An effective Third-Party Risk Management (TPRM) framework cannot function without strong governance and a clearly defined operating model. As third-party dependencies grow in scale and criticality, organisations must ensure that accountability, oversight, and decision-making are well structured across all levels.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) emphasise that financial institutions remain fully accountable for risks arising from outsourcing and third-party arrangements.
This requires a governance model that integrates TPRM into enterprise risk management, Operational Resilience, and business operations.
This chapter outlines how to establish a robust TPRM governance structure, including roles and responsibilities (RACI), the Three Lines of Defence model, and an organisational operating model.
This chapter provides a structured approach to designing and implementing TPRM governance. By the end of this chapter, readers will:
A strong TPRM governance model should be built on the following principles:
1. Accountability
The organisation retains full accountability for third-party risks—even when services are outsourced.
2. Risk Ownership
Business units owning third-party relationships must also own the associated risks.
3. Independent Oversight
Risk and compliance functions must provide independent challenge and review.
4. End-to-End Visibility
Governance must cover the entire third-party lifecycle and supply chain (including fourth parties).
5. Integration with Operational Resilience
TPRM must be embedded into:
The Three Lines of Defence model provides a clear structure for managing and overseeing third-party risks.
| Line of Defence | Function | Key Responsibilities in TPRM | Examples |
|---|---|---|---|
| First Line (Business / Operations) | Business Units, Procurement, Vendor Owners | Identify, assess, and manage third-party risks; ensure vendor performance; maintain relationships | Vendor Manager, Procurement Team |
| Second Line (Risk & Compliance) | Risk Management, Compliance, Information Security | Develop the TPRM framework, policies, and risk standards; perform independent risk assessments; monitor compliance | Operational Risk, IT Risk, Compliance |
| Third Line (Internal Audit) | Internal Audit | Provide independent assurance on the effectiveness of the TPRM framework and controls | Internal Audit Function |
👉 Key Insight:
A RACI (Responsible, Accountable, Consulted, Informed) matrix ensures clarity of roles across the TPRM lifecycle.
| TPRM Activity | Business Unit | Procurement | Risk Management | Compliance | IT/Security | Internal Audit | Senior Management |
|---|---|---|---|---|---|---|---|
| Vendor Identification | R | A | C | I | I | I | I |
| Due Diligence | R | A | C | C | C | I | I |
| Risk Assessment | R | C | A | C | C | I | I |
| Contracting | R | A | C | C | C | I | I |
| Ongoing Monitoring | R | C | A | C | C | I | I |
| Incident Management | R | C | A | C | A | I | I |
| Exit Management | R | A | C | C | C | I | I |
| Audit & Assurance | I | I | C | C | C | A | I |
Legend: R = Responsible (performs the activity), A = Accountable (owns the outcome and signs off), C = Consulted (provides input before a decision), I = Informed (notified of the outcome). By convention a RACI assigns exactly one A per activity; the Incident Management row above names both Risk Management and IT/Security as accountable, so an institution adopting this matrix should decide which function holds final accountability for each incident type (for example, IT/Security for cyber incidents and Risk Management for all other third-party incidents) to avoid ambiguity during an actual event.
A centralised TPRM function, or a hybrid model in which a central team sets the framework and maintains the vendor inventory while business units execute day-to-day vendor management and risk assessments, is typically most effective for banks.
| Role | Function | Key Responsibilities |
|---|---|---|
| Board of Directors | Oversight | Approve risk appetite, review TPRM framework |
| Senior Management | Governance | Ensure implementation of the TPRM strategy |
| TPRM Function (Central Team) | Coordination | Develop the framework, maintain the vendor inventory, and report |
| Business Units | Execution | Manage vendors, perform risk assessments |
| Procurement | Sourcing | Vendor selection, contract negotiation |
| Risk & Compliance | Oversight | Policy setting, risk monitoring, regulatory alignment |
| IT & Cybersecurity | Technical Risk | Assess technology and cyber risks |
| Internal Audit | Assurance | Audit TPRM effectiveness |
| Committee | Purpose | Members | Frequency |
|---|---|---|---|
| Board Risk Committee | Strategic oversight of third-party risk | Board members, CRO | Quarterly |
| Operational Risk Committee | Monitor TPRM risks and issues | Risk, Compliance, Business Heads | Monthly |
| Vendor Risk Committee | Review high-risk vendors | TPRM team, IT, Procurement | Monthly |
| Crisis Management Team | Handle major disruptions | Senior Management, BCM Team | As needed |
| Policy | Description |
|---|---|
| TPRM Policy | Defines overall governance and framework |
| Outsourcing Policy | Covers regulatory requirements |
| Information Security Policy | Defines cyber risk expectations |
| Business Continuity Policy | Ensures vendor resilience capability |
| Vendor Risk Assessment Standard | Defines the risk scoring methodology |
| OR Component | Governance Requirement |
|---|---|
| Critical Business Services (CBS) | Assign ownership of the vendor-supported CBS |
| Business Impact Analysis (BIA) | Ensure third-party dependencies are assessed |
| Impact Tolerance | Define governance for breach escalation |
| Scenario Testing | Include governance roles in simulations |
| Crisis Management | Define escalation and decision-making authority |
| Risk Level | Description | Escalation Level | Reporting Frequency | Action Required |
|---|---|---|---|---|
| Low | Minimal impact | Business Unit | Quarterly | Monitor |
| Medium | Moderate impact | Risk Committee | Monthly | Mitigation plan |
| High | Significant CBS impact | Senior Management | Immediate | Immediate action |
| Critical | Severe disruption | Board | Immediate | Crisis response |
A well-defined governance and operating model is essential to ensure that Third-Party Risk Management is consistently applied, effectively monitored, and fully aligned with organisational objectives.
By establishing clear roles, responsibilities, and oversight mechanisms, financial institutions can manage third-party risks with confidence and accountability.
Embedding TPRM within the Three Lines of Defence, supported by a robust RACI framework and organisational structure, ensures that risks are not only identified but actively managed throughout the lifecycle.
When integrated with Operational Resilience, this governance model enables organisations to maintain the continuity of critical services—even in the face of third-party disruptions.