PDF Report | 17 Pages | Third-Party Risk Management
Companion intelligence page for the Ethixbase360 Third-Party Risk in an Age of Engineered Volatility and Fragmentation guide. This 17-page strategic guide is for compliance and risk professionals.
Executive Summary
The global risk environment has entered a new phase. Where the first edition of this guide, published in 2025, described a state of perma-crisis (overlapping disruptions without a stable baseline), the 2026 edition identifies something more deliberate: volatility and fragmentation that are being actively engineered.
Governments are reshaping the risks facing businesses not only directly, but by influencing the incentives and behaviours of third parties. The question for compliance and risk professionals is no longer simply who your partners are. It is how those partners are responding to a world where the rules are constantly changing.
Ethixbase360’s 2026 guide, authored by Virna Di Palma and James Swenson, establishes that in this environment third-party risk is no longer a static assessment. It is a moving target shaped by external pressure and shifting incentives, and one that requires compliance programmes built for agility, not stability. Risk-savvy organisations must lean into flexibility, guided by their values, rather than relying on compliance playbooks designed for a more predictable world.
The regulatory landscape compounds the challenge. Across jurisdictions, the direction of travel is from disclosure to enforcement, with regulators increasingly deploying trade, procurement, and market access as levers to drive compliance. Yet those jurisdictions are moving in materially different directions: the EU Corporate Sustainability Due Diligence Directive is advancing, the EU Forced Labour Regulation introduces direct import bans, the Uyghur Forced Labour Prevention Act continues to intensify in the United States, and the UK and Australia are reforming Modern Slavery Acts toward stronger due diligence obligations. Navigating this divergence requires more agile, risk-based compliance programmes that can adapt as quickly as the rules themselves.
Geopolitical pressures are simultaneously reshaping beneficial ownership risk, third-party cyber exposure, and ESG obligations. Ownership structures are increasingly used to obscure exposure. AI is accelerating both risk detection and risk creation. Enforcement of human rights obligations is extending from reporting to market access consequences. And third parties are often the first to adapt their behaviour in ways that reduce their own costs or preserve market access, but increase compliance and integrity risk for their partners.
Ethixbase360 argues that the organisations best positioned to navigate this environment are those that lead with their values, treat compliance as a strategic asset, and build resilient programmes designed to outlast disruption. The companies that thrive will not be those waiting for rules to stabilise. They will be the ones that demonstrate constancy in their ethics while adapting at pace to a world in flux.
Third-Party Risk in an Age of Engineered Volatility and Fragmentation
Key statistics & data points
Publicly traded companies recognised as the 2026 World’s Most Ethical Companies outperformed the broader global market by 8.2 percentage points over a five-year period, demonstrating that ethical governance creates measurable long-term financial advantage.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026; citing Ethisphere, Ethics Premium Report, 2026
An estimated 50 million people remain in conditions of modern slavery globally, underscoring the scale of human rights risk embedded in global supply chains and the growing regulatory focus on enforcement rather than disclosure.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026
Modern slavery cases in the UK have reached record levels, highlighting that exploitation continues to evolve across both global supply chains and local labour markets — and that domestic enforcement risk is growing alongside international obligations.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026
The U.S. Foreign Corrupt Practices Act carries a five-year statute of limitations, with active proposals to extend it to ten years, meaning that reduced enforcement in 2026 creates no long-term compliance safe harbour, as enforcement priorities can shift quickly with changes in administration.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026
US-China decoupling has accelerated in 2026, spanning semiconductors, AI, and critical minerals — forcing organisations to rethink trade maps and supply chains built over decades as sanctions and export controls reshape the global commercial landscape.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026
Expert Quotes and Insights
"Let me be direct. We are in the midst of a rupture, not a transition. We know the old order is not coming back."
— Mark Carney, Prime Minister of Canada · World Economic Forum Annual Meeting, Davos, 2026 · As cited by Ethixbase360
"In a world where the rules are being rewritten as the game is played, values are the only constant. Lead with them."
— Ethixbase360 · Third-Party Risk in an Age of Engineered Volatility and Fragmentation · May 2026
Chapter Breakdown
Chapter 1: The New Normal — Engineered Volatility and Fragmentation (p. 2)
One year after introducing the era of perma-crisis, Ethixbase360 identifies its root causes with greater precision: volatility and fragmentation being actively engineered by governments and geopolitical actors. Third-party risk is no longer a static assessment but a moving target shaped by external pressure and shifting incentives, requiring organisations to prioritise values-guided flexibility over fixed compliance playbooks.
