Compliance · 10 min read

Third-Party Risk Management (TPRM): Complete Guide 2026

Master third-party risk management (TPRM): DORA compliance, FCA expectations, vendor assessment, continuous monitoring and supplier due diligence guide for 2026.

James Whitfield, Head of Compliance


Third-party risk management (TPRM) is the structured process organisations use to identify, assess, monitor, and mitigate risks arising from their relationships with external vendors, suppliers, and service providers. 35.5% of data breaches originate from the supply chain, and regulators on both sides of the Atlantic are tightening requirements. In the UK, the FCA, PRA and Bank of England have published Critical Third Party (CTP) rules in Policy Statement PS24/16; across the EU, DORA has applied to financial entities since 17 January 2025. Organisations that treat TPRM as a point-in-time compliance exercise will struggle to satisfy a 2026 supervisory review.

This guide sets out what an effective TPRM programme looks like, how UK and EU regulatory frameworks define your obligations, and the practical steps to build a programme that satisfies both your board and your regulator.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.

What is third-party risk management in practice?

Third-party risk management (TPRM) covers the full lifecycle of every external relationship: pre-engagement due diligence, contractual protections, ongoing monitoring, and structured offboarding. It addresses risks far broader than cybersecurity alone.

The FCA's outsourcing guidance (FCA SYSC 8) makes clear that firms cannot delegate or contractually transfer their responsibility for managing third-party risks. The same principle is embedded in DORA Article 28 for EU financial entities.

TPRM risk categories span the full vendor lifecycle:

Risk category and examples:

  • Operational risk: service disruption, vendor insolvency, capacity failure.
  • Cyber and ICT risk: supply chain attack, data breach via vendor access.
  • Concentration risk: over-reliance on a single cloud hyperscaler or software provider.
  • Compliance risk: GDPR violations, sanctions breaches, AML gaps at the vendor.
  • Reputational risk: vendor misconduct affecting the organisation's brand.
  • Geopolitical risk: vendors operating in sanctioned or high-risk jurisdictions.

Regulatory framework: UK FCA and EU DORA requirements

FCA expectations in 2026

The FCA, PRA and Bank of England published the Critical Third Parties regime in Policy Statement PS24/16 (November 2024), which gives the three authorities powers to directly oversee systemic third-party providers. Under these rules, designated Critical Third Parties (CTPs) are subject to direct regulatory scrutiny, rather than being reached only indirectly through the firms they serve.

For financial firms, the FCA's key expectations are:

  • Mapping: Firms must maintain a full map of all Important Business Services (IBS), including every third-party dependency.
  • Non-delegability: Boards and senior managers retain accountability. They cannot outsource responsibility under the Senior Managers and Certification Regime (SM&CR).
  • Material TPA notifications: proposals consulted on in December 2024 would require banks, insurers, and complex FCA solo-regulated firms to notify regulators of material Third-Party Arrangements, whether or not they constitute outsourcing.
  • Continuous monitoring: Static annual assessments no longer satisfy FCA expectations. Real-time visibility into vendor risk posture is now the standard.

The FCA's operational resilience transition period ended on 31 March 2025. Since then, firms must be able to show that they can remain within their impact tolerances today, not just that they have documented them (FCA Operational Resilience guidance, January 2026).

EU DORA obligations for cross-border firms

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied to all EU financial entities since 17 January 2025. UK-based firms with EU subsidiaries, or firms providing services to EU financial entities, must understand its TPRM requirements:

  • ICT Register of Information: Maintain a comprehensive register of all contractual ICT arrangements (Article 28(3) DORA).
  • Pre-contract risk assessment: Mandatory due diligence before signing any contract covering critical or important functions.
  • Contractual minimum clauses: Article 30(2) DORA mandates provisions for every ICT contract (service descriptions, assistance during ICT incidents, cooperation with competent authorities, termination rights), and Article 30(3) adds requirements for critical or important functions: quantitative service levels, unrestricted audit and access rights, participation in threat-led penetration testing, and exit strategies. Note that the 4-hour deadline often quoted alongside DORA is the financial entity's own initial notification of a major ICT incident to its competent authority under Article 19 (within 4 hours of classifying the incident as major, and no later than 24 hours after detection); the contract must therefore oblige the provider to notify the firm quickly enough for it to meet that deadline.
  • Concentration risk management: Assess exposure to single providers, particularly non-EU hyperscalers.

The EBA's draft Guidelines on the sound management of third-party risk, consulted on in 2025, would extend the existing outsourcing framework to third-party arrangements more broadly, including non-ICT services, signalling that TPRM oversight will only deepen in the years ahead (Travers Smith analysis, EBA TPRM expansion).

Building a TPRM programme: the five core stages

Stage 1: Inventory and tiering

No TPRM programme can function without an accurate, up-to-date inventory of all third parties. Industry data shows organisations manage an average of 286 vendors (Whistic, 2025), yet only a fraction receive meaningful risk scrutiny.

Tiering categorises every vendor by potential impact:

  • Critical: Vendors supporting essential or important functions, with access to sensitive data or high operational dependency.
  • High: Significant impact if disrupted; limited data access.
  • Standard: Peripheral services; low operational impact.

Tier determines the depth of due diligence, assessment frequency, and contractual protections required.

Stage 2: Pre-engagement due diligence

Pre-contract due diligence for critical vendors must cover:

  • Financial stability (audited accounts, credit ratings, insurance coverage).
  • Security posture (ISO 27001, SOC 2 Type II, penetration testing results).
  • Regulatory compliance status (GDPR, sector-specific regulations).
  • Business continuity and disaster recovery capability.
  • References from regulated financial institutions.

CheckFile automates the collection and verification of vendor-supplied documents during this stage โ€” certifications, audited accounts, insurance certificates โ€” flagging missing or expired items automatically and reducing the manual burden on compliance teams.

Stage 3: Contractual protections

Critical vendor contracts must include the clauses specified in DORA Article 30(2) and 30(3) for EU-operating entities, and equivalent provisions expected under FCA SYSC 8 for UK entities. Minimum requirements include:

  • Precise service scope and performance standards.
  • Audit and inspection rights for the firm and its regulators.
  • Prompt incident notification by the vendor, with timelines set so the firm can meet its own regulatory reporting deadlines (DORA Article 19 major incident reporting for EU entities; FCA notification requirements for UK entities).
  • Portability provisions: the firm's data must be retrievable in a usable format.
  • Exit plan with documented timelines and transition support obligations.
  • Sub-outsourcing controls: the vendor cannot sub-contract critical functions without prior approval.

Stage 4: Continuous monitoring

70% of functional stakeholders lack visibility into third-party risks (Gartner, 2025). Continuous monitoring, not annual questionnaires, is what separates mature TPRM programmes from box-ticking exercises.

Effective ongoing monitoring includes:

  • Periodic re-assessments scaled to vendor criticality (quarterly for critical, annually for standard).
  • Real-time external security ratings (attack surface monitoring).
  • Financial health monitoring for critical vendors.
  • Tracking regulatory and geopolitical changes affecting vendors.
  • Automated alerting for contract expiry, certification lapse, and SLA breaches.

Using CheckFile's document monitoring features ensures your compliance team receives immediate alerts when a vendor's certificate of insurance, ISO certification, or regulatory licence approaches expiry.
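The cadence rules from Stage 1 and the alerting items from Stage 4 are mechanical enough to script. The following is an added example, not CheckFile code or anything from the original article: it scans a small vendor register for overdue reassessments (scaled to tier), expired or soon-to-expire documents, approaching contract end dates, and open trigger events that should force an out-of-cycle review. The register layout, the vendor names and dates, the 30-day warning window, and the 180-day cadence for the High tier (the article only fixes quarterly for Critical and annual for Standard) are all assumptions made for the example.

```python
"""Register scan for TPRM continuous monitoring (added example, not CheckFile code).

Tier cadences: quarterly for Critical and annual for Standard follow the article;
180 days for High is an assumption. The 30-day warning window is also assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Reassessment cadence in days, keyed by tier. An unknown tier raises KeyError on
# purpose: every vendor must carry a tiering decision before it can be monitored.
REASSESS_DAYS = {"Critical": 90, "High": 180, "Standard": 365}
EXPIRY_WARNING_DAYS = 30  # assumed: warn on anything expiring within a month


@dataclass
class Document:
    kind: str      # e.g. "ISO 27001", "SOC 2 Type II", "Insurance"
    expires: date


@dataclass
class Vendor:
    name: str
    tier: str
    last_assessed: date
    contract_ends: date
    documents: list[Document] = field(default_factory=list)
    # Open trigger events (major incident, financial distress, regulatory change)
    # that have not yet been closed out by a reassessment.
    trigger_events: list[str] = field(default_factory=list)


def review_vendor(v: Vendor, today: date) -> list[str]:
    """Return human-readable alerts for one vendor as of `today`."""
    alerts: list[str] = []
    cadence = REASSESS_DAYS[v.tier]
    due = v.last_assessed + timedelta(days=cadence)
    if today > due:
        alerts.append(f"{v.name}: reassessment overdue by {(today - due).days} days "
                      f"({v.tier} tier, every {cadence} days)")
    # Trigger events override the tier cadence: reassess now, whatever the tier.
    for ev in v.trigger_events:
        alerts.append(f"{v.name}: trigger event '{ev}' requires immediate reassessment")
    for d in v.documents:
        if d.expires < today:
            alerts.append(f"{v.name}: {d.kind} expired on {d.expires.isoformat()}")
        elif (d.expires - today).days <= EXPIRY_WARNING_DAYS:
            alerts.append(f"{v.name}: {d.kind} expires in {(d.expires - today).days} days")
    if (v.contract_ends - today).days <= EXPIRY_WARNING_DAYS:
        alerts.append(f"{v.name}: contract ends in {(v.contract_ends - today).days} days; "
                      f"confirm renewal or invoke exit plan")
    return alerts


def review_register(register: list[Vendor], today: date) -> list[str]:
    """Scan every vendor, Critical tier first so the worst exposure tops the report."""
    tier_order = list(REASSESS_DAYS)  # ["Critical", "High", "Standard"]
    alerts: list[str] = []
    for v in sorted(register, key=lambda x: tier_order.index(x.tier)):
        alerts.extend(review_vendor(v, today))
    return alerts


# Constructed sample register: fictional vendors and dates for demonstration only.
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_REGISTER = [
    Vendor("Catering C", "Standard", date(2025, 9, 1), date(2027, 1, 1),
           [Document("Insurance", date(2026, 12, 31))],
           trigger_events=["administrator appointed"]),
    Vendor("CloudHost A", "Critical", date(2025, 11, 15), date(2027, 6, 30),
           [Document("ISO 27001", date(2026, 3, 20)),
            Document("SOC 2 Type II", date(2026, 9, 30))]),
    Vendor("Payroll B", "High", date(2025, 6, 1), date(2026, 3, 15),
           [Document("Insurance", date(2026, 1, 31))]),
]

if __name__ == "__main__":
    for line in review_register(SAMPLE_REGISTER, SAMPLE_TODAY):
        print(line)
```

Run as a script, it lists six alerts for the constructed register: the Critical vendor's overdue quarterly review and its ISO 27001 certificate expiring within the window, the High-tier vendor's overdue review, lapsed insurance and imminent contract end, and the Standard vendor's open trigger event even though its annual cycle is not yet due. In practice the register would be loaded from the ICT Register of Information or a GRC platform rather than embedded inline, and the alert strings would feed a ticketing queue rather than stdout.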

Stage 5: Incident response and exit strategies

The FCA and DORA both require documented, tested exit strategies for critical vendors. This is not a theoretical exercise: FCA supervisors and DORA auditors will ask to see evidence that exit plans have been rehearsed.

An exit strategy should include:

  • Identified alternative providers or internalisation options.
  • Documented data migration and system transition steps.
  • Notice period provisions calibrated to transition complexity.
  • A full register of system dependencies and data flows.

Refer to our DORA compliance guide for the financial sector for detailed requirements on incident reporting timelines and testing obligations.

Common TPRM pain points โ€” and how practitioners address them

Forums in the compliance and risk management community, including r/compliance on Reddit, consistently surface the same operational challenges:

Challenge 1: Getting the right documentation from vendors. 48% of TPRM teams cite this as their top obstacle (ISACA, 2020, Vol. 3). Many vendors, particularly smaller ones, lack structured compliance programmes and struggle to produce the documentation required. Automated document collection platforms eliminate the back-and-forth email chains that consume compliance team capacity.

Challenge 2: Understaffing. 62% of risk and security leaders report their TPRM function is not sufficiently resourced, with teams managing an average of 33.6 vendors per risk professional. Automation is not optional at this ratio โ€” it is the only way to maintain programme quality.

Challenge 3: Executive buy-in. Only 40% of companies regularly report on third-party risk to their board. The business case is straightforward: the average cost of a data breach reached USD 4.88 million in 2024 (IBM Cost of a Data Breach Report 2024), and under DORA Article 35 a designated critical ICT third-party provider can be charged periodic penalty payments of up to 1% of its average daily worldwide turnover, applied daily for up to six months.

Challenge 4: Fourth-party risk. Your vendor's vendors introduce risks you have no direct visibility into. A mature TPRM programme addresses this by requiring vendors to impose equivalent standards on their own critical sub-contractors.

For a broader view of how TPRM fits into your organisation's governance framework, see our GRC guide.

TPRM programme checklist

A mature TPRM programme includes the following elements:

  • Written TPRM policy approved by the board.
  • Complete, up-to-date inventory of all third parties with criticality tier.
  • Tiered due diligence questionnaires scaled to risk level.
  • ICT Register of Information compliant with DORA Article 28.
  • Contracts for critical vendors including DORA Article 30(2) / FCA-equivalent clauses.
  • Documented continuous monitoring process.
  • Tested exit strategies for critical vendors.
  • Annual TPRM report presented to the board or risk committee.
  • Concentration risk map.
  • Incident response procedure for third-party-triggered events.

CheckFile supports the documentary evidence requirements of your TPRM programme, from initial vendor due diligence through to ongoing monitoring and audit readiness.

For more detail on building your compliance documentation programme, see our document compliance guide.

FAQ

What is third-party risk management (TPRM)?

TPRM is the structured process of identifying, assessing, and managing risks introduced by vendors, suppliers, and service providers. It covers operational, cyber, compliance, reputational, concentration, and geopolitical risks across the entire third-party lifecycle.

What is third-party risk management in banking?

In banking, TPRM is a regulatory requirement: in the UK it is enforced by the FCA and PRA under SYSC 8, the operational resilience rules and the CTP regime; in the EU it is enforced by national competent authorities under DORA. Banks must maintain registers of all ICT arrangements, conduct due diligence before engaging critical vendors, include mandatory contractual protections, and demonstrate continuous monitoring. Board-level accountability is non-negotiable under SM&CR.

What is a third-party risk management framework?

A TPRM framework is the governance structure (policy, process, tools, and responsibilities) within which the organisation identifies and manages third-party risks. A mature framework covers all five lifecycle stages: inventory and tiering, pre-engagement due diligence, contractual protections, ongoing monitoring, and exit strategy.

How often should vendor risk assessments be conducted?

Assessment frequency should be proportionate to vendor criticality. Critical vendors supporting important business services typically require quarterly reviews and continuous external monitoring. Standard vendors may be assessed annually. Trigger events (major incidents, financial distress, regulatory changes) should prompt immediate reassessment regardless of tier.

What are the penalties for failing to manage third-party risk under DORA?

For financial entities, DORA is enforced by the national competent authority of the EU member state in which the entity is authorised; the FCA is not a DORA competent authority, and UK-authorised firms fall within DORA only through EU-established entities or because they provide ICT services to EU financial entities. For designated critical ICT third-party providers, the ESAs can impose periodic penalty payments of up to 1% of average daily worldwide turnover, applied daily for up to six months, until compliance is restored (Article 35 DORA).
