Friday, December 26, 2025

Subcontractors risk assessment.

Written by Iratxe Gurpegui

Subcontractors extend your operations beyond your walls, which is why they extend your risk profile too. In 2025, regulators and auditors look past polished contracts and want to see proportionate, evidenced oversight of subcontractors across the full chain, not just tier‑1 suppliers. If you operate under anti‑corruption, antitrust, criminal compliance in Spain, AML, or the EU AI Act, a structured subcontractor risk assessment is now essential to credible compliance and business continuity.

Why subcontractor risk is different

Vendors sell you goods and services. Subcontractors, by contrast, often execute your obligations for your clients, sometimes on your sites and under your brand. That difference creates distinctive exposure:

  • Proximity and representation: subcontractors may interact with public officials, your customers, or your competitors while representing you.
  • Chain complexity: your tier‑1 subcontractor can cascade work to tier‑2 or tier‑3 firms without your awareness if your contracts lack flow‑down controls.
  • Operational and data access: many subcontractors access facilities, systems, and data sets that increase fraud, safety, privacy, AML, and AI governance risks.

Illustration: a prime contractor connected to tier‑1 and tier‑2 subcontractors across three countries, with risk icons for bribery, AML/sanctions, antitrust information exchange, labor/safety, and AI system risk placed at different nodes in the chain.

What regulators expect under key frameworks

Subcontractors sit squarely within third‑party and business associate oversight across widely used frameworks. Here is what that means in practice:

  • Loi Sapin II: Article 17 requires risk mapping and third‑party due diligence proportionate to corruption risks, which includes suppliers and subcontractors, with documentation that the French Anti‑Corruption Agency can review during controls. See the AFA’s guidelines on anti‑corruption compliance programs for expectations on risk mapping, due diligence, and monitoring.
  • ISO 37001: the anti‑bribery management system standard requires risk‑based due diligence on business associates, including subcontractors performing services on behalf of the organization. See the ISO overview of the ISO 37001 standard.
  • Antitrust: the Spanish standard UNE 19603 encourages organizations to prevent competition infringements through governance, training, and control of third parties. Subcontractors can be channels for prohibited exchanges of sensitive information or resale price maintenance.
  • Criminal compliance in Spain: UNE 19601 aligns with Article 31 bis of the Spanish Criminal Code and expects crime prevention controls that cover third‑party risks such as false invoicing, misappropriation, occupational safety crimes, and corruption through intermediaries.
  • AI Act: if subcontractors design, fine‑tune, integrate, or operate AI components in your products or processes, your role may shift to provider, deployer, or importer under the Act, with duties for risk management, data governance, technical documentation, and post‑market monitoring depending on risk level.

Internal policies should translate these expectations into concrete controls, flow‑down obligations, evidence, and remediation paths for subcontractors.

A practical method to assess subcontractors

Below is a seven‑step method you can apply in a mid‑sized enterprise without over‑engineering.

  1. Define scope and taxonomy

Create a clear perimeter and language so operations know who is in scope. Classify subcontractors by service type, criticality to client delivery, access to sites or systems, location and country risk, and contract value. Decide how far down the chain you will look for high‑risk engagements, for example, always to tier‑2 in high‑risk geographies.

  2. Collect baseline data

Capture the essentials up front. For each subcontractor gather legal name and registration, beneficial ownership where feasible, geography and delivery footprint, contract scope and value, duration, access to your facilities, systems, datasets, or customers, involvement with public officials or regulated processes, and certifications or prior compliance assessments. Automating this collection reduces friction and transcription errors.

  3. Screen and corroborate

Run proportionate checks based on preliminary risk. These typically include sanctions and watchlist screening, politically exposed person and adverse media checks, enforcement and debarment lists for public procurement, and litigation or regulatory actions in reliable public sources. For higher risk, ask for supporting documentation, such as code of conduct, anti‑bribery policy, safety records, training logs, and any ISO 37001 or UNE certifications claimed.

  4. Score risk by domain

Use a simple, transparent matrix per domain, for example 1 to 5 for likelihood and impact, and compute residual risk after considering existing controls. Keep criteria concrete to avoid debates. Example criteria: corruption exposure via intermediaries and gifts, antitrust exposure via marketplace roles or industry forums, AML and sanctions exposure via cross‑border flows and bank account mismatches, criminal compliance exposure via high‑risk labor or safety environments, AI Act exposure via use or provision of AI systems in high‑risk categories.

  5. Map controls and flow‑down clauses

For each risk level, define minimum contractual clauses and operational controls, such as anti‑bribery, antitrust, and sanctions clauses with audit and termination rights, flow‑down obligations to lower tiers, role‑specific training requirements, onboarding attestations and annual reaffirmations, right to approve or veto sub‑tier subcontracting, secure data handling and access controls, and speak‑up and investigation cooperation.

  6. Decide treatment and remediation

Document a decision for each subcontractor. Options are accept with baseline controls, mitigate with targeted actions and deadlines, escalate to enhanced due diligence and management approval, or avoid and decline or exit the relationship. Remediation should be specific, for example, complete training for field supervisors, replace cash‑based payments with verified bank transfers, implement a clean desk and access badge regime, or adopt an AI risk management plan with defined testing.

  7. Monitor and refresh

Set a refresh cadence that tracks risk. High‑risk subcontractors may be reviewed at least annually and on trigger events, such as adverse news, incident reports, expansion to new geographies, scope changes, or delegation to a new tier‑2. Keep evidence organized, time‑stamped, and linked to a documented decision trail.
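The scoring, treatment and refresh steps above can be written down as a small, transparent function set so that every decision is reproducible. The following is an added example, not code from the original post or from Naltilia: the 1 to 5 scales, the five risk domains and the accept/mitigate/escalate/avoid options come from the method described here, while the tier thresholds, the cap on control effectiveness and the refresh cadences are assumptions to tune for your own organization.

```python
# Added example (not from the original post); thresholds, control cap and cadences are assumptions.
from dataclasses import dataclass

DOMAINS = ("corruption", "antitrust", "aml_sanctions", "criminal_es", "ai_act")
TIER_THRESHOLDS = ((15, "high"), (8, "medium"), (0, "low"))   # residual on a 1-25 scale (assumed)
TREATMENT = {"low": "accept", "medium": "mitigate", "high": "escalate"}
REFRESH_MONTHS = {"low": 36, "medium": 24, "high": 12}        # assumed cadence; high = at least annual
TRIGGER_EVENTS = {"adverse_news", "incident", "new_geography", "scope_change", "new_tier2"}

@dataclass(frozen=True)
class DomainScore:
    likelihood: int                      # 1-5, as in step 4
    impact: int                          # 1-5, as in step 4
    control_effectiveness: float = 0.0   # 0.0 none .. 0.8 strong; controls never reach 1.0

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1-5")
        if not 0.0 <= self.control_effectiveness <= 0.8:
            raise ValueError("control_effectiveness must be 0.0-0.8")

def inherent(s: DomainScore) -> int:          # likelihood x impact before controls
    return s.likelihood * s.impact

def residual(s: DomainScore) -> float:        # what remains after existing controls
    return round(inherent(s) * (1 - s.control_effectiveness), 1)

def tier_for(score: float) -> str:
    return next(t for lo, t in TIER_THRESHOLDS if score >= lo)

def assess(scores: dict) -> dict:
    """Steps 4 and 6: the worst residual domain sets the overall tier and the treatment."""
    unknown = set(scores) - set(DOMAINS)
    if unknown:
        raise ValueError(f"unknown domains: {sorted(unknown)}")
    worst = max(residual(s) for s in scores.values())
    tier = tier_for(worst)
    treatment = TREATMENT[tier]
    # Assumed rule: a high inherent score with no controls at all is an avoid/decline candidate
    if any(inherent(s) >= 20 and s.control_effectiveness == 0.0 for s in scores.values()):
        treatment = "avoid"
    return {"tier": tier, "worst_residual": worst, "treatment": treatment,
            "refresh_months": REFRESH_MONTHS[tier]}

def review_due(result: dict, months_since_review: int, events: set) -> bool:
    """Step 7: refresh on cadence, and immediately on a trigger event for high-risk subcontractors."""
    if months_since_review >= result["refresh_months"]:
        return True
    return result["tier"] == "high" and bool(events & TRIGGER_EVENTS)
```

Record the inputs and the returned dictionary with a timestamp alongside the supporting documents, so the decision trail the auditors ask for is produced by the same step that makes the decision.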

Diagram: the subcontractor lifecycle as a loop of onboarding, screening, scoring, mitigation, and continuous monitoring, with evidence captured at each stage.

Risk red flags to look for

  • Anti‑corruption: success fees without clear deliverables, refusal to disclose beneficial owners, requests for cash or unorthodox payment routes, excessive gifts linked to public tenders.
  • Antitrust: subcontractor attends industry meetings on your behalf without counsel, circulates competitor price or volume data, proposes resale price instructions in implementation plans.
  • AML and sanctions: invoices from entities different from the contracting party, bank accounts in unrelated jurisdictions, frequent last‑minute changes to counterparties, routing through sanctioned countries.
  • Criminal compliance in Spain: repeated safety near misses or accidents, suspicious timesheets and expense patterns, pressure to accept noncompliant documentation to meet deadlines.
  • AI Act: subcontractor integrates AI for safety‑relevant or HR decisions without risk assessment, documentation, or human oversight, or uses datasets with unclear provenance.

Make it scale in an SME

SMEs rarely have a large third‑party risk team. You can still operate a defensible process without creating gridlock:

  • Right‑size questionnaires and use dynamic forms so low‑risk subcontractors answer fewer questions, while higher‑risk flows branch to enhanced checks.
  • Embed checks where work already happens, align with procurement, project management, EHS, and IT so data points are captured once and reused.
  • Standardize flow‑down clauses by risk tier and region, but keep a playbook for exceptions and approvals.
  • Train the people closest to the work, field supervisors and project managers often see the earliest warning signs and can escalate quickly.
  • Measure turnaround times and remediation velocity, then remove bottlenecks and address recurring issues through contractual design.

If you are building or refreshing your approach, two related deep dives on Naltilia’s blog complement the subcontractor focus of this article: our guide “How to build a compliance risk map in 6 steps” and our practical vendor management post “From red flags to trust: vendor risk management”.

Metrics your board will recognize

Boards care about coverage, speed, and outcomes. A simple, credible set includes subcontractor coverage rate by risk tier, percent of high‑risk subcontractors with completed due diligence and signed flow‑downs, remediation velocity for high‑risk findings, training completion rate for subcontractors in high‑exposure roles, audit or site‑visit pass rate, incident rate and incident closeout time, and exceptions approved by management with rationale. These align with the board‑level metrics we recommend across compliance domains and can be automated if your evidence is captured at source.