Third-party risk management: understanding the challenges of third-party assessment

Never have companies, local authorities and public administrations operated in an environment as complex as today’s. They must deal with a multitude of third parties, which are both drivers of performance and points of vulnerability. Each relationship opens a breach in the organisation’s defences, exposing it to risks that are difficult to measure but can have dramatic consequences.

Faced with major challenges, elected officials and executives can no longer be satisfied with a reactive approach. In service of the organisation, proactive third-party assessment makes it possible to anticipate, assess and control threats. Yet, nine years after the publication of the Sapin 2 law, companies, local authorities and public administrations are struggling to implement it.

What are the main challenges of third-party assessment? Understanding them is the first step towards treating third-party assessment as what it is: an essential process for protecting your organisation’s sustainability and growth.

Vector illustration of a female executive examining a partner network with a magnifying glass to illustrate third-party assessment challenges.

Third-party assessment in the face of the complexity of external risks

Every company, local authority or public administration maintains relationships with a multitude of third parties (suppliers, subcontractors, service providers, investors, customers, institutional partners, etc.). Each one exposes it to numerous and varied risks, the consequences of which can be severe for the organisation.

Third-party regulatory non-compliance: a major risk

Regulatory compliance does not concern internal practices alone. Obligations extend beyond the organisation’s boundaries. Failure by third parties to comply with laws and regulations can incur legal and financial liability for companies, local authorities and public administrations:

  • Anti-corruption: in France, the Sapin 2 law requires large companies and public institutions to implement anti-corruption prevention measures, including third-party assessment.
  • Personal data protection: the General Data Protection Regulation (GDPR) strictly governs the collection and management of personal data. Companies, local authorities and public administrations must ensure their third parties’ level of compliance. Their liability may be called into question in the event of a data leak or breach due to a partner’s negligence.
  • Duty of vigilance: since 2017, large companies must prevent serious risks relating to human rights, health, safety and the environment across their entire supply chain (subcontractors, suppliers).

Corruption: a legal and reputational risk

Corruption, money laundering, influence peddling, conflicts of interest: a partner involved in these illegal or unethical practices can expose the company, local authority or public administration to legal and reputational liability, even if the latter is not the source of the wrongdoing.

Between investigations and financial penalties, reputational damage, loss of public or private contracts, weakened governance and a challenge to the culture of integrity, the effects of a third-party ethical risk can be long-lasting and critical.

Dependence on third parties: an operational risk not to be overlooked

Excessive dependence on third parties can have disastrous consequences for business continuity. The risk scenarios are varied, numerous and often interconnected:

  • Supply chain disruption: a bankruptcy, labour dispute or logistical blockage at a supplier can interrupt the delivery of essential raw materials or equipment and bring production to a halt.
  • Loss of investor confidence: a partner’s failure or the discovery of accounting irregularities at a subcontractor can undermine confidence and the company’s market valuation.
  • Deterioration of the customer experience: late or defective delivery of a product by a supplier reduces customer satisfaction, with the risk of customers switching to competitors.
  • Public policy called into question: corruption or shortcomings by a public contract holder can affect the legitimacy of a policy and cast doubt on public-sector governance.

The environment: a reputational risk for the organisation

When calculating their carbon footprint, companies, local authorities and public administrations must take into account indirect greenhouse gas emissions associated with the entire value chain (scope 3).

Thus, a supplier that uses polluting processes or neglects energy efficiency can significantly affect an organisation’s carbon footprint.

Beyond the environmental challenge, a deterioration in the CSR balance sheet, in non-financial reporting under the CSRD (Corporate Sustainability Reporting Directive) and in environmental, social and governance (ESG) criteria has serious consequences for the organisation: damage to image, customer disillusionment, investor departures, talent drain, etc.

Cybersecurity: a risk amplified by third parties

In an era of widespread interconnection, cybersecurity is a critical issue for companies, local authorities and public administrations. Increasingly, cyberattacks come through external third parties (software vendors, maintenance services, IT subcontractors, etc.).

Hackers exploit weak links in the chain to reach the organisation. A partner with a fragile IT system exposes the organisation to the theft of sensitive data or to the encryption of its systems by ransomware, followed by a ransom demand.

The organisation may also be prosecuted for GDPR violations, which carries financial and legal risk.

