Executive Summary

The global risk environment has fundamentally changed. What were once intermittent shocks — a pandemic, a geopolitical flashpoint, a regulatory overhaul — have collapsed into a continuous state of disruption that Ethixbase360 calls perma-crisis. Wars in Europe and the Middle East, inflationary pressures, climate-driven supply chain fractures, rising authoritarianism, and the erosion of post-Cold War institutional norms now form the permanent background against which every third-party risk decision must be made. Compliance programmes designed for a more stable world are no longer fit for purpose.

The implications for third-party risk management are immediate and structural. In this environment, every supplier, contractor, and intermediary represents potential exposure — not just to financial or operational disruption, but to geopolitical volatility, human rights violations, and rapid regulatory shifts. The pressure to act quickly is intensifying at precisely the moment when the complexity of each decision has increased.

Regulatory divergence is compounding the challenge. In the United States, the Department of Justice has taken a more restrained approach to Foreign Corrupt Practices Act enforcement, closing or declining nearly half of active investigations in 2025. Yet in parallel, the European Union’s Corporate Sustainability Due Diligence Directive, alongside modern slavery legislation in the UK, Australia, and Canada, is expanding mandatory obligations across supply chains with significant force. Companies operating across jurisdictions must now navigate a world where compliance expectations simultaneously contract in some regions and expand in others.

Ethixbase360 argues that in the absence of stable regulatory certainty, ethical leadership must fill the gap. Organisations that ground their third-party risk programmes in core values — rather than defaulting to the lowest regulatory denominator — are better positioned to act decisively, maintain stakeholder trust, and withstand volatility. Companies with mature risk and compliance frameworks are outperforming peers by up to 20% in total shareholder return over five years. Agility without ethics is reckless; ethics without systems is fragile. What the new normal demands is both.

Third-Party Risk in the Era of Perma-Crisis: Navigating the New Normal
Key statistics & data points

Nearly half of active U.S. Foreign Corrupt Practices Act (FCPA) investigations were closed or declined in 2025, according to the U.S. Department of Justice, signalling a significant narrowing of prosecutorial focus on anti-bribery enforcement.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025; citing Wall Street Journal, March 2025

Companies with mature risk and compliance frameworks are outperforming their peers by up to 20% in total shareholder return over a five-year period, demonstrating that ethical governance creates measurable financial advantage.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025; citing McKinsey, The State of Organizations 2023

Over 90% of Gen Z and millennial workers say that purpose at work matters, and the majority would decline jobs from, or stop purchasing from, companies they regard as unethical, according to Deloitte’s 2025 global survey of Gen Z and millennial employees.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025; citing Deloitte, 2025 Gen Z & Millennial Survey

The EU Corporate Sustainability Due Diligence Directive (CSDDD), alongside modern slavery legislation across the UK, Australia, and Canada, is creating a new generation of mandatory third-party risk obligations in 2025, extending documented due diligence requirements across global supply chains for the first time.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025

Regulatory risk is diverging sharply across jurisdictions: while U.S. anti-bribery enforcement is contracting, ESG and human rights due diligence obligations are expanding across EU-regulated entities in 2025, creating materially different compliance exposures for multinationals operating across both zones.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025

Expert Quotes and Insights

"In a time of shifting geopolitical forces, when rules no longer hold, it's values, not playbooks, that guide risk-savvy businesses."

"Agility without ethics is reckless; ethics without systems is fragile. What's needed is both."

"We can afford to lose money, even a lot of money. But we can't afford to lose reputation, not even a shred." Warren E. Buffett (cited in whitepaper), Memo to Berkshire Hathaway Managers, 2010.

"The companies that thrive won't be those waiting for stability. They'll be the ones that lead with ethics, embed robust governance, plan for volatility, and treat compliance as a strategic asset."

Chapter Breakdown

Chapter 1: Welcome to the Era of Perma-Crisis (p. 3)

A perma-crisis is defined as a prolonged state of overlapping disruptions (pandemic, geopolitical conflict, climate events, inflation shocks, and regulatory acceleration) that leaves organisations with no stable baseline from which to plan. This chapter establishes the operating environment that makes traditional third-party risk frameworks insufficient.

Chapter 2: Third-Party Risk Intensifies in a Volatile World (p. 4)

With sanctions shifting, trade policies changing rapidly, and every supplier relationship carrying potential exposure to geopolitical volatility or human rights risk, this chapter examines why the pressure to act quickly is intensifying. It highlights the divergence between contracting U.S. FCPA enforcement, where nearly half of active investigations were closed in 2025, and expanding EU and UK due diligence obligations under the CSDDD and modern slavery legislation.

