Practice paper

Third Party Ecosystem Risk Management

A practical guide to strengthening third party risk management and building resilience across your organisation

Service

ORX Membership

Community

Risk & Resilience Community

Risk programme

Management, practice & framework

Sections

Practice paper - September 2025

Third party ecosystem risk has been flagged as an increasing material risk and of growing strategic importance.

Over the last five years, we've seen:

A growing industry reliance on an ecosystem of third parties to deliver digital transformation at scale and speed (see our strategic vision paper)
An increased regulatory focus on third party risk management (TPRM) and operational resilience in most jurisdictions
A turbulent and uncertain geopolitical landscape is adding uncertainty, e.g. around supply chain cyberattacks

As a result, we are consistently seeing third party risk rank as a top concern in our Top Risk Reviews of material risks.

This study summarises key findings from the initial phase of the ORX Third Party Ecosystem Risk Initiative. Launched at the start of 2025, this initiative enables our members to share practices, highlight challenges, understand potential best practice solutions, and explore future benchmarking opportunities.

What's included in the report?

An overview of headline findings, including TPRM leading practices
Insight into three key areas of challenge, including what evolving practice looks like for each:
1. Concentration risk
2. Monitoring and control of third party risk
3. Fourth and nth party risk monitoring and management

The full report also includes accompanying appendices with supporting information for each of these sections.

How you can use the results

Benchmark against your TPRM practices, helping you see how mature your practices are and identifying areas for improvement
Understand the industry direction of travel

The ORX Third Party Ecosystem Risk Initiative will continue throughout H2 2025 and will be steered by the TPRM member focus group. Individuals registered for the initiative will be invited to join roundtable discussions to discuss further challenges and possible solutions. The following activities are planned:

TPRM processes and activities

We are in the process of developing level 2 TPRM process steps and level 3 activities to build on the process steps that have been defined so far. This work will be underpinned by input from the TPRM focus group
This work will provide a useful frame of reference for discussing TPRM practices when undertaking level 3 activities
Opportunities for benchmarking information such as TPRM roles and responsibilities and/or TPRM key controls will be explored as part of this process

Further roundtable discussions

We plan to hold additional Roundtable discussions in H2 2025 on further key areas of TPRM challenges and practices
We will continue to invite institutions to share their approaches to help support and facilitate discussion

A second TPRM practices paper

Roundtable and focus group discussions will inform a second TPRM practices paper which is currently scheduled for late 2025/early 2026

Disclaimer: ORX has prepared this resource with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this resource. ORX shall not be liable for any loss, expense, damage or claim arising from this resource. The content of this resource does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this resource except as expressly agreed in writing. ©ORX 2025