What counts as a third party? How are firms structuring their TPRM functions? Our Third Party Ecosystem Risk Initiative is helping to define and benchmark the evolving ecosystem of risk.
The ongoing transformation of financial services is leading to a greater reliance on an ecosystem of partners, as highlighted in last year's strategic vision paper. At the same time, third party and supply chain-related concerns rank among the most significant risks in recent ORX risk landscape studies (Top Risk Review H1 2025 and Operational Risk Horizon 2025).
In response to the growing importance of third-party risk management (TPRM), and requests from our members to look at this topic in more detail, we launched the Third Party Ecosystem Risk Initiative in Q1 2025. The initiative explores how financial services organisations manage third-party risk and will establish a structure to support future TPRM benchmarking activities.
This article provides a short update on current progress and some initial findings from the initiative. We'll publish a leading practices paper containing actionable insights on the topics in this article in Q3 2025.
Where are we now?
- Over 100 risk practitioners from 69 of our member firms have registered for the initiative
- 50 firms have submitted survey responses
- Three meetings with a focus group of second-line Heads of TPRM
- Six roundtable discussions held, featuring eight presentations from our members
- Practices paper on track for publication in Q3 2025
- Work is underway to set out level 2/3 TPRM process steps
Headlines
Third-party risk management: an evolving practice
A clear definition of third party is essential
Informed by our members' definitions, we have developed an inclusive definition for the purposes of this initiative:
“Any entity or individual that provides products and/or services to a financial services organisation. A third-party entity may include, but is not limited to, vendors, suppliers, outsourcers, agents, contractors, and may also include intra-group arrangements.”
ORX definition of a third party
Vertical and horizontal treatment of third party risk
Most institutions treat third-party risk as a risk category, although the level at which it's included in taxonomies varies (from level 1 to level 3). However, acknowledging the close interconnection and frequent intersections with other risk types, many are now also treating third party as a transversal risk driver or theme.
The emergence of dedicated third party risk management functions
Driven by the increased importance and priority of TPRM, we're seeing an emergence over recent years of dedicated TPRM functions in the second line of defence.
Third party risk management functions are growing in size, but not always fast enough to meet increased demand
Approximately two-thirds of institutions surveyed have seen their TPRM functions grow over the last two to three years. Nevertheless, a significant number (approximately 40%) continue to believe that the size of the TPRM function is not currently sufficient to meet growing demands.
Key challenges
Through the activities conducted as part of the initiative so far, a number of challenges related to TPRM have been identified. These include:
Identifying, assessing and managing concentration risk
Key types of concentration risk include:
- Single supplier concentration
- Geographical concentration, e.g. a high number of suppliers located in areas of geopolitical risk exposure
- Systemic concentration, e.g. payments provider
- Concentration by important business service/critical business process
- Reverse concentration, i.e. where a third party is financially dependent on the institution itself
Understanding and responding to fourth and nth party risk exposure
- Most firms are monitoring fourth-party risk arrangements, almost exclusively via their third parties
- Approximately 35% are also monitoring nth parties (again, via their third parties)
- Firms are not just reliant on their third parties to carry out effective monitoring but also to clearly communicate their findings and any associated issue management
Third party risk monitoring and control
- Typically, a risk-based approach to monitoring third parties is taken, meaning third parties that pose a material risk or resilience threat to the business are monitored more closely
- Some firms’ TPRM functions are working towards becoming providers of insight to business units, e.g. through providing real-time reporting dashboards that empower/enable them to manage third-party risk more effectively and dynamically.
Next steps
We'll publish the first TPRM practices paper in Q3 2025, providing our members with more in-depth insights from our activities so far (including more details on concentration risk, fourth and nth party risk and monitoring and control). Working with the TPRM focus group, we'll also develop TPRM level 2 processes and level 3 activities, which can be used as the basis for further benchmarking activity in H2 2025 and beyond.
We'll also hold more roundtable discussions on further key areas of TPRM challenges and practices and publish a second practices paper in late 2025/early 2026 (specific topics TBC).
Already an ORX member? It's not too late to join the Third Party Ecosystem Initiative!
The initiative is open to all ORX members and you can sign up on the project webpage if you'd like to be involved. You can also get in touch with us if you want to know more.
Not an ORX member?
If you'd like to know more about this initiative, please contact us or book a meeting with the team. If you're interested in becoming part of a global community of operational risk experts, you can also find out more about the benefits of ORX Membership on our website.
Related resources
- Insurance sector review of navigating third party risk management
- Third party risk management: Summary of LeadersConnect discussions
- Data Deep Dive on six significant loss events which demonstrates the serious potential impacts related to third-party relationships (available for firms that subscribe to ORX News)
- Supply Chain Risk Scenario Development Handbook (available for firms that subscribe to ORX Scenarios)
- Podcast: Third-party risks in major cyber events