eBook 4: Chapter 7
TPRM Regulatory Compliance Checklist
Introduction
This chapter presents a practical case study illustrating how financial institutions implement Third-Party Risk Management (TPRM) as part of their Operational Resilience (OR) programmes.
Using two representative institutions—a Philippine bank aligned with BSP Circular No. 1203 (2024) and a Malaysian bank aligned with BNM Operational Resilience expectations—this case study demonstrates how TPRM frameworks, governance, tools, and scenario testing are applied in real-world contexts.
The case study integrates concepts covered throughout this eBook, including:
- Critical Business Services (CBS)
- Third-party risk identification and classification
- TPRM lifecycle and governance
- Scenario testing and impact tolerance
- Regulatory compliance and reporting
Purpose of This Chapter
By the end of this chapter, readers will:
- Understand how TPRM is implemented in practice
- See how frameworks translate into operational execution
- Learn from real-world challenges and solutions
- Apply lessons to their own organisations
Section 1: Case Study Overview
Profile of Institutions
| Attribute | Philippine Bank | Malaysia Bank |
|---|---|---|
| Regulatory Framework | BSP Circular No. 1203 | BNM Operational Resilience |
| Business Focus | Retail and commercial banking | Universal banking |
| Key CBS | CBS-1 Deposit Services, CBS-2 Payments | CBS-1 Deposits, CBS-2 Digital Banking |
| Third-Party Dependency | High (IT, KYC, Payments) | High (Cloud, Fintech, Outsourcing) |
Section 2: Identifying Critical Business Services (CBS)
Example CBS Mapping
| CBS | Description | Key Third Parties |
|---|---|---|
| CBS-1 Deposit Services | Account management, transactions | Core banking vendor, KYC provider |
| CBS-2 Payments | Funds transfer, clearing | Payment gateway, telecom provider |
| CBS-3 Digital Banking | Mobile and online banking | Cloud provider, cybersecurity vendor |
👉 Implementation Insight:
Both banks began by mapping CBS and identifying third-party dependencies, as required by BSP and BNM.
Section 3: TPRM Framework Implementation
Step 1: Vendor Inventory and Classification
| Vendor | Service | CBS | Criticality | Risk Level |
|---|---|---|---|---|
| Core Banking Vendor | Core system | CBS-1 | Critical | High |
| Cloud Provider | Infrastructure | CBS-3 | Critical | High |
| KYC Vendor | Customer verification | CBS-1 | High | Medium |
Outcome:
- Philippine Bank identified 120 vendors, with 25 classified as critical
- Malaysia Bank identified 150 vendors, with 30 critical
Step 2: Risk Assessment and Scoring
| Vendor | Inherent Risk | Control Effectiveness | Residual Risk |
|---|---|---|---|
| Cloud Provider | 5.0 | 60% | 2.0 |
| Payment Gateway | 4.5 | 50% | 2.25 |
Insight:
- High reliance on cloud services increased cyber and concentration risk
- Both banks enhanced monitoring for high-risk vendors
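The residual figures in the Step 2 table are consistent with residual risk = inherent risk × (1 − control effectiveness). The following added example (not code from the eBook or either bank) applies that scoring model to a small vendor inventory and flags vendors for enhanced monitoring; the monitoring threshold, the KYC Vendor scores and the CBS-per-vendor concentration check are assumptions.

```python
# Added example: residual-risk scoring model implied by the Step 2 table,
# residual = inherent x (1 - control effectiveness), applied to a vendor inventory.
# Threshold, the KYC Vendor scores and the concentration check are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    cbs: tuple                 # critical business services the vendor supports
    inherent: float            # inherent risk on the 1.0-5.0 scale used in the table
    control_effectiveness: float  # fraction 0.0-1.0 (60% -> 0.60)


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Residual = inherent x (1 - control effectiveness); 5.0 at 60% gives 2.0."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be a fraction between 0 and 1")
    return round(inherent * (1.0 - control_effectiveness), 2)


# Assumed threshold: residual at or above this value gets enhanced monitoring.
ENHANCED_MONITORING_THRESHOLD = 2.0


def monitoring_plan(vendors):
    """Rank vendors by residual risk; mark those needing enhanced monitoring."""
    scored = sorted(
        ((v, residual_risk(v.inherent, v.control_effectiveness)) for v in vendors),
        key=lambda pair: pair[1], reverse=True)
    return [(v.name, r, r >= ENHANCED_MONITORING_THRESHOLD) for v, r in scored]


def concentration(vendors):
    """Number of CBS depending on each vendor: a simple concentration-risk signal."""
    return {v.name: len(v.cbs) for v in vendors}


# Constructed inventory: the two vendors scored in the table plus one assumed row.
INVENTORY = [
    Vendor("Cloud Provider", ("CBS-1", "CBS-3"), 5.0, 0.60),
    Vendor("Payment Gateway", ("CBS-2",), 4.5, 0.50),
    Vendor("KYC Vendor", ("CBS-1",), 3.0, 0.70),  # assumed scores
]

if __name__ == "__main__":
    for name, score, flagged in monitoring_plan(INVENTORY):
        print(f"{name:16} residual={score:.2f} enhanced_monitoring={flagged}")
    print("CBS per vendor:", concentration(INVENTORY))
```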
Step 3: Governance and Operating Model
| Element | Philippine Bank | Malaysia Bank |
|---|---|---|
| 3 Lines of Defence | Implemented | Implemented |
| TPRM Function | Centralised | Hybrid |
| Board Oversight | Quarterly reporting | Integrated into OR governance |
Section 4: Scenario Testing for Third-Party Failures
Scenario 1: Cloud Provider Outage
| Item | Philippine Bank | Malaysia Bank |
|---|---|---|
| CBS Impacted | CBS-1, CBS-3 | CBS-2, CBS-3 |
| Impact | Digital banking outage | Payment disruption |
| MTD | 4 hours | 2 hours |
| Outcome | Within tolerance | Exceeded tolerance |
Lessons Learned
- Philippine Bank improved its failover capability
- Malaysia Bank implemented a multi-cloud strategy
Scenario 2: Payment Gateway Failure
| Item | Philippine Bank | Malaysia Bank |
|---|---|---|
| CBS Impacted | CBS-2 | CBS-2 |
| Impact | Transaction delays | Transaction failure |
| Response | Queue transactions | Switch to backup vendor |
| Outcome | Partial success | Successful recovery |
Scenario 3: Vendor Cyberattack
| Item | Philippine Bank | Malaysia Bank |
|---|---|---|
| CBS Impacted | CBS-1 | CBS-3 |
| Impact | Data exposure risk | Service disruption |
| Response | Incident response activation | Isolate affected systems |
| Outcome | Managed | Improved controls required |
Section 5: Compliance Alignment
Regulatory Compliance Assessment
| Area | Philippine Bank (BSP) | Malaysia Bank (BNM) |
|---|---|---|
| CBS Mapping | Fully compliant | Fully compliant |
| Third-Party Risk Assessment | Fully compliant | Fully compliant |
| Scenario Testing | Partial | Fully compliant |
| Monitoring | Established | Mature |
Section 6: Challenges and Solutions
Key Challenges
| Challenge | Impact | Solution |
|---|---|---|
| Lack of vendor visibility | Incomplete risk view | Implement vendor inventory |
| Over-reliance on a single vendor | Concentration risk | Introduce redundancy |
| Limited scenario testing | Weak resilience validation | Develop scenario library |
| Data from vendors is not timely | Monitoring gaps | Automate reporting |
Section 7: Key Success Factors
1. Strong Governance
Clear accountability across business, risk, and audit.
2. CBS-Centric Approach
Focus on services rather than individual vendors.
3. Risk-Based Prioritisation
Focus on high-risk and critical vendors.
4. Continuous Monitoring
Use dashboards and KPIs.
5. Scenario Testing
Validate resilience under real conditions.
Section 8: Implementation Roadmap (Practical Guide)
Recommended Steps for Participants
| Step | Action |
|---|---|
| 1 | Identify CBS |
| 2 | Map third-party dependencies |
| 3 | Perform risk assessment |
| 4 | Establish governance |
| 5 | Implement monitoring tools |
| 6 | Conduct scenario testing |
| 7 | Align with regulatory requirements |
- TPRM is critical to Operational Resilience
- CBS mapping is the foundation of effective implementation
- Scenario testing reveals real vulnerabilities
- Governance ensures accountability and oversight
- Regulatory alignment strengthens resilience and compliance
This case study demonstrates that implementing Third-Party Risk Management is a journey that requires structured frameworks, strong governance, and continuous improvement.
Both the Philippine and Malaysian banks illustrate how TPRM can be effectively embedded into Operational Resilience programmes to ensure the continuity of critical business services.
By adopting a CBS-driven approach, integrating scenario testing, and aligning with regulatory expectations, including BSP Circular No. 1203 and BNM guidelines, organisations can transform third-party dependencies into controlled, resilient partnerships.
Ultimately, successful TPRM implementation enables organisations not only to comply with regulations but also to build a robust, adaptive, and future-ready operational resilience capability.