A robust Third-Party Risk Management (TPRM) framework must be supported by practical tools, structured templates, and consistent scoring models. Without these, organisations struggle to operationalise governance, assess risks consistently, and demonstrate compliance with regulatory expectations.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) expect financial institutions to adopt a risk-based, evidence-driven approach to managing third-party risks. This requires standardised templates for vendor inventory, risk assessments, monitoring, and reporting, supported by quantitative scoring models.
This chapter provides Excel-ready templates and scoring methodologies that participants can directly apply in their organisations.
By the end of this chapter, readers will:
Purpose
Maintain a centralised repository of all third-party relationships.
Template
| Vendor ID | Vendor Name | Service Provided | Linked CBS | Criticality (H/M/L) | Contract Start | Contract End | Vendor Owner | Country | Remarks |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |

Excel Tip:
Purpose
Assess inherent and residual risks across key domains.
Template
| Risk Category | Assessment Criteria | Score (1–5) | Weight (%) | Weighted Score | Remarks |
| --- | --- | --- | --- | --- | --- |
| Operational | Service reliability | | 20% | | |
| Cybersecurity | Data protection controls | | 25% | | |
| Compliance | Regulatory adherence | | 15% | | |
| Financial | Financial stability | | 15% | | |
| Reputational | Brand impact | | 10% | | |
| Concentration | Dependency level | | 10% | | |
| Strategic | Alignment with business | | 5% | | |
| TOTAL | | | 100% | Auto-calculated | |

Excel Formula:
Purpose
Determine the importance of the vendor to CBS.
Template
| Criteria | Description | Score (1–5) |
| --- | --- | --- |
| CBS Impact | Supports critical service? | |
| Customer Impact | Affects customers? | |
| Regulatory Impact | Regulatory consequences? | |
| Substitutability | Ease of replacement | |
| Recovery Time | Time to recover service | |

Classification:
Purpose
Track ongoing performance and risk indicators.
Template
| Vendor | KPI | Target | Actual | Variance | Risk Level | Status | Action |
| --- | --- | --- | --- | --- | --- | --- | --- |

Excel Tip:
Purpose
Track third-party incidents affecting CBS.
Template
| Date | Vendor | Incident Type | CBS Impacted | Severity | Root Cause | Action Taken | Status |
| --- | --- | --- | --- | --- | --- | --- | --- |
1.6 Exit Management Checklist
Purpose
Ensure smooth vendor transition.
Template
| Activity | Owner | Status | Due Date | Remarks |
| --- | --- | --- | --- | --- |
| Data return/destruction | | | | |
| Transition plan | | | | |
| Contract closure | | | | |
Scoring Scale
| Score | Description |
| --- | --- |
| 1 | Very Low |
| 2 | Low |
| 3 | Moderate |
| 4 | High |
| 5 | Very High |
Formula:
Residual Risk = Inherent Risk × (1 − Control Effectiveness %)
Example:
| Vendor | Inherent Risk | Control Effectiveness | Residual Risk |
| --- | --- | --- | --- |
| Vendor A | 4.5 | 60% | 1.8 |

| Score Range | Risk Level |
| --- | --- |
| 4.0 – 5.0 | Critical |
| 3.0 – 3.9 | High |
| 2.0 – 2.9 | Medium |
| 1.0 – 1.9 | Low |
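The scoring steps above (weighted total, residual risk formula, score-range classification) worked through in Python. This is an added example, not part of the original chapter. It assumes the weighted total serves as the inherent risk score, rounds to one decimal before banding, and rates scores below 1.0 as Low; the sample vendor scores are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

# Weights (%) copied from the risk assessment template on this page.
WEIGHTS = {
    "Operational": 20, "Cybersecurity": 25, "Compliance": 15, "Financial": 15,
    "Reputational": 10, "Concentration": 10, "Strategic": 5,
}
# Lower bound of each band from the score-range table; treating the bands as
# thresholds is an assumption that closes the gaps between e.g. 3.9 and 4.0.
BANDS = [(Decimal("4.0"), "Critical"), (Decimal("3.0"), "High"),
         (Decimal("2.0"), "Medium")]


def weighted_score(scores):
    """Weighted total of 1-5 domain scores; rejects incomplete or invalid input."""
    if sum(WEIGHTS.values()) != 100:
        raise ValueError("weights must total 100%")
    if set(scores) != set(WEIGHTS):
        raise ValueError("score every risk category exactly once")
    total = Decimal(0)
    for category, score in scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{category}: score must be 1-5")
        total += Decimal(str(score)) * WEIGHTS[category] / 100
    return total


def residual_risk(inherent, control_effectiveness_pct):
    """Residual Risk = Inherent Risk x (1 - Control Effectiveness %)."""
    if not 0 <= control_effectiveness_pct <= 100:
        raise ValueError("control effectiveness must be 0-100%")
    factor = 1 - Decimal(str(control_effectiveness_pct)) / 100
    return Decimal(str(inherent)) * factor


def risk_level(score):
    """Map a score to the page's risk levels after rounding to one decimal."""
    rounded = Decimal(str(score)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
    for lower_bound, level in BANDS:
        if rounded >= lower_bound:
            return level
    return "Low"  # assumption: residual scores below 1.0 also rate Low


# Constructed sample scores for a hypothetical vendor (not data from the page).
SAMPLE = {"Operational": 4, "Cybersecurity": 5, "Compliance": 3, "Financial": 2,
          "Reputational": 3, "Concentration": 4, "Strategic": 2}
```

Strong controls can push a residual score below the lowest published band (for example 4.5 at 90% effectiveness), so the classification step needs an explicit rule for that case rather than a lookup that returns nothing.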
Template (Excel Matrix)
| Impact ↓ / Likelihood → | Low | Medium | High |
| --- | --- | --- | --- |
| High Impact | Medium | High | Critical |
| Medium Impact | Low | Medium | High |
| Low Impact | Low | Low | Medium |

Excel Tip:
Use color gradients:
| Metric | Description |
| --- | --- |
| Total Vendors | Total number of third parties |
| Critical Vendors | Number supporting CBS |
| High-Risk Vendors | Vendors with high/critical risk |
| SLA Breaches | Number of performance breaches |
| Open Incidents | Active vendor-related issues |
| Compliance Status | % compliant vendors |

| Category | Metric | Value | Trend |
| --- | --- | --- | --- |
| Risk | High-Risk Vendors | 12 | |
| Performance | SLA Compliance | 95% | |
| Incidents | Open Issues | 5 | |

Excel Tip:
Mapping Templates to OR Components
| OR Component | TPRM Tool |
| --- | --- |
| CBS Mapping | Vendor Inventory |
| BIA | Criticality Assessment |
| Scenario Testing | Incident Log + Risk Scoring |
| Impact Tolerance | Risk Heatmap |
| Crisis Management | Incident Dashboard |
Section 5: Implementation Roadmap
Step-by-Step Deployment
| Step | Action |
| --- | --- |
| 1 | Create Vendor Inventory |
| 2 | Perform Risk & Criticality Assessment |
| 3 | Apply Scoring Model |
| 4 | Classify Vendors |
| 5 | Implement the Monitoring Dashboard |
| 6 | Conduct Scenario Testing |
| 7 | Report to Management |
The effective management of third-party risk depends not only on frameworks and governance but also on the practical tools used to implement them.
By adopting structured templates and quantitative scoring models, organisations can transform TPRM from a theoretical concept into a measurable, actionable discipline.
These Excel-ready tools provide a foundation for consistent risk assessment, proactive monitoring, and informed decision-making, ensuring alignment with regulatory expectations, including BSP Circular No. 1203 and BNM Operational Resilience guidelines.
When integrated with Operational Resilience, these tools empower organisations to maintain the continuity of critical business services, even in the face of third-party disruptions.