Third-Party Risk Management: Insights and Strategies
In today’s interconnected business landscape, managing third-party risks has become crucial for organizations of all sizes — particularly for mid-size companies balancing growth with resource constraints. We spoke with Tatyana Kalita, Senior Risk Management Consultant at Coreio, to discuss the intricacies of Third-Party Risk Management (TPRM) and share practical insights for safeguarding your organization.
With over two decades of experience across Europe and North America, Tatyana specializes in designing and delivering efficient, practical risk management solutions across various industries.
Q1: What is Third-Party Risk Management, and why does it matter?
In today’s highly interconnected business environment, organizations rely on a myriad of third parties to deliver services, manage operations, and support innovation. While these relationships drive efficiency and growth, they also introduce significant risks that can impact operational continuity, financial stability, and reputation.
Third-Party Risk Management — TPRM — is the systematic process of identifying, assessing, and mitigating risks that arise from external vendors, contractors, and partners. In plain terms: an organization should know what third parties it has, what services those parties provide, how important those services are, and how the organization would be impacted if something went wrong.
A 2023 study by Boston Consulting Group and MIT Sloan Management Review found that third-party AI tools are responsible for over 55% of AI-related failures in organizations. That statistic highlights why this matters — especially for mid-size companies that may not have the same risk absorption capacity as larger enterprises.
Q2: What are the common challenges organizations face when implementing TPRM?
The primary hurdle is often a lack of visibility into all third-party relationships, especially as organizations grow and their vendor networks expand. This makes it difficult to maintain a comprehensive view of the risks associated with each partner.
Other common challenges: resource constraints make comprehensive risk assessments and ongoing monitoring time-intensive. Regulatory complexity means organizations must continuously adapt as guidelines evolve. And integration issues arise when incorporating TPRM into existing risk management and IT systems.
What’s particularly challenging is when organizations face multiple obstacles at once — causing them to feel overwhelmed and unsure where to start. This leads to delays that compound over time.
Q3: How do you overcome those challenges and avoid implementation delays?
When facing multiple challenges, the key is starting with a clear understanding of what the organization actually wants to achieve. Does the company want to meet the bare minimum regulatory expectations? Develop a well-documented process for understanding and mitigating risk exposures? Or become a leader in the TPRM discipline?
In most cases, mid-size organizations want two practical things: compliance with minimum regulatory requirements and a clear understanding of their most significant risk exposures. That’s a reasonable starting point.
Once the goal is set, break it into manageable milestones with realistic timelines. Here’s the actionable approach:
Adopt a phased, risk-based approach. Break TPRM implementation into manageable steps. Focus on high-priority areas first. Take a pragmatic short-term view — for example, develop supplier tiers and assess all high-priority technology-related suppliers before expanding scope.
Decide on implementation resources upfront. Determine whether the framework, process, and tools will be built using existing staff, external consultants, or a combination. Get that decision made early.
Develop a clear roadmap with short, medium, and long-term goals. This maintains focus and helps demonstrate progress to leadership.
Leverage technology. Use automation and risk management tools to reduce manual workload and free up time for more strategic activities.
Build cross-functional teams. Share responsibilities across departments. If using consultants, integrate them into the team to accelerate adoption rather than keeping them at arm’s length.
Maintain regular communication. Keep stakeholders updated on progress and challenges. Transparency prevents surprises.
Start small and scale. Begin with pilot projects or a focus on critical vendors. Use lessons learned to refine the process before full-scale rollout.
One thing I always emphasize: this approach should be guided by a “fit-for-purpose” mindset. The TPRM process should be proportional to the size of the organization — not a blind copy of what a Fortune 500 company does.
Q4: Can you share a customer story where this approach worked?
In April 2023, OSFI in Canada released revised Guideline B-10: Third-Party Risk Management, significantly raising regulatory expectations for financial institutions managing supplier arrangements.
One of our financial industry clients faced real pressure to meet those new requirements. We used a four-step approach.
Data gathering and current state assessment. We collected all relevant data on their third-party relationships — contracts, performance reviews, compliance status — and identified gaps in their existing practices.
Framework, process, and tools development. Based on what we found, we built a third-party risk management process with clear steps for monitoring, assessing, and mitigating risks. We developed an implementation plan that prioritized the highest-risk areas first.
Pilot and lessons learned. We selected one critical business unit and completed third-party risk assessments for all their key suppliers. Enhancements from the pilot were embedded back into the original process and tools before broader rollout.
Knowledge transfer. Once the process and tools were finalized, we trained the client’s staff so they could own and maintain it going forward — no ongoing dependency on outside support.
The result: the client met compliance deadlines, strengthened overall risk management capabilities, gained clearer visibility into vendor risks, and established a framework for continuous monitoring and improvement.
Conclusion: A Comprehensive TPRM Framework
An effective third-party risk management framework covers the full vendor relationship lifecycle. At a high level, that means four stages.
Planning and risk tiering. Analyze business needs, define the engagement profile, and determine the inherent risk and criticality of potential third parties before any contract is signed.
Due diligence and selection. Conduct risk assessments, perform due diligence, complete risk evaluations, and establish controls.
Contracting. Negotiate contractual controls, determine residual risks, identify concentration risk exposure, and complete onboarding.
Ongoing monitoring and management. Manage third-party performance, monitor controls, leverage market intelligence, and offboard third parties when the relationship ends.
By adopting this structured but flexible approach, mid-size organizations can manage third-party risks, maintain compliance, and build operational resilience — without overwhelming their teams. Start with critical vendors, learn from the process, and expand the program as the organization grows.