Third Party Risk Management Practices

Reports - April 2026

Third party risk (also known as ecosytem risk) remains a challenge and priority for financial firms around the globe.

It's prominence is due to factors such as:

• A growing industry reliance on an ecosystem of third parties to deliver digital transformation at scale and speed
• An increased regulatory focus on third party risk management (TPRM) and operational resilience
• A turbulent geopolitical landscape adding uncertainty, e.g. around supply chain disruption and cyberattacks
• The dominant position of large third-party technology companies creating systemic concentration risk

To explore this important topic, we launched a project in 2025 to get a better understanding of how financial institutions are managing their third parties. This study involved 70 of our member firms, who took part in roundtables, discussions and benchmarking on TPRM to help us build a picture of current practice and how institutions could make improvements. From this project, we produced three main resources:

1. A practice report exploring concentration risk and the monitoring and management of third and fourth parties
2. A second practice report focused on managing systemic risk and maturing and optimising third party risk management
3. An industry overview report sharing the results of our TPRM benchmarking exercise looking at controls coverage, as well as roles and responsibilities across the TPRM process

These reports are available to all ORX members.

What is a 'third party'?

The need for clear definitions and standardisation applies to TPRM as it does to other areas of operational and non-financial risk. We agreed the following definition of ‘third party’ as part of the project.