
What Evidence Do Regulators Expect For Third-Party Risk Management?

Hellios Information | January 23, 2026 | 2 min read

Regulators no longer assess third-party risk management (TPRM) based on policy statements alone.

They expect clear, consistent, and provable evidence that third-party risks are identified, assessed, monitored, and governed throughout the supplier lifecycle.

In regulated sectors such as financial services, banking, insurance, defence, aerospace & security, organisations must be able to demonstrate - not just describe - how third-party risk is managed in practice.

Why Evidence Matters More Than Ever in TPRM

Modern regulations increasingly emphasise accountability across the supply chain, including:

  • FCA and PRA expectations for outsourcing and third-party oversight

  • DORA requirements for ICT third-party risk and digital operational resilience

  • ESG, sustainability, and modern slavery obligations

  • Cybersecurity and data protection regulations

In this environment, regulators ask not just “Do you manage third-party risk?” but:

“Can you prove it - consistently, across your entire supplier base?”

Gaps in evidence often result in:

  • Audit findings or remediation actions

  • Delays during inspections

  • Increased regulatory scrutiny

  • Reputational damage

What Auditors And Regulators Look For In Practice

1. Evidence of due diligence and risk assessment

Regulators expect to see proof that third parties are assessed before onboarding and throughout the relationship.

This includes evidence of:

  • Defined onboarding criteria and risk thresholds

  • Risk-based assessments aligned to supplier criticality

  • Documented review of financial, operational, cyber, compliance, and ESG risks

  • Clear justification for onboarding decisions

Common audit question:
How do you determine which third parties require enhanced due diligence?

2. Consistent, justifiable risk decisions

Evidence must show that decisions are:

  • Based on consistent criteria

  • Applied proportionately across the supplier base

  • Clearly documented

Regulators often test:

  • Whether similar suppliers are treated consistently

  • Whether exceptions are justified and approved

  • Whether risk acceptance is supported by evidence

Common audit question:
Why was this supplier approved despite elevated risk indicators?

3. Ongoing monitoring and lifecycle oversight

TPRM evidence must demonstrate that risk management does not stop at onboarding.

Expected evidence includes:

  • Regular reassessments for high-risk suppliers

  • Monitoring of certifications, insurance, and regulatory status

  • Triggers for reassessment (e.g. incidents, breaches, mergers)

  • Evidence of follow-up actions and remediation

Common audit question:
How do you know supplier risk has not increased since onboarding?

4. Governance, ownership, and accountability

Regulators expect third-party risk to have clear ownership and oversight.

Evidence should show:

  • Defined roles across procurement, risk, compliance, IT, and audit

  • Escalation paths for high-risk suppliers

  • Senior management oversight where required

  • Board or committee reporting on third-party risk exposure

Common audit question:
Who owns third-party risk - and how is that ownership enforced?

TPRM Evidence Checklist: What You Should Be Able to Produce

Organisations should be able to provide the following evidence on request.

Supplier and third-party inventory
  • Complete, up-to-date list of third parties

  • Clear identification of critical and high-risk suppliers

Risk assessment records
  • Standardised risk assessments

  • Risk scoring or tiering logic

  • Evidence requirements by risk level

Decision and approval trails
  • Documented onboarding approvals

  • Risk acceptance or rejection rationale

  • Exception handling records

Monitoring and review evidence
  • Reassessment schedules

  • Alerts or triggers for review

  • Remediation tracking

Governance and oversight
  • Role definitions and accountability

  • Management reporting

  • Audit trails across the lifecycle

If this evidence cannot be produced quickly and consistently, regulators will often view the framework as immature - regardless of how strong the policies appear.
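Section 3 above (ongoing monitoring) and the checklist ask for tiering logic, reassessment schedules, review triggers, certification monitoring and decision trails. The following Python example is added here to show how those items can be produced by the process itself rather than reconstructed for an audit; it is not code from Hellios, FSQS or JOSCAR. The tier intervals, the list of trigger events, the 30-day certification warning window and the sample supplier inventory are all assumptions constructed for illustration, and a real programme would take its thresholds from its own risk policy.

```python
"""Illustrative TPRM evidence helpers (added example; not Hellios, FSQS or JOSCAR code).

Assumptions, chosen for illustration only:
  - reassessment intervals per tier (REASSESS_INTERVAL_DAYS)
  - the set of events that force an out-of-cycle review (TRIGGER_EVENTS)
  - a 30-day warning window before a certification expires (CERT_WARNING)
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed schedule: how often a supplier in each tier must be reassessed.
REASSESS_INTERVAL_DAYS = {"critical": 180, "high": 365, "medium": 730, "low": 1095}

# Assumed trigger events: any of these after the last assessment forces a review.
TRIGGER_EVENTS = {"incident", "breach", "merger", "ownership_change"}

CERT_WARNING = timedelta(days=30)


@dataclass
class Supplier:
    supplier_id: str
    name: str
    tier: str                 # one of the keys of REASSESS_INTERVAL_DAYS
    last_assessed: date
    certifications: dict = field(default_factory=dict)  # cert name -> expiry date
    events: list = field(default_factory=list)          # (date, event_type) pairs


def review_reasons(s: Supplier, today: date) -> list:
    """Return every reason this supplier needs a review now; an empty list means none."""
    if s.tier not in REASSESS_INTERVAL_DAYS:
        # An untiered supplier is itself an evidence gap: the inventory is incomplete.
        return [f"no risk tier assigned ({s.tier!r})"]
    reasons = []
    interval = timedelta(days=REASSESS_INTERVAL_DAYS[s.tier])
    if today - s.last_assessed > interval:
        reasons.append(f"scheduled: last assessed {s.last_assessed}, "
                       f"tier {s.tier} interval {interval.days}d")
    for cert, expiry in sorted(s.certifications.items()):
        if expiry < today:
            reasons.append(f"certification expired: {cert} on {expiry}")
        elif expiry - today <= CERT_WARNING:
            reasons.append(f"certification expiring: {cert} on {expiry}")
    for when, event in s.events:
        # Only events after the last assessment count; earlier ones were already reviewed.
        if event in TRIGGER_EVENTS and when > s.last_assessed:
            reasons.append(f"trigger: {event} on {when}")
    return reasons


def suppliers_due_for_review(suppliers, today):
    """Map supplier_id -> reasons, for every supplier with at least one reason."""
    due = {}
    for s in suppliers:
        reasons = review_reasons(s, today)
        if reasons:
            due[s.supplier_id] = reasons
    return due


def record_decision(log, supplier_id, decision, approver, rationale=""):
    """Append an onboarding or risk decision to an audit trail.

    An exception approval with no written rationale is refused, so the trail can
    always answer "why was this supplier approved despite elevated risk indicators?".
    """
    if decision == "approve_with_exception" and not rationale.strip():
        raise ValueError("exception approvals require a documented rationale")
    entry = {"supplier_id": supplier_id, "decision": decision,
             "approver": approver, "rationale": rationale}
    log.append(entry)
    return entry


# Constructed sample inventory (hypothetical suppliers, not real data).
TODAY = date(2026, 1, 23)
SAMPLE_SUPPLIERS = [
    Supplier("S001", "Acme Cloud Ltd", "critical", date(2025, 5, 1),
             certifications={"ISO27001": date(2026, 2, 10)}),
    Supplier("S002", "Beta Logistics", "medium", date(2025, 9, 15),
             events=[(date(2025, 12, 1), "merger")]),
    Supplier("S003", "Gamma Print", "low", date(2024, 3, 1),
             events=[(date(2024, 1, 10), "incident")]),  # before its last assessment
]

if __name__ == "__main__":
    for sid, reasons in suppliers_due_for_review(SAMPLE_SUPPLIERS, TODAY).items():
        print(sid, *reasons, sep="\n  ")
```

Run as a script, the block reports S001 (overdue for its critical-tier cycle and with a certification expiring within the window) and S002 (a merger after its last assessment), while S003 is silent because its only event predates its last review. The rationale check in record_decision is the point of the decision-trail half: the evidence for an exception exists because the process refused to proceed without it.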

Why Evidence Gaps Commonly Appear

Even well-intentioned organisations struggle with evidence because:

  • Data is spread across teams and systems

  • Supplier information is outdated or inconsistent

  • One-to-one due diligence creates duplication and fatigue

  • Monitoring relies on manual follow-ups

This is where many TPRM programmes break down under audit pressure.

How Shared Assurance Strengthens TPRM Evidence

Shared assurance models help address the evidence challenge by embedding evidence generation into the process itself.

Through platforms like FSQS and JOSCAR, Hellios supports TPRM evidence requirements by:

  • Standardising assurance questionnaires

  • Validating supplier data centrally

  • Maintaining refresh cycles

  • Providing audit-ready dashboards and reporting

This allows organisations to demonstrate:

  • Consistent assessment across third parties

  • Up-to-date assurance data

  • Clear audit trails without manual reconstruction

Key Takeaway: Regulators Expect Proof, Not Promises

Third-party risk management is no longer assessed on intent alone.

Regulators expect:

  • Clear, structured evidence

  • Consistent decision-making

  • Ongoing oversight

  • Defensible audit trails

Organisations that build evidence into their TPRM framework - rather than scrambling for it during audits - are better positioned to meet regulatory expectations with confidence.

Struggling to evidence third-party risk management during audits?
See how Hellios helps organisations produce consistent, audit-ready TPRM evidence through shared assurance - without relying on fragmented, one-to-one due diligence.