Chapter 2: A Shifting Regulatory Landscape (p. 3)
The regulatory picture in 2026 is no clearer than the geopolitical. Regulators are moving beyond disclosure toward enforcement, using trade, procurement, and market access as compliance tools. Key developments surveyed: EU CSDDD advancement, EU Forced Labour Regulation import bans, ongoing UFLPA intensification in the US, UK and Australian Modern Slavery Act reforms, and the UK NHS Procurement Regulations 2025.
Chapter 3: Beneficial Ownership Considerations (p. 4)
Beneficial ownership now sits at the intersection of sanctions enforcement, export controls, and third-party risk. In a fragmented environment, ownership structures are increasingly used to obscure exposure through layered entities and complex cross-border networks. The OFAC 50% rule means UBO analysis is often determinative. Effective programmes are continuous, risk-based, evidence-led, and integrated across sanctions, trade, and third-party risk workflows.
Chapter 4: Changing Scenario for Third-Party Risk (p. 5-6)
Economic and geopolitical forces are reshaping third-party incentives, not just increasing risk. Third parties adapt their behaviour under pressure in ways that are subtle, difficult to detect in real time, and costly to ignore — through pricing manipulation, origin declaration changes, use of less-vetted partners, or superficial compliance. Reducing compliance investment during economic stress creates precisely the conditions in which these risks proliferate.
Chapter 5: Geopolitical Risks in an Engineered Environment (p. 7)
Major themes in 2026: the Ukraine conflict and sophisticated sanctions-evasion networks; the Iran war disrupting shipping routes; Maduro's removal in Venezuela where sanctions remain; accelerating US-China decoupling across semiconductors, AI, and critical minerals. Friend-shoring and near-shoring are reshaping supply chains built over decades, creating new third-party relationships requiring fresh risk assessment.
Chapter 6: Third-Party Cyber Risk and AI Considerations (p. 8-9)
Third-party cyber risk is one of the most significant and least understood threats facing organisations. A single compromised vendor can create a multiplier effect across multiple organisations. AI is accelerating risk detection and risk creation — enabling synthetic identities, automated fraud and phishing, and rapid disinformation. Effective programmes are moving toward shared accountability, risk-based vendor segmentation, continuous monitoring, and contractual enforceability.
Chapter 7: Emerging ESG and Human Rights Concerns (p. 10-11)
ESG obligations have moved into enforceable due diligence with direct market access consequences. With an estimated 50 million people in modern slavery globally and record UK cases, regulators expect organisations to identify, prevent, mitigate, and evidence risk management. Human rights risk now carries direct implications for market access (import bans), legal exposure (civil liability), and operational resilience (supplier disruption).
Chapter 8: Ethical Leadership in an Age of Engineered Volatility (p. 12)
Trust in institutions has eroded globally. As regulation moves in conflicting directions, ethical leadership has never been more commercially valuable. Ethisphere's Ethics Premium analysis shows the 2026 World's Most Ethical Companies outperformed the broader market by 8.2 percentage points over five years. Companies embedding ethical governance today are building the credibility that will matter most when conditions shift.
Chapter 10: The New Imperative (p. 14)
Waiting for stability is itself a risk. The disruptions reshaping trade, supply chains, and regulatory frameworks reflect deeper structural shifts. The organisations that thrive will be those that lead with their values, embed those values across their supply chains, and treat compliance as a strategic asset, demonstrating constancy grounded in the ethics needed for long-run success.
Definitions and Entities
Engineered Volatility
A term used by Ethixbase360 to describe the deliberate actions of governments and geopolitical actors that systematically reshape incentives, trade flows, and regulatory environments, producing persistent, purposefully created uncertainty rather than episodic disruption. Distinct from perma-crisis in that the source of instability is intentional.
TPRM (Third-Party Risk Management)
The structured discipline of identifying, assessing, monitoring, and mitigating risks introduced by external suppliers, contractors, vendors, and intermediaries. In an age of engineered volatility, effective TPRM programmes address risk continuously across cyber, financial, ESG, beneficial ownership, sanctions, and regulatory domains simultaneously.
