Why unchecked third-party suppliers are becoming a board-level risk for retailers

Retail Online Training


Third-party supplier oversight is now one of retail’s biggest compliance risks, according to Vantify 

Retailers are facing a compliance landscape where some of the greatest threats increasingly sit outside their direct control. 

From greenwashing rules to cyber disruption and senior management accountability, organisations are being judged on how well they understand, verify and govern the third parties they rely on. 

That creates a clear financial and reputational risk. One unverified environmental claim, one poorly governed technology provider or one long-standing supplier relationship that has not been reviewed for years can quickly become a public compliance failure. 

The wider messaging for retailers is fundamentally simple; supplier oversight can’t be treated as a one-off onboarding exercise. Third-party providers may have worked with a business for years, but without regular due diligence, monitoring and evidence, familiarity can become a serious risk. 

Greenwashing guidance 

In January 2026, the Competition and Markets Authority published new guidance, Making green claims: Getting it right, across the supply chain. It was designed to clarify how UK consumer protection law applies to environmental claims made not only by retailers and brands, but also by the manufacturers, suppliers and other businesses that provide the evidence behind those claims. 

The CMA’s message was clear. Greenwashing isn’t just a marketing risk, but a supplier governance risk. 

Businesses that repeat, rely on or promote environmental claims must take reasonable steps to verify them, rather than simply accepting supplier assurances. Claims about recycled content, sustainable sourcing, carbon impact, circularity or “eco” ranges must be accurate, clear, substantiated and capable of being evidenced across the product lifecycle. 

In fact, adverts by Adidas, Uniqlo and Calvin Klein have recently been banned by the UK advertising watchdog over potentially misleading claims about recycled clothing and footwear. 

Retailers must therefore question whether their suppliers can substantiate the materials, production processes, data and certifications that underpin green claims. A retailer may have strong environmental standards within its own business, but that’s no longer enough, if the same level of evidence cannot be produced across its supplier base. 

If a long-standing supplier cannot provide reliable evidence, the retailer’s own reputation is still exposed. 

The enforcement landscape is also materially tougher. The CMA can now investigate and impose penalties directly under the Digital Markets, Competition and Consumers Act 2024, including fines of up to 10 per cent of global turnover without first going to court. 

Earlier interventions involving ASOS, Boohoo and George at Asda showed the direction of travel, but the risk for retailers is now much more immediate. 

For retailers, the practical requirement is documented supplier due diligence. You need evidence packs, audit trails, approved claim wording, ongoing monitoring and escalation routes where claims cannot be verified. Long-standing supplier relationships should not be treated as low risk simply because they are familiar. 

Cyber-crime and third-party access 

Another pressing operational risk facing retailers is cyber-crime. This risk grows as stores, warehouses, payment systems, customer platforms and supplier systems become more interconnected. 

Compromised credentials, weak access controls or poor security practices at third-party IT suppliers can provide the route in. The consequences can be immediate and severe, from systems outages and disrupted fulfilment to data loss, ransom demands, regulatory scrutiny and lasting reputational damage. 

Recent attacks on major UK retailers, including M&S, Co-op and Harrods, showed how social engineering, third-party supplier access and shared technology dependencies can affect multiple businesses at once. 

The M&S cyber attack in particular brought the risk of supplier-linked disruption into sharp focus. It showed how a weakness outside a retailer’s direct organisation can still lead to operational disruption, lost sales, customer frustration and reputational damage for the retailer itself. 



The financial consequences are not theoretical. Jaguar Land Rover’s 2025 cyber incident, widely reported as having caused major production disruption and substantial losses, also demonstrated how issues connected to third-party systems or supplier access can cascade through operations, suppliers and customers. 

For retailers, the lesson is clear. Cyber resilience is inseparable from supplier resilience. 

Robust supplier due diligence, access reviews, contractual controls, incident planning, staff training and continuous monitoring are now essential to protecting revenue, operations and customer trust. A third-party supplier that was safe to use five years ago may not be safe today if its controls have not kept pace with the retailer’s own risk profile. 

Senior accountability and supplier governance 

The Crime and Policing Act 2026 adds another reason for retailers to take supplier governance seriously. 

While physical crime remains a major issue for the sector, the more relevant compliance point is the way failures in due diligence, onboarding or governance can create exposure for senior managers where supplier activity translates into criminal conduct. 

It shifts the issue from operational housekeeping to leadership accountability. If a third-party provider is not properly vetted, monitored or challenged, the consequences may no longer sit only with procurement, legal or compliance teams. They may reach senior decision-makers who are expected to show that reasonable steps were taken to prevent, identify and respond to risk. 

That makes supplier oversight a board-level issue. Retailers need to know who their third-party providers are, what services they perform, what risks they introduce and when those risks were last reviewed. 

A supplier that has been in place for years should not automatically be considered safe. In some cases, the opposite may be true. Long-standing relationships can lead to outdated contracts, weak audit trails, unclear ownership and assumptions that no longer reflect the current risk environment. 

Continuous supplier compliance 

In an already complex retail ecosystem, the environment around brands is changing faster than legacy processes, reporting lines and third-party supplier controls. The result is a growing gap between the risks retailers face and the evidence they can produce to show those risks are being managed. 

Sustainability claims now require evidence across the supply chain. Cyber risk sits across technology, operations, people and third parties. Senior accountability is increasing where failures in governance allow supplier risk to become business risk. 

For brands operating at scale, compliance cannot be seen as a static legal checklist. It’s a continuous exercise in knowing who your third-party suppliers are, what risks they introduce, when their controls were last tested and whether the evidence still supports the claims, access and responsibilities they carry. 

The danger lies in assuming that a long-standing service provider is automatically a trusted one. Without regular due diligence, monitoring and clear ownership, familiar suppliers can become a serious financial, operational and reputational threat. 

Retailers therefore need governance systems that can spot change early, assign ownership quickly and turn supplier risk into practical action before a failure becomes public. 

Click here to sign up to Retail Gazette‘s free daily email newsletter

Retail Online Training