Supply Chain Maturity

What is Supply Chain Maturity?

Today’s supply chains are digital, complex, and globally interdependent, and no organisation can do it all alone.

Driving value: Managed well, suppliers are a competitive advantage: specialist capability, faster innovation, lower cost, greater scale. The best supplier relationships don’t just support the business, they accelerate it.

But every link adds exposure. A disruption, cyber incident, or compliance failure can cascade across borders and customers in hours.

The challenge: Unlocking supplier value while managing risk, without creating drag or unnecessary cost.

Regulators are moving fast. From the UK’s Operational Resilience rules to DORA, NIS2, and supply chain laws across Europe, the expectation is clear: you are accountable for your supply chain.

The adaptive model extends oversight as far as exposure goes, because disruption enters from outside your walls as often as from within.

The challenges

Organisations typically underestimate the complexity of their supplier estate until a disruption forces the issue. The recurring patterns we see are:

  • No consolidated view: Third-party relationships are managed in silos, by procurement, IT, legal, and operations independently. There is no single register that maps dependencies, criticality, and assurance status.

  • Inconsistent due diligence: Onboarding assessments vary in depth and rigour across supplier types. The same two-page questionnaire is applied regardless of criticality or risk profile, or nothing is applied at all.

  • Assurance that stops at the contract: Many organisations conduct due diligence at onboarding and then assume the relationship is managed. Ongoing monitoring (periodic reassessment, incident tracking, financial health checks) is absent or informal.

  • Hidden concentration: Critical dependencies on a single supplier, or on multiple suppliers sharing the same underlying infrastructure, create systemic risk that does not appear on any risk register.

  • Fourth-party blind spots: Your supplier’s suppliers are your exposure too. Most organisations have no visibility of sub-contractor arrangements or shared technology dependencies two levels down.

  • Regulatory expectation gaps: FCA, PRA, DORA, and NIS2 require documented third-party risk frameworks, evidenced oversight, and demonstrable exit capability. Many firms are significantly behind where regulators expect them to be.

How to solve it

The DCR Supplier Relationship & Performance Management (SRPM) Maturity Assessment asks not just ‘are you doing it’ but ‘how well, how consistently, and how sustainably.’ It also surfaces the people–process–technology intersection where most firms find their real weaknesses.

We assess across nine dimensions, benchmarked against:

  • UK regulatory requirements: PRA SS2/21, DORA, Consumer Duty

  • International standards: ISO 27001, ISO 44001

  • Good practice frameworks: CIPS category management, Kraljic supplier segmentation, spend optimisation

  1. Governance, Ownership & Capability
  2. Inventory & Classification
  3. Due Diligence & Onboarding (inc. Contracts)
  4. Ongoing Oversight & Performance Management
  5. Commercial Management & Value Delivery
  6. Concentration & Fourth-Party Risk
  7. Lifecycle & Exit
  8. Resilience Integration
  9. Technology & Tooling

Each dimension is scored on a five-point maturity scale, from ad hoc to optimised, with findings benchmarked against sector peers and a prioritised improvement roadmap produced as output. The assessment is structured to be actionable, not academic: every gap maps to a recommended next step.

Our assessment combines structured interviews with key stakeholders, document and artefact review, and system walkthroughs where relevant. We size the scope to your organisation: a Tier 1 bank with 3,000 suppliers requires a different approach than a scale-up with 80 critical vendors. Both are legitimate starting points.

The SRPM framework is also designed to evolve: as your maturity improves, subsequent assessments track progress against the roadmap, giving leadership a longitudinal view of improvement rather than a one-time snapshot.

The benefits of our services

An evidenced baseline across nine dimensions, calibrated against what regulators and auditors would actually find.

  • Visibility before it is forced on you: Understand your supplier estate, concentration, and critical dependencies on your own terms, not in response to a regulator’s request or a supplier failure.

  • Benchmarked across nine dimensions: A scored, benchmarked view across the full SRPM framework, against regulatory requirements, international standards, and sector peers, giving leadership and the board a calibrated picture of relative maturity.

  • Regulatory readiness: A documented, evidenced third-party risk framework aligned to FCA PS7/24, PRA SS2/21, DORA, NIS2, and Consumer Duty, with the maturity evidence to demonstrate it to supervisors.

  • People, process and technology in one view: Most maturity gaps are not in policy; they are in the operating model, tooling, and skills that should make the policy real. The SRPM assessment surfaces both.

  • A roadmap you can act on: Prioritised by effort and impact, with remediation support available across the full improvement cycle. Progress tracked across subsequent assessments.
