
Third-party risk: the exposure most KSA boards still under-price.

15 Jan 2026·4 min read·Dr. Ahmed Alfarooque

A board can run a tight control environment internally and still be exposed through the companies it does business with. Agents, distributors, suppliers, and joint-venture partners act in your name and on your behalf, and regulators increasingly hold organisations accountable for what those third parties do. It is the exposure most boards still price too low.

Why it is under-priced

Third-party risk sits between functions. Procurement owns the contract, compliance owns the policy, the business owns the relationship — and no one owns the risk. So it is assessed once, at onboarding, and rarely revisited, even as the relationship deepens and the exposure grows.

What good looks like

  • Risk-based diligence. The depth of review scales with the exposure — a critical agent in a sensitive market is not screened like a stationery supplier.
  • Live, not one-off. High-risk relationships are monitored over their life, not cleared once and forgotten.
  • Contractual teeth. Audit rights, compliance obligations, and termination triggers that you can actually use.
  • One owner. Someone accountable for the portfolio of third-party risk, with a line to the board.

The board's question

The question to ask is simple: if a key third party acted improperly tomorrow, would we know, and could we show we had taken reasonable steps? For most organisations the honest answer is no — and closing that gap is far cheaper than the enforcement action that exposes it.