Chapter 3: Why Values Matter in a Time of Chaos (p. 5)

This chapter makes the business case for ethical leadership as a risk management tool. Companies with mature compliance frameworks outperform peers by up to 20% in total shareholder return over five years. Proactive third-party risk programmes, such as those implemented by multinational corporations including Unilever and Microsoft, have demonstrated reduced disruption during geopolitical crises and stronger brand trust among stakeholders.

Chapter 4: The Rise of the Resilient Compliance Culture (pp. 6–9)

Ethixbase360 presents five principles for building a third-party risk programme fit for the new normal. (1) Check Your Basics: ensure fundamentals are functioning, with clear ownership across the third-party lifecycle. (2) Build for Agility and Flexibility: use modular, technology-enabled processes that absorb jurisdictional change in real time. (3) Enable Integration and Coordination: consolidate risk domains on a unified platform to prevent siloed decision-making. (4) Extend Your Ethical Culture Beyond the Enterprise: treat third parties as long-term partners in integrity, not transactional vendors. (5) Treat Compliance as a Strategic Asset: use compliance intelligence to inform procurement, market entry, and investment decisions.

Chapter 5: The New Normal (p. 10)

The desire to return to a pre-crisis baseline is understandable but counterproductive. Organisations that accept volatility as permanent, and design their governance accordingly, are positioned to adapt, maintain continuity, and outperform those still waiting for stability.

Definitions and Entities

Perma-Crisis

A prolonged and continuous state of overlapping geopolitical, economic, environmental, and regulatory disruptions that prevents organisations from returning to a stable planning baseline. The term describes the operating environment faced by global businesses from 2020 onwards, characterised by persistent uncertainty rather than episodic shocks.

TPRM (Third-Party Risk Management)

The structured discipline of identifying, assessing, monitoring, and mitigating risks introduced by external suppliers, contractors, vendors, and intermediaries who have access to an organisation’s systems, data, operations, or supply chain. Effective TPRM programmes address risk across multiple domains simultaneously, including cyber, financial, ESG, reputational, and regulatory exposure.

CSDDD (Corporate Sustainability Due Diligence Directive)

EU Directive adopted in 2024 requiring large companies operating in the European Union to conduct mandatory due diligence on environmental harm, forced labour, and human rights violations across their value chains, including suppliers and business partners. Non-compliance carries the risk of enforcement actions, civil liability, and reputational damage.

FCPA (Foreign Corrupt Practices Act)

A United States federal law prohibiting companies and their agents from bribing foreign government officials to obtain or retain business. In 2025, the U.S. Department of Justice adopted a more restrained enforcement stance, closing or declining nearly half of active FCPA investigations, creating regulatory divergence from EU and UK anti-corruption obligations.

ESG Due Diligence

The process of assessing environmental, social, and governance risks posed by third parties across a supply chain. Under regulations such as the CSDDD and national modern slavery legislation in the UK, Australia, and Canada, ESG due diligence is no longer voluntary; it is a documented, mandatory obligation for companies operating above defined revenue thresholds.

Resilient Compliance Culture

An organisational approach in which compliance is treated not as a regulatory obligation to be minimised but as a values-driven strategic asset. Organisations with resilient compliance cultures embed ethical governance at all levels, extend their standards proactively to third parties, and use compliance intelligence to support long-term business decision-making.

Modern Slavery Legislation

A body of national laws, including the UK Modern Slavery Act 2015, Australia’s Modern Slavery Act 2018, and Canada’s Fighting Against Forced Labour and Child Labour in Supply Chains Act, requiring organisations above defined thresholds to report on and take steps to eliminate forced labour and child labour from their operations and supply chains.

Vendor Scorecard

A structured risk-rating framework that aggregates data from questionnaires, adverse media screening, sanctions checks, and continuous monitoring signals into a single composite risk score for each third party. Vendor scorecards enable consistent, comparable risk assessment across large supplier populations.

Frequently Asked Questions

What is perma-crisis and how does it affect third-party risk management?

Perma-crisis refers to a prolonged state of overlapping disruptions (geopolitical conflict, inflationary shocks, climate events, and accelerating regulatory change) that leaves organisations with no stable baseline from which to assess and manage risk. For third-party risk managers, perma-crisis means that every supplier relationship carries a heightened and shifting exposure to geopolitical volatility, human rights violations, and regulatory change simultaneously. Programmes designed for periodic, isolated crises are no longer adequate in an environment where disruption is continuous.

