Third party risk management (TPRM) is a strategic priority for boards and senior executives. As outsourcing and supplier diversification accelerate, so does the complexity of managing third party and downstream risks.
Drawing on data and insights from an initiative run with over 60 ORX member firms, this article explores headline findings from our recent TPRM practice paper (available to all ORX members) and provides seven practical steps to help improve TPRM practice.
Headlines from the ORX TPRM initiative
TPRM is a priority for financial firms
TPRM is a strategic priority and a significant risk management concern across financial services. Our initiative shows that boards and senior management are embedding TPRM into business strategy, focusing especially on outsourcing, supplier diversification, and concentration risk.
Most financial firms have dedicated TPRM functions
Three-quarters of organisations surveyed have a dedicated TPRM function, which sits in either the first or second line of defence. A third of respondents have set up their function in the last three years, and two-thirds have increased their TPRM resources in the past two or three years. These teams are sometimes clustered with related functions such as operational resilience and business continuity risk to enable better coordination.
Concentration risk management is a priority focus
While identification of third-party concentration risk has improved, most firms want to enhance their practice. This is especially true for the measurement and management of downstream (fourth/nth party) risk.
Fourth and nth party risk management is challenging
Most organisations rely on third parties to disclose and manage fourth and nth parties. But getting assurance that downstream suppliers are being managed effectively is difficult. Some address this by clarifying contractual responsibilities for monitoring and control.
Seven steps to improve your TPRM practice
Based on our study, here are seven steps you can take to improve your TPRM practice and drive alignment with the operational and non-financial risk framework. ORX members can download the TPRM practice paper to read more detail and explore our findings in full.
1. Incorporate TPRM into business strategy development
Examples of this include:
- Setting the overall outsourcing strategy: Define which processes and services should be outsourced vs. retained in house
- Setting a strategy for concentration risk: Determine where offshore services can be located, considering factors such as concentration of operations and geopolitical risk exposure
- Setting a strategy for the supplier mix: Choose whether to diversify third parties to reduce concentration risk or rationalise the supplier base to improve operational efficiency
2. Standardise and optimise the TPRM approach across the organisation
Make sure the importance of a consistent approach is understood by key stakeholders. This is particularly important given the transversal nature of third party risk. Two ways of doing this are:
- Ensure processes and practices, e.g. contract negotiation, are consistent and rationalised where possible
- Use automation and AI to support operational efficiencies
3. Develop robust TPRM data and a single system of record
Ensure TPRM data can be linked to operational and non-financial risk and control information (e.g. supplier performance data). You should also develop the ability to pivot between different vertical and horizontal views (e.g. from business line to end-to-end process).
4. Apply a risk-based approach across the TPRM process
Develop a risk-based approach to focus on what is material.
5. Build control, testing and reporting requirements into contracts with material suppliers
Consider direct and/or indirect testing requirements. You should also consider stipulating third parties’ responsibilities around monitoring and reporting on fourth-party risk exposure/events.
6. Measure and manage exposure to fourth and nth party risk
For a more complete picture, build greater visibility of material downstream supplier risk exposure (typically via third parties). Develop risk indicators to measure concentration risk and to set and monitor concentration risk appetite.
7. Deploy sufficient resource in the business
Review resource requirements to meet the growing regulatory and other stakeholder demands to move TPRM practice up the maturity curve.
Find out more
Read the practice paper
ORX members can access the paper to read more about the seven steps to improve TPRM and for more insights and information about TPRM practice. If you have any questions, please get in touch with us.
Join the initiative
Our Third Party Ecosystem Risk Initiative is continuing throughout 2025, and ORX members can still sign up to take part. We launched the project in response to a growing focus in the industry on operational resilience and third party risk management. Over 65 of our member firms have signed up so far. Through the initiative, our members can share knowledge and approaches and benchmark practice to support their risk management programmes. Visit the project webpage for the latest updates and to join the initiative.
Not an ORX member? Find out more about ORX Membership, or get in touch with us.