When an Isle of Man firm outsources a critical function — IT, monitoring, administration, a whole back office — it hands over the work. It does not hand over the responsibility. That principle is written into the regulatory framework, and it is the single idea that should shape how every regulated firm thinks about its suppliers: the risk stays with you, even when the work doesn't.
The Financial Services Rule Book 2016 is explicit. The Authority's consent is required before a material function is outsourced (rule 8.16), and the FSA's operational-risk guidance is blunt that outsourcing "does not transfer the responsibility to those third parties". You remain accountable to the regulator for an activity a supplier performs on your behalf — including when that supplier fails, is breached, or quietly sub-contracts the work to someone else.
Why this is rising up the agenda
Third-party risk is no longer a back-office detail. The FSA's Supervisory Priorities 2025–2027 explicitly flag outsourcing and third-party dependency as areas of supervisory focus, and the direction internationally is the same: the EU's Digital Operational Resilience Act (DORA) builds an entire oversight regime around critical ICT third-party providers. The reason is simple — firms have concentrated more and more of their critical operations in a handful of suppliers, so a single provider's failure can now take down services across the whole sector.

If you have read our piece on introducer reliance, the logic will be familiar: you can rely on a third party, but you must be able to justify that reliance — and you cannot delegate the consequences of getting it wrong.
We help Isle of Man firms get their outsourcing and third-party arrangements onto a defensible footing.
What good third-party risk management looks like
Managing third-party risk well is a lifecycle, not a one-off form at onboarding. In practice it runs through five stages:
- Due diligence before you commit. Understand who the provider really is, their financial standing, their own controls and resilience, and where they (and their sub-contractors) operate. The depth should match the criticality of what they do for you.
- Risk-rate the relationship. Not every supplier is material. Rate them by how critical the service is and how much harm their failure would cause, and concentrate your effort where it matters.
- Get the contract right. Material arrangements need clear terms on data protection, security, business continuity, sub-contracting, audit/access rights, and exit — not a generic services agreement.
- Monitor on an ongoing basis. A supplier's risk profile changes. Review performance, incidents and any material changes through the life of the relationship, not just at renewal.
- Plan the exit. What happens if the provider fails or you need to leave? An untested exit plan for a critical service is a resilience gap waiting to be found.

The stages firms most often skip are the last two. Onboarding due diligence gets done; ongoing monitoring and a real exit plan often don't — which is precisely where a supplier failure turns into a firm-level crisis.
Concentration and the fourth-party problem
Two risks deserve particular attention on a small island with a concentrated supplier market. The first is concentration: if several of your critical services depend on the same provider, or the same data centre, that single point of failure is now your single point of failure too. The second is fourth-party risk: your supplier's suppliers. If your provider sub-contracts a critical element, the chain of dependency — and the chain of risk — extends beyond your direct contract. Mapping that chain is part of the operational resilience work the FSA's priorities point firms towards.

Governance ties it together
None of this works without ownership. Third-party risk is a board-level responsibility, supported by an up-to-date register of material suppliers, a consistent way of assessing them, and reporting that lets senior management see where the firm is exposed. It is the same theme that runs through IT governance: the board can delegate the work to suppliers, but it owns the risk and must be able to evidence how it manages it.
We help Isle of Man firms build proportionate third-party risk frameworks — supplier registers, risk-based due diligence, the right contractual controls, and the assurance your board (and the Authority) will expect.
Frequently asked questions
Do we need the FSA's permission to outsource?
For a material function, yes — the Financial Services Rule Book 2016 (rule 8.16) requires the Authority's consent before a material function is outsourced. If you are unsure whether a particular arrangement is material, that itself is a question to resolve with the Authority rather than assume.
If a supplier handles it, is the risk theirs?
No. Outsourcing transfers the work, not the responsibility. The FSA's guidance is explicit that responsibility is not transferred to the third party — you remain accountable to the regulator for the outsourced activity, including the provider's failures.
What's the most commonly missed part of third-party risk management?
Ongoing monitoring and a tested exit plan. Most firms do onboarding due diligence; far fewer keep the assessment current or have a workable plan for a critical supplier's failure — which is exactly where a supplier problem becomes a firm-level one.
