Jun 10, 2025
When I first began working in compliance, third-party risk management was primarily a procurement issue: contracts, service levels, costs. It was often reactive, sometimes secondary, and rarely seen as a strategic lever. But over the past decade – and especially in the last few years – that mindset has shifted dramatically.
Today, third-party relationships sit at the heart of operational resilience. They’re not just suppliers – they’re extensions of your own infrastructure. And as regulatory expectations rise, it’s no longer enough to assess vendors on price or performance. We need to understand their risk posture, governance, continuity plans, and how they’ll respond under pressure.
This shift – from vendor to partner – is more than semantics. It’s a strategic evolution. And at the Global RegTech Summit, I had the opportunity to share what that evolution looks like in practice.
Why This Matters: The Regulatory Context
Let’s begin with the FCA’s CP24/28 consultation, released in December 2024.
It proposes clear rules for third-party arrangements, incident reporting, and resilience obligations – and signals a step change in how the regulator expects firms to think about external partners.
Rather than focusing solely on onboarding and documentation, the FCA is now asking:
This isn’t about box-ticking. It’s about shared accountability – and resilience by design.
From Vendor to Partner: A Mindset Shift
To navigate this new reality, we must rethink our third-party model. The old vendor mindset was transactional. The new partner mindset is collaborative, proactive, and aligned with your risk and resilience goals.
Here’s how I define the shift:
Vendor model: Can you deliver what we ask?
Partner model: Can we collectively manage risk, ensure compliance, and stay operational – even in crisis?
A partner-based approach isn’t just more robust. It’s more realistic. In today’s environment – with cross-border dependencies, tech-driven supply chains, and increasingly complex risk landscapes – we need collaboration, not control.
Five Pillars of a Partner-Based TPRM Approach
To move from vendor to partner, firms should build a TPRM (Third-Party Risk Management) framework rooted in five practical pillars:
1. Comprehensive Due Diligence
Look beyond standard service terms. Assess your vendor’s financial strength, governance culture, compliance history, and incident response protocols. Ask: do they understand your obligations — and can they support them?
3. Clear Contractual Obligations
Define roles, responsibilities, and regulatory expectations explicitly. Build contracts that evolve with your business and revisit them regularly. If it’s critical to your compliance, it should be in writing.
4. Proactive Vendor Management
Don’t wait for things to go wrong. Set up regular meetings, performance reviews, and scenario testing. Include subcontractors and fourth-party dependencies in your oversight — because your risk exposure rarely ends with a single provider.
5. Ongoing Monitoring & Auditing
Resilience isn’t static. Build processes for continuous monitoring, audit trails, and response planning. As CP24/28 suggests, visibility must be real-time — and responsibility shared.
The Role of TPRM in Operational Resilience
These pillars aren’t optional anymore. They’re foundational to resilience.
Under the UK’s operational resilience regime, firms must deliver “important business services” during disruption. That doesn’t just apply to internal systems — it extends to critical third parties.
The FCA’s new reporting thresholds – consumer harm, market integrity, and firm soundness – require proactive thinking. Firms must report incidents not just when harm occurs, but when it’s likely to occur.
In short: you’re not just responsible for how you respond to a disruption. You’re responsible for anticipating it.
Mapping Dependencies
One area where many firms fall short is mapping.
The FCA is clear: third-party visibility means more than a spreadsheet of vendors. It includes subcontractors, intra-group service providers, cloud vendors, and specialist suppliers.
If a vendor’s outage could disrupt your operations, delay customer payments, or prevent regulatory reporting – it’s material. And it must be mapped.
Five Pillars of Operational Resilience
All of this fits within a broader framework. At Clearing, we consider the following five pillars critical for embedding operational resilience across the business:
A strong third-party programme isn’t isolated. It intersects with each of these pillars. That’s what transforms compliance from a cost centre to a competitive advantage.
Why This Matters for Compliance Professionals
Ultimately, this is about maturity.
The most resilient organisations treat their vendors not just as providers, but as partners. They invest in alignment – from onboarding to offboarding — and ensure everyone understands the shared responsibility of compliance.
Yes, this takes work. But it pays off in trust, agility, and long-term credibility.
As compliance professionals, we’re not just gatekeepers. We’re enablers of business continuity, customer confidence, and long-term growth.
That’s what vendor-to-partner means. That’s what resilience requires.
–
Viviane Giglio is the Head of Regulatory Compliance at Clearing. She recently delivered this talk at the Global RegTech Summit 2025 in London.