
Third Party Risk in Operational Risk Management

$349.00
How you learn:
Self-paced • Lifetime updates
Who trusts this:
Trusted by professionals in 160+ countries
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
When you get access:
Course access is prepared after purchase and delivered via email
Your guarantee:
30-day money-back guarantee — no questions asked

This curriculum spans the full lifecycle of third-party risk management—from initial classification and due diligence to ongoing monitoring, incident response, and exit planning—with a scope and level of operational detail comparable to a multi-workshop advisory program embedded within a financial institution’s operational risk function.

Module 1: Defining Third-Party Risk within the Operational Risk Framework

  • Determine whether a vendor providing cloud-based HR software should be classified as critical, major, or minor based on data sensitivity and business impact.
  • Map third-party relationships to operational risk categories (e.g., technology, compliance, business continuity) to align with existing risk taxonomies.
  • Establish criteria for including joint ventures and outsourcing partners under third-party risk oversight versus strategic risk.
  • Decide whether internally developed systems using open-source components with external support fall under third-party risk policies.
  • Integrate third-party risk definitions into the firm’s Operational Risk Register with clear ownership and reporting lines.
  • Resolve conflicts between procurement’s vendor categorization and risk management’s risk-based classification.
  • Define thresholds for regulatory reporting of third-party incidents under operational risk event reporting standards.
  • Assess whether subsidiaries in foreign jurisdictions using local vendors require centralized or decentralized risk oversight.

Module 2: Regulatory and Compliance Landscape for Third Parties

  • Implement controls to meet FFIEC requirements for managing cloud service providers in financial institutions.
  • Adapt vendor due diligence processes to satisfy GDPR obligations for data processors outside the EEA.
  • Document supervisory expectations from central banks regarding outsourcing of core banking functions.
  • Align third-party risk assessments with SEC Regulation S-P for safeguarding customer records.
  • Respond to audit findings from regulators on inadequate oversight of payment processors.
  • Design evidence trails to demonstrate compliance with MAS TRM guidelines for financial firms in Singapore.
  • Coordinate with legal to update vendor contracts to include right-to-audit clauses required by OCC guidelines.
  • Classify vendors subject to heightened scrutiny under SR 13-19 (the Federal Reserve's 2013 outsourcing guidance, superseded in 2023 by the interagency third-party risk guidance issued as SR 23-4) based on activity, complexity, and concentration.

Module 3: Third-Party Risk Assessment Methodologies

  • Select and calibrate a risk scoring model that weights factors such as data access, financial stability, and geographic location.
  • Conduct on-site assessments for a payment gateway provider with access to cardholder data, including review of PCI DSS compliance.
  • Use threat intelligence feeds to adjust risk ratings for vendors exposed to active cyber campaigns.
  • Perform inherent vs. residual risk assessments for a cloud infrastructure provider after control remediation.
  • Standardize risk assessment templates across business units to ensure consistent scoring and avoid duplication.
  • Integrate findings from external assurance reports (e.g., SOC 2 Type II, paying attention to listed exceptions and to the complementary user entity controls the report assumes you operate) into the risk rating process.
  • Adjust risk scores dynamically based on vendor M&A activity that changes ownership or infrastructure location.
  • Validate self-reported vendor controls with independent verification for high-risk relationships.
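As an added example (not material from the course or its toolkit), the following Python sketches the scoring methodology these bullets describe: a weighted inherent score, a residual score after discounting self-reported control effectiveness by independently reported SOC 2 exceptions, a threat-intelligence uplift, a re-rating after an M&A-driven change in hosting location, and tiering into critical/major/minor. The factor weights, tier cut-offs, discount and uplift values are assumptions chosen for illustration, not a published standard, and the sample vendor data is constructed.

```python
"""Weighted vendor risk scoring: inherent score, residual score, and tier.

Added illustration for the Module 3 bullets; weights, thresholds, and discount
rules are assumptions, not a published standard.
"""
from dataclasses import dataclass

# Factor weights (assumption). Each factor is scored 1 (lowest risk) to 5 (highest).
WEIGHTS = {
    "data_access": 0.35,           # sensitivity of the data the vendor can reach
    "business_criticality": 0.30,  # impact if the service fails
    "financial_stability": 0.20,   # likelihood the vendor fails financially
    "geographic_location": 0.15,   # legal / geopolitical exposure of delivery locations
}

# Tier cut-offs on the 1..5 scale (assumption), checked from highest to lowest.
TIER_THRESHOLDS = [(4.0, "critical"), (2.5, "major"), (0.0, "minor")]

SOC2_EXCEPTION_DISCOUNT = 0.10  # assumption: each reported exception removes 10 points
THREAT_CAMPAIGN_UPLIFT = 1.0    # assumption: residual uplift while a campaign targets the vendor


@dataclass
class VendorAssessment:
    name: str
    factors: dict                  # factor name -> score 1..5
    control_effectiveness: float   # 0.0 (no controls) .. 1.0 (fully effective), as self-reported
    soc2_exceptions: int = 0       # exceptions noted in the latest SOC 2 report
    active_threat_campaign: bool = False  # set from threat intelligence feeds


def inherent_score(factors: dict, weights: dict = WEIGHTS) -> float:
    """Weighted average of factor scores before any controls are considered."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    missing = set(weights) - set(factors)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    for name in weights:
        if not 1 <= factors[name] <= 5:
            raise ValueError(f"{name} score {factors[name]} outside 1..5")
    return sum(weights[name] * factors[name] for name in weights)


def effective_controls(claimed: float, soc2_exceptions: int) -> float:
    """Discount self-reported control effectiveness by independent evidence."""
    if not 0.0 <= claimed <= 1.0:
        raise ValueError("control_effectiveness must be in 0..1")
    return max(0.0, claimed - SOC2_EXCEPTION_DISCOUNT * soc2_exceptions)


def residual_score(a: VendorAssessment) -> float:
    """Inherent risk remaining after verified controls, plus threat-intel uplift."""
    inherent = inherent_score(a.factors)
    residual = inherent * (1.0 - effective_controls(a.control_effectiveness, a.soc2_exceptions))
    if a.active_threat_campaign:
        residual = min(5.0, residual + THREAT_CAMPAIGN_UPLIFT)
    return residual


def tier(score: float) -> str:
    for threshold, name in TIER_THRESHOLDS:
        if score >= threshold:
            return name
    return TIER_THRESHOLDS[-1][1]


def rate_vendor(a: VendorAssessment) -> dict:
    """Report both scores: inherent drives due-diligence depth, residual drives monitoring."""
    inherent = inherent_score(a.factors)
    residual = residual_score(a)
    return {
        "vendor": a.name,
        "inherent": round(inherent, 2),
        "inherent_tier": tier(inherent),
        "residual": round(residual, 2),
        "residual_tier": tier(residual),
    }


if __name__ == "__main__":
    # Constructed sample: a cloud HR SaaS vendor holding employee PII.
    hr_saas = VendorAssessment(
        name="cloud-hr-saas",
        factors={"data_access": 5, "business_criticality": 4,
                 "financial_stability": 2, "geographic_location": 2},
        control_effectiveness=0.7,
        soc2_exceptions=2,
    )
    print(rate_vendor(hr_saas))            # inherent major, residual minor
    # Threat intelligence reports an active campaign against this vendor's platform.
    hr_saas.active_threat_campaign = True
    print(rate_vendor(hr_saas))            # residual uplifted to major
    # M&A: hosting moves to a higher-risk jurisdiction; re-rate with the updated factor.
    hr_saas.factors["geographic_location"] = 5
    print(rate_vendor(hr_saas))            # inherent now critical
```

The split between inherent and residual tiers is deliberate: the inherent tier decides how deep onboarding due diligence must go, while the residual tier (which the SOC 2 exceptions and threat-intelligence uplift move) decides monitoring intensity. Keeping the self-reported effectiveness figure separate from the discounted one preserves the evidence trail for why a rating changed.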

Module 4: Due Diligence and Onboarding Controls

  • Require penetration test results from a fintech partner integrating with core banking systems before go-live.
  • Verify financial health of a critical logistics vendor through credit reports and public filings.
  • Assess the cybersecurity maturity of a software development vendor using the CISA Cyber Resilience Review (CRR).
  • Conduct background checks on key personnel at a third party managing customer service operations.
  • Review incident response plans of a data center provider to ensure alignment with organizational RTO/RPO.
  • Validate business continuity testing results for a cloud email provider supporting mission-critical communication.
  • Negotiate inclusion of cybersecurity requirements in SLAs, including breach notification timelines and remediation obligations.
  • Document exceptions for onboarding a vendor with unresolved control gaps under a risk acceptance process.

Module 5: Contractual Risk Mitigation and SLA Management

  • Negotiate indemnification clauses for intellectual property infringement involving a third-party AI model provider.
  • Define measurable SLAs for uptime, incident response, and data availability with a SaaS tax compliance vendor.
  • Incorporate right-to-audit provisions for a managed security service provider with access to internal networks.
  • Enforce data localization requirements in contracts for a European customer support vendor.
  • Include change control procedures in contracts to prevent unauthorized infrastructure modifications by a hosting provider.
  • Structure termination clauses to ensure data extraction and transition support upon contract end.
  • Negotiate liability caps in contracts for vendors with access to sensitive personal data so that they reflect potential breach costs rather than defaulting to the contract value.
  • Require cyber insurance coverage from a payment processor and verify policy limits annually.

Module 6: Ongoing Monitoring and Key Risk Indicators

  • Deploy automated tools to monitor public breach disclosures and dark web mentions related to key vendors.
  • Track KRI trends such as increase in incident tickets from a core software vendor over three consecutive quarters.
  • Validate quarterly attestations from a cloud provider on control effectiveness and configuration changes.
  • Conduct surprise remote access log reviews for third parties with privileged access to internal systems.
  • Monitor financial distress signals (e.g., downgrades, layoff announcements) for a critical hardware supplier.
  • Review patch management reports from a managed service provider to confirm timely vulnerability remediation.
  • Trigger enhanced monitoring when a vendor's required assurance report (e.g., SOC 2) is late, carries a qualified or adverse opinion, or lists control exceptions.
  • Integrate vendor KPI performance data from procurement into the risk monitoring dashboard.
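As an added example (not part of the course material), the following Python shows how the KRIs listed in this module can be evaluated as rules over a vendor's monitoring data: a three-consecutive-quarter rise in incident tickets, a non-clean SOC 2 opinion or exceptions, financial distress signals, and public breach mentions, combined into a single monitoring level. The thresholds, field names, and the interpretation of "three consecutive quarters" as three successive quarter-over-quarter increases are assumptions; the sample observations are constructed.

```python
"""KRI rules for ongoing vendor monitoring.

Added illustration for the Module 6 bullets; thresholds and field names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class VendorObservations:
    vendor: str
    incident_tickets_by_quarter: list = field(default_factory=list)  # oldest first
    soc2_opinion: str = "unqualified"   # "unqualified" | "qualified" | "adverse" | "missing"
    soc2_exceptions: int = 0            # exceptions listed in the latest report
    credit_downgrades_12m: int = 0      # rating downgrades in the last 12 months
    breach_mentions_30d: int = 0        # public breach / dark-web mentions from the feed
    privileged_access: bool = False     # vendor holds privileged access to internal systems


def consecutive_increases(series, n=3):
    """True when the last n quarter-over-quarter changes were all increases.

    Assumption: "three consecutive quarters" means three successive increases,
    so four data points are required; flat quarters break the streak.
    """
    if len(series) < n + 1:
        return False
    tail = series[-(n + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


LEVEL_ORDER = {"standard": 0, "enhanced": 1, "escalate": 2}


def evaluate_kris(obs: VendorObservations):
    """Return (monitoring_level, reasons). Levels: standard < enhanced < escalate."""
    triggers = []  # (level, reason)
    if consecutive_increases(obs.incident_tickets_by_quarter):
        triggers.append(("enhanced", "incident tickets rose three quarters in a row"))
    if obs.soc2_opinion != "unqualified":
        triggers.append(("enhanced", f"SOC 2 opinion is {obs.soc2_opinion}"))
    elif obs.soc2_exceptions > 0:
        triggers.append(("enhanced", f"{obs.soc2_exceptions} exception(s) in SOC 2 report"))
    if obs.credit_downgrades_12m >= 2:
        triggers.append(("escalate", "two or more credit downgrades in 12 months"))
    elif obs.credit_downgrades_12m == 1:
        triggers.append(("enhanced", "credit downgrade in last 12 months"))
    if obs.breach_mentions_30d > 0:
        # A breach at a vendor with privileged access goes straight to escalation.
        level = "escalate" if obs.privileged_access else "enhanced"
        triggers.append((level, f"{obs.breach_mentions_30d} breach mention(s) in last 30 days"))
    level = max((lvl for lvl, _ in triggers), key=LEVEL_ORDER.get, default="standard")
    return level, [reason for _, reason in triggers]


if __name__ == "__main__":
    # Constructed sample observations for two vendors.
    core_software = VendorObservations(
        vendor="core-software-vendor",
        incident_tickets_by_quarter=[10, 12, 15, 19],
        soc2_exceptions=1,
    )
    print(evaluate_kris(core_software))   # ('enhanced', [...two reasons...])
    msp = VendorObservations(
        vendor="managed-security-provider",
        incident_tickets_by_quarter=[4, 3, 5, 4],
        breach_mentions_30d=1,
        privileged_access=True,
    )
    print(evaluate_kris(msp))             # ('escalate', ['1 breach mention(s) in last 30 days'])
```

Keeping each rule's output as a (level, reason) pair rather than a bare score means the dashboard can show why a vendor moved to enhanced monitoring, which is what an examiner will ask for when reviewing the evidence trail.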

Module 7: Incident Response and Escalation Protocols

  • Activate incident response plan when a software vendor discloses a supply chain compromise affecting multiple clients.
  • Coordinate communication with legal and PR teams during a data breach involving a third-party processor.
  • Validate containment actions taken by a hosting provider during a DDoS attack on critical customer-facing systems.
  • Document root cause analysis from a vendor post-incident report and assess control gaps.
  • Escalate unresolved vulnerabilities in a third-party API to executive risk committee for risk acceptance.
  • Conduct joint tabletop exercises with a payment processor to test coordinated breach response.
  • Enforce contractual breach notification timelines and assess penalties for late reporting.
  • Update risk register and control framework based on lessons learned from a third-party ransomware event.

Module 8: Exit Strategies and Business Continuity Planning

  • Develop transition plans for terminating a core banking platform vendor with multi-year data migration requirements.
  • Validate data extraction formats and completeness from a departing CRM vendor to ensure business continuity.
  • Conduct readiness assessments for a backup vendor capable of assuming operations during a primary vendor failure.
  • Test failover procedures with a disaster recovery provider using a geographically separate data center.
  • Secure source code escrow for a proprietary trading algorithm hosted by a third-party platform.
  • Assess financial viability of a sole-source hardware vendor and identify alternative suppliers.
  • Document knowledge transfer requirements from a departing IT outsourcing partner to internal teams.
  • Review insurance coverage for business interruption caused by third-party service failure.

Module 9: Governance Structures and Accountability

  • Define RACI matrices for third-party oversight across risk, legal, procurement, and business units.
  • Establish a Third-Party Risk Committee with authority to approve high-risk onboarding and exceptions.
  • Assign risk owners for each critical vendor with accountability for ongoing monitoring and reporting.
  • Integrate third-party risk metrics into executive dashboards for board-level reporting.
  • Resolve conflicts between procurement’s cost-saving initiatives and risk’s control requirements.
  • Implement a centralized vendor inventory with lifecycle tracking from onboarding to offboarding.
  • Conduct quarterly governance meetings to review top vendor risks and remediation progress.
  • Enforce segregation of duties between vendor management and risk assessment functions to maintain independence.

Module 10: Emerging Risks and Technology Dependencies

  • Assess supply chain risks in open-source libraries used by a third-party application development vendor.
  • Evaluate concentration risk in reliance on a single cloud provider across multiple critical systems.
  • Monitor geopolitical risks affecting data centers in regions with unstable regulatory environments.
  • Review AI model transparency and bias testing procedures for a third-party credit scoring vendor.
  • Assess post-quantum readiness of the cryptography used by a long-term data archiving provider, since data retained for years is exposed to harvest-now, decrypt-later attacks against today's public-key algorithms.
  • Validate container security practices for a microservices vendor using Kubernetes in production.
  • Track regulatory developments on digital asset custody and apply controls to third-party wallet providers.
  • Implement controls for shadow IT vendors introduced by business units without formal approval.