
Managing Third Parties For Today’s World


The line between your company and your suppliers, partners, and platforms used to be clearer. It isn't so clear anymore.


Today, third parties are critical to how value gets created. They touch your products, services, customer experience, technology, data, AI, supply, logistics, and critical operations. They are also how risk gets transmitted. But the way many companies manage third parties was built for a simpler time.


Why the stakes have never been higher


In addition to the increasingly mission-critical role third parties play for business, three forces are reshaping what managing third-party relationships for this new world means.


  1. Emerging threats are amplifying volatility. AI failures, cyber attacks, technology concentration, geopolitical disruption, supplier concentration, fourth-party dependencies, and complex delivery models are creating new pathways for risk to reach the business. Cyber and AI failures now travel through suppliers and subcontractors faster than they can be detected. A single cloud or platform outage can ripple across thousands of organizations at once. Most companies have limited visibility past their direct counterparties — but failures at the fourth-party and “nth-levels” still reach the business.


  2. Regulation is also extending into external relationships. Privacy, labor rights, human rights, climate, environment, and responsible sourcing rules now require companies to govern, evidence, and respond across the value chain. CSRD, CSDDD, EUDR, UFLPA, supply chain acts, climate disclosure rules: each carries its own scope, its own deadlines, its own evidentiary expectations. The board-level question is the same: can the company show what it knew, what it asked, what it monitored, and what it did next?


  3. Customer demands are flowing upstream. Customers face their own pressures, and they pass them through the supply chain via due diligence, audits, cyber reviews, flow-down clauses, data requests, and sustainability requirements. Strong third-party management can support customer qualification, trust, and growth. Weak evidence can quietly slow deals, limit market access, or erode trust before anyone notices.


While these are evolving risk drivers and sources of complexity, they still transmit as familiar risks—strategic, operational, financial, compliance, reputational, governance—just driven through new vectors. Manageable, if we approach them differently.


Why the “way we’ve always done it” is no longer fit for purpose


Most companies are still managing third parties the way they did a decade ago. Decisions move sequentially: business need, then procurement sourcing, then legal contracting, then risk review, then monitoring. Each function does its part well. But value, reliance, risk, and ownership remain disconnected.

The result is a model designed to patch leaks, not repair the structure. Cyber risk gets a checklist. Regulatory compliance gets a checklist. Each siloed effort manages individual risks without ever asking the harder question: is this relationship designed to deliver the intended value at an acceptable level of risk?

It rarely is. In a world where third parties are increasingly central to how companies compete, deliver, and earn trust, that gap is no longer one we can absorb.


A different way to think about it


Strong third-party management focuses instead on making three strategic decisions:


● Why: Why is a third party the right way to deliver this value? Define what value means here: capability, customer experience, market access, resilience, regulatory support — not just cost. Test the full range of delivery options before committing. Define the type of reliance being created and the level of control required. Maintain reversibility: how easily can we exit, substitute, or pivot?


● Who: Which third party is the best given our business objectives? Build a real view of the market. Evaluate candidates on capability, viability, and partnership fit, plus broader quality and value measures including sustainability. Consider supplier segmentation and portfolio fit. Calibrate due diligence to the reliance and exposure being created. Make the selection against the value criteria—not against the lowest bid.


● How: How do we work with them over time to deliver what we expect? Translate the risk profile into contracts and commercial terms that incentivize delivery. Onboard for operational readiness and baseline performance. Manage performance, change, and exposure continuously, not just at the point of signing. Treat renewal or exit as a strategic decision, not a default.


These three decisions are anchored in strong governance: how strategy and oversight, ownership and collaboration, performance management, capabilities, and technology and systems align across the portfolio. The result is foresight, resilience, and the confidence to deliver, not just the absence of incidents.


Implications for organizations and leaders

A new approach to third-party management requires companies to work in new ways. A few core changes:


  1. Move the strategic questions (especially why) upstream. Most third-party decisions today are made by the time the contract reaches risk and legal. By then, the strategic choice has already been made — by default. Leaders need to reset the timing: bring the right expertise into the design conversation, not the gate review.


  2. Replace handoffs with shared accountability. Functions still own their lanes—segregation of duties, independent challenge, and auditability remain essential. But the model has to shift from sequential handoffs to integrated engagement. The same people, asking sharper questions earlier, staying engaged longer. Procurement is a strategic thought partner about the make-vs-buy decision in the first place. Business owners actively frame tradeoffs. Risk, sustainability, and legal are all contributors to a process and decision criteria that balance a critical mix of business needs.


  3. Make governance visible. Most leaders, boards, and stakeholders see third-party reporting that summarizes activity but rarely informs decisions. The new bar: portfolio-level visibility into concentration, fourth-party exposure, performance trends, and emerging risks surfaced in time to act on.


  4. Invest in the capability, not just the process. Skills, ways of working, technology, and data are the foundations. AI will play a role, but not alone. Without these foundations, even the right process produces inconsistent results. With them, a fit-for-purpose process becomes a source of competitive advantage.


The opportunity


Third-party management built for a different era will keep producing the outcomes of that era: siloed reviews, late-stage compliance, occasional incidents, and slow erosion of value. Built for the world we're actually in, it does something else: it lets companies anticipate change, absorb shocks, sustain trust, and turn external dependencies into a source of resilience and growth.


The question is not whether the world has changed. It has. The question is whether the way we manage it changes too.

 
 
 