In 2025, third-party risk programmes face sharply diverging regulatory expectations across jurisdictions. In the United States, the Department of Justice has adopted a more restrained approach to Foreign Corrupt Practices Act enforcement, closing or declining nearly half of active investigations. In parallel, the EU Corporate Sustainability Due Diligence Directive and modern slavery legislation in the UK, Australia, and Canada are expanding mandatory due diligence obligations across supply chains. Companies operating across both zones must manage materially different compliance exposures simultaneously, making a values-led approach, rather than compliance with the lowest common regulatory denominator, essential.

Treating compliance as a strategic asset means using the intelligence gathered through third-party risk monitoring, regulatory tracking, and due diligence processes as an active input to business decision-making, not just as a risk mitigation function. According to Ethixbase360’s 2025 whitepaper, compliance data can identify emerging geopolitical risks, supply chain vulnerabilities, and market-entry considerations before they become crises. Companies with mature compliance frameworks are outperforming peers by up to 20% in total shareholder return over five years, demonstrating that ethical governance creates measurable financial value.

Ethixbase360 identifies five principles for resilient third-party risk management in the era of perma-crisis. First, check your basics: ensure risk assessment frameworks are current, ownership across the third-party lifecycle is clear, and red flags are being escalated consistently. Second, build for agility and flexibility: use modular, technology-enabled processes that absorb jurisdictional changes and real-time risk data. Third, enable integration and coordination: consolidate risk domains on a unified platform to give compliance, procurement, and legal teams shared visibility. Fourth, extend your ethical culture beyond the enterprise: communicate standards clearly to third parties and treat them as long-term partners in integrity. Fifth, treat compliance as a strategic asset: integrate compliance intelligence into procurement, market entry, and investment decisions.

When regulatory expectations contract in some regions, as has occurred with FCPA enforcement in the United States in 2025, organisations that rely solely on compliance rules face a vacuum. Ethical leadership provides a decision-making framework that operates independently of regulatory minimums, enabling third-party risk managers to act decisively and consistently even when the rules are unclear or absent. Ethixbase360 argues that organisations that default to the lowest regulatory denominator expose themselves to reputational damage, enforcement risk in stricter jurisdictions, and loss of trust among stakeholders, particularly among younger generations of workers and consumers.

The EU Corporate Sustainability Due Diligence Directive requires large companies operating in the European Union to implement documented due diligence processes that identify and address environmental harm, forced labour, and human rights violations across their value chains, including those introduced by direct suppliers and business partners. The Directive moves ESG due diligence from a voluntary practice to a mandatory obligation, with non-compliance carrying the risk of regulatory enforcement, civil liability, and reputational damage. Companies subject to the CSDDD must maintain audit-ready records of their third-party assessments.

In a perma-crisis environment where sanctions lists, trade policies, and regulatory requirements change rapidly, technology is essential to maintaining an accurate and current view of third-party risk. Ethixbase360 recommends platforms that consolidate sanctions screening, politically exposed persons (PEP) checks, adverse media monitoring, and ultimate beneficial ownership (UBO) data into unified dashboards; deliver automated watchlist monitoring tied to real-time trade policy updates; flag profile anomalies such as suspicious pricing structures or payment terms; and enable cross-functional collaboration across compliance, procurement, and legal teams through integrated case management.

A compliance culture that exists only within an organisation’s internal operations provides incomplete protection. Ethixbase360’s framework argues that ethical standards must extend across the entire supply chain, with third parties treated as long-term partners in integrity rather than transactional vendors. This requires clear communication of ethical expectations at the outset of any relationship, internal accountability structures in which relationship owners understand their oversight responsibilities, and the willingness to remediate or disengage from third parties who fail to meet those standards. When ethical culture is embedded into third-party engagement, organisations reduce the risk of misconduct, accelerate onboarding, and build long-term resilience.

Stakeholder expectations have become a material driver of third-party risk exposure. According to the Deloitte 2025 Gen Z and Millennial Survey, more than 90% of younger workers say that purpose at work matters, and most would decline employment from, or stop purchasing from, organisations they consider unethical. This creates a direct reputational and commercial risk from associations with third parties that engage in labour violations, environmental harm, or corrupt practices. Ethixbase360 identifies this stakeholder dynamic as a structural reason to maintain high ethical standards in supplier relationships, independent of regulatory requirements.

