![BB OR [D] 6](https://blog.bcm-institute.org/hs-fs/hubfs/BB%20OR%20%5BAi%20Gen%20Blog%20Photo%5D/OR%20Pictures%20A/BB%20OR%20Folder%20D/BB%20OR%20%5BD%5D%206.jpg?width=2000&height=1333&name=BB%20OR%20%5BD%5D%206.jpg "BB OR [D] 6")
eBook 4: Chapter 5
TPRM Tools, Templates and Scoring Models
Introduction
A robust Third-Party Risk Management (TPRM) framework must be supported by practical tools, structured templates, and consistent scoring models. Without these, organisations struggle to operationalise governance, assess risks consistently, and demonstrate compliance with regulatory expectations.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) expect financial institutions to adopt a risk-based, evidence-driven approach to managing third-party risks. This requires standardised templates for vendor inventory, risk assessments, monitoring, and reporting—supported by quantitative scoring models.
This chapter provides Excel-ready templates and scoring methodologies that participants can directly apply in their organisations.
Purpose of This Chapter
By the end of this chapter, readers will:
- Use standardised TPRM templates
- Apply risk scoring models for vendor classification
- Build dashboards and heatmaps for reporting
- Align tools with Operational Resilience and CBS requirements
Section 1: Core TPRM Templates (Excel-Ready)
1.1 Third-Party Inventory Register
Purpose
Maintain a centralised repository of all third-party relationships.
Template
|
Vendor ID |
Vendor Name |
Service Provided |
Linked CBS |
Criticality (H/M/L) |
Contract Start |
Contract End |
Vendor Owner |
Country |
Remarks |
👉 Excel Tip:
- Use dropdown lists for Criticality (High/Medium/Low)
- Apply filters for CBS and Vendor Owner
1.2 Vendor Risk Assessment Template
Purpose
Assess inherent and residual risks across key domains.
Template
|
Risk Category |
Assessment Criteria |
Score (1–5) |
Weight (%) |
Weighted Score |
Remarks |
|
Operational |
Service reliability |
|
20% |
|
|
|
Cybersecurity |
Data protection controls |
|
25% |
|
|
|
Compliance |
Regulatory adherence |
|
15% |
|
|
|
Financial |
Financial stability |
|
15% |
|
|
|
Reputational |
Brand impact |
|
10% |
|
|
|
Concentration |
Dependency level |
|
10% |
|
|
|
Strategic |
Alignment with business |
|
5% |
|
|
|
TOTAL |
|
|
100% |
Auto-calculated |
|
👉 Excel Formula:
- Weighted Score = Score × Weight
- Total Risk Score = SUM(Weighted Scores)
1.3 Vendor Criticality Assessment
Purpose
Determine the importance of the vendor to CBS.
Template
|
Criteria |
Description |
Score (1–5) |
|
CBS Impact |
Supports critical service? |
|
|
Customer Impact |
Affects customers? |
|
|
Regulatory Impact |
Regulatory consequences? |
|
|
Substitutability |
Ease of replacement |
|
|
Recovery Time |
Time to recover service |
|
👉 Classification:
- 20–25 = Critical
- 15–19 = High
- 10–14 = Medium
- <10 = Low
1.4 Vendor Monitoring Dashboard
Purpose
Track ongoing performance and risk indicators.
Template
|
Vendor |
KPI |
Target |
Actual |
Variance |
Risk Level |
Status |
Action |
👉 Excel Tip:
- Use conditional formatting:
- Green = On target
- Amber = Slight deviation
- Red = Breach
1.5 Incident & Issue Log
Purpose
Track third-party incidents affecting CBS.
Template
|
Date |
Vendor |
Incident Type |
CBS Impacted |
Severity |
Root Cause |
Action Taken |
Status |
1.6 Exit Management Checklist
Purpose
Ensure smooth vendor transition.
