BCBS third-party risk principles: What you need to know

The Basel Committee on Banking Supervision (BCBS) has just issued its new “Principles for the Sound Management of Third‑Party Risk,” released in December 2025. The twelve principles update and expand on earlier outsourcing guidance from 2005, reflecting the evolution of a more diverse and complex third- and nth-party ecosystem. Their publication follows an earlier consultation carried out in July 2024. Here’s our initial reaction to this latest development.

What the principles cover

The principles cover the entire lifecycle of third-party relationships from initial risk assessment and due diligence through to termination. A key message is that firms are fully accountable for their outsourced or third-party services, and they must manage relationships effectively, e.g. through robust controls.

In practical terms, the guidance features expectations around:

  • Strong board governance and oversight of third-party arrangements
  • Comprehensive risk assessments and due diligence ahead of entering into new arrangements
  • Maintenance of up-to-date registers of all third-party service provider arrangements and key nth parties
  • Management and monitoring of suppliers’ performance and related risks on an ongoing basis (proportionate to the risks and criticality of the arrangement)
  • The use of clear and robust contracts as part of third and nth party risk management
  • Regularly tested and effective business continuity management to ensure the impact of disruption caused by third-party failures is minimised
  • Maintenance of exit plans for planned and unplanned termination of third-party arrangements

The document also sets out the role of supervisors in evaluating third-party risk management, understanding potential systemic risks and promoting coordination and dialogue across sectors and borders where relevant.

ORX’s feedback on the principles – a good baseline for effective third-party risk management

  • The principles offer a strong foundation for effective third-party risk management (TPRM), while also accommodating other/different regulatory requirements. This is a welcome step toward harmonising expectations across jurisdictions and reducing regulatory fragmentation.
  • The application of the principles is intended to be proportionate to the size, complexity, business model and risk profile of the institution itself as well as the risks and criticality of its third-party service providers. This helps firms prioritise resources and focus their efforts.
  • The guidance provides a clear link to operational resilience, acknowledging that disruptions often originate outside the immediate control of organisations themselves. By embedding resilience into third-party oversight, the principles recognise the close interconnection between third-party and resilience risk, promoting a more aligned approach.
  • The BCBS recognise that third-party oversight requires a multifaceted approach. This may involve the use of questionnaires, testing and audits as well as utilisation of data and tooling for ongoing monitoring.
  • The principles broadly reflect the direction of travel seen in the industry, as covered in our recent Third Party Risk Management practice paper. Current industry priorities around optimising robustness of supplier contracts, addressing concentration risk and managing downstream supply chain risks are all recognised within the principles.

Areas for further development in the BCBS principles

The principles do promote a good baseline approach. However, given discussions with our third-party risk management community, there are a few further areas the BCBS could consider:

  • How, in practice, relevant data, systems and reporting should interconnect to provide real-time insights into third-party performance and risk exposures, ultimately supporting broader risk management.
  • The recent ORX paper highlights that third-party risk often spans multiple regions or business areas in large or global institutions. The guidance could further emphasise the need for standardised and consistent management of third-party arrangements and risks across institutions.
  • While the guidance sets out how supervisors could monitor systemic risk and promote coordination and dialogue across sectors, the guidelines could address this significant challenge more fully by setting out expectations for:
    • How the industry should address systemic risk either individually or collectively
    • Supervisors to actively oversee systemic risk concerns

Our initiative on third-party risk management

As part of our ongoing Third Party Ecosystem Risk Management Initiative, we are currently undertaking two pieces of work:

  • A second practice paper, building on our previous output and exploring topics such as how firms are driving efficiencies in TPRM practice and exit strategies
    • This is expected in March/April
  • A benchmarking exercise, looking at roles and responsibilities as well as controls across key activities along the TPRM process/lifecycle
    • Headline findings will be incorporated in the paper mentioned above

ORX members get access to our Third Party Ecosystem Risk Management Initiative: