Third-Party Risk Management (TPRM): Complete Guide
Master third-party risk management (TPRM) in Canada: OSFI Guideline B-10, FINTRAC expectations, vendor assessment

Third-party risk management (TPRM) is the structured process organisations use to identify, assess, monitor, and mitigate risks arising from their relationships with external vendors, suppliers, and service providers. By one industry estimate, 35.5% of data breaches originate from the supply chain, and regulators on both sides of the border are tightening requirements. In Canada, OSFI has published Guideline B-10 on Third-Party Risk Management for federally regulated financial institutions, and FINTRAC's compliance examination framework increasingly scrutinises outsourced compliance functions. Organisations that treat TPRM as a point-in-time compliance exercise will struggle to satisfy a supervisory review.
This guide sets out what an effective TPRM programme looks like, how Canadian regulatory frameworks define your obligations, and the practical steps to build a programme that satisfies both your board and your regulator.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
What is third-party risk management in practice?
TPRM covers the full lifecycle of every external relationship: pre-engagement due diligence, contractual protections, ongoing monitoring, and structured offboarding. It addresses risks far broader than cybersecurity alone.
OSFI's Guideline B-10 on Third-Party Risk Management makes clear that federally regulated financial institutions cannot delegate their accountability for managing third-party risks, regardless of the contractual arrangement. The guideline came into full effect on 1 May 2024.
TPRM risk categories span the full vendor lifecycle:
| Risk Category | Examples |
|---|---|
| Operational risk | Service disruption, vendor insolvency, capacity failure |
| Cyber and technology risk | Supply chain attack, data breach via vendor access |
| Concentration risk | Over-reliance on a single cloud provider or software vendor |
| Compliance risk | PIPEDA violations, sanctions breaches, AML gaps at the vendor |
| Reputational risk | Vendor misconduct affecting the organisation's brand |
| Geopolitical risk | Vendors operating in sanctioned or high-risk jurisdictions |
Regulatory framework: OSFI and Canadian requirements
OSFI Guideline B-10 (in effect since 2024)
OSFI published the final version of its Third-Party Risk Management Guideline (B-10) in April 2023, with full effect from 1 May 2024. It replaced the previous outsourcing guideline and significantly expanded the scope of third-party risk management expectations for federally regulated financial institutions (FRFIs).
Key requirements under B-10:
- Comprehensive scope: B-10 applies to all third-party arrangements, not just outsourcing, including technology providers, professional services firms, and sub-contractors
- Board accountability: the board of directors must approve the TPRM framework and receive regular reporting on material third-party risks
- Risk assessment: FRFIs must assess inherent risks before entering any material third-party arrangement, including concentration risk, technology risk, and compliance risk
- Contractual protections: mandatory contractual provisions including audit rights, performance standards, incident notification, data protection, and exit/transition requirements
- Ongoing monitoring: B-10 expects monitoring proportionate to the risk and criticality of each arrangement. A single static annual questionnaire is unlikely to meet that expectation for critical vendors; current visibility into their risk posture is the standard
- Sub-contracting controls: FRFIs must understand and manage risks from their third parties' own sub-contractors (fourth-party risk)
OSFI Guideline B-13: Technology and Cyber Risk
OSFI's Guideline B-13 establishes expectations for technology and cyber risk management, including risks arising from third-party technology providers. B-13 requires FRFIs to maintain a technology asset inventory that includes third-party-hosted assets and to include third-party technology arrangements in their incident management and business continuity plans.
FINTRAC compliance expectations
For reporting entities under the PCMLTFA, FINTRAC's compliance examination framework assesses whether outsourced compliance functions, such as transaction monitoring, client identification, or regulatory reporting, meet the same standards as if performed in-house (FINTRAC Compliance Guidance).
Provincial requirements
Provincial securities commissions (OSC, AMF, BCSC) impose additional vendor management expectations on registrants. Provincial privacy legislation, notably Quebec's Loi 25 (Law 25), requires privacy impact assessments for projects involving personal information, including before personal information is communicated outside Quebec, requires written contracts with service providers handling personal information, and imposes notification obligations for confidentiality incidents involving third parties.
Building a TPRM programme: the five core stages
Stage 1: Inventory and tiering
No TPRM programme can function without an accurate, up-to-date inventory of all third parties. Industry data shows organisations manage an average of 286 vendors, yet only a fraction receive meaningful risk scrutiny.
Tiering categorises every vendor by potential impact:
- Critical: vendors supporting essential business functions, with access to sensitive data or high operational dependency
- High: significant impact if disrupted; limited data access
- Standard: peripheral services; low operational impact
Stage 2: Pre-engagement due diligence
Pre-contract due diligence for critical vendors must cover:
- Financial stability (audited accounts, credit ratings, insurance coverage)
- Security posture (ISO 27001, SOC 2 Type II, penetration testing results)
- Regulatory compliance status (PIPEDA, PCMLTFA, provincial requirements)
- Business continuity and disaster recovery capability
- Data residency and cross-border transfer practices
CheckFile automates the collection and verification of vendor-supplied documents (certifications, audited accounts, insurance certificates), flagging missing or expired items automatically.
Stage 3: Contractual protections
Critical vendor contracts must include the provisions specified in OSFI Guideline B-10:
- Precise service scope and performance standards
- Audit and inspection rights for the institution and OSFI
- Incident notification requirements (aligned with B-13 expectations)
- Data protection and privacy provisions (PIPEDA and provincial equivalents)
- Portability provisions: the institution's data must be retrievable
- Exit plan with documented timelines and transition support
- Sub-contracting controls: the vendor cannot sub-contract material functions without prior approval
Stage 4: Continuous monitoring
70% of functional stakeholders lack visibility into third-party risks (Gartner, 2025). Continuous monitoring, not annual questionnaires, separates mature TPRM programmes from box-ticking exercises.
Effective ongoing monitoring includes:
- Periodic re-assessments scaled to vendor criticality (quarterly for critical, annually for standard)
- Real-time external security ratings
- Financial health monitoring for critical vendors
- Tracking regulatory and geopolitical changes affecting vendors
- Automated alerting for contract expiry, certification lapse, and SLA breaches
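The tiering criteria from Stage 1 and the monitoring cadence and expiry alerts listed above can be driven from a single vendor register. The script below is an added illustration, not part of the original guide or of any CheckFile product; the tier rules, the re-assessment intervals (90/180/365 days), the 60-day warning window, the hosting-provider field used for the concentration map, and the sample vendors are all assumptions constructed for the example.

```python
"""Vendor register checks: tiering, overdue re-assessments, document expiry, concentration.

Added example. Intervals, warning window and sample data are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed re-assessment cadence per tier (the guide suggests quarterly for critical,
# annual for standard; the 180-day value for "high" is an assumption).
REASSESSMENT_DAYS = {"critical": 90, "high": 180, "standard": 365}
# Assumed lead time for expiry alerts on certifications, insurance and licences.
EXPIRY_WARNING_DAYS = 60


@dataclass
class Vendor:
    name: str
    tier: str
    last_assessed: date
    hosting_provider: str | None = None          # underlying provider (fourth party)
    documents: dict[str, date] = field(default_factory=dict)  # document -> expiry


def assign_tier(essential_function: bool, sensitive_data: bool, high_dependency: bool) -> str:
    """Map the Stage 1 criteria onto a tier.

    Critical: supports an essential function AND (sensitive data OR high dependency).
    High: any one of the three factors applies.  Standard: none apply.
    The exact boolean combination is an assumption; adjust to your policy.
    """
    if essential_function and (sensitive_data or high_dependency):
        return "critical"
    if essential_function or sensitive_data or high_dependency:
        return "high"
    return "standard"


def overdue_reassessments(vendors: list[Vendor], today: date) -> list[str]:
    """Vendors whose last assessment is older than their tier's cadence allows."""
    return sorted(
        v.name for v in vendors
        if today - v.last_assessed > timedelta(days=REASSESSMENT_DAYS[v.tier])
    )


def expiring_documents(vendors: list[Vendor], today: date,
                       warn_days: int = EXPIRY_WARNING_DAYS) -> list[tuple[str, str, str]]:
    """(vendor, document, status) for documents already expired or inside the warning window."""
    alerts = []
    for v in vendors:
        for doc, expiry in v.documents.items():
            days_left = (expiry - today).days
            if days_left < 0:
                alerts.append((v.name, doc, "expired"))
            elif days_left <= warn_days:
                alerts.append((v.name, doc, f"expires in {days_left} days"))
    return sorted(alerts)


def concentration_map(vendors: list[Vendor]) -> dict[str, int]:
    """Count critical/high vendors per underlying hosting provider (concentration risk map)."""
    counts = Counter(
        v.hosting_provider for v in vendors
        if v.hosting_provider and v.tier in ("critical", "high")
    )
    return dict(counts)


# Constructed sample register; names, dates and providers are fictitious.
AS_OF = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Acme Cloud Hosting", "critical", date(2025, 1, 15), "CloudCo",
           {"SOC 2 Type II": date(2025, 7, 1), "Cyber insurance": date(2025, 5, 20)}),
    Vendor("PayFlow KYC", "critical", date(2025, 4, 1), "CloudCo",
           {"ISO 27001": date(2026, 3, 1)}),
    Vendor("HR Payroll SaaS", "high", date(2025, 2, 1), "OtherCloud",
           {"SOC 2 Type II": date(2025, 7, 29)}),
    Vendor("Office Supplies Co", "standard", date(2024, 3, 1)),
]

if __name__ == "__main__":
    print("Overdue re-assessments:", overdue_reassessments(SAMPLE_VENDORS, AS_OF))
    for alert in expiring_documents(SAMPLE_VENDORS, AS_OF):
        print("Document alert:", alert)
    print("Concentration map:", concentration_map(SAMPLE_VENDORS))
```

Running the script against the sample register flags the two vendors whose re-assessment is overdue for their tier, lists the lapsed insurance certificate and the two SOC 2 reports inside the warning window, and shows two critical vendors depending on the same hosting provider. In practice the register would be loaded from the inventory system and the alerts routed to the compliance team rather than printed.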
Using CheckFile's document monitoring features ensures your compliance team receives immediate alerts when a vendor's insurance, ISO certification, or regulatory licence approaches expiry.
Stage 5: Incident response and exit strategies
OSFI Guideline B-10 requires documented, tested exit strategies for critical third-party arrangements. OSFI supervisors will ask to see evidence that exit plans have been rehearsed.
An exit strategy should include:
- Identified alternative providers or internalisation options
- Documented data migration and system transition steps
- Notice period provisions calibrated to transition complexity
- A full register of system dependencies and data flows
Common TPRM pain points
Challenge 1: Getting the right documentation from vendors. Many vendors lack structured compliance programmes and struggle to produce the documentation required. Automated document collection platforms eliminate back-and-forth email chains.
Challenge 2: Understaffing. 62% of risk and security leaders report their TPRM function is not sufficiently resourced. Automation is the practical way to maintain programme quality at scale.
Challenge 3: Executive buy-in. The business case is straightforward: the average cost of a data breach reached USD 4.88 million in 2024 (IBM Cost of a Data Breach Report 2024).
Challenge 4: Fourth-party risk. Your vendor's vendors introduce risks you have no direct visibility into. A mature TPRM programme addresses this by requiring vendors to impose equivalent standards on their own critical sub-contractors.
For a broader view of how TPRM fits into your organisation's governance framework, see our GRC guide.
TPRM programme checklist
- Written TPRM policy approved by the board
- Complete, up-to-date inventory of all third parties with criticality tier
- Tiered due diligence questionnaires scaled to risk level
- Technology asset register including third-party-hosted assets (B-13)
- Contracts for critical vendors including B-10 required provisions
- Documented continuous monitoring process
- Tested exit strategies for critical vendors
- Annual TPRM report presented to the board or risk committee
- Concentration risk map
- Incident response procedure for third-party-triggered events
CheckFile supports the documentary evidence requirements of your TPRM programme, from initial vendor due diligence through to ongoing monitoring and audit readiness.
For a comprehensive overview, see our document compliance complete guide. Our platform processes over 180,000 compliance documents per month with 98.7% OCR accuracy and a 94.8% fraud detection rate, maintaining 99.97% availability.
FAQ
What is third-party risk management (TPRM)?
TPRM is the structured process of identifying, assessing, and managing risks introduced by vendors, suppliers, and service providers. It covers operational, cyber, compliance, reputational, concentration, and geopolitical risks across the entire third-party lifecycle.
What is third-party risk management in Canadian banking?
In Canadian banking, TPRM is a regulatory requirement enforced by OSFI under Guideline B-10. Federally regulated financial institutions must maintain inventories of all third-party arrangements, conduct risk assessments before engaging material vendors, include mandatory contractual protections, and demonstrate continuous monitoring. Board-level accountability is required.
What is a third-party risk management framework?
A TPRM framework is the governance structure (policy, process, tools, and responsibilities) within which the organisation manages third-party risks. A mature framework covers all five lifecycle stages: inventory and tiering, pre-engagement due diligence, contractual protections, ongoing monitoring, and exit strategy.
How often should vendor risk assessments be conducted?
Assessment frequency should be proportionate to vendor criticality. Critical vendors supporting essential business functions typically require quarterly reviews and continuous external monitoring. Standard vendors may be assessed annually. Trigger events (major incidents, financial distress, regulatory changes) should prompt immediate reassessment regardless of tier.
What are the penalties for failing to manage third-party risk under OSFI guidelines?
OSFI's guidelines are principles-based and do not prescribe fixed penalties. Shortcomings against B-10 are addressed through OSFI's supervisory framework and may result in heightened supervisory scrutiny, staged interventions, increased capital requirements, restrictions on activities, or other prudential measures. For FINTRAC reporting entities, failure to maintain adequate compliance when using third-party service providers can result in administrative monetary penalties under the PCMLTFA; the maximum per violation is set by regulation, scales with the seriousness of the violation, and is higher for entities than for individuals, and FINTRAC may publish the names of penalised entities.