Green Dolphin (TCCR) Limited

Third Party Risk Management

The regulatory environment for third-party risk has fundamentally shifted.

Overview

The Treasury Select Committee's 2025 findings were unambiguous. Reliance on third parties, from core banking platform vendors to cloud infrastructure providers and payment processors, sits at the heart of the operational resilience challenge facing the sector. Leadership teams know it. Regulators now have a framework to act on it.


The challenge is not simply one of compliance. Third-party relationships introduce concentration risk, opaque supply chains, hidden dependencies in nth-party supply networks, tightly coupled reliance on legacy systems and, critically, a gap between what boards are told and what is actually happening. That gap is where failures occur.


Effective third-party risk management requires the board to ask the right questions, receive credible answers, and have genuine assurance that their material arrangements are mapped, monitored and resilient. The new regulatory framework makes this a formal obligation, not a best practice.


Why now

Three things have changed in the last twelve months. Regulators have moved from principles to prescription, with FCA PS26/2 and PRA PS7/26 introducing a material third-party reporting framework that takes effect from 18 March 2027. Building societies are facing rising supplier complexity and concentration in cloud, payments and core banking, with more dependencies sitting beyond the visibility of traditional supplier registers. And boards are now personally accountable, with the PRA's first SMF18 fine for outsourcing failures setting a clear precedent for what reasonable steps look like. 


What the regulators now require

Boards must oversee material third-party arrangements with the same rigour applied to any significant operational risk. The PRA's January 2026 Dear CEO letters explicitly identified third-party risk and operational resilience as key supervisory priorities. The PRA's 2026/27 Business Plan reinforces the focus on strategic risk management, operational resilience and data risk. The expectation is embedded governance, not periodic review.


For building societies, proportionality matters. The Strong & Simple regime, the removal of the Building Society Sourcebook and the December 2025 joint PRA / FCA mutuals report all signal a regulatory environment calibrated to the scale and business model of mutuals. Our approach reflects that reality. We don't apply Tier 1 bank methodology to a building society balance sheet.


Where most firms still have gaps

In our experience, the most common gaps are: an incomplete register of material arrangements; limited visibility of fourth and nth-party dependencies; inadequate exit planning for critical services; insufficient board-level understanding of concentration risk; and scenario testing that does not genuinely validate recovery capabilities within impact tolerances. 


What we're seeing in 2026

Boards are asking sharper questions about cloud and core banking concentration than they were twelve months ago. PS7/26 register preparation is exposing gaps in fourth-party visibility, not just third. Exit plans for material arrangements are the most common evidence gap we find. And the conversation across BSA forums has shifted from compliance frameworks to intelligence-led, continuous monitoring of supplier risk. 


Approach

We don't do cookie-cutter. Every bank and building society has a different third-party landscape, a different risk appetite and a different board that needs to understand and own the risks they carry. Our approach is tailored, proportionate to the risks faced, the regulatory obligations in scope and the commercial reality of the firm.


This is not a compliance exercise. It is about giving your board and senior leadership genuine confidence that material third-party risks are understood, managed and ready for scrutiny, from the regulator and from your own audit committee.


Register review and gap analysis

We assess the completeness of your material third-party arrangement register against PS26/2 and PS7/26 requirements, identifying gaps in coverage, sub-contractor and nth-party visibility, concentration risk assessment and the quality of contractual protections including access rights, audit rights and exit provisions. 


Dependency mapping and concentration risk

We map the dependencies between your important business services and the third parties that support them, surfacing concentration risk, single points of failure, hidden dependencies and supply chain nodes that regulators will scrutinise. We pay particular attention to cloud and hyperscaler arrangements, where concentration is now a board-level concern. 


Exit and substitutability assessment

We review the credibility and completeness of exit plans for critical services, testing whether they would work in practice under stressed conditions, whether timescales are realistic and whether the board has visibility of the substitutable options available to them. 


Scenario testing and resilience validation

We support the design and independent review of third-party scenario tests, applying the PRA's expectation that tests are rigorous and realistic, not paperwork exercises. We identify where assumptions are too optimistic and where recovery capabilities are untested, including in stressed exit scenarios. 


Board reporting and regulatory readiness

We help boards understand what they need to know, providing proportionate management information, coaching for non-executive directors and senior management functions on the right questions to ask of management and suppliers, and assurance that the firm is ready for regulatory engagement on third-party risk. The PRA's first SMF18 fine, issued for failures in third-party outsourcing oversight, set the tone for what is now expected of senior managers. Our coaching builds the baseline understanding that helps SMFs take reasonable steps and evidence them. 

 

Why choose Green Dolphin


  • Sector credibility: Building societies and banks are our specialism. Our senior team have worked inside building societies, banks and insurers in roles including Board Risk Advisor, CTO, CISO and Head of Technology and Change Audit. We understand the BSA, the Strong & Simple regime, and the proportionality boards expect when engaging external assurance.
  • Risk reduction: A focus on delivering quality at every step, so that you can have confidence that the risk reduction achieved, and the opportunities to accelerate value, are understood.
  • Audit discipline: We apply genuine audit methodology, evidence-based, proportionate, and designed to provide boards with decision-making confidence rather than a report that sits on a shelf.
  • Proportionate and commercial: An understanding that budgets are not infinite and therefore our support needs to be proportionate to the risks faced, regulatory expectations and commercial realities.
  • Independence: Unlike other consultancies, we maintain full independence from all suppliers. That means we are straight talking and we don't promote, co-create or take introductory referrals.

Referenceable - Just Ask Us

Please let us put you in touch with your peers at other building societies, insurers and banks so you can hear first hand how we've built confidence through genuine risk reduction.


