Third party risk management: Summary of LeadersConnect discussions

In recent years there has been a greater reliance on an ecosystem of partners and deeper more complex interconnectivity of processes. Third party is a top-rated risk by our members and a key contributing factor to other top risks – e.g. cyber. The use of Gen AI by third parties and recent geopolitical tensions has elevated this risk even further.

In March 2025, we brought together 43 risk leaders and third party risk professionals in small groups to share views on the progress made to date regarding third party risk management (TPRM) practices, key challenges and where we may go next. These discussions will help set the agenda for our work in this space in 2025, including what our vision is for the future of third party/ecosystem risk management. This blog summarises those discussions. 

Where are we now?

Establishment of TPRM functions, definitions and frameworks

Our members have made progress in recent years developing their TPRM capability, mostly through work to uplift frameworks, policies, and standards and efforts to set clear definitions of what is considered in scope for their TPRM. Establishing a clear definition is seen as an important step to clarify what is in scope of TPRM. Considerations include whether to include intra-group sourcing and 4th and Nth parties. Additionally, a number of firms have been refining their definitions and considering whether the same standards should apply to different types of third parties. There has been a trend of firms building out what were formerly procurement or supplier management responsibilities in the 1LOD focussed primarily on contracts and cost, into dedicated TPRM functions in the 2 LOD with a clear risk focus. Some firms have additionally established centralised teams, such as an executive TPRM committee or council to bring together key stakeholders and SMEs from across the company.