St Georges Strategy

Signals / Third-party risk

Dependencies that look internal when they fail

The exploded third-party page behind the weekly brief. It translates vendor, model-provider, cloud, processor, and outsourcing signals into ownership and evidence questions.

Supporting evidence

Five more third-party signals

The shortlist above carries the leadership read. These five more rows link external signals to the dependency questions they create for procurement, resilience, technology, and risk owners.

  1. 06

    Agentic AI suppliers create permission and audit-log questions

    Monitoring / Financial Times / 2026-06-30
  2. 07

    FCA one-year review: third-party vulnerability identification still needs more work despite mapping progress

    Primary / FCA / 2026-03-27
  3. 08

    ICT risk governance should connect supplier access, monitoring, and continuity

    Primary / EBA ICT risk guidelines
  4. 09

    Material outsourcing still needs audit, subcontracting, and exit evidence

    Primary / EBA outsourcing guidelines
  5. 10

    FSB consults on sound practices for AI adoption, including third-party and vendor concentration risk oversight

    Primary / FSB / 2026-06-10

Why it made the weekly brief

The editorial judgement

Third-party risk matters when the external provider effectively becomes part of the firm's control environment, customer journey, or regulatory evidence base.

So what

Outsourced does not mean externally owned

The customer, supervisor, and board will often experience a vendor failure as the firm's failure. The weekly brief should make that accountability visible.

Who cares

Procurement, technology, resilience, legal, compliance, data, and business owners

Third-party risk cuts across contract terms, control assurance, incident response, data lineage, exit planning, and customer impact.

Evidence needed

Criticality, ownership, concentration, control rights, and exit practicality

Good assurance should show who owns the dependency, what rights exist, what evidence is available, and how the firm would operate during failure.

Third-party evidence checklist

What the reader should ask for

This checklist gives a third-party or resilience owner enough prompts to test the current evidence pack.

Archive and source trail

How this topic should compound over time

Third-party risk is cumulative: the value comes from seeing repeated dependency patterns across providers, services, and regulatory expectations over time.