
Third-party risk

by Mark Rowe

Outsourcing a service does not outsource the risk, writes Robert Hannigan, Chairman of International Business at the platform BlueVoyant.

In 2026, third-party risk management (TPRM) will move from a background compliance task to one of the most strategically important priorities for UK financial services firms. This shift is rapid and unavoidable. Financial institutions now operate under intense regulatory scrutiny from the Financial Conduct Authority (FCA), PRA and Bank of England, while cross-border firms must also align with the EU DORA regulation. Regulators are no longer satisfied with point-in-time controls or annual questionnaires. They expect real-time evidence of resilience, continuous monitoring, and the ability to withstand disruption that originates deep within digital supply chains.

This heightened focus reflects reality. Cloud, AI and other critical digital services have consolidated around a small number of dominant providers, creating systemic dependencies that extend far beyond traditional outsourcing arrangements. A single outage, cyber incident or operational failure at one of these providers can cascade across multiple institutions and even the wider financial system.

As a result, firms must maintain accurate registers of critical suppliers, demonstrate ongoing resilience, and prepare for the designation of Critical Third Parties (CTPs). This is a regulatory mechanism that will bring unprecedented oversight to the most influential technology providers.

Crucially, accountability remains firmly with the regulated firm. Regulators have been explicit: outsourcing a service does not outsource the risk. Even when failures originate outside the organisation, responsibility for resilience, continuity and customer protection stays in-house. This principle is shaping every aspect of TPRM in 2026.

Risk landscape

Alongside regulatory pressure, firms are grappling with growing complexity across fourth-, fifth- and Nth-party relationships. Incidents increasingly originate deep within vendor ecosystems, at subcontractors, cloud dependencies or embedded software providers that sit far beyond the first tier of suppliers. Yet many organisations still lack end-to-end visibility of these extended supply chains.

At the same time, new incident reporting frameworks are raising expectations and introducing stricter, standardised requirements for reporting operational incidents and material third-party arrangements. Firms must detect and classify incidents quickly enough to meet accelerated timelines, coordinate multi-stage reporting with incomplete information, and harmonise UK rules with EU DORA templates. Without integrated tooling and real-time monitoring, these expectations become extremely difficult to meet.

The rapid adoption of AI adds another layer of complexity. Much of the AI used in UK financial services is delivered or supported by third parties, creating new risks around model transparency, explainability and accountability. Over one-third of AI use cases rely on vendor-supplied models, yet many firms lack full visibility into how these models operate or what dependencies they introduce. Regulators are increasingly concerned that AI-driven third-party risk could amplify systemic vulnerabilities if not governed effectively.

The message for 2026 is clear: resilience must be demonstrated through evidence, testing and preparedness. Firms unable to prove they can withstand third-party failure will face increasing supervisory pressure.

Maturity gap

Over the past six years, we’ve seen TPRM mature from a basic awareness effort into a formal operational function. But maturity does not always translate into effectiveness. Our most recent report, The State of Supply Chain Defense, shows that despite heavy investment in tools, teams and processes, many organisations struggle with internal resistance, limited alignment and a widening gap between programme maturity and true organisational commitment.

Most programmes are still driven by compliance requirements rather than genuine risk reduction, even though 98% of UK respondents were negatively impacted by a third-party cyber incident in the past year. With nearly all organisations expecting their vendor ecosystems to grow, the attack surface is expanding faster than support structures. The result is a landscape where silos persist, visibility is limited, and risk reduction remains secondary to box-ticking.

Sector strain

The financial services sector stands out in this year’s findings as a sector under strain. Seventy percent of UK organisations describe their TPRM programmes as early or developing, suggesting that many are still building foundational capabilities. Internal resistance is a major barrier, with 26% citing it as their biggest challenge.

Perhaps the most concerning finding is the lack of senior leadership engagement. Only 10% of organisations brief executives on security monthly or more frequently, despite all UK financial services firms being negatively impacted by third-party cyber breaches in the past year. This disconnect between operational reality and executive oversight is a clear sign of systemic issues.

In this sector, ownership of TPRM often sits within finance departments rather than security functions, and programmes are frequently driven by annual contract value rather than risk exposure. This approach may satisfy procurement cycles, but it does little to strengthen resilience or reduce the likelihood of third-party failure.

From compliance to confidence

The main take-away from 2025 is unmistakable: without organisational alignment, even the most sophisticated TPRM programmes will fail to deliver meaningful outcomes. Integrated systems, cross-functional collaboration and a genuine commitment to risk reduction, not just compliance, will determine which financial services firms thrive in 2026 and which remain trapped in reactive, box-checking cycles.

The financial organisations that succeed will be those that treat TPRM as a strategic capability rather than an administrative burden. By embedding TPRM into core decision-making, they will gain the visibility needed across the entire supply chain, build realistic exit strategies, test resilience against real-world scenarios, and ensure that senior leadership fully understands the stakes.

Financial systems are defined by deep interconnectedness. Therefore, the strength of a firm’s third-party ecosystem is now as critical as the strength of its internal controls. Institutions that embrace TPRM as a driver of resilience, not just compliance, will not only meet regulatory expectations but also build a foundation of trust, stability and long-term competitive advantage in an increasingly complex digital economy.