Vector illustration of a concerned professional facing a cyberattack, symbolising the heightened cybersecurity risk linked to third parties.

Third-party assessment: a response to critical challenges for the organisation

Third-party assessment involves identifying, assessing and analysing the risks associated with partners. Classifying and prioritising threats makes it possible to build an appropriate and effective risk management plan.

The objective: reduce the frequency and severity of third-party risks for the company, local authority or public administration.

Vector illustration of a scale with euro coins and a downward arrow, symbolising the financial impact of third-party risks.
Protect financial balance

Properly assessing and managing third-party risks helps preserve economic stability, budgetary balance and growth for companies, local authorities and public administrations. The consequences of a poorly managed external risk can indeed be critical:

  • Loss of revenue, due to collapsing sales, customers and users moving to competitors, exclusion from public tenders, or the termination of contractual relationships.
  • Investor flight, as they are sensitive to regulatory compliance, operational resilience and ESG performance criteria.
  • Shareholder distrust, hindering access to financing and delaying structuring initiatives.
  • Financial penalties, such as administrative fines for GDPR non-compliance (up to €20M or 4% of global turnover).
  • Budget imbalance forcing reductions in operating and investment expenditure.
Vector illustration of a courthouse and a warning sign with a judge’s gavel, symbolising the legal risk linked to third parties.
Protect against legal risk

Third-party assessment protects companies, local authorities and public administrations from legal risks of prosecution and litigation related to a partner’s negligence.

For example, when one of its third parties is involved in corruption, forced labour or serious environmental harm, the organisation may be investigated for complicity or failure to meet its duty of vigilance.

A third party’s contractual failure (a supplier unable to deliver, a service provider that does not meet standards) can also generate lengthy and costly commercial disputes, accompanied by high financial costs (legal fees, damages, contractual penalties, etc.) and negative publicity for the company, local authority or public administration.

Vector illustration of a megaphone and a smartphone broadcasting an alert, symbolising the reputational impact of third-party risks.
Protect the organisation’s reputation

Long to build, reputation is quickly destroyed. In a hyperconnected world, every environmental or social harm, every ethical failing, is relayed within hours by the media and social networks. Even when committed by a third party, they hit the partner organisation’s image head-on.

Working with a third party involved in a scandal (forced labour, massive pollution, corruption, cyberattack, etc.) is enough to trigger a reputational domino effect, accompanied by distrust, loss of credibility or boycotts.

Implementing third-party assessment reduces these threats, whose repercussions leave irreversible and lasting scars, both internally and externally.

Vector illustration of employees with displayed values (integrity, trust, CSR), symbolising the impact of third parties on the employer brand.
Protect the employer brand

New generations of employees are increasingly attentive to the organisation’s values, whether a company, local authority or public administration.

By limiting third-party-related crises, third-party assessment protects the employer brand. Because, even without direct responsibility, the organisation suffers the human consequences of third-party risks. Employee disengagement, higher turnover and reduced attractiveness in the labour market compromise internal operations, growth, innovation and the organisation’s development.

Vector illustration of a cracked building threatened by falling dominoes, symbolising organisational survival in the face of third-party risks.
Protect the organisation’s survival

Too often perceived as operational or one-off, an incident involving a third party may seem manageable. But when combined, legal, financial, human and reputational consequences feed into one another and create a vicious circle. This cycle can lead to extreme situations such as bankruptcies, site closures or institutional crises.

In this context, third-party assessment is a strategic issue that affects sustainability, legitimacy, and even the organisation’s survival.


Long underestimated, third-party risks are proving critical. Beyond the financial, legal and reputational challenges, the sustainability and development of the company, local authority or public administration are at stake.

Faced with the growing number and diversity of threats, implementing a proactive approach to risk management and third-party assessment is no longer optional. It is a strategic imperative. Identifying the most sensitive third parties, verifying their robustness and compliance, and anticipating crisis scenarios means building a safety net for resilience and performance.

Discover our third-party assessment solution

Powered by the latest “no-code” and artificial intelligence technologies, the third-party assessment software developed by Values Associates protects your company, local authority or public administration against third-party risks.

Fully customisable, this third-party assessment platform simplifies, strengthens and accelerates the assessment of risks related to your third parties thanks to its intelligent features and its cutting-edge, adaptive technology.

Illustration Sapin 2 software - Corruption risk mapping module