Supply chain due diligence: the contribution of consulting, processes and Artificial Intelligence
Managing risks related to suppliers and counterparties is becoming an increasingly important component of business continuity. This topic was at the heart of the roundtable discussion entitled “Supply Chain Due Diligence: Ensuring Supply Chain Continuity and Security to Mitigate Business Risk”, held on 11 June as part of Credit Week 2026.
Moderated by Debora Bionda, Editor-in-Chief of CreditNews, the discussion featured, among its speakers, Davide de Nittis, Partner at Excellence Edge, who was invited to explain how consulting firms can support organisations in managing counterparty risk and what opportunities can arise from the use of technology and Artificial Intelligence.
Why Companies Need Support in Managing Third Parties
During the first round of contributions, Debora Bionda asked Davide de Nittis how consulting firms can provide practical support to companies in managing counterparty risk.
Before describing the contribution that consulting can make, de Nittis highlighted several critical issues that make third-party governance particularly complex. The first concerns process fragmentation.
In banks, as well as in large companies and utilities, supplier management generally involves several functions, including Procurement, Risk Management, Compliance and Legal. Each of these functions often operates using its own tools, timelines and criteria, making it difficult to build a unified view of risk.
In this regard, de Nittis referred to data indicating that approximately half of companies still manage their third parties using Excel spreadsheets and fragmented tools. This situation can make it difficult to integrate information and obtain a complete and up-to-date picture of supplier relationships.
A second critical issue concerns what the Excellence Edge Partner described as the “post-onboarding gap”.
Due diligence is, in fact, mainly concentrated in the period before the contract is signed. Once the relationship has begun, however, monitoring risks becoming sporadic or reactive, being activated only following an incident or the emergence of a critical issue.
A supplier’s risk profile may nevertheless change over time, sometimes rapidly, as a result of geopolitical tensions, cyberattacks, operational difficulties or new regulatory obligations. For this reason, de Nittis explained, the initial assessment must be accompanied by continuous monitoring throughout the entire relationship.
The third element highlighted concerns increasing regulatory convergence.
The structured management of third-party risk has long been a particularly important requirement for the banking sector, partly in connection with the EBA Guidelines and the DORA Regulation. Today, with regulations such as NIS2, the CSDDD and the CSRD, similar principles are also being extended to companies operating in other sectors.
According to de Nittis, many corporate organisations are therefore finding themselves in the position of having to rapidly establish frameworks and processes that the financial sector has developed and consolidated over the past few years.
The Role of Consulting: Methodology, Compliance and Digital Processes
After outlining the main areas of concern, de Nittis explained that the support provided by a consulting firm can be developed across three levels.
The first is the methodological level.
Excellence Edge has developed a Third-Party Risk Management framework that covers the entire lifecycle of the relationship with a third party, from the initial identification of a business need through to management reporting and the definition of a potential exit strategy.
The model is divided into nine operational phases, within which roles, responsibilities, expected outcomes and escalation criteria are defined. The risk assessment is carried out through questionnaires and analysis dimensions that make it possible to calculate a weighted score, distinguishing between inherent risk, the mitigation measures adopted and residual risk.
The framework also includes a matrix linking the services provided by suppliers to the relevant business functions. This makes it possible to assess the impact on critical activities and identify potential concentration risks.
The second level concerns compliance by design.
De Nittis explained that regulatory requirements should not be added to the process at a later stage, but incorporated directly into its design. The methodological structure can remain substantially stable across different contexts, while the relevant parameters and requirements may vary: DORA and the EBA Guidelines in the financial sector, and NIS2 and the CSDDD in the corporate sector.
The third level involves the development of a tech-by-design process.
The role of consulting therefore does not end with the definition of a theoretical model. It is also necessary to build the operational and digital process that enables the model to be applied in practice, through workflows involving multiple responsible parties, shared databases, status tracking, automated alerts and audit trails.
As de Nittis emphasised, this is the step that transforms a methodological framework into a process that can actually be executed, measured and verified.
Technology Works Only When the Process Is Properly Designed
During the second round of contributions, Debora Bionda asked de Nittis where and how technology can be used effectively in managing supply chain risks.
The Excellence Edge Partner began his response by clarifying where technology risks being ineffective.
Even a particularly advanced technological tool cannot compensate for the absence of a process or automatically correct a fragmented organisational model. As explained during the discussion, technology acts as an accelerator and amplifies the quality of the underlying process. For this reason, within Excellence Edge’s approach, technology is not the starting point, but rather the enabler of a methodological and operational framework defined in advance.
It is from this perspective that the principle of tech by design should be understood: technology is designed together with the process, rather than being superimposed on it at a later stage.
The Three Areas with the Greatest Impact
De Nittis then identified three areas in which technology, and Agentic AI in particular, can make a significant contribution.
The first concerns document analysis and service classification.
Companies working with hundreds or thousands of suppliers have to manage a large volume of contracts, technical annexes, certifications and due diligence questionnaires.
Artificial Intelligence can support the reading and classification of these documents, map services to a predefined taxonomy, identify any missing clauses and flag potential cases of non-compliance with regulatory requirements.
The second area is quantitative and scalable risk assessment.
As the number of suppliers and analytical dimensions increases, the main challenge lies in the operational ability to collect, normalise and compare data. Digital questionnaires, predefined scoring systems, automated calculations and real-time heatmaps can make the process faster, but above all more standardised and comparable. This makes it possible to compare different suppliers using common criteria and assessment scales.
The third area concerns continuous monitoring and predictive alerting.
The integration of external sources, such as ESG ratings, country-risk indicators, sanctions lists and cyber-risk information, can make it possible to update a supplier’s score over time. The objective is to promptly identify any deterioration in the supplier’s risk profile before it results in an incident or operational disruption.
This marks a transition from an assessment carried out at a specific point in time to a continuous model, in line with the developments required by the most recent regulatory frameworks.
Six Specialised Agents Supporting the Process
Finally, de Nittis presented the approach developed by Excellence Edge through a proprietary platform integrating six specialised Artificial Intelligence agents.
Each agent is designed to support a specific phase of the process: from contract analysis to service classification, from gap analysis against regulatory requirements to the identification of findings and the completion of regulatory registers.
The various activities are coordinated within a five-step digital workflow, involving multiple responsibilities, progress tracking and audit trails.
De Nittis concluded by emphasising that the objective is not to apply a general-purpose Artificial Intelligence system to compliance, but to develop specialised agents based on an in-depth understanding of risk management processes and the relevant regulatory frameworks.
The discussion therefore highlighted the need to consider supply chain due diligence as a continuous and integrated process, in which methodology, governance, compliance and technology work together to safeguard business continuity and strengthen organisations’ ability to manage the risks associated with their third parties.