St Georges Strategy

Signals / Third-party risk

Dependencies that look internal when they fail

The exploded third-party page behind the weekly brief. It translates vendor, model-provider, cloud, processor, and outsourcing signals into ownership and evidence questions.

Curated memory

Still material

These signals remain live after editorial review. Most stay for up to 90 days; exceptional structural anchors can remain for six months with a recorded reason.

  1. 90-day windowReviewed 9 Jul

    Agentic AI suppliers create permission and audit-log questions

    Monitoring / Financial Times / 2026-06-30
  2. Longer-term anchorReviewed 9 Jul

    FCA one-year review: third-party vulnerability identification still needs more work despite mapping progress

    Primary / FCA / 2026-03-27
  3. Structural referenceReviewed 9 Jul

    ICT risk governance should connect supplier access, monitoring, and continuity

    Primary / EBA ICT risk guidelines
  4. Structural referenceReviewed 9 Jul

    Material outsourcing still needs audit, subcontracting, and exit evidence

    Primary / EBA outsourcing guidelines
  5. 90-day windowReviewed 9 Jul

    FSB consults on sound practices for AI adoption, including third-party and vendor concentration risk oversight

    Primary / FSB / 2026-06-10

Why it made the weekly brief

The editorial judgement

Third-party risk matters when the external provider effectively becomes part of the firm's control environment, customer journey, or regulatory evidence base.

So what

Outsourced does not mean externally owned

The customer, supervisor, and board will often experience a vendor failure as the firm's failure. The weekly brief should make that accountability visible.

Who cares

Procurement, technology, resilience, legal, compliance, data, and business owners

Third-party risk cuts across contract terms, control assurance, incident response, data lineage, exit planning, and customer impact.

Evidence needed

Criticality, ownership, concentration, control rights, and exit practicality

Good assurance should show who owns the dependency, what rights exist, what evidence is available, and how the firm would operate during failure.

Third-party evidence checklist

What the reader should ask for

This checklist gives a third-party or resilience owner enough prompts to test the current evidence pack.

Archive and source trail

How this topic should compound over time

Third-party risk is cumulative: the value comes from seeing repeated dependency patterns across providers, services, and regulatory expectations over time.