
Third-Party Risk Management Policy: Framework, Standards, and Examples

  • Writer: Julien Haye
  • Sep 27
  • 25 min read
Cover image for blog post ‘Third-Party Risk Management Policy: Framework, Standards, and Examples’ by Aevitium LTD. Visual shows a network of interconnected digital nodes representing third-party relationships and vendor dependencies.

Introduction: Why Every Organisation Needs to Rethink Third-Party Oversight


Boards and executives increasingly rely on external partners to enable their business strategy and deliver critical services. Technology platforms, outsourcing providers, suppliers, fund administrators, and delivery partners have become extensions of the organisation itself. Reliance on third parties creates efficiency, innovation, and scale, but it also transfers critical risk outside the organisation’s direct control. The trade-off is speed and cost savings on one side, versus visibility and assurance on the other. Without clear accountability, the risks embedded in suppliers and vendors remain hidden until they become systemic.


A growing share of business operations now depends on third parties, from cloud providers hosting critical technology to outsourced administrators, logistics partners, and delivery NGOs. Gartner projects that by 2027, 65% of application workloads will be hosted in public cloud, compared with about 25% in 2020. In manufacturing, more than 60% of value creation comes from global suppliers rather than in-house production. For non-profits, international NGOs often deliver more than 70% of programmes through local partners.


This level of dependency positions third-party oversight as a strategic enabler that strengthens resilience, supports innovation, and extends organisational capacity. Regulators expect boards to approve outsourcing policies, evidence substitution planning, and assure resilience across the external ecosystem. Procurement leaders must embed due diligence, contract standards, and continuous monitoring into sourcing decisions. Chief Risk Officers (CROs) must connect these operational realities to risk appetite, capital planning, and resilience, ensuring that external dependencies strengthen rather than weaken organisational strategy.


The stakes are clear. A single vendor outage can halt customer services. A data breach through a supplier can trigger regulatory fines and reputational loss. A delivery partner’s misconduct can undermine trust built over decades. Across financial services, energy, and the charity sector alike, boards are being challenged to show not just that they have policies in place, but that these policies work in practice.


The demands are growing because the environment is more complex and interconnected. Supply chains stretch across jurisdictions, with geopolitical risk exposing organisations to unpredictable outcomes. Critical functions are concentrated in a handful of global providers. ESG standards and responsible sourcing expectations are reshaping procurement. Artificial intelligence is entering vendor ecosystems, raising new questions of model risk and accountability. No single checklist is sufficient. Organisations need an integrated framework that brings together policy, standards, culture, and assurance.


In our work with boards and leadership teams, the strongest organisations treat third-party oversight as a strategic capability. They see that effective third-party risk management is not about eliminating outsourcing or vendor partnerships, but about equipping leaders with the governance, foresight, and resilience to use these relationships responsibly.


This article sets out a complete guide to third-party, supplier, and vendor risk management policy. It explores the critical dimensions — from scope and governance, to assurance and cultural enablers, to future trends such as AI and ESG. Together, these elements show how organisations can manage the trade-off between efficiency and assurance, transform high levels of external dependency into a source of resilience and innovation, and position third-party oversight as a genuine strategic capability.




What Is Third-Party Risk Management (TPRM)?


Third-Party Risk Management (TPRM) is the discipline of identifying, assessing, monitoring, and mitigating the risks that arise when an organisation relies on external entities to deliver products, services, or processes. These third parties can include IT vendors, suppliers of goods, professional service providers, outsourcing partners, and cloud platforms.


The terms third-party, supplier, and vendor risk management are often used interchangeably, yet they carry distinct implications that affect governance, accountability, and compliance. Third party is the broadest category, encompassing any external entity on which the organisation depends. Supplier is most often applied to the provision of goods and physical supply chains, while vendor is typically used for IT and service providers. Financial regulators also make their own distinctions, particularly between outsourcing arrangements and general third-party services, with critical outsourcing subject to heightened requirements under frameworks such as PRA SS2/21, the EBA Outsourcing Guidelines, and DORA.


Clear definitions are the foundation of effective third-party risk management. For boards and senior risk leaders, they set the boundaries of accountability and ensure that all material exposures are captured within the organisation’s risk universe and linked to its risk appetite. For procurement teams, they provide unambiguous criteria for which relationships require due diligence, ongoing monitoring, and escalation. Without this clarity, suppliers can slip through the gaps, leaving blind spots in oversight and compliance. For regulators, definitional precision signals that the organisation distinguishes between standard supplier arrangements and regulated outsourcing, reducing the risk of missing mandatory safeguards such as substitution planning, contractual protections, or notification obligations.


Classification of Third Parties


Third parties vary widely in their impact, from routine suppliers to critical outsourcing partners. In our experience, many organisations lack clarity on what should fall within the scope of their TPRM programme. The overview below provides a high-level starting point that helps boards set accountability, procurement teams apply the right due diligence, and regulators see that oversight is proportionate.

Each category is listed with its definition, key risk considerations, and examples.

1. Strategic Outsourcing Partners
   Definition: Core service providers whose failure would significantly impact operations, compliance, or client outcomes
   Key risk considerations: Substitutability, resilience testing, regulatory notification, concentration risk
   Examples: Business process outsourcers, cloud service providers, payment processors

2. Critical IT & Technology Vendors
   Definition: Providers of systems or platforms integral to daily operations
   Key risk considerations: Cybersecurity posture, data privacy, service continuity, licensing rights
   Examples: Cybersecurity vendors, SaaS platforms, ERP systems, trading/analytics tools

3. Suppliers of Goods & Services
   Definition: Entities delivering goods or services that support operations but are not always business-critical
   Key risk considerations: Supply chain reliability, financial stability, ESG practices
   Examples: Facilities management, logistics, printing, office services

4. Professional Services & Advisory
   Definition: Providers of specialist expertise or advisory services
   Key risk considerations: Independence, conflicts of interest, data confidentiality
   Examples: Legal firms, auditors, consultants, HR advisors

5. Subcontractors & Fourth Parties
   Definition: Entities engaged by your third parties to deliver contracted services
   Key risk considerations: Limited visibility, contractual oversight, regulatory expectations
   Examples: Offshore staffing, sub-custodians, sub-suppliers

6. Niche & Emerging Providers
   Definition: Smaller or innovative firms offering new technologies or specialised solutions
   Key risk considerations: Financial resilience, maturity of controls, scalability, IP rights
   Examples: FinTech start-ups, AI/ML vendors, ESG data providers, social enterprises

7. Sector-Critical Ecosystem Partners
   Definition: Industry-specific external entities essential to core sector functioning and regulatory obligations
   Key risk considerations: Systemic concentration risk, compliance obligations, reputational exposure, resilience
   Examples: Varies by sector

8. Government, Regulators & Tax Authorities
   Definition: Public entities that organisations must engage with for compliance, licensing, reporting, and fiscal obligations
   Key risk considerations: Compliance failures, reporting errors, fines/penalties, reputational risk, loss of licence/charity status, systemic dependency on government systems (e.g., tax portals, regulatory filings)
   Examples: National/regional tax authorities (HMRC, IRS), regulatory agencies (FCA, PRA, SEC), charities regulators, licensing bodies

 


The Strategic Importance of a Third-Party Risk Management Policy


A third-party risk management policy defines how an organisation governs the external partners it relies on for critical services and operations. It sets the boundaries of accountability, translates regulatory requirements into clear standards, and ensures that oversight is applied consistently across suppliers, vendors, and outsourcing arrangements. In practice, the policy is the mechanism that links strategic intent with procurement decisions and day-to-day risk management.


For senior leadership, a formalised policy provides assurance that risks from critical suppliers, vendors, and partners are managed within the organisation’s risk strategy and risk appetite. Boards are increasingly challenged by regulators to evidence how they oversee outsourcing, supplier dependencies, and systemic risks. A written and regularly reviewed policy demonstrates that accountability for third-party risks has been formally defined and endorsed at the governance level. On its own it does not prove that oversight is embedded, but without it organisations struggle to evidence to regulators and stakeholders that third-party risk management is structured rather than informal or reactive.


Strategic alignment connects risk oversight with decision-making at every level. When boards and CROs embed this discipline, they strengthen resilience, protect value, and build long-term trust.






From a regulatory perspective, the absence of a structured policy is a red flag. Supervisors expect firms to map their approach directly to published requirements, whether it is the FCA and PRA’s outsourcing and third-party risk guidance, DORA in the EU, or interagency statements in the US. A well-designed policy should explicitly reference these obligations, outline how they are operationalised, and ensure that oversight extends to subcontractors and fourth parties where regulators demand it.


For procurement teams, the policy clarifies where responsibility begins and ends. It defines the role of procurement in supplier onboarding, due diligence, and contract management, while also ensuring alignment with risk, compliance, and business owners. Without this clarity, procurement can either become a bottleneck or inadvertently leave critical suppliers outside the scope of assessment. The policy also formalises requirements such as the inclusion of audit rights, exit clauses, and regulatory notifications in contracts — elements that might otherwise be inconsistently applied.


Sector-specific contexts highlight the importance of a robust policy even further:

  • Asset managers must evidence to both regulators and investors how they monitor custodians, administrators, and benchmark providers. Failures here directly impact fiduciary duty.

  • Energy providers depend on critical infrastructure operators and regulated trading markets, where weak oversight can trigger systemic disruption.

  • Charities and non-profits face reputational damage and regulatory sanction if delivery partners misuse funds or breach safeguarding obligations.


In all cases, the policy acts as the single point of truth that brings together risk oversight, procurement practices, and regulatory compliance into a coherent framework. It ensures that third-party risk management is not an ad hoc process but a structured discipline aligned to strategy, resilience, and stakeholder expectations.


Core Elements of a Third-Party Risk Management Policy


A third-party risk management policy is only effective if it sets out the essential building blocks that guide how the organisation classifies, governs, and monitors external relationships. The purpose of the policy is not to duplicate procurement manuals or compliance handbooks, but to establish a governance framework that integrates third-party oversight into enterprise risk management.


1. Scope and Applicability

The policy must define which relationships fall under its remit, including suppliers, vendors, outsourcing partners, subcontractors, and fourth parties. Clarity here avoids blind spots and ensures that all critical third-party exposures are captured. For example, an IT service provider may fall under “vendor,” while a local delivery NGO for a charity would be a subcontractor. Regulators expect these boundaries to be explicit, particularly where critical outsourcing is involved.


Equally important, scope should be aligned with the organisation’s strategic priorities. A well-designed policy ensures that oversight focuses most on the external partners that enable delivery of the business model. This strategic alignment ensures the TPRM framework supports both regulatory expectations and the execution of the organisation’s long-term objectives.


2. Roles and Responsibilities

Clear ownership of third-party risks is fundamental. The board should approve the policy and retain ultimate accountability. Senior executives, including the CRO, are responsible for oversight and alignment with risk appetite. Procurement plays a frontline role in onboarding and due diligence, while business owners must remain accountable for risks within their areas. Without this clarity, third-party oversight can become fragmented or diluted.


3. Standards and Procedures

A strong policy embeds reference to recognised standards and frameworks, such as ISO 27001 for information security, SOC reports for assurance, or NIST guidelines for cybersecurity. It should also reference relevant regulatory expectations, including FCA/PRA outsourcing rules, DORA, or US interagency guidance. These standards inform due diligence checklists, monitoring requirements, and contract provisions.


4. Risk Assessment and Tiering

The policy should describe how third parties are classified by criticality, using agreed criteria such as substitutability, financial dependency, data access, and regulatory impact. This classification enables proportionate oversight: high-risk or critical vendors require deeper due diligence, tighter contractual terms, and more frequent monitoring than low-risk suppliers.


Crucially, the tiering approach must be anchored in the organisation’s risk appetite. For example, if the board has a low appetite for operational disruption, vendors providing core technology infrastructure should be subject to enhanced resilience testing and substitution planning. If the organisation accepts higher cost volatility but has zero appetite for regulatory breaches, then compliance-heavy suppliers (such as custodians in asset management or safeguarding partners in the charity sector) should attract the most stringent oversight.


By aligning third-party classification to risk appetite, the policy ensures that oversight is not only proportionate but also strategically consistent with the organisation’s objectives and tolerance for risk.


5. Escalation and Reporting

Escalation protocols ensure that when risks exceed defined thresholds, they are surfaced to the right level of management or the board. The policy should specify what triggers escalation, how issues are reported, and how breaches are remediated. Regulators increasingly expect firms to demonstrate that escalation pathways are both defined and tested.


Oversight should not rely on static, annual reviews. Proactive monitoring of vendor performance, financial health, and compliance signals is essential. Our article Monitoring Triggers for Third-Party Vendor Exit explores how to set meaningful triggers and plan exits before disruption occurs.


6. Exit and Substitution Planning

Third-party arrangements must be designed with the end in mind. A policy should mandate exit clauses, substitution analysis, and resilience testing. This ensures that critical services can be replaced or wound down without exposing the organisation to regulatory or operational failure.


For a practical framework on developing exit strategies for critical vendors, see our detailed guide: How to Develop a Third-Party Vendor Exit Strategy. It outlines regulatory context, common triggers for exit, and a step-by-step approach to safeguard resilience.


7. Review and Approval Cycle

Finally, the policy must be subject to periodic review and board re-approval. Third-party risk is dynamic, shaped by market conditions, regulation, and technology. A regular cycle ensures the policy stays aligned with both internal strategy and external obligations.


Third-Party Risk Management Standards


A third-party risk management policy gains authority and credibility when it is anchored in recognised standards. These frameworks provide common benchmarks for assessing third-party resilience, ensuring consistency across due diligence, contracting, and monitoring. For boards and regulators, reference to established standards demonstrates that oversight is not arbitrary but aligned with industry good practice and regulatory expectation.


International and Industry Standards

  • ISO 27001 (Information Security) – widely used to validate that vendors manage data securely.

  • ISO 22301 (Business Continuity) – demonstrates resilience planning and continuity capabilities.

  • SOC 1 and SOC 2 Reports – independent assurance on controls relevant to user entities' financial reporting (SOC 1) and on the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy (SOC 2). Ask for a Type II report, which covers a defined period rather than a point in time, and read the scope, the auditor's exceptions, and any carved-out subservice organisations rather than accepting the report's existence as assurance.

  • NIST Cybersecurity Framework – a reference for evaluating cyber maturity, particularly in critical IT and technology vendors.

  • COBIT – used for governance of IT and control frameworks.


These standards provide procurement and risk teams with practical assurance tools: certification or assurance reports can be embedded into onboarding, renewal, and continuous monitoring requirements.


Regulatory Guidance and Expectations

Supervisory bodies go beyond recommending good practice; they set explicit obligations for third-party oversight. Examples include:

  • UK (FCA/PRA) – Supervisory Statement SS2/21 on outsourcing and third-party risk management, requiring boards to approve outsourcing policies and ensure critical arrangements are substitutable.

  • UK (Bank of England PS16/24 & CP17/24) – recent policies introduce resilience standards for Critical Third Parties (CTPs) and extend incident reporting and third-party oversight requirements across the sector. Read our analysis of PS16/24 and our breakdown of CP17/24.

  • EU (EBA Outsourcing Guidelines & DORA) – requiring full contract inventories, oversight of subcontractors, and operational resilience testing.

  • US (OCC/FDIC/Federal Reserve Interagency Guidance) – emphasising due diligence, ongoing monitoring, and board accountability for critical third-party risks.

A credible TPRM policy should map its provisions directly against these regulatory requirements, ensuring there are no gaps between policy commitments and supervisory expectations.


Procurement and Operational Integration

For procurement teams, standards provide a consistent baseline for vendor evaluation. ISO certifications, SOC reports, and independent audit findings can reduce duplication in due diligence while still meeting risk management requirements. Where vendors lack certification, the policy should require compensating controls, such as enhanced questionnaires or onsite assessments.


Sector-Specific Applications

  • Financial services and banking: Apply regulatory outsourcing standards (e.g., FCA/PRA SS2/21, DORA, OCC guidance) to payment processors, cloud providers, and market infrastructure. SOC 1/2 and ISO 27001 are often mandated for core IT and custodial services.

  • Healthcare and life sciences: Must apply HIPAA (US), GDPR (EU), and ISO 27001 to vendors handling patient data. ISO 22301 and NIST standards are referenced for clinical trial continuity, supply chains for medical devices, and pharmaceutical manufacturing partners.

  • Manufacturing and industrials: Depend on ISO 9001 (quality management) and ISO 28000 (supply chain security). TPRM covers tier-one and tier-two suppliers of components and raw materials, with added focus on ESG standards and ethical sourcing.

  • Technology and SaaS providers: Use SOC 2 and ISO 27001 as the default baseline for cloud and platform vendors. NIST frameworks support cyber maturity assessments, especially for SaaS and AI service providers. Increasingly, ISO 27701 (privacy) is being requested for data-intensive third parties.

  • Retail and e-commerce: Apply PCI DSS to payment processors, ISO 27001 for e-commerce platforms, and SOC 2 for logistics or fulfilment technology. Vendor oversight extends to third-party logistics providers and marketing data platforms.

  • Government and public sector: Reference NIST and ISO standards for cyber, continuity, and supply chain assurance. Defence or critical infrastructure vendors are subject to additional national security standards (e.g., CMMC in the US, Cyber Essentials in the UK).


The Third-Party Risk Management Framework


While a policy sets the rules, the framework shows how those rules are applied in practice. A third-party risk management framework typically follows a lifecycle approach: from identifying and onboarding a new third party, to monitoring performance and risks during the relationship, through to exit or renewal. Regulators expect firms not only to describe this lifecycle but to demonstrate that it is embedded, consistent, and tested.


Strategic alignment should act as a filter across the lifecycle, ensuring that third-party oversight is not just procedural but actively supports the organisation’s business model, risk appetite, and long-term objectives. This is often where organisations fall short: the mechanics exist, but the strategic lens is missing.


1. Onboarding and Due Diligence

Every new third-party relationship should begin with a structured risk assessment. This includes financial stability checks, information security evaluations, ESG assessments, and regulatory compliance verification. Procurement plays a frontline role here, ensuring that due diligence is proportionate to the risk tier of the supplier or vendor. Regulators emphasise the need for board oversight of critical outsourcing arrangements, with some requiring notification before engagement begins.


Due diligence should also assess strategic fit: does this third party enable critical capabilities the business depends on, and is the level of dependency acceptable within the board's risk appetite? Effort should be proportionate to both risk tier and strategic importance.


2. Contracting and Risk Allocation

Contracts must capture the risk controls identified during onboarding. This includes service-level agreements, audit rights, data protection clauses, liability allocation, and exit provisions. For regulated industries, certain clauses are non-negotiable, such as subcontracting restrictions or requirements to notify regulators of material changes. For procurement teams, the framework ensures these requirements are consistently built into template contracts, avoiding uneven application.


Contracts must capture not only controls and compliance obligations but also reflect strategic priorities such as resilience, innovation, and ESG commitments. For example, if sustainability is a board priority, relevant obligations should be hardwired into supplier contracts.


3. Ongoing Monitoring and Assurance

Once a third party is engaged, monitoring must be continuous. This can include periodic due diligence updates, review of assurance reports (e.g., SOC 2), site visits, and performance reviews against KPIs. Technology and RegTech solutions now enable continuous monitoring of cyber posture, financial health, and sanctions exposure. Boards and CROs expect this monitoring to be risk-based: more intensive for critical providers, lighter-touch for low-risk suppliers.


Monitoring should test not just operational performance but also whether the relationship continues to align with strategic objectives. For example, is a technology partner still enabling innovation, or has it become a concentration risk that limits flexibility? Boards and CROs should see reporting that links vendor performance back to risk appetite and business goals.


Our own polling of risk leaders on LinkedIn shows that 73% of organisations only review critical third-party vendor risk annually or on an ad hoc basis, while just 27% conduct quarterly reviews. Not a single respondent reported real-time or continuous monitoring. This gap between regulatory expectations and actual practice highlights why boards and CROs must push for more proactive monitoring, supported by technology and clear escalation triggers.


👉 To see how these principles come together in practice, explore our Integrated Risk Management Pathway™. It sets out how boards and executives can align appetite, tolerance, capacity, and control design into a single framework that strengthens governance and decision-making.


Promotional graphic for Aevitium LTD’s Integrated Risk Management Framework™, showing abstract blue and grey geometric shapes with text: “The Aevitium Integrated Risk Management Framework™ — Connect strategy, governance, and culture.” Subtext explains the framework as a 9-step approach that helps boards and executives align vision, strengthen governance, and embed risk into decision-making. Link displayed: www.aevitium.com/integrated-risk-management.

4. Escalation and Issue Management

The framework should define how issues are detected, reported, and resolved. Escalation thresholds, such as missed SLAs, data breaches, or regulatory breaches, must be clear and tested. Regulators increasingly scrutinise escalation pathways, challenging boards on whether issues are raised quickly and acted on consistently. For procurement, the framework provides a clear route for escalating supplier concerns without fear of business pushback.


Escalation criteria should include not only breaches of SLAs or compliance failures but also strategic triggers such as over-reliance on a single provider, misalignment with ESG commitments, or changes in the vendor’s ownership that alter strategic compatibility.


5. Exit and Renewal

No third-party arrangement is permanent. The framework should require exit strategies, substitution planning, and periodic assessments of whether the relationship remains fit-for-purpose. Critical providers should be subject to resilience testing that demonstrates how services could be replaced if they fail. For renewals, the framework mandates reassessment, avoiding automatic rollovers that may entrench legacy risks.


Exit and renewal decisions should always test strategic alignment. A provider may be operationally sound but no longer fit the organisation’s evolving strategy (e.g., reliance on a vendor that slows digital transformation, or a partner that no longer meets stakeholder ESG expectations). Renewal should never be automatic; it should reassess both risk and strategic relevance.


Lessons from Supplier and Vendor Failures


Policies and frameworks are only effective if they work in practice. Organisations across sectors have learned, sometimes painfully, that gaps in supplier and vendor oversight create material risks to operations, compliance, and reputation, and that third-party dependencies can become systemic vulnerabilities. Applying a policy consistently across the supplier base, with proportionate oversight, is the difference between a framework on paper and a framework that protects stakeholders. The examples below show how governance gaps translate into real-world consequences.


Target: Cyber Breach via a Third-Party Supplier

In 2013, attackers infiltrated Target's network using stolen network credentials belonging to a heating and ventilation contractor. From that foothold they reached the payment environment, deployed malware on point-of-sale devices, and exposed over 40 million payment cards, costing the company hundreds of millions of dollars in settlements and remediation. The breach demonstrated how even a minor supplier can introduce disproportionate risk when its access is not segmented from critical systems and is poorly monitored; in tiering terms, a low-spend supplier with standing access into the estate must be treated as a high-risk one.


TSB Bank: Outsourcing Oversight Failure

TSB’s 2018 IT migration, outsourced to a critical service provider, left millions of customers locked out of their accounts for weeks. Regulators fined the bank £48.65m for widespread failings in oversight and governance. The incident underscored the danger of relying on vendor assurances without independent testing, contingency planning, or board-level scrutiny.


Oxfam: Safeguarding and Delivery Partner Risk

In 2018, safeguarding failures in Oxfam's Haiti programme came to light, triggering a statutory Charity Commission inquiry and warnings that up to £29m of EU funding was at risk. Although the misconduct occurred in field operations far from the board, accountability ultimately rested with Oxfam's leadership. The same principle applies where programmes are delivered through local partners, where the board's visibility is lower still: reputational and regulatory consequences extend directly to trustees when partner oversight is weak.


Common Risk Scenarios

  • Operational disruption – A critical IT vendor suffers an outage, halting access to customer systems. Without proper monitoring and exit planning, service interruption cascades across the organisation.

  • Cyber and data breaches – A supplier with weak information security controls becomes the entry point for an attack. This has been the root cause of several high-profile breaches where regulators and customers held the hiring organisation accountable.

  • Financial distress – A vendor’s insolvency disrupts essential supply chains, particularly where the organisation failed to monitor financial health.

  • Compliance and conduct issues – A subcontractor engages in unethical or unlawful practices, creating reputational fallout for the primary organisation.


For a deeper dive into how to model and test these risks, see our resource on Scenario Testing & Impact Tolerance. It explains how to design scenarios, set impact tolerances, and embed testing into your resilience programme, ensuring that oversight extends beyond risk registers to real-world preparedness.


How the Framework Works in Practice

  • Risk tiering in action: A cloud provider classified as “critical” receives deep due diligence (penetration tests, SOC 2 reviews, site visits), while a stationery supplier only requires a basic financial check.

  • Contract enforcement: Audit rights in a facilities contract are exercised after repeated service failures, prompting remediation and demonstrating control to regulators.

  • Continuous monitoring: A sanctions screening alert flags a logistics partner’s new ownership link to a high-risk jurisdiction, triggering enhanced due diligence and escalation to the board.
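
The tiering criteria set out under "Risk Assessment and Tiering" (substitutability, dependency, data access, regulatory impact) and the monitoring and escalation scenarios above can be expressed as working logic. The block below is an added example for this article, not Aevitium's own tooling, and every tier name, threshold, signal kind and routing target in it is an assumption chosen to show the mechanics rather than a figure taken from any regulation. It makes two points the prose leaves implicit: a third party's tier is the worst of several independent dimensions rather than an average, so a cheap contractor with standing network access (the Target pattern) lands at HIGH despite benign spend and substitutability, and a fourth party inherits its principal's tier. Monitoring signals are then routed according to tier, with assurance evidence treated as perishable: a SOC 2 period that ended more than a year ago raises a signal on its own. The registry and signals are constructed sample data.

```python
"""Risk-based tiering and escalation routing for third parties.

Added illustration for this article; not Aevitium's tooling. Tier names,
thresholds, signal kinds and routing targets are assumptions chosen to
show the mechanics, not values taken from any regulation.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class ThirdParty:
    name: str
    substitutable_within_days: int        # realistic time to replace the service
    dependency_pct: float                 # share of operations that stops if it fails
    data_access: str                      # "none" | "internal" | "personal" | "regulated"
    network_access: bool                  # standing credentials/connectivity into our estate
    regulated_outsourcing: bool           # in scope of critical-outsourcing rules (SS2/21, EBA, DORA)
    assurance_period_end: Optional[date] = None   # end of the last SOC 2 Type II period
    subcontractor_of: Optional[str] = None        # fourth party: name of its principal


DATA_TIER = {"none": Tier.LOW, "internal": Tier.MEDIUM,
             "personal": Tier.HIGH, "regulated": Tier.CRITICAL}


def assess_tier(tp: ThirdParty, registry: dict, _seen=()) -> Tier:
    """Tier is the WORST of independent dimensions, never an average: averaging
    would score a cheap supplier with network access as LOW."""
    dims = [
        Tier.CRITICAL if tp.substitutable_within_days > 90 else
        Tier.HIGH if tp.substitutable_within_days > 30 else
        Tier.MEDIUM if tp.substitutable_within_days > 7 else Tier.LOW,
        Tier.CRITICAL if tp.dependency_pct >= 25 else
        Tier.HIGH if tp.dependency_pct >= 10 else
        Tier.MEDIUM if tp.dependency_pct >= 2 else Tier.LOW,
        DATA_TIER[tp.data_access],
    ]
    if tp.network_access:          # access into the estate is at least HIGH on its own
        dims.append(Tier.HIGH)
    if tp.regulated_outsourcing:   # regulated critical outsourcing is CRITICAL by definition
        dims.append(Tier.CRITICAL)
    tier = max(dims)
    principal = registry.get(tp.subcontractor_of or "")
    if principal and principal.name not in _seen:   # fourth party inherits its principal's tier
        tier = max(tier, assess_tier(principal, registry, _seen + (tp.name,)))
    return tier


# Who must be told, by signal kind and tier (assumed routing). None = log only.
ROUTING = {
    "breach":           {Tier.LOW: "risk", Tier.MEDIUM: "cro", Tier.HIGH: "board", Tier.CRITICAL: "board+regulator"},
    "insolvency":       {Tier.LOW: "procurement", Tier.MEDIUM: "cro", Tier.HIGH: "board", Tier.CRITICAL: "board+regulator"},
    "sanctions_hit":    {Tier.LOW: "compliance", Tier.MEDIUM: "cro", Tier.HIGH: "board", Tier.CRITICAL: "board"},
    "ownership_change": {Tier.LOW: None, Tier.MEDIUM: "procurement", Tier.HIGH: "cro", Tier.CRITICAL: "board"},
    "sla_missed":       {Tier.LOW: None, Tier.MEDIUM: "business_owner", Tier.HIGH: "cro", Tier.CRITICAL: "cro"},
    "assurance_stale":  {Tier.LOW: None, Tier.MEDIUM: "procurement", Tier.HIGH: "cro", Tier.CRITICAL: "cro"},
}


@dataclass
class Signal:
    third_party: str
    kind: str
    detail: str = ""


def stale_assurance(tp: ThirdParty, as_of: date, max_age_days: int = 365) -> Optional[Signal]:
    """Assurance evidence ages: no report, or a period that ended over a year ago, is a signal."""
    if tp.assurance_period_end is None:
        return Signal(tp.name, "assurance_stale", "no assurance report on file")
    age = (as_of - tp.assurance_period_end).days
    return Signal(tp.name, "assurance_stale", f"report period ended {age} days ago") if age > max_age_days else None


def route(signals, registry: dict, as_of: date):
    """(third party, tier, signal kind, escalation target) for every signal that
    needs more than a log entry, most severe tier first."""
    tiers = {name: assess_tier(tp, registry) for name, tp in registry.items()}
    all_signals = list(signals) + [s for tp in registry.values() if (s := stale_assurance(tp, as_of))]
    out = [(s.third_party, tiers[s.third_party].name, s.kind, ROUTING[s.kind][tiers[s.third_party]])
           for s in all_signals if ROUTING[s.kind][tiers[s.third_party]]]
    return sorted(out, key=lambda r: Tier[r[1]], reverse=True)


def build_registry() -> dict:
    """Constructed sample registry: names and figures are illustrative."""
    return {tp.name: tp for tp in [
        ThirdParty("CloudCo", 180, 40.0, "regulated", True, True, date(2024, 12, 31)),
        ThirdParty("HVAC Services", 5, 0.5, "none", True, False, None),          # low spend, network access
        ThirdParty("Stationery Ltd", 2, 0.1, "none", False, False, None),
        ThirdParty("OffshoreStaff", 30, 3.0, "personal", True, False, date(2024, 3, 31), "CloudCo"),
    ]}


def demo():
    registry = build_registry()
    signals = [Signal("Stationery Ltd", "sla_missed"),            # LOW tier: log only
               Signal("HVAC Services", "ownership_change"),
               Signal("CloudCo", "sla_missed"),
               Signal("Stationery Ltd", "sanctions_hit")]          # sanctions escalate at any tier
    return route(signals, registry, as_of=date(2025, 9, 27))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running `demo()` shows the proportionality the policy calls for: the stationery supplier's missed SLA is logged and nothing more, but its sanctions hit still reaches compliance; the HVAC contractor's ownership change and missing assurance both reach the CRO because network access alone made it HIGH; and the offshore staffing firm, never assessed as critical on its own merits, is escalated as CRITICAL because it delivers for a critical provider.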


The Procurement Dimension

Procurement teams operationalise these controls daily. Their responsibilities include verifying certifications, embedding contract clauses, and escalating red flags. Without policy backing, procurement can be pressured to prioritise speed or cost over due diligence. A well-defined policy ensures procurement has both the authority and the mandate to apply consistent controls across the supply base.


How to Build a Third-Party Risk Management Policy


Step-by-Step Third-Party Risk Management Policy Framework infographic by Aevitium LTD. Eight steps with icons show how to build an effective TPRM policy: 1 Define Scope & Objectives, 2 Map to Regulatory & Industry Standards, 3 Establish Roles & Responsibilities, 4 Define Risk Assessment & Tiering with proportionate risk-based controls, 5 Embed Standards into Contracts & Processes, 6 Build Escalation & Reporting Mechanisms, 7 Plan for Exit & Substitution, 8 Review & Approve Regularly; footer highlights continuous ‘Monitor, Learn & Adapt’ and a call-to-action to visit aevitium.com for tailored support.

TPRM policy requires more than copying a template. It should reflect the organisation’s strategy, risk appetite, regulatory environment, and operating model. A strong policy provides a clear, actionable roadmap for managing supplier, vendor, and outsourcing risks in a way that supports long-term business objectives as well as compliance.


Step 1: Define Scope and Objectives

Set out the purpose of the policy and the relationships it covers including suppliers, vendors, outsourcing partners, subcontractors, and fourth/nth parties. Scope should not only close blind spots but also align with strategic priorities, ensuring that oversight is concentrated on the external partners that enable critical business delivery.

  • CRO focus: Align scope with the organisation’s risk appetite and resilience objectives.

  • Regulator lens: Show that critical outsourcing is recognised as distinct from general suppliers.

  • Procurement perspective: Provide clarity on which relationships procurement must assess and manage.


Step 2: Map to Regulatory and Industry Standards

Reference the frameworks and regulatory guidance that shape obligations. This ensures the policy is grounded in compliance requirements and linked to good practice.

  • Examples: FCA/PRA outsourcing rules, Bank of England’s PS16/24 on Critical Third Parties, CP17/24 on incident and third-party reporting, DORA, OCC/FDIC guidance, ISO 27001, SOC reports, NIST.

  • Sector tailoring: Custodians and fund administrators for asset managers; SCADA vendors for energy firms; delivery partners for charities.


Step 3: Establish Roles and Responsibilities

Define who owns third-party risk management. The board retains ultimate accountability, executives oversee governance, procurement manages onboarding and contracting, and business owners remain accountable for their suppliers.

  • Regulators expect explicit escalation lines.

  • Procurement requires authority reinforced in the policy to resist pressure to cut corners.


Step 4: Define the Risk Assessment and Tiering Approach

Explain how third parties are classified by criticality and risk, using criteria such as data access, substitutability, financial dependency, and regulatory impact. The tiering approach must be anchored in the organisation’s risk appetite.

  • High-risk vendors: Enhanced due diligence, audit rights, resilience testing, and board visibility.

  • Low-risk suppliers: Proportionate, lighter-touch checks. By linking classification to appetite, oversight intensity reflects the risks the board is least willing to accept.


Step 5: Embed Standards into Contracts and Processes

Mandate the use of audit rights, termination clauses, subcontracting restrictions, and regulatory notification obligations in contracts.

  • This ensures regulatory expectations are operationalised.

  • For procurement, it standardises contract language and avoids inconsistent application.


Step 6: Build Escalation and Reporting Mechanisms

Define thresholds for escalation (e.g., service failures, breaches, financial distress, or strategic misalignment) and how these are reported to senior management or the board.

  • Regulators increasingly challenge firms to demonstrate these pathways are tested, not just written down.


Step 7: Plan for Exit and Substitution

Require exit strategies, substitution analysis, and resilience testing for critical third parties. Exit planning should not only be written but tested through scenario exercises to validate resilience and impact tolerance.

  • Avoid over-reliance on providers that cannot be replaced.

  • In regulated sectors, substitution planning is a supervisory expectation.


Step 8: Review and Approve Regularly

Commit to a review cycle, at least annually or whenever regulatory requirements change. Require board approval to reinforce accountability and demonstrate that third-party oversight remains aligned to strategic priorities.


Third-Party Risk Management Policy Example


A well-structured third-party risk management policy should be concise, practical, and aligned with regulatory expectations. Below is an example outline that organisations can adapt to their sector and operating model. It demonstrates the core sections regulators, boards, and procurement teams will expect to see.


Example Policy Structure

1. Purpose and Objectives

  • State why the policy exists: to manage risks arising from third parties, safeguard operational resilience, protect customers and stakeholders, and comply with regulatory requirements.

2. Scope

  • Define which relationships are covered (suppliers, vendors, outsourcing partners, subcontractors, and fourth parties).

  • Clarify exclusions, if any (e.g., one-off low-value transactions below a threshold).

3. Governance and Accountability

  • Assign ultimate accountability to the board.

  • Specify executive responsibility (CRO, COO, CISO, or equivalent).

  • Define roles of procurement, business owners, and second/third lines of defence.

4. Applicable Standards and Regulatory References

  • List applicable frameworks (ISO 27001, ISO 22301, SOC 2, NIST).

  • Map to regulatory requirements (FCA/PRA SS2/21, DORA, OCC/FDIC guidance, sector-specific standards).

5. Risk Assessment and Tiering

  • Define criteria for classifying third parties (criticality, substitutability, access to sensitive data, financial dependency).

  • Outline how tiering determines due diligence depth and monitoring intensity.

6. Due Diligence Requirements

  • Baseline checks for all third parties (financial health, compliance history, sanctions).

  • Enhanced due diligence for high-risk/critical providers (site visits, penetration testing, independent assurance reports).

7. Contractual Requirements

  • Minimum mandatory clauses: service levels, audit rights, subcontracting restrictions, exit clauses, data protection, liability allocation.

  • Reference templates and standard wording.

8. Ongoing Monitoring

  • Frequency and type of monitoring by risk tier.

  • Use of assurance reports, certifications, continuous monitoring tools.

  • Requirement to document findings and escalate breaches.

9. Escalation and Issue Management

  • Define triggers (missed SLAs, data breaches, regulatory breaches, financial distress).

  • Describe escalation pathway from procurement to executive to board.

10. Exit and Termination

  • Require exit strategies for all critical providers.

  • Mandate substitution planning and resilience testing.

11. Training and Awareness

  • Commit to periodic training for procurement teams, business owners, and oversight functions.

12. Policy Review and Approval

  • Annual or regulatory-triggered reviews.

  • Board approval required for updates.

Operational resilience is achieved when organisations integrate strategy, governance, and culture into a consistent framework. Boards and CROs that embed resilience into daily operations demonstrate strength, adaptability, and confidence to stakeholders.





Measuring and Assuring Third-Party Risk


A third-party risk management policy is only credible if it can be measured and assured. Boards and regulators expect evidence that controls are working in practice, not just documented on paper. This requires clear metrics, structured assurance, and transparent reporting.


Key Risk Indicators (KRIs)

Organisations should establish a set of KRIs that provide early warning of third-party issues. Common examples include:

  • Percentage of critical suppliers with up-to-date due diligence completed.

  • Frequency of service-level agreement (SLA) breaches.

  • Number of unresolved audit findings or overdue remediation actions.

  • Financial health or credit rating downgrades of key suppliers.

  • Incidents of data breaches or cyber alerts linked to vendors.

These indicators should be aligned with the organisation’s risk appetite thresholds, so that breaches automatically trigger escalation.
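As an added illustration that is not part of the article, the Python sketch below applies the Step 4 tiering criteria (data access, substitutability, financial dependency, regulatory impact) to fix the depth of due diligence, then scores the KRIs listed above against appetite thresholds and routes any breach to the escalation level that matches the supplier's tier. The scoring weights, thresholds, control lists and escalation routes are assumptions chosen for the example, not the article's prescriptions.

```python
from dataclasses import dataclass

# Proportionate controls by tier (assumed mapping, following Step 4 of the article).
CONTROLS = {
    "critical": ["enhanced due diligence", "audit rights", "resilience testing",
                 "exit and substitution plan", "board reporting"],
    "high": ["enhanced due diligence", "audit rights", "annual assurance review"],
    "standard": ["baseline checks", "annual certification check"],
    "low": ["baseline checks"],
}

# Escalation route by (tier, KRI status); no entry means routine monitoring only.
ESCALATION = {
    ("critical", "red"): "board", ("critical", "amber"): "executive",
    ("high", "red"): "executive", ("high", "amber"): "procurement",
    ("standard", "red"): "procurement", ("low", "red"): "procurement",
}

@dataclass
class ThirdParty:
    name: str
    sensitive_data_access: bool   # handles customer or regulated data
    substitutable: bool           # replaceable within impact tolerance
    dependency_share: float       # share of critical service delivery, 0.0 to 1.0
    regulatory_impact: bool       # failure would breach a regulatory obligation

@dataclass
class KRI:
    name: str
    value: float
    amber: float                  # appetite warning threshold
    red: float                    # appetite breach threshold
    higher_is_worse: bool = True  # False for e.g. "% of due diligence current"

def criticality_score(tp: ThirdParty) -> int:
    """Weighted score over the article's four tiering criteria (weights assumed)."""
    score = 3 if tp.sensitive_data_access else 0
    score += 0 if tp.substitutable else 3
    score += 2 if tp.dependency_share >= 0.20 else 1 if tp.dependency_share >= 0.05 else 0
    score += 2 if tp.regulatory_impact else 0
    return score

def classify(tp: ThirdParty) -> str:
    """Map the score onto a tier; the tier fixes due diligence depth (see CONTROLS)."""
    s = criticality_score(tp)
    return "critical" if s >= 8 else "high" if s >= 5 else "standard" if s >= 2 else "low"

def kri_status(k: KRI) -> str:
    """RAG status against appetite thresholds, in whichever direction is 'worse'."""
    worse = (lambda v, t: v >= t) if k.higher_is_worse else (lambda v, t: v <= t)
    return "red" if worse(k.value, k.red) else "amber" if worse(k.value, k.amber) else "green"

def escalations(tp: ThirdParty, kris: list) -> list:
    """(KRI name, status, escalate-to) for each KRI outside appetite for this tier."""
    tier = classify(tp)
    return [(k.name, s, ESCALATION[(tier, s)])
            for k in kris for s in [kri_status(k)] if (tier, s) in ESCALATION]

if __name__ == "__main__":
    # Constructed sample: the article's critical cloud provider with two KRIs.
    cloud = ThirdParty("CloudHost (constructed)", True, False, 0.40, True)
    kris = [KRI("SLA breaches per quarter", 4, amber=2, red=3),
            KRI("% due diligence current", 95, amber=90, red=80, higher_is_worse=False)]
    print(classify(cloud), CONTROLS[classify(cloud)], escalations(cloud, kris))
```

The same KRI breach lands at the board for a critical provider but stays with procurement for a low-tier supplier, which is how tiering ties oversight intensity to appetite.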


Assurance Mechanisms

Assurance goes beyond internal monitoring. Organisations should embed multiple layers of independent validation, including:

  • External assurance reports (SOC 1/SOC 2, ISO certifications, penetration testing).

  • Internal audit reviews of the third-party risk management framework and critical suppliers.

  • Board oversight through regular reporting, dashboards, and scenario testing.

For regulators, assurance is the test of whether oversight is meaningful. They will expect evidence that firms do not simply collect assurance reports, but review them critically and act on deficiencies.


Stress Testing and Scenario Analysis

For critical vendors and outsourcing arrangements, assurance should extend to resilience testing. This can include:

  • Simulating the sudden loss of a critical vendor.

  • Testing the effectiveness of exit and substitution plans.

  • Running cyber incident or data breach scenarios linked to third parties.

  • Assessing the impact of supplier insolvency or geopolitical disruption.

Stress tests provide boards with visibility of systemic dependencies and give regulators confidence that exit planning is not theoretical.


The Procurement Dimension

Procurement plays a frontline role in assurance by monitoring contract compliance, tracking supplier performance, and escalating issues. A policy-backed framework ensures procurement metrics (e.g., due diligence completion rates, supplier breaches) are incorporated into enterprise risk reporting rather than remaining siloed.


Sector Applications

  • Asset managers (UK/EU): Regulators (FCA, ESMA) require evidence of oversight of custodians, administrators, and index providers, including substitution testing, NAV error tracking, and operational resilience assessments.

  • Banks (US/EU): OCC, FDIC, and ECB guidance requires independent validation of outsourcing and cloud providers. Assurance often includes stress testing reliance on a handful of hyperscale cloud vendors.

  • Energy providers (global): Assurance focuses on critical infrastructure vendors and contractors, often tied to national security, environmental standards, and grid stability. In the US, NERC CIP standards apply; in the EU, NIS2 sets the bar.

  • Healthcare and life sciences (US/EU): Vendor oversight extends to HIPAA/GDPR compliance, pharmaceutical supply chains, and medical device safety testing. Independent validation of clinical trial and data providers is mandatory.

  • Manufacturing (Asia/EU): Assurance must track quality, ESG, and labour standards across extended supply chains, often in high-risk geographies. ISO 9001, ISO 28000, and supplier audit programmes are common.

  • Technology providers (global): Continuous monitoring of SaaS, cloud, and AI vendors is now expected. SOC 2, ISO 27001, and ISO 27701 are baseline assurance standards.

  • Charities and NGOs (UK/international): Donors and regulators require evidence of safeguarding, financial controls, and AML/CTF compliance among local delivery partners, especially in higher-risk jurisdictions.


Cultural and Behavioural Dimensions of Third-Party Risk Management


Third-party risk management is not just a technical or contractual exercise. Its effectiveness depends on the behaviours, incentives, and culture of the organisation. Even with the strongest policy in place, risks can be missed if people are reluctant to escalate issues, procurement is pressured to prioritise cost over control, or suppliers are not held to account consistently.


The Role of Organisational Culture

A culture that values transparency and accountability ensures third-party risks are surfaced early. Staff must feel safe to raise concerns about vendors or delivery partners without fear of blame or commercial pushback. Boards and executives set the tone by rewarding proactive identification of supplier issues rather than punishing “bad news.”


Incentives and Conflicts of Interest

Conflicts often arise when cost savings or speed of delivery are prioritised over resilience. Procurement teams may be pressured to onboard vendors quickly, while business lines may push for the cheapest supplier regardless of due diligence outcomes. A strong culture aligns incentives with risk appetite, ensuring that long-term resilience and compliance are valued as much as price or speed.


Escalation and Psychological Safety

Escalation pathways only work if staff feel empowered to use them. In some organisations, raising concerns about a major supplier can be seen as disruptive or career-limiting. Embedding psychological safety into culture — where staff know their concerns will be taken seriously — is critical to ensuring third-party risks are escalated in time to prevent incidents.

The Risk Within provides a roadmap for embedding psychological safety into risk management. It identifies critical touch points across the risk lifecycle and offers clear actions to align leadership, culture, and governance. It is designed to help risk functions integrate more deeply into the business and strengthen decision-making at every level. 

Supplier Relationship Management

Culture also extends beyond the organisation. How companies engage with suppliers shapes behaviour. If vendors see that issues will be met with constructive problem-solving rather than punitive measures, they are more likely to be transparent about weaknesses. Conversely, a blame-heavy approach can encourage concealment and late disclosure of problems.


Future Trends: The Next Frontier of Third-Party Risk Management


Third-party risk management is no longer just about compliance with today’s standards. The external environment is shifting rapidly, and boards need to prepare for the challenges that will shape oversight in the years ahead. Five trends stand out as priorities for organisations seeking to build resilience and maintain stakeholder trust.


1. AI, Automation, and Data Sovereignty

AI-driven monitoring tools are transforming how vendors are assessed, from cyber posture to financial health. The opportunity is speed and scale; the challenge is over-reliance on algorithms, bias in models, and emerging rules on data sovereignty and AI governance.


2. Systemic Dependencies and Concentration Risk

Reliance on a small number of global providers — cloud platforms, custodians, market operators — creates exposures that cannot easily be substituted. Regulators are moving toward sector-wide resilience testing, and boards must treat concentration risk as a strategic issue, not just an operational one.


3. ESG and Responsible Sourcing

ESG expectations are hardening into regulation. From renewable energy firms embedding climate and human rights audits in supply chains, to asset managers scrutinising benchmark providers, responsible sourcing is now a condition for trust. The EU’s supply chain due diligence rules highlight the direction of travel.


4. Integration into Resilience and Capital Planning

Advanced organisations are embedding third-party risk into ICAAP/ICARA, operational resilience frameworks, and impact tolerance metrics. This elevates oversight from process to strategy, linking vendor dependencies directly to recovery capacity, financial resilience, and board-level risk appetite.


5. Transparency and Stakeholder Trust

Stakeholders increasingly want visibility of how third-party risks are managed. Leading organisations are publishing resilience testing results, supplier audit outcomes, and ESG compliance metrics. Transparency shifts TPRM from a compliance exercise to a lever of stakeholder confidence and public trust.


Conclusion & Next Steps


Third-party, supplier, and vendor relationships have become core to how organisations operate and deliver value. With cloud providers, administrators, logistics partners, and delivery NGOs now embedded in the value chain, oversight of these relationships cannot be treated as compliance alone. A modern third-party risk management policy must anchor oversight in strategy and risk appetite, demonstrate accountability to regulators, and give procurement the clarity to act consistently.


The most effective organisations use their TPRM policy as a strategic filter: aligning scope with business priorities, applying tiering based on risk appetite, embedding standards into contracts, and testing resilience through scenario analysis. Assurance is not just collecting reports but demonstrating through metrics, monitoring, and independent validation that external dependencies are under control and strategically aligned.


Regulators across the UK, EU, US, and beyond are raising expectations, from FCA/PRA rules to DORA and new Bank of England policies on critical third parties. Stakeholders are demanding the same through ESG commitments and transparency. Boards that fail to respond risk blind spots, operational shocks, and reputational harm.


At the same time, forward-looking organisations are already adapting to the next frontier: AI-enabled monitoring, ESG due diligence, systemic dependency testing, integration into capital planning, and transparency as a source of trust. These trends show that third-party oversight is not simply a defensive shield but a strategic capability.


The imperative is clear: now is the time to review your third-party risk management policy, test its alignment with strategy and risk appetite, and ensure it reflects both regulatory requirements and the realities of your operating model. The organisations that succeed will not just protect themselves from vendor failures; they will build resilience, enable innovation, and strengthen trust with regulators, investors, and stakeholders.


About the Author: Julien Haye


Managing Director of Aevitium LTD and former Chief Risk Officer with over 26 years of experience in global financial services and non-profit organisations. Known for his pragmatic, people-first approach, Julien specialises in transforming risk and compliance into strategic enablers. He is the author of The Risk Within: Cultivating Psychological Safety for Strategic Decision-Making and hosts the RiskMasters podcast, where he shares insights from risk leaders and change makers.