Template
|
Activity |
Owner |
Status |
Due Date |
Remarks |
|
Data return/destruction |
|
|
|
|
|
Transition plan |
|
|
|
|
|
Contract closure |
|
|
|
|
Section 2: Risk Scoring Models
2.1 Inherent Risk Scoring Model
Scoring Scale
|
Score |
Description |
|
1 |
Very Low |
|
2 |
Low |
|
3 |
Moderate |
|
4 |
High |
|
5 |
Very High |
2.2 Residual Risk Calculation
Formula:
Residual Risk = Inherent Risk × (1 – Control Effectiveness %)
Example:
|
Vendor |
Inherent Risk |
Control Effectiveness |
Residual Risk |
|
Vendor A |
4.5 |
60% |
1.8 |
2.3 Risk Rating Classification
|
Score Range |
Risk Level |
|
4.0 – 5.0 |
Critical |
|
3.0 – 3.9 |
High |
|
2.0 – 2.9 |
Medium |
|
1.0 – 1.9 |
Low |
2.4 Vendor Risk Heatmap
Template (Excel Matrix)
|
Impact ↓ / Likelihood → |
Low |
Medium |
High |
|
High Impact |
Medium |
High |
Critical |
|
Medium Impact |
Low |
Medium |
High |
|
Low Impact |
Low |
Low |
Medium |
👉 Excel Tip:
Use color gradients:
- Red = Critical
- Orange = High
- Yellow = Medium
- Green = Low
Section 3: TPRM Dashboard (Executive Reporting)
3.1 Sample Dashboard Metrics
|
Metric |
Description |
|
Total Vendors |
Total number of third parties |
|
Critical Vendors |
Number supporting CBS |
|
High-Risk Vendors |
Vendors with high/critical risk |
|
SLA Breaches |
Number of performance breaches |
|
Open Incidents |
Active vendor-related issues |
|
Compliance Status |
% compliant vendors |
3.2 Dashboard Layout (Excel)
|
Category |
Metric |
Value |
Trend |
|
Risk |
High-Risk Vendors |
12 |
↑ |
|
Performance |
SLA Compliance |
95% |
→ |
|
Incidents |
Open Issues |
5 |
↓ |
👉 Excel Tip:
- Use pivot tables
- Add charts (bar, pie, trend lines)
Section 4: Integration with Operational Resilience
Mapping Templates to OR Components
|
OR Component |
TPRM Tool |
|
CBS Mapping |
Vendor Inventory |
|
BIA |
Criticality Assessment |
|
Scenario Testing |
Incident Log + Risk Scoring |
|
Impact Tolerance |
Risk Heatmap |
|
Crisis Management |
Incident Dashboard |
Section 5: Implementation Roadmap
Step-by-Step Deployment
|
Step |
Action |
|
1 |
Create Vendor Inventory |
|
2 |
Perform Risk & Criticality Assessment |
|
3 |
Apply Scoring Model |
|
4 |
Classify Vendors |
|
5 |
Implement the Monitoring Dashboard |
|
6 |
Conduct Scenario Testing |
|
7 |
Report to Management |
Key Takeaways
- Standardised templates ensure consistency and auditability
- Scoring models enable objective risk classification
- Dashboards provide real-time visibility for decision-making
- Tools must align with CBS and Operational Resilience frameworks
- Excel-based models are practical and scalable for implementation
The effective management of third-party risk depends not only on frameworks and governance but also on the practical tools used to implement them.
By adopting structured templates and quantitative scoring models, organisations can transform TPRM from a theoretical concept into a measurable, actionable discipline.
These Excel-ready tools provide a foundation for consistent risk assessment, proactive monitoring, and informed decision-making—ensuring alignment with regulatory expectations, including BSP Circular No. 1203 and BNM Operational Resilience guidelines.
When integrated with Operational Resilience, these tools empower organisations to maintain the continuity of critical business services, even in the face of third-party disruptions.
![[Pillar] [3_4] [Banner] [C4] Third-Party Risk Management](https://no-cache.hubspot.com/cta/default/3893111/1ab1982e-100b-41e9-b830-23583eeb5b97.png)
| C1 | C2 | C3 | C4 |
![[OR] [Pillar] [E4] [C1] Introduction to TPRM](https://no-cache.hubspot.com/cta/default/3893111/82945f27-604a-406d-83f2-9df0180e126f.png) |
![[OR] [Pillar] [E4] [C2] Types of Third-Party Risks](https://no-cache.hubspot.com/cta/default/3893111/714cfc41-261a-42e0-9c2d-f517bd787323.png) |
![[OR] [Pillar] [E4] [C3] Framework and Lifecycle](https://no-cache.hubspot.com/cta/default/3893111/e8b02e92-416f-4ab2-bb4e-0499db349f40.png) |
![[OR] [Pillar] [E4] [C4] Governance and Operating Model](https://no-cache.hubspot.com/cta/default/3893111/34bdac31-acb4-4daa-8d16-ff1b5ab43747.png) |
| C5 | C6 | C7 | C8 |
![[OR] [Pillar] [E4] [C5] Tools, Templates and Scoring Models](https://no-cache.hubspot.com/cta/default/3893111/453d5c46-1981-4519-bfee-4d9e4aa32d21.png) |
![[OR] [Pillar] [E4] [C6] Scenario Testing for Third-Party Failures](https://no-cache.hubspot.com/cta/default/3893111/dc829fbf-e80f-45bb-bfbd-fa660f70095b.png) |
![[OR] [Pillar] [E4] [C7] Regulatory Compliance Checklist](https://no-cache.hubspot.com/cta/default/3893111/7e12ff2a-59e6-40cc-ac60-e0b17bcfd00e.png) |
![[OR] [Pillar] [E4] [C8] Case Study_ Implementation in Banking](https://no-cache.hubspot.com/cta/default/3893111/51d31b0f-dbf9-44ef-a127-999420c9fbd4.png) |
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
