How do FS firms deal with Third-Party Risk Management (TPRM)?

As we are moving to an era of heavy reliance on third-party relationships alongside stronger scrutiny from the regulator, how should Financial Services approach TPRM?

TPRM - Increasing pressure

Firms that rely on third-party relationships are facing increasing scrutiny from regulators and, as a result, are looking to transform their risk management capabilities by taking a more proactive approach to TPRM.

A robust TPRM function is key to managing an organisation's overall risk level. The damage done to firms that fail to manage third parties appropriately can be vast, including loss of customer data and significant reputational damage.

Where should TPRM sit within an organisation?

TPRM can sit within various business units depending on an organisation's structure; there is no single best-practice operating model. Many organisations involve multiple departments, such as procurement, information security, operational risk and compliance, to provide input into managing the risks of engaging third parties. Depending on its internal structure, a firm may also choose to run TPRM through a centralised, mixed or decentralised model. A recent survey found a clear trend towards a centralised model for managing third-party relationships, given the input required from multiple business lines. A centralised model allows the organisation to track common risks across third parties and to identify emerging trends that may require a response.

What is needed for an effective TPRM function? 

A clear TPRM framework is key to providing an end-to-end view of the risks associated with third-party relationships and to ensuring that firms manage those risks effectively. TPRM must be incorporated into an organisation's overall risk appetite in order to establish clear roles for the stakeholders who identify and manage those risks.

Additionally, there must be cohesion in governance and processes between the various business lines that contribute to the TPRM function. Departments such as procurement, operational risk, compliance and IT must all have input, allowing for joint decision making and an effective risk management process.

Third-party risk monitoring should not stop after the on-boarding process; ongoing, proactive monitoring of third-party relationships must be carried out so that the consequences of any gaps in the due diligence process are limited. This ongoing monitoring needs to be tailored to each third party's risk profile, according to the level of risk associated with it.

By having a robust and effective TPRM function, an organisation can gain many advantages, including out-performing competitors and avoiding regulatory fines along with reputational damage.

Overall, there needs to be more collaboration across business lines to drive the quality assurance work needed to identify the operational risks associated with third-party relationships. Collaboration is not happening only within organisations: the industry appears to be moving towards a more streamlined model of TPRM in which multiple organisations work together to ensure the ongoing, effective monitoring of their shared third-party providers.

Within financial services, the effectiveness of TPRM is increasing; however, so is regulatory scrutiny, which means there are still improvements to be made. A greater understanding of TPRM must be embedded across an organisation in order to manage and mitigate these risks.

Topics: Featured, Risk Management, Investment Management, Insurance, Banking, Technology Media and Telecoms

September 19, 2019

Written by Saskia Cox

Saskia works within FourthLine's interim Investments & Protection team as a consultant specialising in legal, conduct regulation and cyber risk.