The business case for proactive third-party risk management rests on both upside performance and downside protection. Companies with mature risk and compliance frameworks outperform peers by up to 20% in total shareholder return over five years, as reported by McKinsey’s State of Organizations 2023. Proactive programmes have been demonstrated by multinational corporations, including Unilever and Microsoft, to reduce supply chain disruption during geopolitical crises and build brand trust. In volatile markets, organisations with embedded, values-driven governance are better positioned to adapt quickly and maintain continuity under pressure.

Key Takeaways and Actions

Accept that volatility is permanent, not temporary

Waiting for regulatory or geopolitical stability before updating your third-party risk programme is a losing strategy. Design compliance functions that operate effectively under conditions of persistent uncertainty, not as exceptions to it.

Audit your fundamentals before adding complexity

Review whether risk assessment frameworks are current, whether ownership across the third-party lifecycle is clearly assigned, and whether red flags are being escalated and documented consistently. A programme that is complete, coordinated, and consistently applied outperforms one that is technically sophisticated but inconsistently executed.

Build modular processes that absorb jurisdictional change

Trade policies, sanctions lists, and regulatory thresholds change faster than annual review cycles. Invest in technology that integrates real-time sanctions, adverse media, and UBO data, and that can reflect regulatory changes automatically rather than requiring manual programme updates.

Consolidate risk domains onto a single platform

Cyber risk, ESG exposure, financial crime, and sanctions violations are no longer isolated; they increasingly overlap. A centralised platform that provides shared visibility across compliance, procurement, and legal teams reduces siloed decision-making and enables faster, more confident responses to emerging risks.

Extend your ethical standards explicitly to third parties

Communicate ethical expectations to suppliers and contractors clearly and from the outset of any relationship. Relationship owners should have defined oversight responsibilities and the authority to remediate or exit relationships that do not meet those standards.

Use compliance intelligence as a business input, not just a risk output

Data gathered through monitoring, due diligence, and regulatory tracking can inform procurement decisions, identify market-entry risks, and support investment strategy. Companies that integrate compliance intelligence into business planning move from reactive risk management to proactive, opportunity-focused leadership.

Do not default to the lowest regulatory denominator

Where enforcement has contracted, as with U.S. FCPA enforcement in 2025, the temptation is to reduce programme intensity. Resist this. Regulatory conditions change. Reputational exposure does not reset when enforcement resumes. Maintain ethical standards as the constant.

Treat cyber due diligence as a compliance function, not an IT function

Recent cyberattacks on major UK retailers, exploiting third-party vendor network weaknesses, demonstrate that cyber risk is inseparable from third-party risk management. Cyber due diligence must be embedded in onboarding and continuous monitoring processes, with cross-functional visibility across compliance and security teams.

Citation-Ready Snippets

Cite this Finding

Companies with mature risk and compliance frameworks are outperforming their peers by up to 20% in total shareholder return over five years, according to Ethixbase360’s 2025 whitepaper Third-Party Risk in the Era of Perma-Crisis, demonstrating that ethical governance generates measurable financial value, not just regulatory compliance.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025 · ethixbase360.com/intelligence-hub/third-party-risk-perma-crisis/

Cite this Finding

Nearly half of active U.S. Foreign Corrupt Practices Act investigations were closed or declined in 2025, according to the Department of Justice, a regulatory contraction that coincides with expanding mandatory ESG and human rights due diligence obligations under the EU Corporate Sustainability Due Diligence Directive, creating sharply diverging compliance expectations for multinationals.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025 · ethixbase360.com/intelligence-hub/third-party-risk-perma-crisis/

Cite this Finding

Over 90% of Gen Z and millennial workers say that purpose at work matters, and the majority would refuse employment from, or stop buying from, companies they regard as unethical, according to Deloitte’s 2025 survey, making third-party ethical standards a commercial risk management issue, not only a compliance one.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025 · ethixbase360.com/intelligence-hub/third-party-risk-perma-crisis/

Cite this Finding

Ethixbase360’s 2025 framework identifies five principles for resilient third-party risk management in the era of perma-crisis: check your basics, build for agility, enable integration, extend your ethical culture to the supply chain, and treat compliance as a strategic asset.

Source: Ethixbase360, Third-Party Risk in the Era of Perma-Crisis, 2025 · ethixbase360.com/intelligence-hub/third-party-risk-perma-crisis/

Download the full eBook

Third-Party Risk in the Era of Perma-Crisis: Navigating the New Normal — 14-page strategic guide for compliance professionals navigating geopolitical volatility, regulatory divergence, and the new requirements of ethical supply chain governance.