Typical Green Dolphin Effort: 


Health Check: 3 days



Why "we have a register" is the wrong answer

The PRA's Strong & Simple regime, the removal of the Building Society Sourcebook on 1 January 2026, and the December 2025 joint PRA / FCA mutuals report all point in the same direction. Building societies are expected to manage third-party risk seriously, but in a way that is calibrated to their scale, business model and the 30 million members the sector serves. 


Case Study

Evidence-Based Assurance That Reduced Third-Party Risk Exposure

Challenge

A Building Society had accumulated a complex web of third-party arrangements over many years. A core banking platform, a hyperscaler cloud environment, a managed payments provider, multiple fintech integrations and a range of critical operational suppliers, each individually managed, but never collectively mapped, owned or stress-tested as a whole.


The Society's situation reflected what BSA members are now openly discussing at conferences and in webinars: the gap between historical supplier oversight and what PS7/26 will require from 18 March 2027. The FCA and PRA published PS26/2 and PS7/26 in March 2026, introducing a new material third-party reporting framework requiring firms to notify regulators of new or changed material arrangements, maintain a comprehensive register and submit it annually. The PRA's January 2026 Dear CEO letters had already placed third-party risk and operational resilience at the top of supervisory priorities. The Critical Third Parties regime had been live since 1 January 2025.

The Board and Executive had legitimate concerns. They suspected the register of material arrangements was incomplete. They were uncertain whether contractual protections, including audit rights, access rights and exit provisions, were in place and enforceable. They had received assurance from management that arrangements were being managed effectively, but they lacked the independent, evidence-based view that would allow them to fulfil their oversight responsibilities with confidence.


The stakes were clear. Regulatory scrutiny was intensifying. An incomplete or indefensible register, weak exit planning for a critical supplier, or a material incident traced to a third-party dependency the Board could not account for would expose the Society and its members to outcomes no one was prepared to accept. What they needed was not another internal review. They needed independent assurance that was senior-led, audit-disciplined and built to withstand external scrutiny.


Approach

The engagement was a senior-led, experience-driven assessment that combined audit discipline with genuine third-party risk delivery experience, not a generic maturity framework or a compliance checklist. The focus was on the realities of the Society's specific arrangements: the decisions being made, the risks being carried and whether the evidence supported the assurances being given to the Board.


A structured but proportionate assessment was designed to give the Society an honest, independent view without duplicating internal effort or creating unnecessary burden. Targeted interviews with relationship owners, review of existing contracts and delivery artefacts, and triangulation against available management information allowed a clear picture to be built quickly. Where gaps existed, in contractual protections, in register coverage, in nth-party visibility or in concentration risk awareness, they were identified with supporting evidence and a practical path to resolution.


The assessment was anchored to the expectations now driving supervisory scrutiny:


  • Register completeness and accuracy, assessed against the PS26/2 and PS7/26 framework, including sub-contractors, hidden dependencies and supply chain nodes not previously captured.
  • Contractual protections for material arrangements, including audit rights, regulatory access, data protection obligations, exit provisions and concentration risk controls.
  • Dependency mapping against important business services, surfacing single points of failure, fourth-party exposure and concentration risk across cloud and technology providers, aligned to the PRA's 2026 supervisory focus.
  • Exit and substitutability planning, tested for credibility under stressed conditions, particularly for the Society's highest-criticality supplier relationships where exit timescales were unrealistic or untested.
  • Scenario testing and resilience validation, reviewing whether existing tests genuinely validated third-party recovery capabilities within impact tolerances, or relied on assumptions regulators would challenge.
  • Board grip and information quality, assessing whether management information gave the Board genuine visibility of third-party performance, incident status and risk exposure, or created a false sense of control.


Throughout the engagement, the Board received coaching to strengthen their ability to ask the right questions of management and suppliers, developing a baseline understanding of the obligations they now carry and the specific risks their third-party landscape presents. Early findings were shared in real time, giving the Executive the opportunity to act on emerging risks before they were escalated into formal reporting. 


Outcome

Material gaps that had accumulated over years of individually managed supplier relationships were identified, evidenced and addressed systematically rather than reactively. The Society's register of third-party arrangements was brought into line with PS26/2 and PS7/26 requirements ahead of the 2027 deadline, not under pressure. Several material arrangements lacked enforceable audit and exit rights; these were identified and remediated at the next contractual opportunity.


Concentration risk, previously understood only at the level of individual relationships, was surfaced as a board-level issue for the first time. The mapping of third-party dependencies against important business services made clear where a single supplier failure could breach impact tolerances, and where the Society had less resilience than it believed. Hidden dependencies in the supply chain, not previously visible to the Board, were brought into the open. Exit planning for the most critical supplier relationships was found to be largely theoretical; credible, tested plans were developed in their place.

The PRA's supervisory priorities, including board accountability, dependency mapping, scenario testing rigour and third-party concentration risk, were addressed with documented evidence at every point. When the Society's internal audit function subsequently reviewed the area, they found a materially stronger control environment, with clear ownership, documented decisions and a register that reflected reality.


The Board had the evidence to fulfil their oversight responsibilities. The regulators had a register they could rely on. And the members the Society exists to serve were protected from risks that had been accumulating, largely unseen, for years.

© Green Dolphin (TCCR) Limited
Company registered in England and Wales (No. 16855006)


NCSC Cyber Essentials Certified 2026 (No. 8fe63bb4-be60-4c2a-81f7-8cad1848de4d)


Good Business Charter Accredited 2026


VAT Registration 513 0298 23


All rights reserved.
