Third-party governance blueprint for regulated and critical services
The OCC, Federal Reserve, and FDIC 2023 interagency guidance, PRA SS2/21, EBA outsourcing guidelines, EU DORA, MAS Technology Risk Management, and OSFI Guideline B-10 require demonstrable oversight of third parties and critical service providers. This 3,250-word blueprint equips boards and executives with lifecycle controls, resilience evidence, and cross-jurisdiction governance routines.
Updated with DORA register guidance, NIS2 contractual obligations, and Australian Prudential Regulation Authority CPS 230 alignment.
Integrate with board oversight, ESG accountability, and public-sector governance to manage vendor risk across the enterprise.
Executive summary
The 2023 U.S. interagency guidance on third-party risk management replaces OCC Bulletin 2013-29, Federal Reserve SR 13-19, and FDIC FIL-44-2008, emphasising board accountability for approving the risk management framework, overseeing risk appetite, and ensuring independent reviews (Federal Reserve SR 23-4 / OCC Bulletin 2023-17 / FDIC FIL-29-2023). Boards must evaluate third-party strategies, ensure contracts meet regulatory requirements, and monitor performance throughout the lifecycle.
In the UK, PRA Supervisory Statement SS2/21 requires banks and insurers to maintain a register of outsourcing arrangements, notify the PRA of material outsourcing, hold documented exit strategies for material arrangements, and understand how third parties support the important business services whose impact tolerances are set under the companion operational resilience policy, SS1/21 (PRA SS2/21, March 2021). The EBA Guidelines on outsourcing arrangements extend similar obligations to EU credit institutions, investment firms, and payment and e-money institutions, mandating due diligence, contractual requirements, and oversight of sub-outsourcing.
The EU Digital Operational Resilience Act (DORA) imposes ICT risk management obligations, mandatory registers of information on ICT third-party providers, and oversight of critical ICT third-party providers by a Lead Overseer drawn from the European Supervisory Authorities (DORA, Regulation (EU) 2022/2554). The MAS Technology Risk Management Guidelines and OSFI Guideline B-10 further emphasise board oversight, comprehensive risk assessments, and resilience testing for outsourced services. APRA CPS 230, effective 1 July 2025, harmonises Australian requirements on operational risk, third-party arrangements, and business continuity.
This blueprint provides a governance-aligned operating model covering source packs, lifecycle controls, resilience, data management, assurance, and reporting. It ensures third-party governance aligns with overall board oversight and sustainability accountability obligations.
Regulatory source packs
Maintain dedicated source packs for each jurisdiction to ensure board members and executives reference authoritative requirements when approving third-party strategies.
| Jurisdiction | Core sources | Key obligations | Board evidence |
|---|---|---|---|
| United States | 2023 Interagency Guidance on Third-Party Relationships (OCC Bulletin 2023-17, Federal Reserve SR 23-4, FDIC FIL-29-2023) | Board-approved third-party risk management framework, risk appetite, oversight of critical activities, independent reviews. | Framework approval minutes, risk appetite statement, due diligence summaries, contract review logs, performance dashboards. |
| United Kingdom | PRA SS2/21 (outsourcing and third party risk management); PRA SS1/21 impact tolerances for important business services | Outsourcing register, impact tolerances, concentration risk assessments, exit strategy plans, testing. | Outsourcing register extracts, tolerance dashboards, concentration risk heatmaps, exit plan playbooks, scenario test reports. |
| European Union | EBA Guidelines on outsourcing arrangements; DORA (Regulation (EU) 2022/2554); NIS2 | Critical function identification, contract clauses (audit, access, data), sub-outsourcing control, ICT risk management, incident reporting. | Criticality assessments, contractual clause inventory, sub-outsourcing approvals, DORA compliance attestation, incident logs. |
| Canada | OSFI Guideline B-10 | Lifecycle oversight, technology risk assessments, concentration risk monitoring, reporting to senior management and board. | Board briefings, lifecycle dashboards, OSFI self-assessment results, remediation plans. |
| Asia-Pacific | MAS Technology Risk Management Guidelines; APRA CPS 230 | Board oversight of technology risk, incident reporting timelines, outsourcing register, resilience testing, exit planning. | Technology risk reports, register snapshots, incident response metrics, joint testing evidence, board certifications. |
Update packs with regulatory bulletins, supervisory speeches, enforcement actions, and consultation papers. Include change logs describing updates, affected controls, and action plans. Provide quarterly pack briefings to risk and audit committees, ensuring oversight of remediation and emerging risks.
Governance operating model
Establish a third-party governance council chaired by the Chief Risk Officer with participation from procurement, legal, cybersecurity, resilience, finance, and business unit leads. The council coordinates policy updates, monitors regulatory developments, and oversees portfolio risk.
Create a roles and responsibilities matrix linking regulatory obligations to accountable teams. For example, procurement leads due diligence execution, cybersecurity manages technical assessments, legal negotiates contract clauses, resilience teams oversee testing, and compliance ensures regulatory reporting. Boards should receive the matrix and challenge resource adequacy.
Integrate third-party governance into enterprise risk management. Include third-party risks in risk registers with impact, likelihood, control effectiveness, and mitigation plans. Align with risk appetite statements and escalate breaches to board committees.
Ensure policies cover outsourcing, third-party risk management, cloud governance, data residency, and resilience. Policies should reference regulatory requirements and define thresholds for heightened oversight (e.g., critical activities, material outsourcing, ICT criticality). Update policies annually, capturing approvals in board minutes.
Implement training programmes covering regulatory expectations, due diligence procedures, contract standards, and monitoring. Track completion rates and effectiveness through assessments, aligning with board oversight training programmes.
Lifecycle controls
Third-party governance requires controls across planning, due diligence, contracting, onboarding, monitoring, change management, and exit. Document standard operating procedures and control owners for each stage.
Planning and risk classification
During planning, identify business objectives, regulatory obligations, and risk appetite alignment. Classify proposed third-party engagements by criticality, data sensitivity, and operational impact. Use scoring models incorporating concentration risk, geographic exposure, compliance risk, and resilience dependency. Document decisions and approvals in governance systems.
Due diligence
Perform comprehensive due diligence covering financial stability, legal and regulatory compliance, cybersecurity posture, operational resilience, ESG performance, and subcontracting. Reference industry frameworks such as NIST SP 800-53, ISO/IEC 27001, and SOC 2. Collect evidence such as financial statements, security certifications, policies, penetration test results, and incident history. Document findings, risk ratings, and remediation plans.
For ICT providers under DORA, ensure due diligence assesses ICT security, data protection, incident response, and service continuity. For cloud services, include Shared Responsibility Model matrices and exit strategy feasibility evaluations.
Contracting
Contract clauses must meet regulatory requirements: audit and access rights, data residency, confidentiality, subcontractor approvals, termination rights, incident notification timelines, and cooperation with regulators. For PRA SS2/21 and EBA guidelines, contracts should include cooperation obligations, location of data and processing, and exit support. DORA requires contracts to cover service level descriptions, locations, data protection, testing, incident notification, and oversight rights.
Maintain a contract clause library referencing regulatory obligations. Use contract lifecycle management tools to standardise clauses, track deviations, and manage approvals. Provide board committees with summaries of critical contract terms and deviations.
Onboarding
Onboarding includes risk acceptance, control implementation, and integration into monitoring systems. Ensure data sharing agreements, access controls, and incident response protocols are established. Conduct readiness assessments verifying that the third party meets security and resilience requirements before go-live.
Ongoing monitoring
Implement continuous monitoring of performance, risk indicators, and compliance. Collect service level metrics, incident reports, audit findings, and risk assessments. Use dashboards to track key metrics: uptime, incident severity, control testing results, and remediation status. For critical services, conduct regular onsite reviews or independent audits.
Align monitoring with regulatory expectations: the interagency guidance requires periodic risk re-assessments; PRA SS2/21 expects ongoing monitoring of material arrangements and an accurate, up-to-date outsourcing register; DORA requires monitoring of ICT third parties and reporting of major ICT-related incidents to the competent authority, with the initial notification due within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, followed by intermediate and final reports.
Change management and exit
Document processes for material changes (scope, subcontracting, ownership). Require approvals from risk, legal, and business owners. Update risk assessments and contract terms as needed. Maintain exit strategies covering transition planning, data retrieval, knowledge transfer, and fallback arrangements. Test exit plans for critical third parties to ensure feasibility.
Record exit plan tests, results, and remediation. Provide board committees with annual summaries of exit readiness and concentration risk mitigation.
Resilience and incident management
Operational resilience regulations demand that organisations understand dependencies on third parties and maintain the ability to deliver important services. Map critical business services to supporting third parties, data centres, and technologies. Identify single points of failure and concentration risks (e.g., reliance on a single cloud provider).
Set impact tolerances and service level expectations aligned with PRA, FCA, and DORA requirements. Document tolerances in resilience registers and include them in contracts. Monitor performance and escalate breaches.
Establish joint testing programmes with critical third parties. Conduct scenario testing covering cyberattacks, infrastructure failures, geopolitical disruptions, and supply chain issues. Document test scenarios, results, lessons learned, and remediation actions. Reference DORA testing requirements and MAS TRM incident response expectations.
Implement incident management protocols with clear roles, notification timelines, and communication plans. Ensure contracts specify incident reporting obligations, including immediate notification for severe incidents. Maintain playbooks for regulator notification, customer communication, and internal escalation.
Track resilience metrics such as recovery time actuals, incident frequency, tolerance breaches, and remediation closure. Report metrics to board committees and integrate with board oversight dashboards.
Data protection and cybersecurity alignment
Third-party governance must align with data protection laws such as GDPR, California Consumer Privacy Act, and sector-specific regulations (e.g., HIPAA, GLBA). Ensure third parties implement appropriate safeguards, encryption, access controls, and data minimisation. Conduct privacy impact assessments for data processing activities.
For cybersecurity, align assessments with frameworks like NIST Cybersecurity Framework, ISO/IEC 27001, and CIS Controls. Require independent certifications or audit reports, but verify evidence through testing and continuous monitoring. Integrate third parties into security operations, threat intelligence sharing, and incident response exercises.
Maintain data inventories showing where data is stored, processed, and transmitted by third parties. Document data residency, cross-border transfers, and compliance with regulations such as GDPR Chapter V and UK International Data Transfer Agreements. Include contractual obligations for breach notification and cooperation with supervisory authorities.
Implement access governance controls for third-party users. Use privileged access management, multi-factor authentication, and session monitoring. Review access rights regularly and revoke promptly when no longer needed.
Technology enablement
Deploy integrated technology platforms to manage third-party governance at scale. Combine procurement systems, vendor risk management platforms, contract lifecycle management, and GRC tools to provide a single source of truth. Ensure platforms support data ingestion, workflow automation, evidence storage, and analytics.
Automate due diligence using questionnaires aligned with the Shared Assessments Standardized Information Gathering (SIG) questionnaire, financial statement ingestion, and external risk feeds (e.g., credit ratings, cyber risk ratings). Use robotic process automation to collect certificates, attestations, and regulatory filings from vendor portals, reducing manual effort.
Integrate continuous monitoring solutions that track cyber risk indicators, news, sanctions, and adverse media. Configure alerts aligned with risk appetite thresholds. When alerts trigger, route cases to risk owners for evaluation and escalation. Document outcomes to demonstrate proactive oversight.
Implement analytics to evaluate concentration risk, scenario impacts, and performance trends. Use graph analytics to map dependencies across suppliers, sub-suppliers, and infrastructure. Provide dashboards to board committees showing systemic risk exposures and resilience posture.
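The dependency mapping described under resilience (critical services mapped to third parties and their sub-suppliers, with single points of failure and concentration identified) and the graph analytics called for here can be implemented with a small model. The following Python is an added example, not code from the page or from any GRC product: service, provider and cloud-region names, the redundancy structure, and the 75 percent escalation threshold are all constructed for illustration. It shows a point the prose only implies: a service with two redundant cloud regions can still have one of them as a single point of failure when a hard dependency sub-outsources to that same region.

```python
"""Dependency-graph analytics for third-party concentration risk (added example).

Models critical business services, the third parties they rely on, and the
sub-suppliers those third parties rely on, then finds single points of failure
and measures concentration against an escalation threshold.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# A dependency group is a tuple of alternatives: the dependant keeps running if
# ANY member of the group is available (redundant providers). A one-member
# group is a hard dependency.
Group = Tuple[str, ...]


@dataclass
class Node:
    name: str
    kind: str                       # "service", "provider" or "infrastructure"
    critical: bool = False          # meaningful for services only
    depends_on: List[Group] = field(default_factory=list)


class DependencyGraph:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes: Dict[str, Node] = {n.name: n for n in nodes}
        for n in nodes:
            for group in n.depends_on:
                for dep in group:
                    if dep not in self.nodes:
                        raise ValueError(f"{n.name} depends on unknown node {dep!r}")

    def available(self, name: str, failed: Set[str],
                  _stack: FrozenSet[str] = frozenset()) -> bool:
        """True if `name` can be delivered while every node in `failed` is down.

        A node is available if it is not failed and, for every dependency group,
        at least one alternative is available. A cyclic dependency is treated as
        unavailable rather than recursing forever.
        """
        if name in failed or name in _stack:
            return False
        node = self.nodes[name]
        return all(
            any(self.available(alt, failed, _stack | {name}) for alt in group)
            for group in node.depends_on
        )

    def closure(self, name: str) -> Set[str]:
        """All nodes reachable from `name` through dependency edges (transitive)."""
        seen: Set[str] = set()
        todo = [name]
        while todo:
            current = todo.pop()
            for group in self.nodes[current].depends_on:
                for dep in group:
                    if dep not in seen:
                        seen.add(dep)
                        todo.append(dep)
        return seen

    def single_points_of_failure(self, service: str) -> Set[str]:
        """Nodes whose individual failure makes `service` undeliverable."""
        return {n for n in self.closure(service) if not self.available(service, {n})}

    def concentration(self, threshold: float) -> Dict[str, dict]:
        """Per non-service node: which critical services it can take down, and
        the share of critical services that is, flagged for escalation when the
        share reaches `threshold`. `exposed` lists critical services that merely
        reach the node transitively, even where redundancy absorbs its loss."""
        critical = [n.name for n in self.nodes.values()
                    if n.kind == "service" and n.critical]
        report: Dict[str, dict] = {}
        for name, node in self.nodes.items():
            if node.kind == "service":
                continue
            spof_for = sorted(s for s in critical if name in self.single_points_of_failure(s))
            exposed = sorted(s for s in critical if name in self.closure(s))
            share = len(spof_for) / len(critical) if critical else 0.0
            report[name] = {"spof_for": spof_for, "exposed": exposed,
                            "share": share, "escalate": share >= threshold}
        return report


def build_example_graph() -> DependencyGraph:
    """Constructed sample register: names and structure are illustrative only."""
    return DependencyGraph([
        # Critical service with a hard SaaS dependency and two redundant cloud regions.
        Node("payments", "service", critical=True,
             depends_on=[("pay_saas",), ("cloud_a_eu", "cloud_b_eu")]),
        Node("lending", "service", critical=True, depends_on=[("core_banking",)]),
        Node("marketing_site", "service", critical=False, depends_on=[("cms_saas",)]),
        # Providers and their sub-outsourcing (fourth parties).
        Node("pay_saas", "provider", depends_on=[("cloud_a_eu",)]),
        Node("core_banking", "provider", depends_on=[("cloud_a_eu",)]),
        Node("cms_saas", "provider", depends_on=[("cloud_b_eu",)]),
        Node("cloud_a_eu", "infrastructure"),
        Node("cloud_b_eu", "infrastructure"),
    ])


if __name__ == "__main__":
    g = build_example_graph()
    for svc in ("payments", "lending"):
        print(svc, "SPOFs:", sorted(g.single_points_of_failure(svc)))
    for name, row in g.concentration(threshold=0.75).items():
        print(f"{name:14s} share={row['share']:.2f} escalate={row['escalate']} "
              f"spof_for={row['spof_for']} exposed={row['exposed']}")
```

In the sample register, `cloud_a_eu` is a single point of failure for both critical services (and so escalates) even though `payments` nominally has a second region, because `pay_saas` sub-outsources to that region; `cloud_b_eu` shows as exposure only. Feed the model from the outsourcing register and sub-outsourcing approvals, and treat the threshold as a risk-appetite parameter approved by the council rather than a constant in code.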
Ensure technology platforms comply with data protection requirements and support regulator access. Document configurations, access controls, and audit logs. Include platforms in business continuity and disaster recovery plans.
ESG and sustainability integration
Integrate ESG considerations into third-party governance. CSRD and due diligence regulations require transparency on supplier impacts, human rights, and environmental performance. Align due diligence with ESG accountability data collection and reporting.
Collect ESG metrics from suppliers, such as greenhouse gas emissions, diversity, labour practices, and ethics. Use questionnaires aligned with OECD due diligence and industry standards (e.g., Responsible Business Alliance). Evaluate supplier commitments to science-based targets, renewable energy, and responsible sourcing.
Implement remediation and improvement plans for high-risk suppliers. Monitor progress and document engagement. Track supplier audit results, corrective actions, and escalation to termination if necessary. Report ESG-related supplier performance to board committees and include in sustainability disclosures.
Public-sector and critical infrastructure considerations
Public-sector organisations and critical infrastructure operators face additional mandates. U.S. federal agencies must align vendor oversight with OMB Circular A-123 internal controls, OMB Circular A-130 information resource management, and the Federal Acquisition Regulation. Agencies using cloud services must ensure providers maintain FedRAMP authorisations and monitor continuous diagnostics and mitigation requirements.
European public entities subject to the EU Procurement Directives and NIS2 must verify supplier security measures, incident reporting capabilities, and contractual clauses covering confidentiality, integrity, and availability. Document compliance with national cyber security frameworks (e.g., ANSSI in France, BSI in Germany) and maintain evidence for national auditors.
Critical infrastructure operators (e.g., energy, transport, healthcare) must integrate sector-specific regulations such as NERC CIP, UK Network and Information Systems Regulations, and Australia’s Security of Critical Infrastructure Act. Map supplier obligations to sector requirements, ensuring contracts include compliance clauses and audit rights.
Coordinate with public-sector governance programmes described in public-sector governance alignment to harmonise oversight, reporting, and incident management.
Emerging technologies and AI supply chain oversight
AI-as-a-service and algorithmic models introduce new third-party risks. The EU AI Act classifies certain systems as high-risk, requiring providers and deployers to implement risk management, data governance, transparency, and human oversight. Organisations integrating third-party AI must ensure contracts allocate responsibilities for conformity assessments, post-market monitoring, and incident reporting.
In the United States, the Office of Management and Budget's Memorandum M-24-10 required federal agencies to inventory AI use cases, assess risk, and implement safeguards, including for contractor-operated systems; OMB replaced it with Memorandum M-25-21 in April 2025, which carries forward the use-case inventory and risk management expectations. Private-sector firms should mirror these practices by maintaining AI inventories, validating training data provenance, and ensuring explainability.
Establish AI supplier due diligence covering model documentation, bias mitigation, security, privacy, and compliance with frameworks such as NIST AI Risk Management Framework. Require third parties to provide transparency reports, vulnerability disclosure processes, and audit rights for models.
Monitor emerging regulation, such as the UK's AI regulation roadmap and Canada's proposed Artificial Intelligence and Data Act (part of Bill C-27, which lapsed in January 2025 without passing), and update third-party governance policies accordingly. Coordinate with board oversight to ensure directors understand AI dependencies and oversight responsibilities.
Assurance, monitoring, and reporting
Coordinate assurance across the three lines of defence. Internal audit should review third-party governance policies, controls, and execution. Focus on due diligence quality, contract compliance, monitoring effectiveness, and resilience preparedness. Document findings, management responses, and remediation timelines.
Commission independent assurance for critical third parties, such as SOC 2 Type II reports, ISO certifications, or regulator-mandated assessments. Evaluate reports, track exceptions, and require remediation. For cloud providers, review Cloud Security Alliance STAR attestations and DORA oversight findings where applicable.
Report to boards and regulators through structured dashboards. Include metrics such as number of critical third parties, concentration risk scores, due diligence completion rates, monitoring frequency, incident counts, and remediation status. Provide narrative analysis explaining trends, emerging risks, and mitigation plans.
Prepare regulatory submissions as required: PRA outsourcing notifications, DORA incident reports, MAS reporting, OSFI annual self-assessments. Maintain evidence packages for onsite inspections, including policies, registers, contracts, due diligence files, and monitoring reports.
Metrics and dashboards
Define metrics that demonstrate governance effectiveness and regulatory compliance:
- Critical third-party inventory coverage. Percentage of engagements classified and recorded in registers with complete metadata (location, criticality, data categories).
- Due diligence timeliness. Average days to complete due diligence and remediation before contract execution.
- Control effectiveness. Percentage of controls tested and operating effectively, segmented by lifecycle stage.
- Incident response performance. Time to notify regulators and customers, recovery time actuals versus tolerances, and incident severity trends.
- Concentration risk. Exposure metrics by provider, geography, and service type, with thresholds for escalation.
- Exit readiness. Percentage of critical third parties with tested exit plans within the past 12 months.
- ESG compliance. Supplier adherence to sustainability requirements, audit completion rates, and corrective action closure.
Deliver dashboards through GRC platforms or data visualisation tools. Provide drill-down capabilities to view individual third-party profiles, control status, and documentation. Share dashboards with board committees and management to support decision-making.
Implementation roadmap
- Months 0–2: Assess current third-party governance maturity against interagency guidance, PRA SS2/21, EBA, DORA, MAS, OSFI, and APRA requirements. Inventory third-party engagements and critical services.
- Months 3–5: Update policies, responsibility matrices, and source packs. Implement contract clause library, register templates, and due diligence enhancements.
- Months 6–8: Roll out lifecycle controls, monitoring dashboards, and incident management updates. Conduct pilot resilience tests with critical providers.
- Months 9–12: Complete assurance reviews, refine reporting, and execute board-level readiness assessments. Address gaps and prepare for regulatory interactions.
- Months 12+: Embed continuous improvement, expand coverage to emerging technologies (AI models, fintech APIs), and coordinate with ESG and public-sector obligations.
Connected governance guides
Board oversight
Use board oversight governance guidance to align third-party reporting with director expectations and regulatory accountability.
ESG accountability
Coordinate supplier sustainability metrics with the ESG accountability playbook to deliver consistent disclosures.
Public-sector alignment
Public agencies should align vendor oversight with public-sector governance requirements, including OMB A-123 and GAO Green Book controls.
Evidence pack checklist
Build evidence packs containing: policies, responsibility matrices, outsourcing registers, due diligence files, contract clause inventories, monitoring reports, incident logs, resilience test results, assurance reports, board minutes, and regulatory correspondence. Maintain version control, owners, and review cycles.
Use evidence packs to support supervisory reviews, investor due diligence, and internal audits. Update packs after major regulatory changes or incidents and record approvals in governance logs.