
The 73% problem: Why third-party risk is now the defining test of compliance program maturity

The numbers from LRN's 2026 E&C Program Effectiveness Report do not invite nuance. Across a global sample of more than 2,500 ethics and compliance professionals, only 27% of organizations report expending meaningful effort on systematic, ongoing third-party risk monitoring. Among high-impact programs, that figure rises to 51%. Among medium-impact programs: 22%. Among low-impact: 15%.

That is not a capability gap. It is a structural fault line running through the majority of corporate compliance programs at precisely the moment regulators, enforcement agencies, and boards have decided that third-party accountability is non-negotiable.

Regulations are raising the stakes for third-party compliance

The enforcement trajectory is not speculative. The UK's Economic Crime and Corporate Transparency Act 2023 creates a corporate offense of failing to prevent fraud: a large organization is criminally liable when an "associated person," a category that covers employees, agents, and third parties performing services on its behalf, commits fraud intending to benefit it. The defense is the existence of "reasonable fraud prevention procedures," a standard that presupposes ongoing oversight rather than point-in-time screening. In the EU, the Corporate Sustainability Due Diligence Directive imposes mandatory, proportionate, risk-based human rights and environmental due diligence across a company's chain of activities. The US Department of Justice's updated Evaluation of Corporate Compliance Programs guidance states plainly that a program's effectiveness will be assessed in part by how well it monitors third parties with access to company assets, markets, or data.

This convergence matters because it eliminates the most common organizational rationalization: that third-party risk management belongs to procurement, legal, or audit rather than ethics and compliance. Regulators are not making that distinction. Neither are enforcement outcomes.

How leading compliance programs integrate third-party risk into governance

What separates high-impact programs from the rest is not the sophistication of their vendor questionnaires; it is whether third-party oversight is integrated into governance frameworks that operate continuously, generate actionable intelligence, and report upward at the board level alongside culture and conduct metrics. Supply chain compliance is included in training by only 24% of organizations overall, rising to 29% among high-impact programs. The gap between knowing a risk exists and systematically managing it across your extended enterprise remains, for most organizations, enormous.

The practical implication is a shift in program design philosophy. Third-party risk management built around periodic due diligence cycles creates a compliance posture that is perpetually looking backward. What high-impact programs are building is something different: continuous monitoring architectures that detect anomalies in real time, defined escalation pathways that connect vendor risk signals to executive and board attention, and culture frameworks that extend ethical expectations explicitly to commercial partners.

There is also a reputational dimension that compliance leaders are beginning to name more directly. Cyber incidents linked to supply chain vulnerabilities, integrity failures at supplier level that migrate into brand exposure, and ESG data inaccuracies originating with vendors have all demonstrated that the perimeter of organizational accountability has dissolved. The compliance program that cannot account for what its vendors do, say, or fail to prevent is not a well-run program with an external problem. It is a program with an incomplete design.

Why third-party risk is now a board-level concern

The boards that are beginning to understand this are asking a different set of questions. Not "do we screen our vendors" but "show me how third-party risk indicators have changed over the last two quarters, and what we did about it." Answering that question requires more than good intentions and a well-maintained vendor list. It requires the ability to surface risk trends in a format that boards can interrogate, benchmark against peer programs, and act on. That is the capability gap most programs have not yet closed, and it is exactly where tools like LRN's Catalyst Reveal are doing substantive work: translating third-party monitoring data into board-ready dashboards and benchmarks that ground the conversation between compliance leaders and directors in measured trends rather than qualitative assurance.

The 2026 data shows that board-level reporting on third-party risk remains underdeveloped even in high-impact programs. That is the next capability frontier.

What effective third-party risk management requires in 2026

For compliance leaders preparing their programs for the regulatory environment that is already in place, not the one they are anticipating, three things matter. First, the program's theory of third-party risk needs to be rebuilt around ongoing oversight rather than onboarding. Second, the data generated by third-party monitoring needs to be integrated with internal culture and conduct data so that boards can see patterns across the full risk landscape. Third, and most importantly, the standard of "reasonable prevention procedures" is not self-certifying. It requires documented evidence that oversight is functioning, proportionate, and responsive.

That third requirement is where programs most frequently discover they are exposed. Periodic reviews leave gaps in the historical record. Decisions made between formal audit cycles often go undocumented. When regulators or enforcement agencies ask for evidence of what a program did, and when, and why, the answer needs to be retrievable and structured, not reconstructed from email chains and meeting notes. Platforms like LRN's Catalyst Disclosures exist precisely for this reason: to produce audit-ready, time-stamped evidence that oversight was functioning as claimed, at the moments that mattered.

The 73% of organizations not yet operating at meaningful third-party monitoring intensity are not necessarily negligent. Many are constrained by resource allocation, analytic capability, or organizational structures that distribute accountability across functions in ways that diffuse it. But constrained is not the same as defensible. And in a regulatory environment where the burden of proof is shifting toward organizations to demonstrate what they did, not merely what they intended, the distance between current practice and expected standard is closing faster than most program budgets are being updated to reflect.

Third-party risk is no longer a gap to be managed. It is a test of whether compliance programs are built for the world as it currently operates.
