St Georges Strategy

Signals / Third-party risk

Dependencies that look internal when they fail

The exploded third-party page behind the weekly brief. It translates vendor, model-provider, cloud, processor, and outsourcing signals into ownership and evidence questions.

Supporting evidence

Ten further third-party signals

The shortlist above carries the leadership read. These ten additional rows link external signals to the dependency questions they create for procurement, resilience, technology, and risk owners.

  06. Agentic AI suppliers create permission and audit-log questions
      AI agents / Financial Times / 2026-06-30

  07. Enterprise AI features can enter production through existing tools
      Workspace AI / Google / 2026

  08. Fourth parties can carry the real operational dependency
      Official expectations / Bank of England and PRA

  09. Regulatory notification paths should include vendor-originated incidents
      Official expectations / Bank of England and PRA

  10. Concentration risk should be aggregated across business lines
      Global policy / FSB third-party risk

  11. Outsourced complaints and remediation can become conduct exposure
      Conduct / Financial Times / 2026-06

  12. Data processors need lineage, return, deletion, and subcontracting evidence
      Official expectations / EBA outsourcing guidelines

  13. Vendor AI guardrails need technical controls outside the prompt
      AI security / TechRadar / 2026

  14. Exit plans need migration windows, data return, and workaround detail
      Official expectations / Bank of England and PRA

  15. Board packs need a single view of critical third-party exposure
      Global policy / FSB third-party risk

Why it made the weekly brief

The editorial judgement

Third-party risk matters when the external provider effectively becomes part of the firm's control environment, customer journey, or regulatory evidence base.

So what

Outsourced does not mean externally owned

The customer, supervisor, and board will often experience a vendor failure as the firm's failure. The weekly brief should make that accountability visible.

Who cares

Procurement, technology, resilience, legal, compliance, data, and business owners

Third-party risk cuts across contract terms, control assurance, incident response, data lineage, exit planning, and customer impact.

Evidence needed

Criticality, ownership, concentration, control rights, and exit practicality

Good assurance should show who owns the dependency, what rights exist, what evidence is available, and how the firm would operate during failure.

Control evidence checklist

What the reader should ask for

This checklist gives a third-party or resilience owner enough prompts to test the current evidence pack.

Archive and source trail

How this topic should compound over time

Third-party risk is cumulative: the value comes from seeing repeated dependency patterns across providers, services, and regulatory expectations over time.