Third-party compliance basics

By Chris Els - May 23, 2023


The term forensic refers to the application of scientific knowledge to legal problems, especially scientific analysis of physical evidence (as from a crime scene).

Third-party process forensics seeks to discover legitimate partnerships, their process practices and their industry compliance, in order to protect everyone in the shared supply chain.



Regulatory compliance is motivated by the following four objectives:

  1. Quality
  2. Health
  3. Safety
  4. Continuity

In all countries, regulators manage corporate compliance referencing over 30,000 global industry standards.



Compliance can be industry or community specific, or focus on general protection such as quality, health and safety. Compliance also serves to protect individual rights, data security, data privacy and environmental sustainability.

More than 47,000 global listed companies invest in formal ESG policy and GRC certification compliance. However, less than 25% of third parties and their subcontractors serving these organisations invest in compliance and other measures to protect themselves and their clients. That means risk is ever present.


Economic drivers such as time, cost and corporate success led to the creation of industry and ethical institutions tasked with identifying and promoting process improvements, production quality, health, safety, and extended economic and universal sustainability.


There are 3 types of supply chain, 2 of which are often overlooked when measuring risk protection.

  1. Physical Process Supply Chain
    (Procurement and Logistics)
  2. Data Supply Chain
    (Data Integration, Security and Privacy)
  3. Security Platform Chain
    (Data centres, infrastructure, and software solutions in the supply chain)

The 3 types of supply chain are interdependent. Risk of disruption comes from the following threats:


Cybercrime is a magnification of malicious intent and human negligence. A multibillion-dollar industry offers a range of options to combat cybercrime and ransomware. Organisations need to balance effective protection with operational performance, within the constraints of limited budgets.

Data supply chains are initiated by compliant enterprises who are motivated to share their supply chain opportunities with smaller downstream specialist suppliers. These downstream subcontractors are likely not regulated, and 75% will not invest in or maintain the compliance program required to secure consumer trust in delivered services and products. Unregulated suppliers can introduce easy access to upstream corporate information systems, which increases the likelihood of data loss and the threat to business continuity.

Around 300,000 new pieces of malware are created daily to target individuals and organizations. From exploiting human error to launching sophisticated assaults capable of bypassing even the strongest security systems, cyberattacks can come in various forms. The five most common cyberattacks that wreak havoc include phishing (85% of all reported attacks), ransomware, malware, data breach and Distributed Denial of Service (DDoS).

Malware originating from or passing through supplier network systems will directly impact verified and unverified touch points. Effective Third-Party Risk Management (TPRM) requires significant time and resources. You need to accurately identify who your vendors are. The inventory should be kept up to date and extend to fourth parties (your third-party vendors' vendors). iTracker makes it easy to identify your vendor inventory.


  1. Information Security
  2. Vendor Management
  3. Business Continuity
  4. Internal Audit
  5. Supply Chain
  6. R & D

Compliance is not restricted to statutory regulations and industry standards. Organisations also focus on behaviours and processes in the interest of all stakeholders. Internal audit teams work with specialist line-of-business executives to document measurable corporate policies for ongoing review and improvement.

Nearly one billion email accounts were exposed in 2021. That's 1 in 5 internet users affected by data breaches each year, and in most cases those breaches give cyber criminals access to the users' employers' operational systems and information.

FACT: Your data will be breached, often.

You need to protect your organisation, your partners, and your community. For business continuity you need tested recovery plans for when your data is breached.

Before you can put the above in place, you need to know who has access to your data and information. Knowing how far down your supply chain goes is not a simple task. Gaps soon appear in complex service level agreements; what might be considered secondary responsibilities become detached from priority dependencies, and soon enough fourth-level providers in a supply chain become a vulnerable entry point for attackers to reach all the way up to the prize data at the top of the data chain.

Discovery is a legal forensic term, and it strikes me as odd that many turn to technology to apply assumptions and arrive at possible conclusions of risk. Following a trail of factual certainty can point one to a far more obvious and predictable cause, and assist with preparing for disruption in whatever form it presents itself. Sophisticated algorithms will inevitably guide an enquiring mind back to what exists and can link your data supply chain up and downstream.

