Alba Partners

The CxO Guide to Solving Third to Nth-Party Risk Management for Operational Resilience

Cascading Compliance Concerns

As financial institutions have strived to boost efficiency and reduce costs in recent times there has been an upsurge in reliance on third-party service providers. Gains in cost efficiency, scalability, customer experience, expertise and innovation have been undeniable. However, this reliance on third parties is now exposing these same financial institutions to heightened operational risks that will be the focus of regulatory scrutiny across the globe, in 2025 and beyond. 

Regulations and frameworks including the European Union’s Digital Operational Resilience Act (DORA), the Basel Committee’s Principles for Operational Resilience, UK PRA Operational Resilience, Australia’s CPS 230, and NIST2 have operational resilience at their core. They demand robust systems and processes to ensure operational continuity, safeguard data, and mitigate risks arising from third-party relationships. They also require both regulated financial institutions and their ICT service providers to evidence operational resilience to regulators in a complete and defensible form.

This white paper examines some of the third-party risk management (TPRM) challenges facing financial institutions. It highlights the questions accountable senior managers should be asking their Risk and Resilience teams and proposes actionable strategies to guide C-level executives in their quest to address them. It also explores the often-overlooked complexities of managing fourth to nth-party risks, offering insights into identifying and mitigating risks in these extended ecosystems.

Why Extend TPRM Across the Entire Supply Chain?

And Why Now?

The use of third-party service providers is nothing new. As society evolved over centuries, and specialisms developed, the use of dedicated third-party outsourcers escalated. Look no further than the local flour or sawmill, shipping companies and merchants, and now financial services providers – as industries, societies and consumer expectations have become more complex, so too have the frameworks for outsourcing and third-party management. 

The incidence of fourth to nth level suppliers is also not new and not limited to the financial services sector. You may recall the total collapse of supply chains when a single container ship became lodged in the Suez Canal in 2021, blocking the waterway that enables the flow of 12% of global trade for six days. News reports estimated damage costs of around US$1 billion and delays in almost US$60 billion worth of trade. But how many third parties had outsourced their transportation to the other 422 ships impacted by the resultant “traffic jam”? What was the concentration risk and how much visibility did organisations have with respect to this risk? Probably little to none.

Financial institutions have travelled the same journey of needing to manage increasingly complex outsourcing and third-party relationships. In their pursuit of reduced costs and enhanced efficiency, alongside an increasingly digital and interconnected operating environment, reliance on external third parties including cloud service operators, IT support vendors, and payment processors has become the norm. In many cases the significant operational efficiencies these relationships bring are countered by the introduction of new vulnerabilities. Cybersecurity threats, data breaches, service interruptions, and compliance failures in third-party ecosystems can have cascading impacts on financial institutions and their customers.

To address these risks, regulatory bodies worldwide are introducing frameworks like DORA, UK PRA Operational Resilience guidelines, APRA CPS 230 and NIST2, which place stringent requirements on financial institutions to manage third-party dependencies. These include:

  • Enhanced due diligence
  • Continuous monitoring of third-party performance
  • Incident reporting and testing of resilience capabilities

For the regulators, and most financial institutions, the focus is firmly on addressing the implications surrounding Important Business Services (IBS) and the critical third parties (CTPs) that support them. TPRM frameworks already exist and, when asked, most institutions are likely to consider themselves “largely” compliant with the incoming regulations.

However, the regulatory focus is now expanding to encompass fourth to nth-party risks, complicating compliance even further. Managing these layers effectively is critical for maintaining operational resilience. On the face of it, risk management of a fourth (or fifth or nth) provider is conceptually the same as that of a third party. However, the risk management challenges of the third party are inevitably inherited by those further down the supply chain – and new challenges emerge at each subsequent level. How to address these and other complications introduced by fourth to nth-party risk management is discussed in Section 4 of this paper. 

Examples of Operational Resilience Breaches in the Supply Chain

Numerous real-world incidents demonstrate why a robust TPRM framework is so important in maintaining operational resilience. Regulators have been right to call this out as a systemic risk. Some of the operational resilience breaches involving ICT suppliers to financial institutions, which highlight the risks posed by vulnerabilities in third-party services, include:

  1. Accellion: Their legacy File Transfer Appliance (FTA) faced zero-day vulnerabilities, allowing hackers to access sensitive data from multiple organisations, including financial institutions. The breach caused severe reputational damage due to delayed alerts and insufficient patching efforts.
  2. Blackbaud: A ransomware attack exposed customer data stored on Blackbaud’s cloud platform, affecting financial entities and other organisations globally. The breach highlighted risks associated with cloud-based ICT providers.
  3. SolarWinds: Hackers infiltrated the SolarWinds Orion platform in a high-profile supply chain attack, impacting government and private sector clients, including financial firms. The breach demonstrated how supplier vulnerabilities can have cascading effects.
  4. Okta: The identity management provider suffered a breach after attackers gained access through a third-party contractor. This raised concerns about vendor management, as compromised authentication services can directly affect operational resilience for financial institutions reliant on Okta’s services.
  5. CrowdStrike: In July 2024, CrowdStrike experienced a significant global IT outage caused by an update to its Falcon sensor configuration file. This update triggered a logic error that caused widespread disruption across systems using the software, particularly Windows devices. The issue caused operational failures in critical sectors, including airports, public safety systems, and financial institutions, with an estimated 8.5 million devices impacted globally. 

These incidents underscore the need for rigorous risk management across the entire supply chain, including regular audits, real-time monitoring, and robust incident response strategies. They highlight the interconnected nature of modern financial operations and the critical importance of operational resilience frameworks.

New Challenges in Third-Party Risk Management

Although most financial institutions already have TPRM frameworks in place, new threats continually emerge which, combined with a step change in operational resilience related regulations for 2025, are making day-to-day monitoring and management of critical third parties more challenging. 

  1. Expanding vendor ecosystem

Financial institutions are increasingly outsourcing critical functions, including IBS, leading to an extensive network of third-party providers. Managing risks across this growing ecosystem while maintaining visibility and control is a significant challenge.

  2. Regulatory compliance

Incoming frameworks emphasise stringent oversight of third-party relationships, including governance, risk management, and operational resilience testing. Institutions looking to unify their compliance efforts often face challenges aligning their TPRM frameworks with overlapping regulatory requirements, within and across jurisdictions.

  3. Cybersecurity threats

Third-party ICT service providers often become targets for cyberattacks due to their integration with financial institutions’ systems. Compromises in a vendor’s environment can cascade into the institution’s operations, exposing sensitive data and disrupting services.

  4. Dynamic risk landscape

The risk profiles of vendors can change rapidly due to factors like financial instability, mergers, or geopolitical influences. Keeping pace with these changes requires dynamic monitoring capabilities and access to live third-party data.

  5. Limited resources

Smaller financial institutions often lack the resources to invest in advanced tools and expert teams to manage the complexities of TPRM. They are less likely to have deployed TPRM systems in the past so the 2025 regulatory onslaught relating to third to nth-party risk management requires new investments in both technology and time to refine or create new TPRM frameworks. 


Key Strategies for Effective Third-Party Risk Management

Faced with these shared challenges, we see financial institutions adopting similar strategies to address and mitigate them. The key focus has largely been on ensuring the framework is “robust”. The emphasis on the word “robust” is deliberate, as it means different things at the various organisational levels of an institution.

For the C-Suite, the governance and information framework is key. Do they (for example) have access to the right information to make informed decisions? Can they have confidence in the controls surrounding critical third parties? Have they set an appropriate risk appetite for recovery time objectives (RTO) and Business Impact Assessment (BIA)?

As we travel down the organisation “robust” becomes more operational. Does the framework support due diligence? Does it allow for continuous monitoring? Does it generate appropriate management information for consumption by the C-suite?

In determining whether your TPRM framework is adequate from a regulatory and due diligence perspective accountable senior managers should be asking the following questions, and those responsible for operational resilience and TPRM should have answers:

  1. Have we established robust governance?
    • Board oversight: The board of directors or a dedicated risk committee should oversee third-party risk management.
    • Policy development: Comprehensive TPRM policies aligned with DORA and other regulatory frameworks must be established.
    • Risk ownership: Roles and responsibilities for managing third-party risks should be clearly defined.
  2. Is our due diligence comprehensive?
    • Register of information: Regulators expect financial institutions to maintain a comprehensive ‘Register of Information’ (ROI) containing detailed records of their third parties. This register is crucial for ensuring transparency, facilitating effective oversight, and enabling quick access to critical information to support compliance and risk management efforts.
    • Third-party intelligence: Complete information on financial stability, security measures, data protection capabilities, and compliance with regulatory requirements should be recorded.
    • Thorough onboarding checks: Standardised questionnaires and audits should be incorporated into the onboarding process.
    • Ongoing due diligence: Leveraging tools to assess vendors’ risk profiles dynamically ensures early identification of lapses in compliance status.
    • Offboarding plan: A comprehensive offboarding plan should be developed during the onboarding process of a third party, including identified risks and corresponding mitigation strategies. The specifics of the offboarding plan will vary depending on the type of service provided.
  3. Are we capable of continuous monitoring?
    • Real-time intelligence: Monitoring platforms that offer real-time insights into vendor performance, cybersecurity risks, and compliance status should be implemented.
    • Key risk indicators: KRIs should be established to ensure early detection and response to emerging risks.
    • Concentration risk: Financial institutions can assess and monitor concentration risks associated with common fourth parties by leveraging information provided by their third parties about their respective providers.
    • Sentiment analysis: By utilising sentiment analysis technology, financial institutions can scan online content to detect positive or negative news about a third party, enabling them to take proactive measures as needed.
  4. Are we taking steps to enhance cybersecurity resilience?
    • Third-party cybersecurity: Vendors within the supply chain should be required to adopt – and be able to evidence – robust cybersecurity measures such as encryption, multifactor authentication, and secure access controls.
    • Periodic testing: Periodic penetration tests and vulnerability assessments on third-party systems should be conducted to expose weaknesses.
    • Incident response testing: Vendors should be included in incident response drills to improve coordination and ensure regulatory deadlines can be met.
  5. Does the technology we have today enable effective and defensible TPRM?
    • TPRM technology adoption: TPRM software should be utilised for gap analysis, incident management and centralised management of vendor risks, contracts, and compliance metrics.
    • Artificial intelligence: AI and machine learning are well suited to identifying potential risks and predicting failures. TPRM is also an ideal use case for Generative AI, which can be utilised to analyse large numbers of lengthy contracts for compliance in a fraction of the time it would take humans.
    • TPRM managed services: TPRM-as-a-Service can be a viable option that reduces cost and time-to-value for firms with limited resources or expertise to develop and maintain an in-house system.

The answers to these questions will go a long way towards helping to assess how robust your TPRM framework is, how well it would stand up to scrutiny by auditors and regulators, and what changes are required.


New Challenges of Fourth to Nth-Party Risk Management

Never before have financial institutions had explicit regulatory obligations to monitor or report on fourth to nth-party risk management. Most firms have managed to get their head above water on risk management around third parties, but the prospect of needing to monitor risks at all levels in the supply chain is proving daunting for many.

The first consideration is that the risk management of fourth to nth parties needs to “fit in” to the framework designed for third parties because, as discussed previously, they inherit the same challenges. Worrying for many, however, are the added challenges associated with managing and monitoring fourth to nth party relationships, which also need to be addressed. 

These include:

  1. Limited visibility on who these nth-party suppliers are: Financial institutions often lack direct access to information about their vendors’ subcontractors.
  2. Limited visibility on the relationship between third and nth-party suppliers: Even if financial institutions know who the nth-party suppliers are, they cannot know what contractual arrangements exist between them.
  3. Increased vulnerabilities: Each additional layer of vendors increases the attack surface, making the ecosystem more susceptible to breaches.
  4. Regulatory expectations: Regulatory frameworks require institutions to ensure that their third parties manage subcontractors effectively, including conducting checks on data localisation and cross-border transfers, which adds to the complexity.
  5. Complex incident management: Coordinating incident responses across multiple layers of vendors can delay recovery efforts and exacerbate disruptions.
  6. Concentration: Deep-set concentrations among nth-party suppliers are hard to identify and manage, and they increase the institution’s exposure to external events and drivers.

Key Strategies for Effective Nth-Party Risk Management in the context of TPRM

Financial institutions are increasingly turning their attention to fourth to nth-party risk management. However, with the requirement to scrutinise and monitor nth parties so rigorously being relatively new, the strategies formulated to manage nth-party risk are embryonic and largely unproven. 

To be effective these strategies must enable financial institutions to:

  1. Identify fourth to nth parties: To mitigate risks effectively, institutions must first identify their extended vendor ecosystems.
  2. Map relationships: Use tools to map the entire supply chain, including subcontractors and downstream providers. Develop visual dependency maps to understand interconnections.
  3. Get vendor disclosures: Require third parties to disclose their subcontractors and any changes in their supply chain as part of contractual obligations.
  4. Categorise risks: Classify fourth to nth parties based on their criticality to operations, the sensitivity of data they handle, and the potential impact of a disruption.
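As an added illustration (not from the white paper), the Python below walks a constructed Register of Information from IBS through third parties to their disclosed fourth parties, flags the concentration risk described under continuous monitoring above, categorises each fourth party by the criticality it inherits, and shows where apparently diversified third parties all rest on the same subcontractor. All institution, IBS and vendor names are hypothetical.

```python
"""Added example (not from the white paper): mapping a Register of
Information (ROI) through third and fourth parties to surface
concentration risk. All IBS and vendor names are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    ibs: str           # Important Business Service supported
    criticality: int   # 1 (lowest) to 3 (highest), set by the institution's BIA
    third_party: str   # direct supplier recorded in the ROI
    fourth_party: str  # subcontractor the third party has disclosed


# Constructed register entries with hypothetical vendor names.
REGISTER = [
    Dependency("Payments", 3, "PayProc Ltd", "CloudHost A"),
    Dependency("Payments", 3, "PayProc Ltd", "KeyVault Co"),
    Dependency("Payments", 3, "BackupPay Inc", "CloudHost A"),
    Dependency("Card issuing", 3, "CardCore GmbH", "CloudHost A"),
    Dependency("Mortgage origination", 2, "DocFlow SA", "CloudHost B"),
    Dependency("Mortgage origination", 2, "DocFlow SA", "eSign Plc"),
    Dependency("Customer helpdesk", 1, "CallCo", "CloudHost B"),
]


def build_maps(register):
    """Map each fourth party to the third parties that rely on it and to
    the IBS it ultimately supports."""
    third_by_fourth = defaultdict(set)
    ibs_by_fourth = defaultdict(set)
    for d in register:
        third_by_fourth[d.fourth_party].add(d.third_party)
        ibs_by_fourth[d.fourth_party].add(d.ibs)
    return third_by_fourth, ibs_by_fourth


def inherited_criticality(register):
    """A fourth party inherits the highest criticality of any IBS it supports,
    however small its own contract looks."""
    crit = defaultdict(int)
    for d in register:
        crit[d.fourth_party] = max(crit[d.fourth_party], d.criticality)
    return dict(crit)


def concentration_report(register, min_ibs=2):
    """Flag fourth parties that underpin at least `min_ibs` distinct IBS, or
    that are reached through more than one third party (one provider hiding
    behind apparently diverse direct suppliers)."""
    third_by_fourth, ibs_by_fourth = build_maps(register)
    crit = inherited_criticality(register)
    report = []
    for fp in sorted(ibs_by_fourth):
        if len(ibs_by_fourth[fp]) >= min_ibs or len(third_by_fourth[fp]) > 1:
            report.append({
                "fourth_party": fp,
                "ibs": sorted(ibs_by_fourth[fp]),
                "via_third_parties": sorted(third_by_fourth[fp]),
                "inherited_criticality": crit[fp],
            })
    return report


def single_points_of_failure(register):
    """For each IBS served by two or more third parties, return the fourth
    parties that every one of those third parties depends on: diversifying
    third parties has bought no resilience against these providers."""
    fourths = defaultdict(lambda: defaultdict(set))
    for d in register:
        fourths[d.ibs][d.third_party].add(d.fourth_party)
    spof = {}
    for ibs, by_tp in fourths.items():
        if len(by_tp) < 2:
            continue
        common = set.intersection(*by_tp.values())
        if common:
            spof[ibs] = sorted(common)
    return spof


if __name__ == "__main__":
    for row in concentration_report(REGISTER):
        print(f"{row['fourth_party']}: supports {row['ibs']} via "
              f"{row['via_third_parties']} (criticality {row['inherited_criticality']})")
    print("Common fourth parties behind diversified IBS:", single_points_of_failure(REGISTER))
```

On the constructed register, both cloud hosts are flagged, and the Payments service turns out to rest entirely on CloudHost A despite having two direct suppliers.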

Framework Changes Required to Facilitate Fourth to Nth-Party Risk Management

Rather than beginning from nothing, the TPRM framework used to monitor third parties should be your start point. This framework will address the risk management challenges inherent in all layers of the supply chain, leaving more time and resources to focus on framework updates required to overcome the added challenges of fourth to nth-party risk management. 

TPRM framework changes may include: 

  1. Flow-down contractual obligations
    • Require third-party contracts to include provisions mandating that their subcontractors comply with the institution’s security, operational, and regulatory requirements.
    • Include penalties for non-compliance and require timely notification of subcontractor changes.
  2. Extended due diligence
    • Conduct due diligence on third parties’ subcontractor management processes.
    • Assess the robustness of their supply chain risk management practices and request evidence of compliance audits.
  3. Continuous monitoring
    • Leverage monitoring platforms that provide indirect visibility into the performance and risks associated with fourth to nth parties.
    • Implement automated alerts for changes in subcontractors’ risk profiles.
  4. Collaborative testing
    • Include fourth to nth parties in business continuity planning and testing exercises.
    • Engage critical subcontractors in cybersecurity and operational resilience drills.
  5. Collaborative training
    • Provide shared training programmes for all parties on regulatory updates and compliance practices.
  6. RegTech solutions
    • Use the kind of regulatory technology and artificial intelligence outlined in Section 3 to monitor compliance across extended ecosystems, ensuring alignment with regulatory frameworks.

While pre-existing TPRM frameworks will go some way towards helping firms to navigate fourth to nth-party risk management, new practices and specific measures will be required to account for nuances arising at various levels of the supply chain.

Metrics for Measuring TPRM Effectiveness

All TPRM Frameworks, including those that incorporate nth-party risk management, have the same goals and hence the same requirements to make them effective. 

It is important for financial institutions to put measures and reporting in place. In doing so they will be able to evidence to both accountable senior managers and regulatory authorities that their frameworks are delivering adequate protection and resilience to safeguard key stakeholders. These measures are also necessary to monitor progress over time. 

Metrics may include:

  1. Risk reduction
    Measure the percentage reduction in identified third to nth-party risks.
  2. Compliance rate
    Track the percentage of third parties and their subcontractors meeting contractual and regulatory requirements.
  3. Incident response time
    Assess the average time to detect, respond to, communicate and resolve incidents involving third to nth parties, and ensure these satisfy regulators’ expectations.
  4. Vendor stability
    Monitor the financial health and performance consistency of vendors and their subcontractors.
  5. Resilience testing results
    Evaluate improvements in recovery times and coordination during simulated disruptions.

Ongoing monitoring and analysis against a set of well-defined metrics will ensure your TPRM framework achieves its objectives, is improved over time, and meets the expectations of key stakeholders. 


The Vital Role of Technology in Mitigating Supply Chain Risk

Reliance on decades-old technology and spreadsheets is ineffective in managing the complexities of TPRM and operational resilience, which require holistic oversight and dynamic (not linear) process management. Modern technologies play a key role in providing regulatory intelligence and helping financial institutions address TPRM by enabling efficient risk identification, monitoring, and mitigation strategies. Key contributions include:

  1. Automation and streamlined assessments
  • Risk assessment tools: Automation of due diligence and risk assessments. Technology platforms can standardise questionnaires and integrate live data sources to assess vendor risks comprehensively.
  • Artificial Intelligence (AI) and Machine Learning (ML): These technologies analyse large datasets to identify patterns or potential vulnerabilities in third-party relationships, such as historical breach data or financial instability. They can also be used to read supplier contracts at high speed and identify potential risk and compliance anomalies.
  2. Continuous monitoring
  • Real-time alerts: Monitoring tools continuously track vendor cybersecurity postures and alert financial institutions to real-time threats such as compromised credentials or new vulnerabilities.
  • Performance metrics dashboards: Dashboards are used to monitor third-party KPIs (Key Performance Indicators) and SLAs (Service Level Agreements), ensuring vendors meet performance and security standards consistently.
  3. Enhanced regulatory compliance
  • Compliance automation: Technology supports compliance with regulatory frameworks by tracking regulatory changes and aligning third-party practices with them.
  • Document management: Automated solutions manage contracts, certifications, and audit trails, reducing the risk of non-compliance.
  4. Incident response and resilience
  • Simulation and testing tools: Platforms simulate third-party failure scenarios to assess potential impacts and refine contingency plans.
  • Resilience monitoring: Technology measures operational resilience by testing third-party systems against disruptions, ensuring critical services remain uninterrupted.
  5. Integrated risk platforms
  • Third-party risk portals: Integrated platforms offer a centralised view of all third-party relationships, risk scores, and associated documentation, enabling better decision-making. Role-based dashboards provide individuals at all levels of the organisation with a view of the actions that must be taken to preserve resilience and ensure compliance.
  • Cloud-based solutions: Cloud platforms offer scalable risk management tools that can adapt to changing vendor and regulatory landscapes, quickly and cost-effectively.
  6. Cybersecurity tools
  • Vulnerability scanning: Advanced tools find weak spots in third-party IT systems, reducing the likelihood of breaches impacting individual financial institutions.
  • Access control systems: Technologies like identity and access management (IAM) limit vendor access to sensitive internal systems, reducing exposure.

By leveraging these technologies, financial institutions enhance their ability to proactively manage risks, comply with regulatory standards, and build resilience against potential disruptions in their supplier ecosystems. 


The Light at the End of the TPRM Tunnel

Operational resilience is imperative. Not only because regulatory authorities have put it front and centre of the 2025 regulatory agenda, but because it is the only way to provide maximum protection for customers, minimise risk for your firm, and protect the financial sector as a whole. 

With global regulators set to hold financial institutions truly accountable for operational resilience in 2025, it is essential that firms act fast to evolve their TPRM frameworks to address both direct vendor risks and the complexities of extended ecosystems. 

By asking the questions posed in this paper and having TPRM teams that can provide adequate and defensible responses, accountable senior managers can gain assurance that risk within the supply chain is being managed appropriately. 

By leveraging technology, enhancing supply chain visibility, fostering a culture of risk awareness, and aligning with regulatory expectations, institutions can build robust systems to manage third and fourth to nth-party risks effectively.

Proactively addressing these challenges will not only ensure compliance, earn customer trust, and mitigate reputational risk, but also enhance operational resilience, which safeguards institutions against disruptions in an increasingly interconnected financial landscape.


Authors

Jeff Simmons, Risk Management & Compliance Lead, Alba Partners

Jeff is an accomplished leader with over 25 years’ experience in industry driving strategic risk management, regulatory compliance and governance initiatives. He provides expertise in developing and implementing effective financial strategies aligned with corporate goals, coupled with a track record of driving process improvements. 

Nicola Cowburn, RegTech Advisor, Gieom

A FinTech and RegTech marketing leader for more than two decades, Nicola works with technology providers and their financial services clients to build and deliver effective solutions for regulatory compliance and risk management. In addition to providing product development expertise and formulating successful go-to-market strategies for RegTech firms, Nicola is an Ambassador for The RegTech Association.



About Alba Partners

Alba Partners is a boutique consultancy specialising in change and transformation. With expertise spanning Financial Services and beyond, our proven track record in delivering high-impact projects for leading institutions sets us apart.

Founded in 2020, Alba Partners blends the agility and personalised service of a boutique team with the expertise and experience of a top-tier consultancy. Our Financial Services practice has supported clients in navigating some of the industry’s most complex challenges across the trade lifecycle, including Dodd-Frank, MiFID II, Brexit, IBOR Transition, Operational Resilience, and Basel III. Additionally, we have successfully managed numerous mergers, acquisitions, exits and divestments.

Headquartered in Edinburgh with key offices in London, Riyadh, Dubai, and Abu Dhabi, Alba Partners serves clients across Europe, the Middle East, and beyond. Our collaborative and flexible approach ensures that we deliver tailored solutions, aligning with each client’s unique requirements and goals.

About Gieom

Gieom is a leading provider of Generative AI-powered RegTech solutions, focused on enhancing operational resilience for financial institutions. We provide software that streamlines the management of policies, simplifies digital identity verification, mitigates risks, and implements operational resilience frameworks. Gieom has built custom templates to ensure compliance with regulations including the UK’s Operational Resilience Guidelines, the European Union’s Digital Operational Resilience Act (DORA), Australia’s CPS 230 and NIST2. 

With operations across Europe, the Middle East, and Asia Pacific, Gieom serves over 100 customers globally and is certified for ISO 27001 and ISO 9001.