St Georges Strategy

Signals / Third-party risk

Dependencies that look internal when they fail

The exploded third-party page behind the weekly brief. It translates vendor, model-provider, cloud, processor, and outsourcing signals into ownership and evidence questions.

Supporting evidence

Five more third-party signals

The shortlist above carries the leadership read. These five more rows link external signals to the dependency questions they create for procurement, resilience, technology, and risk owners.

  1. 06

    Agentic AI suppliers create permission and audit-log questions

    Monitoring / Financial Times / 2026-06-30
  2. 07

    Outsourced technology remains inside the firm's resilience accountability

    Primary / FCA outsourcing and resilience
  3. 08

    ICT risk governance should connect supplier access, monitoring, and continuity

    Primary / EBA ICT risk guidelines
  4. 09

    Material outsourcing still needs audit, subcontracting, and exit evidence

    Primary / EBA outsourcing guidelines
  5. 10

    Concentration risk should be aggregated across business lines

    Primary / FSB financial innovation

Why it made the weekly brief

The editorial judgement

Third-party risk matters when the external provider effectively becomes part of the firm's control environment, customer journey, or regulatory evidence base.

So what

Outsourced does not mean externally owned

The customer, supervisor, and board will often experience a vendor failure as the firm's failure. The weekly brief should make that accountability visible.

Who cares

Procurement, technology, resilience, legal, compliance, data, and business owners

Third-party risk cuts across contract terms, control assurance, incident response, data lineage, exit planning, and customer impact.

Evidence needed

Criticality, ownership, concentration, control rights, and exit practicality

Good assurance should show who owns the dependency, what rights exist, what evidence is available, and how the firm would operate during failure.

Control evidence checklist

What the reader should ask for

This checklist gives a third-party or resilience owner enough prompts to test the current evidence pack.

Archive and source trail

How this topic should compound over time

Third-party risk is cumulative: the value comes from seeing repeated dependency patterns across providers, services, and regulatory expectations over time.