eBook 4: Chapter 2
Types of Third-Party Risks in Operational Resilience
Introduction
As financial institutions increasingly rely on third parties to deliver critical services, the nature and complexity of risks arising from these relationships have expanded significantly.
These risks are no longer confined to operational inefficiencies—they now directly threaten the delivery of Critical Business Services (CBS), regulatory compliance, and financial stability.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) under Circular No. 1203 (2024) and Bank Negara Malaysia (BNM) in its Operational Resilience guidance emphasise the need for financial institutions to identify, assess, and manage risks arising from third-party dependencies.
These risks must be understood not only at the vendor level but also in terms of their potential impact on end-to-end service delivery.
Purpose of This Chapter
This chapter aims to provide a structured understanding of the different types of third-party risks relevant to Operational Resilience. By the end of this chapter, readers will:
- Identify key categories of third-party risks
- Understand how these risks impact critical banking services
- Align risk types with regulatory expectations (BSP 1203 and BNM)
- Apply risk classification in TPRM and Operational Resilience frameworks
Overview of Third-Party Risk Categories
Third-party risks can be broadly categorised into the following key types:
- Operational Risk
- Cybersecurity Risk
- Compliance and Regulatory Risk
- Financial Risk
- Reputational Risk
- Concentration Risk
- Strategic Risk
- Fourth-Party (Supply Chain) Risk
Each of these risk types can independently—or collectively—affect the resilience of critical business services.
Detailed Types of Third-Party Risks (Banking Context)
Table: Types of Third-Party Risks with Banking-Specific Examples
| Risk Type | Description | Banking Example (CBS Impact) | BSP 1203 / BNM Alignment |
|---|---|---|---|
| Operational Risk | Risk of service disruption due to failure in third-party operations, systems, or processes | A payment processor outage disrupts CBS-2: Payments and Funds Transfer Services, causing transaction failures | BSP requires identification of dependencies supporting CBS and scenario testing; BNM emphasises service continuity under severe disruptions |
| Cybersecurity Risk | Risk of cyber incidents originating from third parties (e.g., data breach, ransomware) | A cloud service provider is compromised, exposing customer data and disrupting CBS-1: Deposit and Account Services | Both BSP and BNM require integration of cyber resilience into OR and third-party oversight |
| Compliance & Regulatory Risk | Risk arising from third-party failure to comply with laws, regulations, or contractual obligations | A KYC vendor fails to meet AML requirements, exposing the bank to regulatory penalties | BSP 1203 mandates compliance across outsourcing arrangements; BNM stresses that regulatory accountability remains with the bank |
| Financial Risk | Risk of third-party financial instability affecting service delivery | A critical vendor becomes insolvent, halting support for core banking systems | Regulators expect due diligence and ongoing financial health monitoring of critical vendors |
| Reputational Risk | Risk of damage to the bank's reputation due to third-party actions or failures | A data breach at a fintech partner leads to loss of customer trust in the bank | BSP and BNM highlight customer impact and trust as key resilience considerations |
| Concentration Risk | Risk arising from over-reliance on a single or a limited number of third parties | Heavy dependence on one cloud provider creates a single point of failure across multiple CBS | BNM explicitly addresses concentration risk; BSP requires mapping of dependencies and vulnerabilities |
| Strategic Risk | Risk that third-party relationships are misaligned with business objectives or resilience strategy | Outsourcing critical operations without proper control reduces the bank's ability to recover during disruptions | Regulators emphasise governance, oversight, and alignment with risk appetite |
| Fourth-Party (Supply Chain) Risk | Risk arising from subcontractors or downstream providers used by third parties | A telecom provider (fourth party) fails, disrupting connectivity for a bank's digital banking vendor | Both BSP and BNM expect visibility of extended supply chain dependencies |
Regulatory Expectations: BSP 1203 and BNM
Bangko Sentral ng Pilipinas (BSP) – Circular No. 1203 (2024)
BSP requires banks to:
- Identify critical business services and their dependencies, including third parties
- Conduct Business Impact Analysis (BIA) incorporating third-party risks
- Perform scenario testing, including third-party failure scenarios
- Ensure end-to-end resilience, even when services are outsourced
- Maintain accountability for outsourced activities
👉 Key BSP Insight:
Third-party risk is not transferred—it remains the bank’s responsibility.
Bank Negara Malaysia (BNM) – Operational Resilience Framework
BNM emphasises:
- Mapping interdependencies, including third and fourth parties
- Managing concentration risk and systemic vulnerabilities
- Ensuring impact tolerance levels consider third-party disruptions
- Embedding third-party risk into governance and risk appetite frameworks
- Conducting severe but plausible scenario testing, including vendor failures
👉 Key BNM Insight:
Operational Resilience must account for risks across the entire service ecosystem, not just internal operations.
Interconnection of Risks
It is important to recognise that third-party risks are interconnected, not isolated.
Example Scenario
A cloud provider outage may trigger:
- Operational Risk → Service downtime
- Cyber Risk → Potential data integrity concerns
- Reputational Risk → Customer dissatisfaction
- Regulatory Risk → Failure to meet service obligations
This interconnected nature reinforces the need for a holistic TPRM approach aligned with Operational Resilience.
Applying Risk Types to Critical Business Services (CBS)
To operationalise TPRM within an OR framework, banks should:
- Map third-party risks to each CBS
  - Example: CBS-1 (Deposit Services) → Core banking vendor, KYC provider
- Assess risk impact on service delivery
  - What happens if the vendor fails?
- Define impact tolerances
  - Maximum tolerable downtime (MTD)
  - Maximum tolerable data loss (MTDL)
- Incorporate into scenario testing
  - Simulate third-party failures, including failures of the fourth parties behind them
- Develop mitigation strategies
  - Redundancy, alternative providers, contractual safeguards
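The mapping and scenario-testing steps above, and the "Interconnection of Risks" scenario earlier in this chapter, as an added Python example that is not from the chapter or from any BSP or BNM material. It models each CBS's third-party providers and their subcontractors (fourth parties), expands the full dependency chain per CBS, flags concentration risk (one provider reachable from several CBS), and simulates a fourth-party outage against each CBS's MTD. CBS-1 and CBS-2 are the services named in this chapter; CBS-3, the provider names, the subcontracting links and the MTD values are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Provider:
    """A third party and the downstream providers (fourth parties) it relies on."""
    name: str
    subcontractors: List["Provider"] = field(default_factory=list)


@dataclass
class CriticalBusinessService:
    """A CBS, its impact tolerance (MTD in hours) and its direct third-party dependencies."""
    code: str
    name: str
    mtd_hours: float
    providers: List[Provider]


# Constructed dependency map (hypothetical names; CBS-3 and all MTD values are assumptions).
TELCO = Provider("RegionalTelco")
CLOUD = Provider("CloudProviderA")
CORE = Provider("CoreBankingVendor", subcontractors=[CLOUD])
KYC = Provider("KYCProvider", subcontractors=[CLOUD])
PAY = Provider("PaymentProcessor", subcontractors=[TELCO])
DIGITAL = Provider("DigitalBankingVendor", subcontractors=[TELCO, CLOUD])

SERVICES = [
    CriticalBusinessService("CBS-1", "Deposit and Account Services", 4, [CORE, KYC]),
    CriticalBusinessService("CBS-2", "Payments and Funds Transfer Services", 2, [PAY, CORE]),
    CriticalBusinessService("CBS-3", "Digital Banking Channels", 8, [DIGITAL]),
]


def reachable_providers(provider: Provider, seen: Set[str] = None) -> Set[str]:
    """Names of the provider and every downstream provider it depends on (cycle-safe)."""
    if seen is None:
        seen = set()
    if provider.name in seen:
        return seen
    seen.add(provider.name)
    for sub in provider.subcontractors:
        reachable_providers(sub, seen)
    return seen


def dependency_map(services: List[CriticalBusinessService]) -> Dict[str, Set[str]]:
    """CBS code -> full set of third- and fourth-party names the service depends on."""
    result: Dict[str, Set[str]] = {}
    for svc in services:
        deps: Set[str] = set()
        for p in svc.providers:
            deps |= reachable_providers(p)
        result[svc.code] = deps
    return result


def concentration_risk(services: List[CriticalBusinessService], threshold: int = 2) -> Dict[str, List[str]]:
    """Providers (at any tier) whose failure would hit at least `threshold` CBS, with the CBS codes."""
    exposure: Dict[str, List[str]] = {}
    for code, deps in dependency_map(services).items():
        for name in deps:
            exposure.setdefault(name, []).append(code)
    return {name: sorted(codes) for name, codes in exposure.items() if len(codes) >= threshold}


def simulate_failure(services: List[CriticalBusinessService], failed_provider: str, outage_hours: float) -> Dict[str, dict]:
    """Scenario test: which CBS are impacted by the named provider's outage, and which breach their MTD."""
    deps = dependency_map(services)
    outcome: Dict[str, dict] = {}
    for svc in services:
        impacted = failed_provider in deps[svc.code]
        outcome[svc.code] = {
            "impacted": impacted,
            "tolerance_breached": impacted and outage_hours > svc.mtd_hours,
        }
    return outcome


if __name__ == "__main__":
    for code, deps in dependency_map(SERVICES).items():
        print(f"{code}: depends on {sorted(deps)}")
    print("Concentration risk:", concentration_risk(SERVICES))
    # Fourth-party failure from the chapter's example: the telecom provider behind the digital banking vendor.
    print("RegionalTelco down 3h:", simulate_failure(SERVICES, "RegionalTelco", 3))
```

Run the file directly to print the dependency map, the concentration findings, and the telecom-outage scenario. Note that `CloudProviderA` appears in no CBS's direct provider list yet is reachable from all three services, which is exactly the kind of fourth-party single point of failure that a vendor-level register misses and a service-level dependency map exposes.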
Key Takeaways
- Third-party risks are multi-dimensional and interconnected
- These risks directly affect the delivery of critical banking services
- Regulators (BSP and BNM) require end-to-end visibility and accountability
- Effective TPRM requires integrating risk types into BIA, scenario testing, and governance frameworks
- Managing third-party risk is essential to achieving true Operational Resilience
Conclusion
Understanding the different types of third-party risks is the foundation of an effective TPRM programme. For banks operating in increasingly complex and interconnected ecosystems, these risks can no longer be treated as peripheral concerns.
Instead, they must be actively managed as part of the organisation’s core Operational Resilience strategy.
By aligning third-party risk identification and management with regulatory expectations, such as BSP Circular No. 1203 and BNM’s Operational Resilience framework, financial institutions can strengthen their ability to withstand disruptions—whether they originate internally or externally.