UBO (Ultimate Beneficial Owner)
The natural person or persons who ultimately own or control a legal entity, directly or indirectly. Under frameworks including the OFAC 50% rule, UBO analysis is often determinative in sanctions and export control compliance: it can decide whether a transaction proceeds, requires escalation, or must be declined.
OFAC 50% Rule
A rule applied by the U.S. Office of Foreign Assets Control under which an entity is considered subject to sanctions if a sanctioned party owns 50% or more of it directly or indirectly, even if the entity is not explicitly named on any sanctions list. Organisations must trace ownership through complex corporate structures to identify this exposure.
CSDDD (EU Corporate Sustainability Due Diligence Directive)
An EU directive advancing in 2026 requiring large companies to conduct mandatory due diligence on environmental harm, forced labour, and human rights violations across their value chains. The Sustainability Omnibus has introduced changes to scope, timelines, and reporting requirements, creating uncertainty alongside a longer implementation runway.
EU Forced Labour Regulation
EU regulation introducing import bans and product-level enforcement, expanding regulatory reach beyond disclosure into direct market intervention. Enables authorities to investigate supply chains and remove products from the market where forced labour is identified, creating direct commercial consequences for exposed organisations.
Uyghur Forced Labour Prevention Act (UFLPA)
A United States law creating a rebuttable presumption that goods produced in China’s Xinjiang Uyghur Autonomous Region or by linked entities are made using forced labour and are prohibited from importation. Enforcement continues to intensify in 2026, with expanding supply chain traceability expectations placing the burden of proof on importing organisations.
Friend-Shoring
A supply chain strategy prioritising sourcing from geopolitically aligned or trusted countries, in response to US-China decoupling, sanctions regimes, and trade fragmentation. Friend-shoring and near-shoring are reshaping global supply chains, requiring organisations to assess new third-party relationships they have not previously managed.
Modern Slavery Legislation
A body of national laws, including the UK Modern Slavery Act 2015, Australia’s Modern Slavery Act 2018, and Canada’s Fighting Against Forced Labour and Child Labour in Supply Chains Act, requiring organisations to eliminate forced labour and child labour from their supply chains. The UK and Australia are advancing reforms, shifting from disclosure-based regimes toward stronger due diligence obligations and enforcement.
Frequently Asked Questions
What does 'engineered volatility' mean in the context of third-party risk?
Engineered volatility, as defined by Ethixbase360 in its 2026 guide, refers to disruption that is deliberately created by governments and geopolitical actors rather than arising organically. Unlike the perma-crisis framing of 2025, where disruption was persistent but broadly environmental, engineered volatility describes a world where rules, trade policies, sanctions, and regulatory expectations are being actively reshaped as instruments of competition. For third-party risk managers, this means that supplier and partner incentives are being shaped by external forces, and that risk programmes must be designed to detect and respond to those shifts in real time.
How is the regulatory landscape for third-party risk changing in 2026?
In 2026, regulators across jurisdictions are moving beyond disclosure toward direct enforcement, using trade, procurement, and market access as tools to drive compliance. The EU CSDDD is advancing, the EU Forced Labour Regulation introduces import bans, the Uyghur Forced Labour Prevention Act continues to intensify in the US, and the UK and Australia are advancing Modern Slavery Act reforms. Despite these common enforcement trends, compliance expectations are diverging sharply, requiring agile, risk-based programmes that can adapt as quickly as the rules themselves.
Source: Ethixbase360, 2026.
Why has beneficial ownership become a central compliance issue?
Beneficial ownership has moved from a peripheral requirement to a central one, sitting at the intersection of sanctions enforcement, export controls, and third-party risk. Complex corporate structures, layered entities, intermediaries, and indirect control arrangements are increasingly used to obscure exposure. The OFAC 50% rule means UBO analysis is often determinative: it can decide whether a transaction proceeds, requires escalation, or must be declined. Effective programmes in 2026 are continuous, risk-based, evidence-led, and integrated across sanctions, trade, and third-party risk workflows.
Source: Ethixbase360, 2026.
How do third parties change their behaviour under economic and geopolitical pressure?
