Beyond Supplier Risk: Governing the Dependencies That Matter Most

For many firms, third-party risk has traditionally sat somewhere between procurement, outsourcing oversight and information security.

A supplier is assessed before appointment. A contract is agreed. Due diligence is completed. Periodic reviews take place. Perhaps an annual risk assessment is refreshed.

All of that remains important. But it is no longer enough.

Today, firms rely on an increasingly complex mix of external technology, infrastructure, data, platforms, specialist services and automated decision-making tools. A customer journey may depend on cloud infrastructure, identity verification, payment processing, communications systems, external data, software providers and outsourced operational support, all working as expected at the same time.

The firm may own the customer relationship. It may own the regulatory obligation. It may own the consequences when something goes wrong.

But it does not necessarily own the systems, people, data or infrastructure on which that outcome depends.

That is why third-party dependency has become a governance issue.

The problem is bigger than supplier management

The phrase “third-party risk” can make the issue sound contained.

It suggests a supplier relationship that can be assessed, monitored and managed through a defined process. In some cases, that remains true. But the more connected a business becomes, the harder it is to separate one supplier from the wider chain of dependencies around it.

A firm may use a cloud provider directly. Its software provider may use the same cloud provider. Its outsourced service partner may rely on another connected platform. An AI-enabled process may draw on external data or an underlying model that the firm has limited ability to interrogate or influence.

The exposure is not simply whether one supplier performs against its contract.

It is whether the firm understands the service it is trying to deliver, what sits beneath it and where a failure could have a wider effect.

That distinction is important.

A supplier may meet its contractual obligations while the firm still faces disruption. A service may remain technically available while data, access, decision-making or recovery capability is compromised. A contract may include exit clauses, but the firm may find that moving away from the provider would take months, involve significant cost or create new risks of its own.

The dependency may be visible. The consequences may not be.

The rise of shared infrastructure

There is another dimension to this: concentration.

In the past, firms often thought about third-party risk in individual terms. What happens if our provider fails? Do we have an alternative? Have we completed the due diligence?

Those are still sensible questions. But many firms are now reliant on the same small group of technology, cloud, data and infrastructure providers. That creates a more systemic challenge.

A disruption affecting one critical provider may affect multiple firms, multiple services and, potentially, multiple parts of the financial system at once.

This does not mean firms should avoid external providers. That would be neither realistic nor necessarily desirable. External technology and specialist expertise can improve services, support innovation and make firms more efficient.

The point is that efficiency can also create dependency.

The more services are concentrated around the same provider, platform or infrastructure, the more important it becomes to understand how disruption would travel. A failure may not remain within one team, one system or one supplier relationship. It may affect customers, operations, regulatory reporting, financial processes, communications and the firm’s ability to make decisions in real time.

This is where third-party risk begins to look less like a procurement issue and more like an operational resilience issue.

The illusion of control

Firms are often rightly focused on the controls they operate themselves.

They may have policies, procedures, approval processes, incident plans, risk assessments and well-defined lines of accountability. But control can become more complicated once an important service depends on someone else’s technology, people or infrastructure.

The firm may be able to assess the provider. It may receive assurance reports. It may have contractual rights to information, audit or notification.

Yet it may still have limited visibility of how the provider manages its own dependencies, how quickly it can recover from a disruption, what competing demands it would face during a wider incident or whether its contingency arrangements would work at the scale required.

This is not an argument against assurance. It is an argument for being clear about what assurance can and cannot provide.

A supplier assessment can establish whether appropriate controls appear to exist at the point in time it was carried out. It cannot guarantee that a service will remain available during a significant disruption.

A resilience test can show how a provider responds to one scenario. It may not reveal what happens when several dependencies fail together.

A contract can set expectations. It cannot remove the firm’s accountability for the outcome.

That is the uncomfortable reality at the centre of third-party dependency: responsibility can be shared, but accountability cannot be outsourced.

Mapping the service, not just the supplier

One of the most practical shifts firms can make is to move from supplier-led thinking to service-led thinking.

The starting point should not only be: “Which third parties do we use?”

It should also be: “What important business services do we provide, and what would stop us delivering them?”

That requires a fuller view of the people, processes, technology, information, facilities and third parties that support a service. It means understanding the dependencies that sit behind the customer-facing outcome, including those that may not be immediately visible in a supplier register.

For example, a customer-facing platform may depend on a software provider. But the wider service may also rely on a cloud environment, external data, identity verification, customer communications, internal operations teams and an outsourced support function.

Each component may have its own owner, contract, risk assessment and control framework.

The customer, however, experiences only one service.

That is why mapping matters. It helps firms identify where several processes depend on the same provider, where a supposedly isolated issue could create a wider impact and where contingency plans are based more on assumption than evidence.

It also helps reveal an awkward but important question: what happens if there is no realistic alternative?

Exit planning is not the same as exit capability

Many third-party arrangements include an exit plan. That is sensible. But an exit plan on paper is not necessarily evidence that a firm can exit in practice.

A meaningful exit strategy needs to consider much more than notice periods and contractual obligations. It should address data portability, access to records, technical migration, replacement suppliers, internal capability, customer impact, operational disruption and the time required to make the change safely.

For some services, exit may be possible but slow.

For others, the practical challenge may be less about leaving the provider altogether and more about maintaining a minimum viable service during disruption. That might involve manual processes, prioritised customer support, alternative communications channels or a reduced but controlled operating model.

The aim is not to assume that every dependency can be removed quickly. It is to understand the limits of what is possible before the firm needs to find out under pressure.

A governance question, not simply a risk question

Third-party dependency crosses organisational boundaries.

Procurement may understand the commercial arrangement. Technology may understand the architecture. Operations may understand the service impact. Information security may assess cyber exposure. Compliance may consider regulatory obligations. Risk may maintain the framework. Internal audit may provide independent assurance.

Each function can hold an important part of the picture.

But the picture is incomplete if no one can bring those perspectives together and answer a more fundamental question: where are we dependent, what would failure mean and who is accountable for the decision to accept that exposure?

This is where governance needs to become more practical.

Boards and senior management do not need every supplier detail. They do need a clear view of the dependencies that could materially affect important services, customer outcomes, regulatory obligations or the firm’s ability to respond to disruption.

They should understand where concentration exists, where recovery assumptions have not been tested, where contingency is weak and where the organisation would struggle to operate without a particular provider or service.

That is not about creating another supplier dashboard.

It is about making sure that decision-makers can see the risks that sit beyond the organisation’s formal boundaries.

Questions worth asking

A more mature approach to third-party dependency starts with a small number of clear questions:

  • Which important business services rely on third parties, directly or indirectly?
  • Where do several services depend on the same provider, platform or infrastructure?
  • What would happen if access to a service, system or data source was lost suddenly?
  • How long could the business continue operating within acceptable limits?
  • What assumptions are being made about recovery, substitution or exit?
  • Have those assumptions been tested in realistic scenarios?
  • Who owns the decision to accept a dependency where there is no quick or credible alternative?
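
The service-led mapping described above, and the first two questions in this list, reduce to a reachability problem over a dependency graph: which providers does each important service reach, directly or through its suppliers' own suppliers, and which of those providers sit under several services at once. The following is an added worked example, not part of the original article and not any firm's real data. The services, components, supplier names and the supplier register are all constructed for illustration; the point is the method of inverting the map to find concentration and fourth-party dependencies that never appear in a supplier register.

```python
"""Service-led dependency mapping: transitive and concentrated third-party
dependencies behind important business services.

All names below are constructed for illustration and describe no real firm.
"""
from collections import deque

# Constructed map: each node -> the nodes it depends on. Services depend on
# components, components on contracted suppliers, suppliers on their own providers.
DEPENDENCIES = {
    "customer_onboarding": {"web_platform", "id_verification", "email_comms"},
    "payments": {"payment_gateway", "core_banking", "email_comms"},
    "regulatory_reporting": {"reporting_tool", "core_banking"},
    "web_platform": {"saas_vendor_a"},
    "id_verification": {"kyc_vendor", "data_bureau"},
    "email_comms": {"comms_vendor"},
    "payment_gateway": {"payments_vendor"},
    "core_banking": {"on_prem_datacentre"},
    "reporting_tool": {"saas_vendor_b"},
    # Fourth-party layer: what the contracted suppliers themselves run on.
    "saas_vendor_a": {"cloud_provider_x"},
    "kyc_vendor": {"cloud_provider_x"},
    "comms_vendor": {"cloud_provider_x"},
    "payments_vendor": {"cloud_provider_y"},
    "saas_vendor_b": {"cloud_provider_x"},
}
IMPORTANT_SERVICES = ("customer_onboarding", "payments", "regulatory_reporting")
# Nodes the firm operates itself (hypothetical).
INTERNAL = {"web_platform", "id_verification", "email_comms", "payment_gateway",
            "core_banking", "reporting_tool", "on_prem_datacentre"}
# Suppliers the firm holds a direct contract with (hypothetical supplier register).
SUPPLIER_REGISTER = {"saas_vendor_a", "kyc_vendor", "data_bureau",
                     "comms_vendor", "payments_vendor", "saas_vendor_b"}


def transitive_dependencies(graph, node):
    """Every node reachable from `node`, however many hops away (BFS, cycle-safe)."""
    seen = set()
    queue = deque(graph.get(node, ()))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(graph.get(current, ()))
    return seen


def exposure_by_dependency(graph, services):
    """Invert the map: dependency -> sorted list of services that reach it."""
    exposure = {}
    for service in services:
        for dep in transitive_dependencies(graph, service):
            exposure.setdefault(dep, set()).add(service)
    return {dep: sorted(svcs) for dep, svcs in exposure.items()}


def concentration_points(graph, services, min_services=2):
    """Dependencies on which at least `min_services` important services rely."""
    return {dep: svcs for dep, svcs in exposure_by_dependency(graph, services).items()
            if len(svcs) >= min_services}


def services_affected_by(graph, services, failed_node):
    """Important services that lose a dependency if `failed_node` is unavailable."""
    return sorted(s for s in services
                  if failed_node in transitive_dependencies(graph, s))


def unregistered_external_dependencies(graph, services, internal, register):
    """External nodes that services reach but that appear in no direct contract,
    i.e. fourth parties such as the cloud provider beneath a SaaS vendor."""
    return {dep: svcs for dep, svcs in exposure_by_dependency(graph, services).items()
            if dep not in internal and dep not in register}


if __name__ == "__main__":
    print("Shared by every important service:",
          concentration_points(DEPENDENCIES, IMPORTANT_SERVICES, len(IMPORTANT_SERVICES)))
    print("Not in the supplier register:",
          unregistered_external_dependencies(DEPENDENCIES, IMPORTANT_SERVICES,
                                             INTERNAL, SUPPLIER_REGISTER))
    print("Lost with cloud_provider_y:",
          services_affected_by(DEPENDENCIES, IMPORTANT_SERVICES, "cloud_provider_y"))
```

In the constructed data, `cloud_provider_x` never appears in the supplier register, yet every important service reaches it through a different contracted vendor; that is exactly the concentration the article warns a supplier-by-supplier review will miss. Running `services_affected_by` for each node is the scenario question ("what if this is lost suddenly?") asked systematically rather than by assumption.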

These are not questions for procurement alone. They are questions for operational resilience, technology, risk, compliance, audit and senior management.

Looking beyond the contract

Third-party relationships will remain central to how modern firms operate. The issue is not whether to use them. It is whether the organisation can see clearly enough through them.

Contracts, due diligence and assurance reports all have a place. But they should be part of a wider understanding of dependency, service impact and accountability.

The firms that manage third-party risk well will not be those with the longest supplier registers or the most detailed questionnaires.

They will be the ones who understand where they are exposed, what matters most when a dependency fails and what they can realistically do about it.

Because the risk a firm does not own can still become the outcome it has to explain.
