In April 2025, Marks & Spencer suffered a devastating ransomware breach through a third-party provider, forcing its online store offline for weeks and shaving an estimated £300 million from annual profits. This is stark proof that risks often come via the weakest link in the chain. Global firms no longer stand alone, and third-party partners now shape not just operations, but reputations. This article is a tour of the new strategic, cultural and technological battleground where supply-chain risk occupies prime boardroom turf.
Third-Party Risk Is Now a Boardroom Priority
Supply-chain and third-party risk have definitively graduated from legal checklists to boardroom headlines. The EU’s Corporate Sustainability Due Diligence Directive (CSDDD) entered into force on 25 July 2024 and must be transposed into national law by Member States by 26 July 2026, compelling large firms to identify, address and remediate human-rights and environmental harms across their value chains, under threat of legal action and fines.
In the UK, growing dissatisfaction with the Modern Slavery Act 2015 is pushing towards mandatory due diligence and stronger enforcement. Parliament’s Joint Committee has backed updated laws, including an import ban on goods linked to forced labour. Against a backdrop of heightened investor and NGO scrutiny, boards can no longer relegate compliance to back-office teams. Strategic failures now translate into material consequences which include lawsuits, sanctions and public backlash. Compliance has shifted from being a perfunctory tick-box exercise to forming the very culture and strategy that preserves reputation and secures licence to operate in an increasingly unforgiving landscape.
From Blind Spots to Bright Lines: Building Transparency Across the Supply Chain
Many firms believe they have supply chain transparency once they know their Tier-1 or Tier-2 suppliers. However, risks often lurk deep in Tiers 3-5, where raw materials are extracted, processed or harvested. For example, a manufacturer of furniture might know its immediate veneer supplier (Tier-1), but not the logging operations (Tier-4) feeding its timber. Without visibility beyond the direct suppliers, organisations miss deforestation, labour abuses or other compliance breaches that can severely damage reputation and incur regulatory penalties.
To shift from blind spots to bright lines, forward-thinking businesses are introducing new technologies:
- AI-powered supplier mapping and blockchain: Platforms that map every link in the chain and record every transaction immutably help firms verify exactly where components originate.
- Satellite monitoring and geospatial analytics: BMW, for example, in partnership with Satelligence and Sourcemap, uses satellite data to trace raw material origin and monitor environmental and social standards deep in its supply network. Olam implemented satellite-based systems across over 600,000 cocoa farms to monitor deforestation in near-real time.
- Detection tools: Tools such as Starling (from Airbus), which detect changes in forest cover and link them to supply sources, enable companies to respond quickly when deforestation risks emerge.
The EU Deforestation Regulation (EUDR) (Regulation (EU) 2023/1115) mandates that importers of commodities like coffee, palm oil, timber, rubber, soy, cattle and derived products prove that no deforestation, whether legal or illegal, has occurred in their supply chain, including at indirect suppliers. Regulators are no longer satisfied with vague claims and now expect firms to prove they know their full chain, down to where raw materials are grown, harvested or otherwise produced.
Practical transparency, backed by cutting-edge mapping, remote sensing and verifiable records, turns vague compliance into defined, enforceable “bright lines.” In doing so, businesses reduce risk, satisfy legal obligations and build trust with consumers and regulators alike.
Continuous Monitoring as the New Compliance Standard
Once-a-year checks are fast becoming antiquated. Suppliers shift subcontractors, regulations tighten, and new risks emerge so swiftly that a single onboarding audit no longer suffices. It’s rather like a business moving from an annual health check-up to wearing a real-time fitness tracker. Businesses need constant feedback, not old snapshots.
Innovations are driving this shift. Platforms such as IntegrityNext offer continuous monitoring of suppliers, pulling in data on sanctions, ESG violations, cyber threat intelligence and adverse media in real time. In parallel, everstream.ai uses machine learning to flag anomalies, such as shipment delays, financial instability or unusual labour practices, well before they become crises. Third-party risk platforms like GAN Integrity provide ongoing scanning of vendor intelligence, adjusting risk scores dynamically as new information (e.g. regulatory, ethical or environmental) becomes available.
Regulators in the UK and EU now expect “dynamic due diligence”, not simply a once-a-year file review. Laws like the CSDDD demand that businesses can demonstrate continual awareness of, and response to, risks throughout their supply chains. Firms should therefore embed continuous monitoring tools to stay compliant, resilient and ahead of scrutiny.
The Ethical Supply Chain
What was once seen as tedious red tape is fast becoming a badge of trust, one that separates market leaders from the rest. Businesses are increasingly realising that ethical supply chains aren’t just legal obligations but can be powerful differentiators.
In the UK, retailers are advertising “slavery-free” lines and pushing zero-tolerance policies toward forced labour. A striking example is Primark, which published full factory lists to demonstrate its supply chain transparency and show it has “nothing to hide” regarding forced labour risks. Meanwhile, chocolate brand Tony’s Chocolonely markets itself as “100% slave free” and has leveraged that claim to gain shelf space in Waitrose, Sainsbury’s and Whole Foods, turning its ethical mission into commercial traction.
On the EU side, many firms win public contracting tender bids thanks to strong ESG credentials. Investor pressure aligns here: sustainable funds now screen companies heavily for their supply chain risk management, which means that those who neglect ethics risk being excluded. Gen Z and younger consumers especially expect full transparency, and any sign of opacity erodes loyalty.
The shift is clear: compliance is no longer a burden, but a chance to differentiate, to build brand strength, and to win business and investment by wearing ethics like a shiny new badge.
Guarding the Gateways
Third parties pose a dual threat. They can act as gateways for cyber-attackers, or as intermediaries through which corruption enters the business. Recent data shows just how serious the cyber side has become: in the UK, 51% of organisations reported a breach in the past year involving third-party access to their networks. Meanwhile, corruption via intermediaries remains a major enforcement area. For example, the UK insurance broker United Insurance Brokers Limited (UIBL) was charged by the Serious Fraud Office for failing to prevent bribery involving overseas associates and intermediaries in Ecuador.
Regulatory frameworks are also tightening. The EU’s NIS2 Directive (2024) imposes stronger obligations on supply-chain cyber resilience, including that essential and important entities assess risks emanating from third-party ICT service providers.
To guard the gateways in practice:
- Deploy collaborative cyber-risk scoring platforms (e.g. SecurityScorecard, BitSight, Panorays) which continuously monitor and score suppliers’ security posture, expose weak links and allow you to act pre-emptively.
- Extend your whistleblowing systems beyond internal staff to include supplier workforces and encourage anonymous reporting of suspicious demands, payments or corrupt practices within the broader chain.
- Build clear contractual clauses that require third parties and intermediaries to maintain minimum cyber and anti-corruption standards, conduct regular audits and notify you immediately of breaches or suspicious activities.
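As an added illustration, not code from this article or from any of the platforms it names, the following Python sketch shows what the “dynamic risk score” of the continuous-monitoring section and the supplier posture scoring above look like in practice: each new signal from a feed (sanctions listing, breach notification, financial distress, adverse media, shipment delay) carries a weight that decays with age, except for a standing sanctions listing, and the resulting score drives the follow-up actions, including re-running a stale point-in-time assessment and invoking the contractual incident-reporting clause. The signal kinds, weights, half-lives, review intervals, action names and the three sample suppliers are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Per signal kind: (score weight, half-life in days). Both are assumptions
# chosen for illustration. A half-life of None means the signal never decays:
# a standing sanctions listing is as serious today as the day it appeared.
SIGNALS = {
    "sanctions_listing": (70.0, None),
    "breach_notification": (45.0, 180.0),
    "financial_distress": (25.0, 120.0),
    "adverse_media": (15.0, 90.0),
    "shipment_delay": (5.0, 30.0),
}

# Maximum age of the last point-in-time assessment by supplier criticality
# (assumed policy values); beyond this the annual snapshot counts as stale.
REVIEW_INTERVAL_DAYS = {"critical": 90, "standard": 365}


@dataclass
class Signal:
    kind: str                # key of SIGNALS
    observed: datetime       # when the monitoring feed reported it
    confidence: float = 1.0  # 0..1, reliability of the reporting source

@dataclass
class Supplier:
    name: str
    criticality: str         # "critical" or "standard"
    last_assessment: datetime
    signals: list[Signal] = field(default_factory=list)

def decayed_weight(signal: Signal, now: datetime) -> float:
    """Contribution of one signal at `now`, halving every half-life."""
    if signal.kind not in SIGNALS:
        raise ValueError(f"unknown signal kind: {signal.kind}")
    weight, half_life = SIGNALS[signal.kind]
    age_days = max((now - signal.observed).total_seconds() / 86400.0, 0.0)
    decay = 1.0 if half_life is None else 0.5 ** (age_days / half_life)
    return weight * signal.confidence * decay

def risk_score(supplier: Supplier, now: datetime) -> float:
    """Sum of decayed signal weights, capped at 100."""
    return min(100.0, sum(decayed_weight(s, now) for s in supplier.signals))

def risk_tier(score: float) -> str:
    return "high" if score >= 60.0 else "medium" if score >= 25.0 else "low"

def assessment_is_stale(supplier: Supplier, now: datetime) -> bool:
    limit = timedelta(days=REVIEW_INTERVAL_DAYS[supplier.criticality])
    return now - supplier.last_assessment > limit

def evaluate(supplier: Supplier, now: datetime) -> dict:
    """Score one supplier and list the follow-up actions the programme owes."""
    score = risk_score(supplier, now)
    tier = risk_tier(score)
    actions = []
    if assessment_is_stale(supplier, now):
        actions.append("rerun_point_in_time_assessment")
    if tier == "high":
        actions.append("escalate_to_risk_committee")
    if any(s.kind == "sanctions_listing" for s in supplier.signals):
        actions.append("suspend_new_orders_pending_legal_review")
    if any(s.kind == "breach_notification" and now - s.observed <= timedelta(days=30)
           for s in supplier.signals):
        actions.append("invoke_contractual_incident_reporting_clause")
    return {"supplier": supplier.name, "score": round(score, 2),
            "tier": tier, "actions": actions}

# Constructed sample feed: three fictitious suppliers as seen on 1 June 2025.
NOW = datetime(2025, 6, 1)
SAMPLE_SUPPLIERS = [
    Supplier("Acme Veneer Ltd", "standard", datetime(2024, 3, 1), [
        Signal("adverse_media", datetime(2025, 3, 3)),    # exactly 90 days old
        Signal("shipment_delay", datetime(2025, 5, 2)),   # exactly 30 days old
    ]),
    Supplier("Nordic Freight AB", "critical", datetime(2025, 4, 15), [
        Signal("breach_notification", datetime(2025, 6, 1)),
        Signal("financial_distress", datetime(2025, 6, 1), confidence=0.8),
    ]),
    Supplier("Rio Cocoa SA", "standard", datetime(2025, 5, 1), [
        Signal("sanctions_listing", datetime(2023, 1, 1)),  # old, but undecayed
    ]),
]

def run_monitoring(suppliers=SAMPLE_SUPPLIERS, now=NOW) -> list[dict]:
    """Evaluate every supplier, highest score first, as a monitoring run would."""
    return sorted((evaluate(s, now) for s in suppliers),
                  key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for result in run_monitoring():
        print(result)
```

Running the sketch shows the two behaviours the article argues for: the two-year-old sanctions listing still outranks a fresh breach notification because it never decays, while the furniture supplier whose only signals are three-month-old press coverage and a late shipment scores low but is still flagged, because its last assessment is older than the review interval, which is exactly the stale snapshot that an annual audit would miss.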
In sum, what was once a reactive “after-the-fact” process must become proactive, continuous, and built into every gate in your third-party ecosystem.
From Compliance Burden to Strategic Advantage
Third-party risk is no longer optional; it defines whether companies thrive or fail. Businesses that merely treat supply chain compliance as a legal chore risk falling behind. Those embracing AI, transparency technology, and adapting to evolving EU/UK regulation will lead in the next five years.
Leaders who adopt compliance as a competitive differentiator will win trust, attract investors and build resilience. Supply chain compliance is not about paperwork, but about building a responsible, cyber-secure and future-proof business.
And what about you…?
- What tools or practices do you currently use to monitor third-party risks and how continuous or “real-time” are they?
- If you could make one change in the next 12 months to improve supply chain transparency and resilience, what would it be?