A practical guide to third-party risk reporting for boards.
Most third-party risk packs we review in board readiness work suffer from the same problem: they are inventories, not decisions. A 40-page register of suppliers is not a board document. A board document is a small number of numbers that, taken together, support a decision to continue, escalate or exit.
The four numbers
We advise non-executives to ask for, and management to publish, four figures every quarter: the proportion of critical services concentrated in a single provider; the number of critical providers without a tested exit plan; the count of overdue assurance activities on critical suppliers; and the value of contracts up for renewal in the next two quarters where the BCP has not been refreshed.
Criticality must be defended, not asserted
Every supplier classified as critical should map to one or more important business services, and the mapping should be visible in the pack. Reclassifications — up or down — are themselves a reporting line. A supplier that quietly drops from critical to material between cycles is exactly the kind of signal supervisors are now asking about.
Exit is a tested capability, not a clause
Under both the PRA's SS2/21 update and the EU's DORA, exit plans must be demonstrably executable. A contract clause is not evidence. A rehearsed cutover, with timing and a named accountable executive, is. We recommend one rehearsal per year for every critical supplier in the top quartile by spend or by service criticality.
A note on tone
The best third-party packs we see are short, candid, and willing to use the word "no". A board that reads twelve pages and walks away with three decisions has been well served. A board that reads ninety pages and walks away with none has not.