Third-Party and Outsourcing Risk Assurance
Regulated firms are responsible for what their suppliers do on their behalf. Most cannot demonstrate that their oversight of critical outsourcers and third parties is adequate. We provide the independent assurance that closes that gap.
The oversight gap most firms have
Most firms have a third-party risk policy and a vendor register. Fewer have an oversight framework that is operating as the board expects. Common gaps include: critical third parties that have not been subject to meaningful oversight review since they were onboarded; concentration risk that has not been assessed at portfolio level; and exit planning that exists in documents but has never been tested.
The FCA has found these gaps consistently across its supervisory engagement. Internal audit that reviews the policy and confirms the vendor register exists is not providing the assurance the regulator expects.
Our approach
We scope third-party risk assurance around your actual risk exposure, not around a generic template. That means starting with which third parties are genuinely critical to your operations or regulated activities, what would happen if they failed, and whether your oversight arrangements are proportionate to that dependency. From there we design the right assurance programme for your firm.
Five service components for third-party risk assurance
Structured around the full lifecycle of third-party risk, from onboarding through to exit.
Third-party risk framework review
Assessment of your overall third-party risk management framework against FCA SYSC 8, PRA expectations and DORA where applicable. Covers policy, risk appetite, oversight governance, escalation and reporting. Identifies design gaps before a supervisory review does.
Critical third-party and outsourcing audit
Deep-dive assurance over one or more critical outsourcers or material third parties. Tests whether your oversight is operating effectively in practice, not just documented in the contract. Includes review of service levels, sub-outsourcing, audit rights and exit planning.
Vendor onboarding and due diligence review
Assessment of your onboarding and due diligence process for new third parties. Tests whether risk assessments are proportionate, whether approval governance is functioning, and whether ongoing monitoring obligations are being met after onboarding.
Concentration risk and portfolio assessment
Portfolio-level review of third-party dependencies to identify concentration risk, single points of failure and gaps in business continuity planning. Includes assessment of cloud provider and critical infrastructure dependencies that boards often underestimate.
Exit planning and operational resilience testing
Assessment of whether your exit plans for critical outsourcers are credible and tested, including sub-outsourcer substitutability, data portability and transition planning. Connects directly to FCA and PRA operational resilience expectations.
AML and financial crime third-party oversight
Specific assurance over outsourced AML, KYC, screening and onboarding operations. Tests whether the firm's oversight of outsourced financial crime controls meets MLR 2017 requirements and whether reliance on group-level frameworks is adequately evidenced.
Firms with material outsourcing or supplier dependencies
- Financial services firms with material outsourcing arrangements subject to FCA SYSC 8 or PRA requirements
- Firms connected to EU operations facing DORA ICT third-party risk management obligations
- Internal audit functions that need to expand third-party coverage but lack the specialist framework knowledge
- Firms that have outsourced AML, KYC or financial crime operations and need independent assurance over the arrangement
- Boards and audit committees that want assurance over concentration risk and critical third-party dependencies
Third-party risk in your audit plan or on the regulator's radar?
We scope third-party assurance around your actual dependencies and regulatory obligations, not a generic template. Let us know what you are dealing with.