The 73% problem: Why third-party risk is now the defining test of compliance programme maturity

The numbers from LRN's 2026 E&C Program Effectiveness Report do not invite nuance. Across a global sample of more than 2,500 ethics and compliance professionals, only 27% of organisations report expending meaningful effort on systematic, ongoing third-party risk monitoring. Among high-impact programmes, that figure rises to 51%. Among medium-impact programmes: 22%. Among low-impact: 15%.

That is not a capability gap. It is a structural fault line running through the majority of corporate compliance programmes at precisely the moment regulators, enforcement agencies, and boards have decided that third-party accountability is non-negotiable.

Regulations are raising the stakes for third-party compliance

The enforcement trajectory is not speculative. The UK's Economic Crime and Corporate Transparency Act creates a criminal liability standard for organisations that fail to prevent fraud, including fraud committed by or facilitated through third parties. The defence is the existence of "reasonable prevention procedures," a standard that assumes ongoing oversight, not point-in-time screening. In the EU, mandatory human rights and environmental due diligence obligations under the Corporate Sustainability Due Diligence Directive impose proportionate, risk-based oversight across value chains. The US Department of Justice has stated plainly in updated guidance that a compliance programme's effectiveness will be assessed in part by how well it monitors third parties with access to company assets, markets, or data.

This convergence matters because it eliminates the most common organisational rationalisation: that third-party risk management belongs to procurement, legal, or audit rather than ethics and compliance. Regulators are not making that distinction. Neither are enforcement outcomes.

How leading compliance programmes integrate third-party risk into governance

What separates high-impact programmes from the rest is not the sophistication of their vendor questionnaires; it is whether third-party oversight is integrated into governance frameworks that operate continuously, generate actionable intelligence, and report upward at the board level alongside culture and conduct metrics. Supply chain compliance is included in training by only 24% of organisations overall, rising to 29% among high-impact programmes. The gap between knowing a risk exists and systematically managing it across your extended enterprise remains, for most organisations, enormous.

The practical implication is a shift in programme design philosophy. Third-party risk management built around periodic due diligence cycles creates a compliance posture that is perpetually looking backward. What high-impact programmes are building is something different: continuous monitoring architectures that detect anomalies in real time, defined escalation pathways that connect vendor risk signals to executive and board attention, and culture frameworks that extend ethical expectations explicitly to commercial partners.

There is also a reputational dimension that compliance leaders are beginning to name more directly. Cyber incidents linked to supply chain vulnerabilities, integrity failures at supplier level that migrate into brand exposure, and ESG data inaccuracies originating with vendors have all demonstrated that the perimeter of organisational accountability has dissolved. The compliance programme that cannot account for what its vendors do, say, or fail to prevent is not a well-run programme with an external problem. It is a programme with an incomplete design.

Why third-party risk is now a board-level concern

The boards that are beginning to understand this are asking a different set of questions. Not "do we screen our vendors" but "can you show me how third-party risk indicators have changed in the last two quarters, and what we did about it." Answering that question requires more than good intentions and a well-maintained vendor list. It requires the ability to surface risk trends in a format that boards can interrogate, benchmark against peer programmes, and act on. That is the capability gap that most programmes have not yet closed, and it is exactly where tools like LRN's Catalyst Reveal are doing substantive work: translating third-party monitoring data into board-ready dashboards and benchmarks that make the conversation between compliance leaders and directors a factual one rather than a qualitative one.

The 2026 data shows that board-level reporting on third-party risk remains underdeveloped even in high-impact programmes. That is the next capability frontier.

What effective third-party risk management requires in 2026

For compliance leaders preparing their programmes for the regulatory environment that is already in place, not the one they are anticipating, three things matter. First, the programme's theory of third-party risk needs to be rebuilt around ongoing oversight rather than onboarding. Second, the data generated by third-party monitoring needs to be integrated with internal culture and conduct data so that boards can see patterns across the full risk landscape. Third, and most importantly, the standard of "reasonable prevention procedures" is not self-certifying. It requires documented evidence that oversight is functioning, proportionate, and responsive.

That third requirement is where programmes most frequently discover they are exposed. Periodic reviews leave gaps in the historical record. Decisions made between formal audit cycles often go undocumented. When regulators or enforcement agencies ask for evidence of what a programme did, and when, and why, the answer needs to be retrievable and structured, not reconstructed from email chains and meeting notes. Platforms like LRN's Catalyst Disclosures exist precisely for this reason: to produce audit-ready, time-stamped evidence that oversight was functioning as claimed, at the moments that mattered.

The 73% of organisations not yet operating at meaningful third-party monitoring intensity are not necessarily negligent. Many are constrained by resource allocation, analytic capability, or organisational structures that distribute accountability across functions in ways that diffuse it. But constrained is not the same as defensible. And in a regulatory environment where the burden of proof is shifting toward organisations to demonstrate what they did, not merely what they intended, the distance between current practice and expected standard is closing faster than most programme budgets are being updated to reflect.

Third-party risk is no longer a gap to be managed. It is a test of whether compliance programmes are built for the world as it currently operates.