Navigating the PRA’s SS2/21 Third-Party Risk Management Requirements with Connected Risk

In March 2022, the Bank of England’s Prudential Regulation Authority (PRA) reshaped the regulatory landscape for UK financial institutions with a new Supervisory Statement, SS2/21, which sets out a comprehensive framework for managing outsourcing and third-party risk. Its enactment was more than a regulatory adjustment: it is a forward-looking approach to strengthening business resilience in an era increasingly reliant on digital technologies, including cloud computing. This blog post examines the details of SS2/21, its objectives, and the expectations it sets for regulated firms, and offers insights into how organizations can navigate these requirements to ensure compliance and minimize risk.

Understanding the Objectives of SS2/21

At its core, SS2/21 aims to enhance the operational resilience of UK banks, investment firms, insurance companies, and the UK branches of overseas banks and insurance firms. This ambition is realized through a set of directives that encourage the adoption of cloud services and other modern technologies, ensuring that these advances do not compromise the integrity and reliability of financial services. SS2/21 operates in harmony with the broader regulatory framework, including the PRA Rulebook and SS1/21 on operational resilience, as well as integrating the European Banking Authority’s (EBA) Guidelines on outsourcing arrangements.

A notable feature of SS2/21 is its delineation between material outsourcing arrangements and non-outsourcing third-party engagements. This distinction is crucial as it dictates the level of scrutiny and due diligence required, tailoring the regulatory approach to the risk profile of each arrangement.

Key Areas of Focus in SS2/21

SS2/21 outlines several critical areas for regulated firms to address, including:

  • Data Security: Ensuring the confidentiality, integrity, and availability of data handled by third parties.
  • Access, Audit, and Information Rights: Establishing the right to review and audit third-party services to ensure compliance and security.
  • Sub-outsourcing: Managing risks associated with further outsourcing by third-party vendors.
  • Business Continuity and Exit Strategies: Preparing for and mitigating the impact of potential disruptions in third-party services.

Navigating Third-Party Risk Management with Connected Risk

To meet the demands of SS2/21, organizations must adopt a robust third-party risk management strategy. The Connected Risk Third-Party Risk Management Solution emerges as a valuable ally in this context, offering a suite of tools designed to align with the PRA’s expectations.

Materiality Assessment and Due Diligence: Connected Risk aids firms in conducting thorough materiality assessments for vendors upon onboarding and periodically thereafter. This is a critical step to identify which third parties are considered material and thus subject to more stringent oversight.

Compliance and Risk Reporting: The solution offers extensive capabilities for risk and compliance reporting, making it easier for firms to demonstrate adherence to regulatory frameworks and to identify and mitigate risks associated with outsourcing and third-party engagements.

Addressing Specific SS2/21 Requirements: Connected Risk’s solution is designed to tackle the specific areas of focus highlighted in SS2/21. This includes tools for RFx management, contract lifecycle management, privacy impact assessments, and incident response, among others. Each of these features plays a vital role in ensuring that organizations can effectively manage the risks associated with their third-party relationships.

The coming into force of SS2/21 marks a significant step by the PRA towards enhancing the resilience of the financial sector in the face of evolving technologies and outsourcing practices. Compliance with this supervisory statement requires a comprehensive approach to third-party risk management, emphasizing due diligence, continuous monitoring, and effective governance. Solutions like Connected Risk offer the tools and capabilities needed to meet these regulatory requirements, giving organizations a pathway to safeguard their operations and maintain trust in an increasingly interconnected and digital financial landscape.
