As organisations deepen their reliance on third parties, managing these relationships requires more than periodic due diligence—it demands a structured, end-to-end framework embedded within the organisation’s Operational Resilience strategy.
A robust Third-Party Risk Management (TPRM) framework enables financial institutions to systematically identify, assess, monitor, and mitigate risks arising from third-party dependencies across the entire lifecycle of engagement.
This lifecycle approach ensures that risks are proactively managed from initial planning through onboarding, ongoing monitoring, and eventual exit.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) emphasise that TPRM must be integrated into governance, risk management, Business Impact Analysis (BIA), and scenario testing—ensuring resilience of Critical Business Services (CBS) even when supported by external providers.
Purpose of This Chapter
This chapter provides a practical framework and lifecycle model for implementing TPRM. By the end of this chapter, readers will:
Overview of the TPRM Lifecycle
The TPRM lifecycle consists of seven key stages:
1. Planning & Risk Identification
2. Due Diligence & Onboarding
3. Risk Assessment & Classification
4. Contracting & Risk Mitigation
5. Ongoing Monitoring
6. Incident Management & Response
7. Exit & Offboarding
Stage 1: Planning & Risk Identification
Objective
Identify third parties supporting Critical Business Services (CBS) and determine their risk exposure.
Template: Third-Party Inventory and Criticality Mapping
| Third Party | Service Provided | Linked CBS | Criticality Level (High/Med/Low) | Dependency Type (People/Process/Tech/3rd Party) | Impact if Disrupted | Remarks |
|---|---|---|---|---|---|---|
| Core Banking Vendor | Core banking system | CBS-1 Deposit Services | High | Technology | Full service outage | Critical vendor |
| Payment Gateway Provider | Transaction processing | CBS-2 Payments | High | Technology | Transaction failure | Requires redundancy |
👉 Regulatory Alignment
Stage 2: Due Diligence & Onboarding
Objective
Assess third-party capability, resilience, and compliance before engagement.
Template: Due Diligence Checklist
| Assessment Area | Key Questions | Evidence Required | Status (Pass/Fail/Partial) | Remarks |
|---|---|---|---|---|
| Financial Stability | Is the vendor financially viable? | Financial statements | | |
| Operational Capability | Can the vendor meet service requirements? | SLA history, certifications | | |
| Cybersecurity | Are security controls adequate? | ISO 27001, audit reports | | |
| Compliance | Does the vendor meet regulatory requirements? | Policies, compliance reports | | |
| Business Continuity | Does the vendor have BCP/DR plans? | BCP documentation, test results | | |
Stage 3: Risk Assessment & Classification
Objective
Categorise vendors based on risk and criticality.
Template: Third-Party Risk Assessment Matrix
| Third Party | Inherent Risk (High/Med/Low) | Control Effectiveness | Residual Risk | Risk Category | CBS Impact | Action Required |
|---|---|---|---|---|---|---|
| Cloud Provider | High | Medium | High | Cyber/Operational | CBS-1, CBS-2 | Enhance controls |
| KYC Vendor | Medium | High | Low | Compliance | CBS-1 | Monitor |
👉 Best Practice:
Focus resources on high-risk, high-impact vendors supporting CBS.
Stage 4: Contracting & Risk Mitigation
Objective
Embed resilience and risk controls into contractual agreements.
Template: Key Contractual Clauses for TPRM
| Clause Type | Description | Example Requirement |
|---|---|---|
| Service Level Agreement (SLA) | Defines performance expectations | 99.9% uptime |
| Business Continuity | Ensures resilience capability | Annual DR testing required |
| Incident Reporting | Defines reporting timelines | Notify within 2 hours |
| Audit Rights | Allows oversight | Bank can audit vendor annually |
| Exit Strategy | Ensures continuity on termination | Transition plan within 30 days |
👉 Regulatory Alignment
Stage 5: Ongoing Monitoring
Objective
Continuously monitor vendor performance and risk exposure.
Template: Vendor Monitoring Dashboard
| Third Party | KPI/SLA Metric | Current Performance | Risk Indicator | Status (Green/Amber/Red) | Action |
|---|---|---|---|---|---|
| Payment Processor | Uptime | 99.5% | Increasing incidents | Amber | Review SLA |
| Cloud Provider | Response Time | Within SLA | Stable | Green | Continue monitoring |
Monitoring Activities:
Stage 6: Incident Management & Response
Objective
Ensure effective response to third-party disruptions.
Template: Third-Party Incident Response Plan
| Incident Type | Third Party | Impacted CBS | Escalation Level | Response Action | Recovery Time Objective (RTO) | Remarks |
|---|---|---|---|---|---|---|
| System Outage | Cloud Provider | CBS-1 | High | Activate DR site | 2 hours | Critical scenario |
| Data Breach | Vendor X | CBS-1 | Critical | Notify regulator | Immediate | Regulatory impact |
👉 Regulatory Requirement:
Both BSP and BNM require scenario testing involving third-party failures.
Stage 7: Exit & Offboarding
Objective
Ensure safe and seamless termination of third-party relationships.
Template: Exit Management Checklist
| Activity | Description | Status | Remarks |
|---|---|---|---|
| Data Return/Destruction | Ensure secure handling of data | | |
| Knowledge Transfer | Transition to new vendor | | |
| Service Continuity | Avoid disruption to CBS | | |
| Contract Closure | Formal termination | | |
Integration with Operational Resilience
TPRM must be embedded into key OR components:
| OR Component | TPRM Integration |
|---|---|
| Business Impact Analysis (BIA) | Include third-party dependencies |
| Critical Business Services (CBS) | Map vendors to each CBS |
| Scenario Testing | Simulate vendor failures |
| Impact Tolerance | Define limits considering vendor disruption |
| Crisis Management | Include vendors in response plans |
End-to-End TPRM Lifecycle Summary
| Stage | Key Output | OR Alignment |
|---|---|---|
| Planning | Vendor inventory | CBS mapping |
| Due Diligence | Risk profile | Risk identification |
| Risk Assessment | Risk classification | BIA |
| Contracting | Risk controls | Governance |
| Monitoring | Performance tracking | Continuous resilience |
| Incident Response | Recovery actions | Scenario testing |
| Exit | Transition plan | Service continuity |
Key Takeaways
Conclusion
A well-structured TPRM framework is essential for managing the growing complexity of third-party dependencies in modern banking. By adopting a lifecycle approach, financial institutions can proactively manage risks at every stage of the vendor relationship—from onboarding to exit.
Aligning TPRM with Operational Resilience frameworks and regulatory expectations, such as BSP Circular No. 1203 and BNM guidelines, ensures that banks are not only compliant but also capable of maintaining critical service delivery under adverse conditions.
Ultimately, effective TPRM transforms third-party relationships into resilient partnerships, strengthening the organisation’s ability to withstand, adapt to, and recover from disruptions.
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.