Under pressure, third parties are often the first to adapt in ways that may preserve their own market access or margins but increase compliance and integrity risk for their partners. Common patterns include: manipulation of pricing structures or origin declarations under tariff pressure; entry into relationships with less-vetted partners due to supply chain fragmentation; use of intermediaries not yet on watchlists under sanctions tightening; and superficial ESG compliance under political and regulatory pressure. These behaviours emerge gradually through changes in counterparties and transaction flows, making them harder to detect through traditional due diligence alone.
Source: Ethixbase360, 2026.
What are the key geopolitical risks shaping third-party relationships in 2026?
Major geopolitical risks in 2026 include: the ongoing war in Ukraine and sophisticated sanctions-evasion networks; the Iran war disrupting shipping routes; Maduro’s removal in Venezuela where sanctions remain in place; and accelerating US-China decoupling across semiconductors, AI, and critical minerals. Governments are deploying trade policies as instruments of international competition, forcing organisations to rethink supply chains built over decades. Friend-shoring and near-shoring are on the rise, creating new third-party relationships requiring risk assessment.
Source: Ethixbase360, 2026.
How is AI changing the third-party cyber risk landscape?
AI is accelerating both risk detection and risk creation. On the risk creation side, AI enables synthetic identities, rapid disinformation generation, and automation of fraud and phishing. On the detection side, AI-enabled monitoring can identify anomalies across large third-party populations in real time. A single compromised vendor can provide access to multiple organisations, creating a multiplier effect. Many organisations leave significant gaps by treating cyber risk as a technical or one-time onboarding issue rather than a continuous, enterprise-wide compliance discipline.
Source: Ethixbase360, 2026.
What is the business case for maintaining ethical governance standards in 2026?
The business case rests on financial outperformance and long-term resilience. Ethisphere’s Ethics Premium analysis shows that publicly traded companies recognised as the 2026 World’s Most Ethical Companies outperformed the broader global market by 8.2 percentage points over a five-year period. Beyond financial data, consumers and workers have a low tolerance for unethical corporate behaviour, and younger generations say purpose at work matters. Companies that embed ethical governance today build the credibility that will matter most when political and regulatory conditions shift.
Source: Ethixbase360, 2026; citing Ethisphere, Ethics Premium Report, 2026.
How are ESG and human rights obligations changing for organisations in 2026?
ESG obligations have moved beyond voluntary commitments into enforceable due diligence with direct market access consequences. An estimated 50 million people remain in conditions of modern slavery globally and modern slavery cases in the UK have reached record levels. Regulators expect organisations to identify, prevent, mitigate, and evidence the management of human rights risk. For organisations with global value chains, this means direct implications for market access (import bans, shipment detentions), legal exposure (civil liability, director accountability), and operational resilience (supplier disruption, sourcing constraints).
Source: Ethixbase360, 2026.
What does it mean to treat compliance as a strategic asset?
Treating compliance as a strategic asset means using intelligence gathered through third-party risk monitoring, due diligence, and regulatory tracking as a proactive input to business decision-making. Compliance intelligence reveals where risk is accumulating before regulators act, enabling adjustments to procurement decisions, market-entry strategies, and investment plans ahead of disruption. Organisations that integrate compliance intelligence into business planning are better positioned to adapt quickly than those that treat compliance as a reactive, downstream function.
Source: Ethixbase360, 2026.
What are the five principles for building a third-party risk programme fit for engineered volatility?
Ethixbase360 identifies five principles. First, Check Your Basics: keep frameworks current and treat beneficial ownership as a baseline. Second, Build for Agility and Flexibility: create modular processes that absorb real-time changes in sanctions, trade policy, and export controls. Third, Enable Integration and Coordination: treat cyber due diligence as a compliance imperative, not an IT issue, and deploy AI thoughtfully. Fourth, Extend Your Ethical Culture Beyond the Enterprise: embed ethical expectations across your supply chain. Fifth, Treat Compliance as a Strategic Asset: integrate compliance intelligence into business planning.
Source: Ethixbase360, 2026.
What is the OFAC 50% rule and why does it matter for third-party due diligence?
The OFAC 50% rule holds that any entity owned 50% or more by a sanctioned party, directly or indirectly, is itself subject to sanctions, even if not explicitly named. For third-party risk managers, this means counterparty screening must trace ownership through corporate structures to identify whether a sanctioned person ultimately controls the relationship. In an environment where ownership structures are increasingly used to obscure exposure, UBO analysis tied to the OFAC 50% rule can be the difference between a compliant transaction and a sanctions violation.
