[OR] [Pillar] [E4] [C8] Case Study – Implementing TPRM for Operational Resilience

eBook 4: Chapter 7

TPRM Regulatory Compliance Checklist

Introduction

This chapter presents a practical case study illustrating how financial institutions implement Third-Party Risk Management (TPRM) as part of their Operational Resilience (OR) programmes. 

Using two representative institutions—a Philippine bank aligned with BSP Circular No. 1203 (2024) and a Malaysian bank aligned with BNM Operational Resilience expectations—this case study demonstrates how TPRM frameworks, governance, tools, and scenario testing are applied in real-world contexts.

The case study integrates concepts covered throughout this eBook, including:

• Critical Business Services (CBS) 

• Third-party risk identification and classification 

• TPRM lifecycle and governance 

• Scenario testing and impact tolerance 

Regulatory compliance and reporting 

Purpose of This Chapter

By the end of this chapter, readers will:

• Understand how TPRM is implemented in practice
• See how frameworks translate into operational execution
• Learn from real-world challenges and solutions
• Apply lessons to their own organisations

Section 1: Case Study Overview

Profile of Institutions

Section 2: Identifying Critical Business Services (CBS)

Example CBS Mapping

👉 Implementation Insight:

Both banks began by mapping CBS and identifying third-party dependencies, as required by BSP and BNM.

Section 3: TPRM Framework Implementation

Step 1: Vendor Inventory and Classification

Outcome:

• Philippine Bank identified 120 vendors, with 25 classified as critical
• Malaysia Bank identified 150 vendors, with 30 critical

Step 2: Risk Assessment and Scoring

Insight:

• High reliance on cloud services increased cyber and concentration risk
• Both banks enhanced monitoring for high-risk vendors

Step 3: Governance and Operating Model

Section 4: Scenario Testing for Third-Party Failures

Scenario 1: Cloud Provider Outage

Lessons Learned

• Philippine Bank improved its failover capability
• Malaysia Bank implemented a multi-cloud strategy

Scenario 2: Payment Gateway Failure

Scenario 3: Vendor Cyberattack

Section 5: Compliance Alignment

Regulatory Compliance Assessment

Section 6: Challenges and Solutions

Key Challenges

Section 7: Key Success Factors

1. Strong Governance

Clear accountability across business, risk, and audit.

2. CBS-Centric Approach

Focus on services rather than individual vendors.

3. Risk-Based Prioritisation

Focus on high-risk and critical vendors.

4. Continuous Monitoring

Use dashboards and KPIs.

5. Scenario Testing

Validate resilience under real conditions.

Section 8: Implementation Roadmap (Practical Guide)

Recommended Steps for Participants

• TPRM is critical to Operational Resilience
• CBS mapping is the foundation of effective implementation
• Scenario testing reveals real vulnerabilities
• Governance ensures accountability and oversight
• Regulatory alignment strengthens resilience and compliance

This case study demonstrates that implementing Third-Party Risk Management is a journey that requires structured frameworks, strong governance, and continuous improvement.

Both the Philippine and Malaysian banks illustrate how TPRM can be effectively embedded into Operational Resilience programmes to ensure the continuity of critical business services.

By adopting a CBS-driven approach, integrating scenario testing, and aligning with regulatory expectations, including BSP Circular No. 1203 and BNM guidelines, organisations can transform third-party dependencies into controlled, resilient partnerships.

Ultimately, successful TPRM implementation enables organisations not only to comply with regulations but also to build a robust, adaptive, and future-ready operational resilience capability.