
What the Delve Case Study Teaches About Governance

When technology feels like control

There’s been a lot of discussion recently around allegations involving a compliance technology provider. Whether those claims are substantiated or not is ultimately a secondary question. What’s more interesting is that the depth of the reaction reveals most firms weren’t surprised that something could go wrong. They were surprised at how difficult it would be to prove that it hadn’t.

That distinction is important not because firms are doing nothing, but because much of what exists today still sits closer to confidence than evidence. And evidence is where the regulatory burden is heading.

 

The problem isn’t the provider

The broader picture is that most of those addressing the problem on social media are framing it solely as a vendor issue. That is a very tempting way to move responsibility away from the real problem facing multiple industries. In a drive towards increased automation, in an environment with increased vendor ‘capability’, most firms don’t actually know in a precise, operational sense how their technology delivers the outcomes they are accountable for.

  1. They know what it’s supposed to do.
  2. They know what they bought it for.
  3. They know what the outputs look like.

 

But if you ask a slightly different question, such as “How does this system function or behave in a stressed or challenged situation?” or “Can I evidence the functions for this system in the first place?”, the answer is often much less clear.

This is precisely how the governance gap has evolved relative to technology.

 

The shift no one is explicitly calling out

If you read the FCA’s latest work on operational incident and third-party reporting, the focus is on third parties’ increasing supply of services by means of transformative technological innovations like AI. The increased FCA focus and supervision in this space echoes the deepening interconnectedness of industry as a whole, and therefore the increased systemic risk where failure occurs.

Structurally, regulators are building the ability to see how firms operate in practice rather than how they describe themselves.

The enhanced view of real conditions (how systems, data, and third parties behave) can only really work if the data is structured, timely, and comparable across firms.

This means the question is no longer whether a firm has controls, but whether those controls can be observed, tested, and understood externally.

And that’s where technology quietly becomes the focal point, because most of what firms rely on today – data flows, monitoring, reporting, even decision-making – sits inside systems they did not build.

 

Operational resilience has raised the bar

The FCA is explicit that operational risk is increasingly driven by third parties, with incidents propagating across shared infrastructure and interconnected services.

At the same time, firms are now expected to:

  • Identify incidents quickly;
  • Classify them using judgement; and
  • Report them in structured form, often within 24 hours.

 

The increasing demands on organisations require that firms understand their systems, their data, and their dependencies well enough to make defensible decisions in real time.

 

The question firms should be asking

The default question in most organisations is still “Is this provider solving the high-level problem statement?”

A more useful question is: “What assurance do we have that this delivers the outcome we are accountable for, in our environment, under pressure?”

The answer to that question doesn’t sit in a certification, a demo or a client list. It sits in how the system interacts with your data, your processes, and your edge cases.

To map potential governance gaps, we would start by mapping services against the new definition of a ‘material third party arrangement’ and seeing where technology plays a role:

A third party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:

  • Cause intolerable levels of harm to the firm’s clients;
  • Pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or
  • Cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the FCA’s Principles for Business, or under SYSC 15A (operational resilience).

 

 

What this looks like in practice

There is a way to make this more tangible, without turning it into a technical exercise. It starts by being precise about the problem.

You should start by asking:

  • What risk are we actually trying to control?
  • Where does that risk sit in the process?
  • What would good look like, in a way that could be evidenced?

 

From there, everything becomes easier to challenge.

  • You can map where the system sits in that process.
  • You can see what it depends on.
  • You can test how it behaves when inputs are incomplete or unexpected.
  • You can identify where human judgement still sits alongside it.

And importantly, you can define what it does not do.

 

How a more robust vendor selection process actually changes the outcome

This is where Elira can help you. A lot of the issues firms are now facing don’t originate at the point of failure. They start much earlier, at selection.

Due diligence tends to answer whether a vendor meets expected standards for the high-level problem statement and whether there are supporting case studies from other clients.

What it rarely answers is:

  1. What exactly are we relying on this system to do?
  2. Where does it sit in our control environment?
  3. What assumptions are we making about its behaviour?
  4. And what would failure actually look like in our operating model?

 

Most vendor processes still optimise for comparison, not understanding. They focus on features, pricing, and perceived market credibility. On paper, that feels rigorous, but in practice it often leads to decisions that are difficult to justify once the system is live.

Features only have meaning in the context of a clearly defined problem and a specific operating model. Without that, comparison becomes shallow. Two tools may look similar, or one may appear more advanced, but neither is being assessed against what the firm actually needs to evidence, control, or deliver. The real risk – integration gaps, data dependencies, points of failure – is simply pushed downstream.

A more robust approach shifts the emphasis earlier and starts by being precise about the problem. From there, vendor assessment becomes less about what a system can do in theory, and more about how it will operate within your environment.

That means understanding how it integrates, what it depends on, where judgement still sits, and how outputs will actually be used. It also means being explicit about limitations, what the tool won’t cover, and where residual risk remains.

This is where the Elira approach is deliberately different. We structure selection around operating reality, not vendor positioning. This forces clarity on the problem before comparison begins, and frames vendor assessment in terms of integration, dependency, and outcome, not just functionality.

Not because that guarantees a “better” vendor, but because it results in something far more valuable: a setup that can be explained, challenged, and evidenced when it matters.

 

Final thought

Though it can feel like it does, technology cannot outsource risk. It does, however, make accountability harder to see, which is exactly what the regulatory direction is responding to.

The firms that will navigate this well are those that can clearly explain and evidence how those tools actually work within their business.

Critical third-party assessments are becoming increasingly interwoven with technological knowledge and experience – not just to enable direct assessment of vendors, but also to challenge critical third parties that rely on technology to provide your service.

Anastasia Lewis

CEO & Founder of Elira Solutions | Regulatory strategist | AI integration in compliance