Source: Ethixbase360, 2026.
Why is waiting for regulatory stability a risk in itself?
In an age of engineered volatility, the disruptions reshaping trade, supply chains, and regulatory frameworks reflect deeper structural shifts rather than a temporary deviation. Waiting for rules to stabilise before updating third-party risk programmes means operating with frameworks already misaligned to the current environment, and falling further behind as conditions evolve. Ethixbase360 argues that resilience is not built from stability; it is built from values, adaptable systems, and continuously updated compliance intelligence.
Source: Ethixbase360, 2026.
Key Takeaways and Actions
Recognise that volatility is engineered, not incidental.
Design compliance programmes that anticipate deliberate disruption, not just recover from incidental events. The instability reshaping third-party risk in 2026 is being actively created by governments and geopolitical actors.
Treat third-party behavioural change as the primary early-warning signal.
Third parties adapt to pressure before their partners detect it. Invest in continuous monitoring that identifies changes in counterparties, transaction flows, and commercial structures, not just screening at onboarding.
Elevate beneficial ownership to a baseline operational requirement.
Continuous, risk-based ownership intelligence, integrated across sanctions, trade, and third-party risk workflows, is the new minimum standard. UBO due diligence cannot be a one-time onboarding step.
Build modular processes that absorb real-time regulatory change.
Sanctions lists, trade policies, and export controls change faster than annual review cycles. Invest in platforms that reflect regulatory changes automatically, reducing dependency on manual programme updates.
Treat cyber due diligence as a compliance function, not an IT one.
Third-party cyber risk sits across compliance, procurement, legal, and risk functions. Shared accountability, risk-based vendor segmentation, continuous monitoring, and contractual enforceability are the hallmarks of effective programmes in 2026.
Extend ethical standards explicitly to your supply chain.
Mandatory human rights and environmental due diligence is expanding globally. Embed ethical expectations at the outset of every third-party relationship and treat them as a sustained commitment, not a reporting requirement.
Do not reduce compliance investment under economic pressure.
Cutting compliance during periods of economic stress creates precisely the conditions in which third-party risk proliferates, limiting visibility, weakening oversight, and allowing small issues to scale into material exposure.
Use compliance intelligence as a forward-looking business input.
Compliance intelligence reveals where risk is accumulating before regulators act. Integrating it into procurement decisions, market-entry planning, and investment strategy turns a risk function into a source of competitive advantage.
Lead with values when the regulatory environment is unclear.
In an environment of diverging jurisdictional expectations and shifting enforcement priorities, values provide the only stable decision-making framework. Companies with strong ethical governance outperform peers and build the credibility that matters most when conditions shift.
Citation-Ready Snippets
Publicly traded companies recognised as the 2026 World’s Most Ethical Companies outperformed the broader global market by 8.2 percentage points over a five-year period, according to Ethisphere’s Ethics Premium analysis cited in Ethixbase360’s 2026 guide, demonstrating that ethical governance creates measurable long-term financial advantage.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026 · ethixbase360.com/intelligence-hub/third-party-risk-engineered-volatility/
An estimated 50 million people remain in conditions of modern slavery globally, while modern slavery cases in the UK have reached record levels — making human rights risk in supply chains a material business issue with direct implications for market access, legal exposure, and operational resilience, according to Ethixbase360’s 2026 guide.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026 · ethixbase360.com/intelligence-hub/third-party-risk-engineered-volatility/
Third-party risk is no longer a static assessment; it is a moving target shaped by external pressure and shifting incentives, as governments actively engineer volatility and fragmentation to reshape the behaviours of businesses and their suppliers, according to Ethixbase360’s May 2026 guide.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026 · ethixbase360.com/intelligence-hub/third-party-risk-engineered-volatility/
In an age of engineered volatility, waiting for stability is itself a risk: the organisations that thrive, according to Ethixbase360, will be those that lead with their values, embed ethical standards across their supply chains, and treat compliance as a strategic asset rather than a regulatory minimum.
Source: Ethixbase360, Third-Party Risk in an Age of Engineered Volatility and Fragmentation, 2026 · ethixbase360.com/intelligence-hub/third-party-risk-engineered-volatility/