eBook 4: Chapter 4
TPRM Governance and Operating Model
Introduction
An effective Third-Party Risk Management (TPRM) framework cannot function without strong governance and a clearly defined operating model. As third-party dependencies grow in scale and criticality, organisations must ensure that accountability, oversight, and decision-making are well structured across all levels.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) emphasise that financial institutions remain fully accountable for risks arising from outsourcing and third-party arrangements.
This requires a governance model that integrates TPRM into enterprise risk management, Operational Resilience, and business operations.
This chapter outlines how to establish a robust TPRM governance structure, including roles and responsibilities (RACI), the Three Lines of Defence model, and an organisational operating model.
Purpose of This Chapter
This chapter provides a structured approach to designing and implementing TPRM governance. By the end of this chapter, readers will:
- Understand governance principles for TPRM
- Apply the Three Lines of Defence (3LoD) model
- Define roles using a RACI framework
- Design an effective TPRM organisational structure
- Align governance with Operational Resilience and regulatory expectations
Governance Principles for TPRM
A strong TPRM governance model should be built on the following principles:
1. Accountability
The organisation retains full accountability for third-party risks—even when services are outsourced.
2. Risk Ownership
Business units owning third-party relationships must also own the associated risks.
3. Independent Oversight
Risk and compliance functions must provide independent challenge and review.
4. End-to-End Visibility
Governance must cover the entire third-party lifecycle and supply chain (including fourth parties).
5. Integration with Operational Resilience
TPRM must be embedded into:
- Critical Business Services (CBS)
- Business Impact Analysis (BIA)
- Scenario Testing
- Crisis Management
The Three Lines of Defence (3LoD) Model
The Three Lines of Defence model provides a clear structure for managing and overseeing third-party risks.
Table: TPRM Roles under the Three Lines of Defence
| Line of Defence | Function | Key Responsibilities in TPRM | Examples |
|---|---|---|---|
| First Line (Business / Operations) | Business Units, Procurement, Vendor Owners | Identify, assess, and manage third-party risks; ensure vendor performance; maintain relationships | Vendor Manager, Procurement Team |
| Second Line (Risk & Compliance) | Risk Management, Compliance, Information Security | Develop TPRM framework, policies, and risk standards; perform independent risk assessments; monitor compliance | Operational Risk, IT Risk, Compliance |
| Third Line (Internal Audit) | Internal Audit | Provide independent assurance on the effectiveness of the TPRM framework and controls | Internal Audit Function |
👉 Key Insight:
- First Line = Own the risk
- Second Line = Oversee and challenge the risk
- Third Line = Assure the risk management process
RACI Matrix for TPRM
A RACI (Responsible, Accountable, Consulted, Informed) matrix ensures clarity of roles across the TPRM lifecycle.
Template: TPRM RACI Matrix
| TPRM Activity | Business Unit | Procurement | Risk Management | Compliance | IT/Security | Internal Audit | Senior Management |
|---|---|---|---|---|---|---|---|
| Vendor Identification | R | A | C | I | I | I | I |
| Due Diligence | R | A | C | C | C | I | I |
| Risk Assessment | R | C | A | C | C | I | I |
| Contracting | R | A | C | C | C | I | I |
| Ongoing Monitoring | R | C | A | C | C | I | I |
| Incident Management | R | C | A | C | A | I | I |
| Exit Management | R | A | C | C | C | I | I |
| Audit & Assurance | I | I | C | C | C | A | I |
Legend:
- R = Responsible (executes task)
- A = Accountable (ultimate ownership)
- C = Consulted (provides input)
- I = Informed (kept updated)
TPRM Organisational Structure
Recommended Operating Model
A centralised or hybrid model is typically most effective for banks.
Table: TPRM Organisational Structure
| Role | Function | Key Responsibilities |
|---|---|---|
| Board of Directors | Oversight | Approve risk appetite, review TPRM framework |
| Senior Management | Governance | Ensure implementation of the TPRM strategy |
| TPRM Function (Central Team) | Coordination | Develop the framework, maintain the vendor inventory, and report |
| Business Units | Execution | Manage vendors, perform risk assessments |
| Procurement | Sourcing | Vendor selection, contract negotiation |
| Risk & Compliance | Oversight | Policy setting, risk monitoring, regulatory alignment |
| IT & Cybersecurity | Technical Risk | Assess technology and cyber risks |
| Internal Audit | Assurance | Audit TPRM effectiveness |
TPRM Governance Committees
Example: TPRM Governance Committee Structure
| Committee | Purpose | Members | Frequency |
|---|---|---|---|
| Board Risk Committee | Strategic oversight of third-party risk | Board members, CRO | Quarterly |
| Operational Risk Committee | Monitor TPRM risks and issues | Risk, Compliance, Business Heads | Monthly |
| Vendor Risk Committee | Review high-risk vendors | TPRM team, IT, Procurement | Monthly |
| Crisis Management Team | Handle major disruptions | Senior Management, BCM Team | As needed |
Policy and Standards Framework
Key TPRM Policies
| Policy | Description |
|---|---|
| TPRM Policy | Defines overall governance and framework |
| Outsourcing Policy | Covers regulatory requirements |
| Information Security Policy | Defines cyber risk expectations |
| Business Continuity Policy | Ensures vendor resilience capability |
| Vendor Risk Assessment Standard | Defines risk scoring methodology |
Integration with Operational Resilience
Table: Governance Alignment with OR Components
| OR Component | Governance Requirement |
|---|---|
| Critical Business Services (CBS) | Assign ownership of the vendor-supported CBS |
| Business Impact Analysis (BIA) | Ensure third-party dependencies are assessed |
| Impact Tolerance | Define governance for breach escalation |
| Scenario Testing | Include governance roles in simulations |
| Crisis Management | Define escalation and decision-making authority |
Escalation and Reporting Framework
Template: TPRM Risk Escalation Matrix
| Risk Level | Description | Escalation Level | Reporting Frequency | Action Required |
|---|---|---|---|---|
| Low | Minimal impact | Business Unit | Quarterly | Monitor |
| Medium | Moderate impact | Risk Committee | Monthly | Mitigation plan |
| High | Significant CBS impact | Senior Management | Immediate | Immediate action |
| Critical | Severe disruption | Board | Immediate | Crisis response |
Key Success Factors
- Clear ownership and accountability across all lines
- Strong central coordination (TPRM function)
- Effective cross-functional collaboration
- Integration with Operational Resilience and BCM
- Continuous training and awareness
Key Takeaways
- Governance is the foundation of effective TPRM
- The Three Lines of Defence ensure proper oversight
- A RACI model eliminates ambiguity in responsibilities
- A structured organisational model enables execution at scale
- Strong governance ensures compliance with BSP 1203 and BNM expectations
A well-defined governance and operating model is essential to ensure that Third-Party Risk Management is consistently applied, effectively monitored, and fully aligned with organisational objectives.
By establishing clear roles, responsibilities, and oversight mechanisms, financial institutions can manage third-party risks with confidence and accountability.
Embedding TPRM within the Three Lines of Defence, supported by a robust RACI framework and organisational structure, ensures that risks are not only identified but actively managed throughout the lifecycle.
When integrated with Operational Resilience, this governance model enables organisations to maintain the continuity of critical services—even in the face of third-party disruptions.