What counts as a third party? How are firms structuring their TPRM functions? Our Third Party Ecosystem Risk Initiative is helping to define and benchmark the evolving ecosystem of risk.
The ongoing transformation of financial services is leading to a greater reliance on an ecosystem of partners, as highlighted in last year's strategic vision paper. At the same time, third party and supply chain-related concerns rank among the most significant risks in recent ORX risk landscape studies (Top Risk Review H1 2025 and Operational Risk Horizon 2025).
In response to the growing importance of third-party risk management (TPRM), and requests from our members to look at this topic in more detail, we launched the Third Party Ecosystem Risk Initiative in Q1 2025. The initiative explores how financial services organisations manage third-party risk and will establish a structure to support future TPRM benchmarking activities.
This article provides a short update on current progress and some initial findings from the initiative. We'll publish a leading practices paper containing actionable insights on the topics in this article in Q3 2025.
Headlines
Third-party risk management: an evolving practice
A clear definition of third party is essential
Informed by our members' definitions, we have developed an inclusive definition for the purposes of this initiative:
“Any entity or individual that provides products and/or services to a financial services organisation. A third-party entity may include, but is not limited to, vendors, suppliers, outsourcers, agents, contractors, and may also include intra-group arrangements.”
ORX definition of a third party
Vertical and horizontal treatment of third-party risk
Most institutions treat third-party risk as a risk category, although the level at which it's included in taxonomies varies (from level 1 to level 3). However, acknowledging the close interconnection and frequent intersections with other risk types, many are now also treating third party as a transversal risk driver or theme.
The emergence of dedicated third-party risk management functions
Driven by the increased importance and priority of TPRM, over recent years we have seen the emergence of dedicated TPRM functions in the second line of defence.
Third-party risk management functions are growing in size, but not always fast enough to meet increased demand
Approximately two-thirds of institutions surveyed have seen their TPRM functions grow over the last two to three years. Nevertheless, a significant number (approximately 40%) continue to believe that the size of the TPRM function is not currently sufficient to meet growing demands.
Key challenges
Through the activities conducted as part of the initiative so far, a number of challenges related to TPRM have been identified. These include:
Identifying, assessing and managing concentration risk
Key types of concentration risk include:
- Single supplier concentration
- Geographical concentration, e.g. a high number of suppliers located in areas of geopolitical risk exposure
- Systemic concentration, e.g. industry-wide reliance on the same payments provider
- Concentration by important business service/critical business process
- Reverse concentration, i.e. where a third party is financially dependent on the institution itself
Understanding and responding to fourth and nth party risk exposure
- Most firms are monitoring fourth-party arrangements, almost exclusively via their third parties
- Approximately 35% are also monitoring nth parties (again, via their third parties)
- Firms rely on their third parties not only to carry out effective monitoring but also to clearly communicate their findings and any associated issue management
Third-party risk monitoring and control
- Typically, a risk-based approach to monitoring third parties is taken, meaning third parties that pose a material risk or resilience threat to the business are monitored more closely
- Some firms’ TPRM functions are working towards becoming providers of insight to business units, e.g. by providing real-time reporting dashboards that enable them to manage third-party risk more effectively and dynamically
Next steps
As this research has progressed, these themes have been explored in greater depth through our full study of third-party ecosystem risk.
Many organisations are now focusing on strengthening visibility, improving data and monitoring capabilities and clarifying ownership across their third-party risk frameworks. Read our latest update on this research for more insights.