As regulatory expectations evolve, financial institutions are increasingly required to demonstrate that their Third-Party Risk Management (TPRM) practices are not only effective but also compliant, auditable, and aligned with Operational Resilience frameworks.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) emphasise that institutions remain fully accountable for third-party risks, even when services are outsourced.
In parallel, ISO 22301 provides internationally recognised standards for ensuring business continuity and resilience, including managing external dependencies.
This chapter provides a comprehensive compliance checklist that organisations can use to assess their TPRM maturity, identify gaps, and prepare for regulatory reviews or audits.
By the end of this chapter, readers will:
| Theme | BSP 1203 | BNM | ISO 22301 |
|---|---|---|---|
| Governance | Accountability for third parties | Board oversight | Leadership & commitment |
| Risk Management | Risk identification & assessment | Risk-based approach | Risk & opportunity planning |
| Dependency Mapping | CBS dependencies required | Interdependency mapping | Business continuity analysis |
| Scenario Testing | Severe but plausible scenarios | Stress testing | Exercising & testing |
| Monitoring | Continuous oversight | Ongoing risk monitoring | Performance evaluation |
| Incident Response | Recovery capability | Crisis response integration | Incident response & recovery |
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status (Y/N/Partial) | Remarks |
|---|---|---|---|---|---|---|
| Board-approved TPRM framework | ✔ | ✔ | ✔ | TPRM policy document | | |
| Defined roles and responsibilities (RACI) | ✔ | ✔ | ✔ | Governance structure | | |
| Three Lines of Defence implemented | ✔ | ✔ | ✔ | Risk framework | | |
| Senior management oversight | ✔ | ✔ | ✔ | Committee minutes | | |
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Vendor inventory maintained | ✔ | ✔ | ✔ | Vendor register | | |
| Criticality assessment aligned to CBS | ✔ | ✔ | ✔ | CBS mapping | | |
| Risk-based classification of vendors | ✔ | ✔ | ✔ | Risk scoring model | | |
| Fourth-party risks identified | ✔ | ✔ | ✔ | Dependency mapping | | |
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Pre-engagement risk assessment | ✔ | ✔ | ✔ | Risk assessment reports | | |
| Financial due diligence performed | ✔ | ✔ | | Financial reports | | |
| Cybersecurity controls assessed | ✔ | ✔ | ✔ | Security certifications | | |
| Business continuity capability verified | ✔ | ✔ | ✔ | BCP/DR test results | | |
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| SLA defined and monitored | ✔ | ✔ | ✔ | Contracts | | |
| Business continuity clauses included | ✔ | ✔ | ✔ | Contract clauses | | |
| Incident reporting requirements defined | ✔ | ✔ | ✔ | SLA terms | | |
| Audit rights established | ✔ | ✔ | ✔ | Contract terms | | |
2.5 Ongoing Monitoring and Review
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Continuous vendor monitoring | ✔ | ✔ | ✔ | Monitoring reports | | |
| Periodic risk reassessment | ✔ | ✔ | ✔ | Risk review logs | | |
| SLA performance tracking | ✔ | ✔ | ✔ | KPI dashboards | | |
| Financial health monitoring | ✔ | ✔ | | Financial updates | | |
2.6 Scenario Testing and Resilience Validation
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Third-party failure scenarios defined | ✔ | ✔ | ✔ | Scenario library | | |
| Severe but plausible scenarios tested | ✔ | ✔ | ✔ | Test reports | | |
| Impact tolerance (MTD/MTDL) validated | ✔ | ✔ | ✔ | BIA reports | | |
| Lessons learned documented | ✔ | ✔ | ✔ | Post-test reviews | | |
2.7 Incident Management and Recovery
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Incident response plan includes vendors | ✔ | ✔ | ✔ | IR plan | | |
| Escalation procedures defined | ✔ | ✔ | ✔ | Escalation matrix | | |
| Recovery strategies tested | ✔ | ✔ | ✔ | DR test results | | |
| Regulatory reporting capability | ✔ | ✔ | | Incident reports | | |
2.8 Exit and Offboarding Management
| Requirement | BSP 1203 | BNM | ISO 22301 | Evidence Required | Status | Remarks |
|---|---|---|---|---|---|---|
| Exit strategy defined | ✔ | ✔ | ✔ | Exit plans | | |
| Data return/destruction ensured | ✔ | ✔ | ✔ | Data logs | | |
| Service continuity maintained | ✔ | ✔ | ✔ | Transition plans | | |
3.1 Scoring Methodology
| Score | Description |
|---|---|
| 2 | Fully Compliant |
| 1 | Partially Compliant |
| 0 | Not Compliant |
3.2 Compliance Score Calculation
Formula:
Compliance Score = (Total Score ÷ Maximum Score) × 100%
3.3 Maturity Levels
| Score (%) | Maturity Level |
|---|---|
| 85–100% | Mature |
| 70–84% | Established |
| 50–69% | Developing |
| <50% | Initial |
| Requirement | Current Status | Gap Identified | Risk Impact | Recommended Action | Owner | Timeline |
|---|---|---|---|---|---|---|
Example
| Requirement | Current Status | Gap | Risk Impact | Action | Owner | Timeline |
|---|---|---|---|---|---|---|
| Scenario testing | Partial | No vendor scenarios | High | Develop scenarios | Risk | 3 months |
| Area | Audit Focus |
|---|---|
| Governance | Policy, roles, oversight |
| Risk Assessment | Risk scoring accuracy |
| Monitoring | SLA tracking |
| Scenario Testing | Coverage and results |
| Compliance | Regulatory alignment |
| Report Type | Frequency | Audience |
|---|---|---|
| TPRM Dashboard | Monthly | Senior Management |
| Risk Report | Quarterly | Board |
| Incident Report | Ad hoc | Regulators |
Regulatory compliance in Third-Party Risk Management is not merely a checkbox exercise—it is a critical component of ensuring Operational Resilience.
By aligning TPRM practices with BSP Circular No. 1203, BNM expectations, and ISO 22301 standards, organisations can establish a robust and defensible framework for managing third-party risks.
This compliance checklist provides a practical tool for organisations to assess their current state, identify weaknesses, and implement targeted improvements.
When used effectively, it not only supports regulatory compliance but also strengthens the organisation’s ability to maintain critical business services in the face of disruption.