Banker’s Guide to Third Party Risk Management: Strategic, Complex, and Liable

by Joan McGowan, December 6, 2016
Industry Trends
Global, North America


Celent has released a new report titled Banker’s Guide to Third-Party Risk Management: Strategic, Complex, and Liable, written by Joan McGowan, a Senior Analyst with Celent’s Banking practice.

Key Research Questions

Where does your bank fall on the TPRM maturity curve?
Why is rigorous vendor risk management so important?
What is the crux of rigorous third-party risk management?

Regulators continue to question the quality of third party risk management (TPRM) practices and are calling for more in-depth risk assessment, monitoring, and oversight of third parties. This is a big and expensive task. Banks should take advantage of their established risk management practices such as the Three Lines of Defense governance model and adapt operational risk management processes, controls, alerts, and escalation models to police critical and high-risk third party engagements.

Typically, banks manage third party risk on an ad hoc basis through individual business owners, responding to risks as they arise. This approach leaves banks vulnerable to cyberattacks, data breaches, and the ensuing liability. The foundation of a robust TPRM program is a centralized third party management system that enables the bank to identify and manage critical and high-risk active engagements. Such risks need to be identified, assessed, prioritized, monitored, and treated in the same way a bank treats its internal risks.

A bank’s book holds hundreds of relationships that are inactive or low risk and do not merit risk-based due diligence. An analysis carried out by Oliver Wyman calculates that the annual cost to US-based banks and their third parties for risk-based due diligence and assessments on new engagements is approximately $750 million.

“TPRM will remain a priority investment for the banking industry. Better risk management of the growing external ecosystem will raise the soundness and resiliency of a bank and lead to overall improved performance and competitiveness within the industry. Operating without a strategic TPRM practice will leave your bank in the hands of fate and the regulators,” McGowan said.

“Overall, banks are still early on in their TPRM maturity levels, and there is a long way to go before they achieve best-in-class practices. By stage four, full maturity, a bank’s TPRM program should resemble the practices of operational risk management and support the enterprisewide risk management strategy,” she added.

Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned operating unit of Marsh & McLennan Companies [NYSE: MMC].

Media Contacts

North America
Michele Pace
Tel: +1 212 345 1366

Europe (London)
Chris Williams
Tel: +44 (0)782 448 3336

Asia (Tokyo)
Yumi Nagaoka
Tel: +81 3 3500 3023

Table of Contents

Executive Summary
Key Research Questions
Complexities, Immaturities, Liabilities, and Consequences of Third Party Risks
Bank Relationships are Varied and Complex
Banks’ TPRM Practices Are Immature
Liabilities Can Break the Bank
Consequences of Poor TPRM Practice
TPRM Requires Strong Governance
TPRM Operating Models Observed in the Industry
Components of a Best Practice TPRM Program
Identification and Selection
Due Diligence and Onboarding
Negotiations and Contracts
Ongoing Monitoring
TPRM Technology Enablers
Path Forward
Leveraging Celent’s Expertise
Support for Financial Institutions
Support for Vendors
Related Celent Research

