The Deepwater Horizon explosion wasn’t caused by a single failure. It was a chain of flawed decisions, misaligned incentives, and blind spots in how we worked with our partners. Eleven people lost their lives. The environmental, reputational and financial damage was immense. And much of it was preventable.
Internal auditors have a crucial role to play in helping organisations govern third-party relationships, not just manage them. That means looking beyond policy compliance to ask harder, more human questions: Are we trusting the right people? Do we understand their capabilities and culture? Will this relationship hold under pressure?
Why traditional approaches fall short
Third-party risk management frameworks often start with the question: "How likely is something to go wrong?" But in high-consequence relationships - where failure could mean death, serious harm, environmental damage, or major disruption - the question should be: "What’s at stake if it does?"
Organisations frequently apply the same risk processes to all third parties. That leads to too much bureaucracy where it’s not needed and not enough scrutiny where it matters most. A better approach starts with impact.
Tailoring our approach to what’s at stake
Not all third-party relationships are created equal. We need to focus on the consequences of failure, not just the likelihood. Here’s a simple impact-based categorisation:
- High-consequence relationships: Failure could result in death or injury, environmental damage, major service disruption, or regulatory or reputational disaster. Think: offshore drilling partners, critical software providers, safety-critical manufacturers.
- Medium-consequence relationships: Failures could cause financial loss, localised disruption, or compliance breaches - but without the wider fallout.
- Lower-consequence relationships: Routine suppliers delivering standard goods or services, with little impact if something goes wrong.
Each level needs a proportionate approach. And the higher the consequence, the deeper the scrutiny should go.
Five lessons internal audit should apply
Based on my experience - and the feedback I recently submitted to the Institute of Internal Auditors on its draft Third-Party Topical Requirement - here are five areas where internal auditors can add real value:
- Joint planning for emergency response
High-consequence suppliers should be part of emergency exercises. It’s not enough to have a plan; you need to test how people respond under pressure, together. Internal audit can check whether joint scenarios have been rehearsed and how lessons were captured and incorporated.
- Culture matters - especially safety culture
A supplier may tick every compliance box and still have a weak culture. Do people feel safe raising concerns? Are front-line workers empowered to stop unsafe work? These are cultural questions, not just technical ones. Internal audit can bring this into scope by triangulating interviews, observations, and whistleblowing data.
- Decision governance in operational pinch points
Some of the worst failures happen not from a lack of rules, but from poor judgment in the moment. How are decisions made when time is short and pressure is high? Who holds the pen? Are there built-in checks? Internal audit should examine decision governance during critical operations.
- Technical competency must be verified
Contracts often state that suppliers will use competent people - but how do we know they are? In high-consequence scenarios, competency should be tested and evidenced, not just promised. Internal audit can look at how that verification happens.
- Incentives and fears can override good judgment
People do what they’re rewarded for, and avoid what they’re punished for. If a supplier is under pressure to cut costs or meet unrealistic deadlines, or if their staff fear repercussions for raising concerns, risk increases. Internal audit should assess how incentives (and disincentives) shape behaviour.
A final word on bureaucracy vs. risk sensitivity
From the supplier’s perspective, third-party due diligence can feel like death by paperwork. But the answer isn’t less scrutiny, it’s better targeted scrutiny. Internal audit can help organisations focus on what really matters, reduce superficial checks, and invest energy where the stakes are high.
If internal audit only reviews the paperwork, we’re missing the point. Our role is to help organisations build third-party relationships that are resilient, not just compliant.
That’s how we prevent the next disaster - before warning signs become tragedy.