When it comes to Third Party Risk Management (TPRM), it is time to move away from legacy practices. Depending on your level of risk maturity, we have set out 10 practical steps to prioritise focus, together with a clear vision and strategy that sets the overall direction. This is essential to tackle the issue strategically, yet proportionally and sustainably.

10 Practical Steps to Establishing TPRM Capabilities

TPRM is a relatively new risk principle, but one that is evolving and maturing rapidly. Establishing the Vision & Strategy requires a coordinated set of top-down efforts and actions, including a Board-established mandate, senior management support, appropriate investment, and cross-stakeholder engagement.

Depending on how third-party management activities have evolved in your firm, functions such as Risk, Operational Resilience, IT/Technology, Information Security, Legal & Compliance, and Sourcing & Procurement may be responsible for specific elements of the design and organisational alignment of TPRM, supported by a network of incumbent frameworks and processes.

Due to the transversal coverage of TPRM, there will likely be several key stakeholder groups involved in contributing to and setting the overall Vision and Strategy. It can be a time- and resource-intensive exercise, and for large and complex firms it can often span a multi-year effort to define, design, and deploy the TPRM capability to a sustainable state. Therefore, setting a clear Vision and Strategy is essential to laying the right foundations.

A TPRM programme will need to be established to effect the Vision and Strategy as well as coordinate the activities to define, design, and deploy the necessary TPRM capabilities.

The programme will be better placed to overcome any barriers to change and to drive efforts in addressing the organisational, cultural, technological and data barriers that could impact the ability to determine, assess, manage and control third party risk.

The primary focus at the beginning must be to review and assess how third party-related risks are managed today before defining, designing, and implementing the target state capability. This early approach will identify and bring together the various stakeholder groups, focus minds, and also ascertain the extent of the challenge in order to plan effectively.

To arrive at the target end point, the TPRM programme must establish and document an actionable roadmap to act as a ‘compass’ and provide directional pull to the implementation process from aspiration to delivery mode – supporting the ‘north star’ approach set by the Vision and Strategy.

Having a clear roadmap in place will ensure that programme governance, execution oversight, and the right programme accountabilities are established, as well as demonstrating to the Board how the investment in TPRM will be delivered against the Vision and Strategy.

In recent years, attention has been focussed on initiatives such as Operational Resilience and Outsourcing Compliance programmes. As a result, most firms by now should have a clear idea of their most critical and dependent third-party relationships, as well as having mapped their dependencies. This is a good starting point for any TPRM Programme to understand the nature and extent of critical third parties within their wider populations.

Leveraging and collaborating with other strategic initiatives will also be mutually beneficial. We have observed Operational Resilience programmes calling for more TPRM focus and capabilities to be deployed, as key dependencies and gaps are highlighted in the transversal oversight and governance required to manage end-to-end services.

Therefore, it’s important to utilise and work closely with Operational Resilience and Outsourcing Compliance programmes to understand how to fast-track, accelerate and co-ordinate activities when defining their TPRM capabilities.

Many firms are not fully aware of the capabilities and resources that might already be in place (ones that either focus on, or have touchpoints with, specific elements of TPRM) because TPRM is not formalised or harmonised in a holistic manner today. Current internal capabilities and resources are simply fragmented.

As a result, firms should undertake a company-wide review to build a full picture of all resources and artefacts currently deployed.

In performing this exercise, you can determine the right level of effort needed to harmonise disparate or fragmented frameworks under a consolidated TPRM framework, as well as identify areas of weakness or gaps to be addressed within the existing skills and capabilities.

The shift towards centralisation is driven by the fragmented and pervasive nature of third-party risk environments today, together with internal and external pressures to develop integrated company-wide oversight capabilities to assess, manage, and control the firm's TPRM risk posture.

Various models and structures can be deployed depending on the organisational and legal entity set-up. These range from decentralised, with an emphasis on local or entity ownership for managing third party relationships and their risk; to centralised, where the responsibility for and management of third party risk oversight is harmonised across the organisation; to a hybrid model that takes the best of both worlds by maintaining decentralised organisational ownership of the relationship, complemented by centralised oversight, reporting and governance requirements.

