several legislative frameworks emphasize third-party risk management:

1. German Supply Chain Act

Germany took a major step in 2021 by enacting the LkSG (Lieferkettensorgfaltspflichtengesetz, yes, German’s love complex words), otherwise known as the Supply Chain Due Diligence Act. This legislation focuses on human rights and environmental protections within supply chains. Under the act, companies are required to:

Conduct due diligence throughout their supply chains.
Establish risk management processes.
Implement grievance mechanisms.
Provide annual public reporting on their due diligence activities.

For businesses, this means that simply monitoring one's immediate suppliers is not enough; it's about ensuring every part of the supply chain, no matter how distant, is compliant. This regulation has now influenced the EU Corporate Sustainability Due Diligence Directive that will require every member country of the EU to pass a law similar to Germany’s LkSG.

2. UK Bribery Act and Sapin II in France

In the context of anti-bribery and corruption, the UK has its Bribery Act and France has Sapin II. Bribery and corruption enforcement actions reveal that third-parties are most often involved in these misdeeds. These laws aim to bolster transparency, fight corruption, and modernize economic activity in the UK and France. One of their major components is TPRM, especially concerning bribery risks. Key mandates include:

Organizations must implement a compliance program that includes a code of conduct, a whistleblowing mechanism, risk assessment methodologies, and third-party due diligence procedures.
Engage in continuous monitoring and regular updates of their compliance measures, especially when partnering with third parties.

3. UK Corporate Governance Code

Although the UK Corporate Governance Code primarily focuses on board leadership and company performance, it indirectly emphasizes the importance of TPRM. For instance:

Companies must foster relationships with shareholders and stakeholders, which includes understanding the risks they bring.
Regular engagement with the workforce (which could include third-party contractors) to determine their views and manage associated risks.
Under the most recent changes, the board has to issue resilience statements. An organization cannot be resilient without looking at the extended enterprise of third-party relationships.

Challenges in Implementing TPRM in the EU & UK

While the importance of TPRM is undeniable, its implementation is fraught with challenges:

Complex Supply Chains: Especially for multinational corporations, supply chains can span continents. Each link adds potential risk factors.
Diverse Regulatory Frameworks: As illustrated above, different countries have different regulations, making a standardized TPRM approach difficult.
Cultural Differences: What's acceptable in one country or region might be taboo in another. Navigating these nuances is essential for effective TPRM.

Mitigating Third-Party Risks: A Way Forward

For businesses operating in the EU and UK, here are some steps to ensure an effective TPRM:

Due Diligence: Always vet third parties before engagement. Understand their business operations, financial health, reputation, and any potential red flags.
Continuous Monitoring: Risk management is not a one-off task. Regularly monitor third parties for potential risks and ensure they remain compliant with evolving regulations.
Clear Contracts: Ensure that all contracts with third parties have clauses that allow for regular audits, adherence to regional regulations, and stipulate repercussions in case of breaches.
Training and Awareness: Ensure that employees at all levels understand the importance of TPRM. Regular training sessions can keep them updated about the latest best practices and regulatory requirements.
Leverage Technology: Use advanced TPRM solutions that can automate due diligence, monitor risks in real-time, and provide actionable insights.

The EU and UK, with their progressive stances on business transparency, human rights, and environmental protection, provide both opportunities and challenges for businesses. While the regulatory landscape may seem daunting, with a robust third-party risk management strategy, businesses can not only comply with regional mandates but also foster trust and build stronger, more resilient relationships with their partners. A haphazard department and document-centric approach for TPRM compounds the problem and does not solve it. Organizations need to address third-party risk with an integrated strategy, process, and technology to manage third-party relationships with real-time information and risk intelligence.