Consider this scenario: You evaluate a new third-party vendor operating in a high-risk country for corruption risk and other liability concerns such as environmental impact or workforce compliance. Once evaluated, the vendor becomes subject to certain controls based on the risk tier established. You monitor those controls but, six months into the relationship, beneficial ownership of the third party changes and the initial risk ranking is no longer valid. The new owners have a record of human rights abuses in their factories and have been associated with bribery charges.
There was published news of the upcoming change of ownership, which you would have seen if you had been engaged in ongoing monitoring of external news sources about your third parties. If you had been collecting information from various sources about the new owners and their track record, you would have re-evaluated the third party and enhanced controls or revised your contract. But you are only evaluating changes once every two years when you ask for updated self-reporting.