Organisational complexity, unclear roles and responsibilities, and fragmented governance structures are clear obstacles that can negatively impact the effectiveness of the TPRM engagement model across the three lines of defence, preventing vertical and horizontal alignment.

We often observe that multiple business units, legal entities and control functions have a degree of involvement in third party management. In going through the exercises of reviewing the current framework environment to address fragmentation, as well as defining the TPRM target operating model, the TPRM programme will be able to identify and implement the improvements needed to establish a holistic TPRM Risk & Control Framework.

This will ensure clarity, consistency, and, above all, effectiveness of the target state TPRM engagement model across the three lines.

An integrated TPRM Risk & Control Framework will help horizontal and vertical stakeholder groups understand their involvement and role within TPRM by establishing a common set of risk and control standards for evaluating and managing the firm’s third-party risk and control expectations across the three lines.

The specific design and implementation of a TPRM Risk & Control Framework will vary according to your risk management and control maturity and culture, together with the nature, scale and complexity of the third-party population and the services they provide as well as internal intricacies.

Risk assessments should be an ongoing activity throughout the lifecycle model, starting with a full assessment at the outset of the relationship, by applying a set of tiered risk factors that depend on the type of third party and the nature of the services or products provided.

It will be important to apply the appropriate risk segmentation set out in the TPRM Framework according to the tiered levels of inherent risk: from low-risk relationships, to moderate-risk relationships that should be monitored, to the most critical and complex relationships that represent higher levels of risk to the firm and require the strongest levels of management, oversight, and control.

Implementing a lifecycle approach within the TPRM framework will help firms take a workflow approach to TPRM, as well as implement a comprehensive and effective framework that is risk-centric and risk-adjusted throughout. Therefore, risk management principles should be embedded within each component of the third-party lifecycle, covering risk-based processes to identify, assess, and rate risk.

Implementing a transversal risk-based lifecycle does come with a number of barriers and challenges. The most common challenge we see relates to risk fragmentation and inconsistent risk taxonomies across the TPRM stakeholder groups, especially in risk ratings and criticality assessments. In the absence of a centralised TPRM capability, this makes it difficult to aggregate the risk in order to create, manage, monitor, and control a third-party risk profile for senior decision making.

Firms can often struggle to integrate the right foundation blocks into their strategic frameworks. Focus should be on strategic alignment and a functional cascade from the Enterprise-wide Risk Management Framework and Operational Risk Management Framework down to the TPRM Framework. Successful strategic alignment and functionality will better enable a top-down integration of risk appetite statements and metrics, combined with framework standards and functional alignment. In doing so, this will ensure a clear demarcation between the three lines of defence, as well as oversight, governance, reporting, and transparency.

A framework alignment and cascade model will enhance and drive a level of embeddedness and standardisation throughout the firm. But firms often struggle to align and stack the right foundation blocks to enable effective alignment.

There is still heavy reliance on fragmented manual processes with a myriad of documents, spreadsheets, and duplicative reporting information, leading to a genuine need to address risk data, process workflows, and disparate technological solutions. Utilising TPRM technologies and reporting tools to improve and automate oversight and governance tasks will enable aggregation of risk and provide robust intelligence. But this will also require initiating a TPRM data strategy to ensure data quality and integrity.

The first priority on the road to a technology platform is to address the completeness of the third-party population by having a fully centralised inventory of all third-party relationships; the second is to read across the regulatory and compliance requirements to support risk identification and categorisation activities. TPRM policies, procedures, and process monitoring must be enabled through integrated risk-centric tools to improve the holistic monitoring and control of third-party risk. Together with automated risk workflows, firms will be in a better place to oversee and govern their third party risk environments.

Look to utilise technology to help automate and streamline processes, and establish a technology and data architecture that delivers the right level of agility. This will aid senior decision making by integrating and connecting oversight, risk management, and governance processes, which will vastly improve the accuracy of risk intelligence.

Mathew Wells

To adopt and embed a holistic TPRM capability and be fully equipped to address third party risk, firms can follow the 10 Practical Steps detailed in this Insight Paper. Your current maturity level will determine what your first step looks like; however, in beginning to take these steps, the journey towards an embedded holistic TPRM model is in sight.
