
Governance Briefing — August 28, 2025

OSFI Guideline B-10 has been effective since May 2025, and federally regulated financial institutions now have one quarter to prove continuous oversight, concentration monitoring, and exit strategies before year-end reviews.

Executive briefing: Canada’s Office of the Superintendent of Financial Institutions (OSFI) updated Guideline B-10 on Third-Party Risk Management with effect from 1 May 2025. Federally regulated financial institutions (FRFIs) must demonstrate board-approved frameworks covering critical third parties, subcontractor chains, resilience testing, and exit plans.

Key governance checkpoints

  • Criticality assessments. Classify service providers based on business impact, substitution difficulty, and concentration exposures, ensuring board oversight of critical relationships.
  • Risk appetite alignment. Map residual risk ratings and mitigation plans to enterprise risk appetite statements and risk limits approved by the board.
  • Exit and contingency planning. Maintain current exit strategies, transition playbooks, and testing evidence for critical third parties per B-10 §4.3.

Operational priorities

  • Lifecycle controls. Embed risk assessments, contract clauses, performance monitoring, and issue management across onboarding, ongoing monitoring, and termination stages.
  • Concentration analytics. Aggregate exposures by geography, provider, and fourth-party reliance to highlight systemic risks requiring management attention.
  • Incident reporting. Ensure contractual obligations compel third parties to notify FRFIs promptly of incidents affecting confidentiality, availability, or regulatory compliance.

Enablement moves

  • Deploy dashboards that align third-party risk metrics with internal control testing results and scenario analysis outcomes.
  • Run tabletop exercises simulating vendor failure to validate continuity plans and data repatriation steps.

Zeph Tech strengthens B-10 programs with criticality analytics, contract intelligence, and resilience testing orchestration.
