eBook 4: Chapter 7
TPRM Regulatory Compliance Checklist
Introduction
As regulatory expectations evolve, financial institutions are increasingly required to demonstrate that their Third-Party Risk Management (TPRM) practices are not only effective but also compliant, auditable, and aligned with Operational Resilience frameworks.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) emphasise that institutions remain fully accountable for third-party risks, even when services are outsourced.
In parallel, ISO 22301 provides internationally recognised standards for ensuring business continuity and resilience, including managing external dependencies.
This chapter provides a comprehensive compliance checklist that organisations can use to assess their TPRM maturity, identify gaps, and prepare for regulatory reviews or audits.
Purpose of This Chapter
By the end of this chapter, readers will:
- Understand key regulatory expectations for TPRM
- Use a structured compliance checklist aligned with BSP, BNM, and ISO 22301
- Identify gaps in current TPRM practices
- Support internal audits and regulatory assessments
Section 1: Compliance Framework Overview
Key Regulatory Themes
| Theme | BSP 1203 | BNM | ISO 22301 |
|---|---|---|---|
| Governance | Accountability for third parties | Board oversight | Leadership & commitment |
| Risk Management | Risk identification & assessment | Risk-based approach | Risk & opportunity planning |
| Dependency Mapping | CBS dependencies required | Interdependency mapping | Business continuity analysis |
| Scenario Testing | Severe but plausible scenarios | Stress testing | Exercising & testing |
| Monitoring | Continuous oversight | Ongoing risk monitoring | Performance evaluation |
| Incident Response | Recovery capability | Crisis response integration | Incident response & recovery |
Section 2: TPRM Compliance Checklist
2.1 Governance and Oversight
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status (Y/N/Partial) | Remarks |
|---|---|---|---|---|---|---|
| Board-approved TPRM framework | ✔ | ✔ | ✔ | TPRM policy document | | |
| Defined roles and responsibilities (RACI) | ✔ | ✔ | ✔ | Governance structure | | |
| Three Lines of Defence implemented | ✔ | ✔ | ✔ | Risk framework | | |
| Senior management oversight | ✔ | ✔ | ✔ | Committee minutes | | |
2.2 Third-Party Risk Identification and Assessment
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Vendor inventory maintained | ✔ | ✔ | ✔ | Vendor register | | |
| Criticality assessment aligned to CBS | ✔ | ✔ | ✔ | CBS mapping | | |
| Risk-based classification of vendors | ✔ | ✔ | ✔ | Risk scoring model | | |
| Fourth-party risks identified | ✔ | ✔ | ✔ | Dependency mapping | | |
2.3 Due Diligence and Onboarding
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Pre-engagement risk assessment | ✔ | ✔ | ✔ | Risk assessment reports | | |
| Financial due diligence performed | ✔ | ✔ | | Financial reports | | |
| Cybersecurity controls assessed | ✔ | ✔ | ✔ | Security certifications | | |
| Business continuity capability verified | ✔ | ✔ | ✔ | BCP/DR test results | | |
2.4 Contracting and Risk Mitigation
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| SLA defined and monitored | ✔ | ✔ | ✔ | Contracts | | |
| Business continuity clauses included | ✔ | ✔ | ✔ | Contract clauses | | |
| Incident reporting requirements defined | ✔ | ✔ | ✔ | SLA terms | | |
| Audit rights established | ✔ | ✔ | ✔ | Contract terms | | |
2.5 Ongoing Monitoring and Review
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Continuous vendor monitoring | ✔ | ✔ | ✔ | Monitoring reports | | |
| Periodic risk reassessment | ✔ | ✔ | ✔ | Risk review logs | | |
| SLA performance tracking | ✔ | ✔ | ✔ | KPI dashboards | | |
| Financial health monitoring | ✔ | ✔ | | Financial updates | | |
2.6 Scenario Testing and Resilience Validation
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Third-party failure scenarios defined | ✔ | ✔ | ✔ | Scenario library | | |
| Severe but plausible scenarios tested | ✔ | ✔ | ✔ | Test reports | | |
| Impact tolerance (MTD/MTDL) validated | ✔ | ✔ | ✔ | BIA reports | | |
| Lessons learned documented | ✔ | ✔ | ✔ | Post-test reviews | | |
2.7 Incident Management and Recovery
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Incident response plan includes vendors | ✔ | ✔ | ✔ | IR plan | | |
| Escalation procedures defined | ✔ | ✔ | ✔ | Escalation matrix | | |
| Recovery strategies tested | ✔ | ✔ | ✔ | DR test results | | |
| Regulatory reporting capability | ✔ | ✔ | | Incident reports | | |
2.8 Exit and Offboarding Management
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Exit strategy defined | ✔ | ✔ | ✔ | Exit plans | | |
| Data return/destruction ensured | ✔ | ✔ | ✔ | Data logs | | |
| Service continuity maintained | ✔ | ✔ | ✔ | Transition plans | | |
Section 3: Compliance Scoring Model
3.1 Scoring Methodology
| Score | Description |
|---|---|
| 2 | Fully Compliant |
| 1 | Partially Compliant |
| 0 | Not Compliant |
3.2 Compliance Score Calculation
Formula:
Compliance Score (%) = Total Score ÷ Maximum Score × 100%
Total Score is the sum of the scores (2, 1 or 0) assigned to each checklist requirement, and Maximum Score is 2 multiplied by the number of requirements assessed.
3.3 Maturity Levels
| Score (%) | Maturity Level |
|---|---|
| 85–100% | Mature |
| 70–84% | Established |
| 50–69% | Developing |
| <50% | Initial |
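The scoring model of sections 3.1 to 3.3, worked through in code as an added example (not part of the eBook): each checklist row is scored 2/1/0 from its Status value, the percentage is computed per framework, and the result is mapped to the maturity bands. Rows whose framework column carries no tick in section 2 (for example financial due diligence under ISO 22301) are left out of both the total and the maximum for that framework, so the same answers can yield a different maturity level per regulator; the sample answers are constructed and the class and function names are assumptions.

```python
from dataclasses import dataclass

# Scoring scale from section 3.1, keyed by the Status column values (Y/N/Partial).
POINTS = {"Y": 2, "Partial": 1, "N": 0}
FRAMEWORKS = ("BSP 1203", "BNM", "ISO 22301")
# Maturity bands from section 3.3, checked from the highest threshold down.
MATURITY_BANDS = ((85, "Mature"), (70, "Established"), (50, "Developing"))


@dataclass(frozen=True)
class ChecklistItem:
    requirement: str
    applies_to: frozenset  # frameworks whose column carries a tick for this row
    status: str            # "Y", "N" or "Partial" from the Status column


def maturity_level(pct: float) -> str:
    """Map a compliance percentage to the chapter's maturity level."""
    for threshold, level in MATURITY_BANDS:
        if pct >= threshold:
            return level
    return "Initial"  # anything below 50%


def framework_score(items, framework: str) -> float:
    """Total Score / Maximum Score * 100 over the rows that apply to one framework."""
    applicable = [i for i in items if framework in i.applies_to]
    if not applicable:
        raise ValueError(f"no checklist rows apply to {framework}")
    total = 0
    for item in applicable:
        if item.status not in POINTS:  # reject anything outside Y/N/Partial
            raise ValueError(f"{item.requirement}: unknown status {item.status!r}")
        total += POINTS[item.status]
    return round(100 * total / (2 * len(applicable)), 1)


def score_all(items) -> dict:
    """Percentage and maturity level for every framework in the checklist."""
    return {fw: (pct, maturity_level(pct))
            for fw in FRAMEWORKS for pct in [framework_score(items, fw)]}


ALL = frozenset(FRAMEWORKS)
BSP_BNM = frozenset({"BSP 1203", "BNM"})  # rows with no ISO 22301 tick in section 2
# Constructed sample self-assessment over rows taken from sections 2.3 and 2.5.
SAMPLE = [
    ChecklistItem("Pre-engagement risk assessment", ALL, "Y"),
    ChecklistItem("Financial due diligence performed", BSP_BNM, "N"),
    ChecklistItem("Cybersecurity controls assessed", ALL, "Partial"),
    ChecklistItem("Business continuity capability verified", ALL, "Y"),
    ChecklistItem("Financial health monitoring", BSP_BNM, "Partial"),
    ChecklistItem("Periodic risk reassessment", ALL, "Y"),
]

if __name__ == "__main__":
    for fw, (pct, level) in score_all(SAMPLE).items():
        print(f"{fw}: {pct}% -> {level}")
```

On the sample, BSP 1203 and BNM score 66.7% (Developing) while ISO 22301 scores 87.5% (Mature), because the two financial rows that drag the score down do not count towards ISO 22301.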
Section 4: Gap Analysis and Remediation Plan
Template: Gap Analysis
| Requirement | Current Status | Gap Identified | Risk Impact | Recommended Action | Owner | Timeline |
|---|---|---|---|---|---|---|
| | | | | | | |
Example
| Requirement | Current Status | Gap | Risk Impact | Action | Owner | Timeline |
|---|---|---|---|---|---|---|
| Scenario testing | Partial | No vendor scenarios | High | Develop scenarios | Risk | 3 months |
Section 5: Audit and Reporting
Internal Audit Checklist
| Area | Audit Focus |
|---|---|
| Governance | Policy, roles, oversight |
| Risk Assessment | Risk scoring accuracy |
| Monitoring | SLA tracking |
| Scenario Testing | Coverage and results |
| Compliance | Regulatory alignment |
Reporting to Management
| Report Type | Frequency | Audience |
|---|---|---|
| TPRM Dashboard | Monthly | Senior Management |
| Risk Report | Quarterly | Board |
| Incident Report | Ad hoc | Regulators |
- TPRM compliance requires a structured, evidence-based assessment
- BSP, BNM, and ISO 22301 share common principles of resilience and accountability
- A checklist approach ensures audit readiness and consistency
- Scoring models provide a measurable maturity assessment
- Gap analysis drives continuous improvement
Regulatory compliance in Third-Party Risk Management is not merely a checkbox exercise—it is a critical component of ensuring Operational Resilience.
By aligning TPRM practices with BSP Circular No. 1203, BNM expectations, and ISO 22301 standards, organisations can establish a robust and defensible framework for managing third-party risks.
This compliance checklist provides a practical tool for organisations to assess their current state, identify weaknesses, and implement targeted improvements.
When used effectively, it not only supports regulatory compliance but also strengthens the organisation’s ability to maintain critical business services in the face of disruption.