[OR] [Pillar] [E4] [C2] Types of Third-Party Risks in Operational Resilience

Written by Moh Heng Goh | Apr 17, 2026 10:06:47 AM

eBook 4: Chapter 2

Types of Third-Party Risks in Operational Resilience

Introduction

As financial institutions increasingly rely on third parties to deliver critical services, the nature and complexity of risks arising from these relationships have expanded significantly.

These risks are no longer confined to operational inefficiencies—they now directly threaten the delivery of Critical Business Services (CBS), regulatory compliance, and financial stability.

Regulators such as the Bangko Sentral ng Pilipinas (BSP) under Circular No. 1203 (2024) and Bank Negara Malaysia (BNM) in its Operational Resilience guidance emphasise the need for financial institutions to identify, assess, and manage risks arising from third-party dependencies.

These risks must be understood not only at the vendor level but also in terms of their potential impact on end-to-end service delivery.

Purpose of This Chapter

This chapter aims to provide a structured understanding of the different types of third-party risks relevant to Operational Resilience. By the end of this chapter, readers will:

Identify key categories of third-party risks
Understand how these risks impact critical banking services
Align risk types with regulatory expectations (BSP 1203 and BNM)
Apply risk classification in TPRM and Operational Resilience frameworks

Overview of Third-Party Risk Categories

Third-party risks can be broadly categorised into the following key types:

Operational Risk
Cybersecurity Risk
Compliance and Regulatory Risk
Financial Risk
Reputational Risk
Concentration Risk
Strategic Risk
Fourth-Party (Supply Chain) Risk

Each of these risk types can independently—or collectively—affect the resilience of critical business services.

Detailed Types of Third-Party Risks (Banking Context)

Table: Types of Third-Party Risks with Banking-Specific Examples

Risk Type	Description	Banking Example (CBS Impact)	BSP 1203 / BNM Alignment
Operational Risk	Risk of service disruption due to failure in third-party operations, systems, or processes	A payment processor outage disrupts CBS-2: Payments and Funds Transfer Services, causing transaction failures	BSP requires identification of dependencies supporting CBS and scenario testing; BNM emphasises service continuity under severe disruptions
Cybersecurity Risk	Risk of cyber incidents originating from third parties (e.g., data breach, ransomware)	A cloud service provider is compromised, exposing customer data and disrupting CBS-1: Deposit and Account Services	Both BSP and BNM require integration of cyber resilience into OR and third-party oversight
Compliance & Regulatory Risk	Risk arising from third-party failure to comply with laws, regulations, or contractual obligations	A KYC vendor fails to meet AML requirements, exposing the bank to regulatory penalties	BSP 1203 mandates compliance across outsourcing arrangements; BNM stresses that regulatory accountability remains with the bank
Financial Risk	Risk of third-party financial instability affecting service delivery	A critical vendor becomes insolvent, halting support for core banking systems	Regulators expect due diligence and ongoing financial health monitoring of critical vendors
Reputational Risk	Risk of damage to the bank’s reputation due to third-party actions or failures	A data breach at a fintech partner leads to loss of customer trust in the bank	BSP and BNM highlight customer impact and trust as key resilience considerations
Concentration Risk	Risk arising from over-reliance on a single or a limited number of third parties	Heavy dependence on one cloud provider creates a single point of failure across multiple CBS	BNM explicitly addresses concentration risk; BSP requires mapping of dependencies and vulnerabilities
Strategic Risk	Risk that third-party relationships are misaligned with business objectives or resilience strategy	Outsourcing critical operations without proper control reduces the bank’s ability to recover during disruptions	Regulators emphasise governance, oversight, and alignment with risk appetite
Fourth-Party Risk	Risk arising from subcontractors or downstream providers used by third parties	A telecom provider (fourth party) fails, disrupting connectivity for a bank’s digital banking vendor	Both BSP and BNM expect visibility of extended supply chain dependencies

Regulatory Expectations: BSP 1203 and BNM

Bangko Sentral ng Pilipinas (BSP) – Circular No. 1203 (2024)

BSP requires banks to:

Identify critical business services and their dependencies, including third parties
Conduct Business Impact Analysis (BIA) incorporating third-party risks
Perform scenario testing, including third-party failure scenarios
Ensure end-to-end resilience, even when services are outsourced
Maintain accountability for outsourced activities

👉 Key BSP Insight:

Third-party risk is not transferred—it remains the bank’s responsibility.

Bank Negara Malaysia (BNM) – Operational Resilience Framework

BNM emphasises:

Mapping interdependencies, including third and fourth parties
Managing concentration risk and systemic vulnerabilities
Ensuring impact tolerance levels consider third-party disruptions
Embedding third-party risk into governance and risk appetite frameworks
Conducting severe but plausible scenario testing, including vendor failures

👉 Key BNM Insight:

Operational Resilience must account for risks across the entire service ecosystem, not just internal operations.

Interconnection of Risks

It is important to recognise that third-party risks are interconnected, not isolated.

Example Scenario

A cloud provider outage may trigger:

Operational Risk → Service downtime
Cyber Risk → Potential data integrity concerns
Reputational Risk → Customer dissatisfaction
Regulatory Risk → Failure to meet service obligations

This interconnected nature reinforces the need for a holistic TPRM approach aligned with Operational Resilience.

Applying Risk Types to Critical Business Services (CBS)

To operationalise TPRM within an OR framework, banks should:

Map third-party risks to each CBS

Example: CBS-1 (Deposit Services) → Core banking vendor, KYC provider

Assess risk impact on service delivery

What happens if the vendor fails?

Define impact tolerances

Maximum tolerable downtime (MTD)
Maximum tolerable data loss (MTDL)

Incorporate into scenario testing

Simulate third-party failures

Develop mitigation strategies

Redundancy, alternative providers, contractual safeguards

Third-party risks are multi-dimensional and interconnected
These risks directly affect the delivery of critical banking services
Regulators (BSP and BNM) require end-to-end visibility and accountability
Effective TPRM requires integrating risk types into BIA, scenario testing, and governance frameworks
Managing third-party risk is essential to achieving true Operational Resilience

Understanding the different types of third-party risks is the foundation of an effective TPRM programme. For banks operating in increasingly complex and interconnected ecosystems, these risks can no longer be treated as peripheral concerns.

Instead, they must be actively managed as part of the organisation’s core Operational Resilience strategy.

By aligning third-party risk identification and management with regulatory expectations, such as BSP Circular No. 1203 and BNM’s Operational Resilience framework, financial institutions can strengthen their ability to withstand disruptions—whether they originate internally or externally.

C1	C2	C3	C4

C5	C6	C7	C8

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.



	If you have any questions, click to contact us.

View full post