Operational Resilience & Critical Third-Party Suppliers

Given the mass adoption of new technology and adapting to new hybrid ways of working, organisations have been outsourcing more of their mission critical business functions and IT infrastructure to entities (often out of the regulated scope), increasing dependency,  concentrating risk and potentially jeopardising market integrity.

As part of the regulatory agenda for this year and aligned with the Operational Resilience Framework published last year, regulators in the UK are now focusing their attention to address some of the key vulnerabilities to ensure long-term market stability; in particular addressing the increased risk and dependency that financial services firms have in the supply chain.

In the latest PRA Discussion Paper 3/22 | FCA Discussion Paper 22/3, market participants have been invited to provide their input and suggested approach for protecting the wider industry from the concentration of risk associated with material services from third-party suppliers.

The proposed framework contains the following components:

  1. Designing and defining a holistic framework.
  2. Establishing a minimum resilience standard, aligned with the existing Operational Resilience guidelines.
  3. Adding a range of tools for testing the resilience of material services, including scenarios, sector-wide exercise and cybersecurity.

Why Is This So Important?


Given the mass adoption of new technology and adapting to new hybrid ways of working, organisations have been outsourcing more of their mission critical business  functions and IT infrastructure to entities (often out of the regulated scope), increasing dependency,  concentrating risk and potentially jeopardising market integrity.


Which Companies Will Be Classified as Critical Third Parties (CTPs)?


According to the discussion paper, the regulators are considering the following as possible criteria  to identify and classify third-parties as Critical:


Once a supplier is considered by the regulator and market participants as a Critical Third-Party, the organisation needs to demonstrate its availability to perform self-assessment related to Operational Resilience and to be able to participate in a sector-wide testing exercise.  Much like the existing Operational Resilience framework for regulated financial institutions, critical third-party suppliers must now follow these 8 steps:


What’s Next?


Given the complexity and relevance of this discussion paper, the regulator encouraged  market participants to submit responses, comments, and feedback by Friday 23 December 2022; we estimate the final publication of the final guidelines will be on 2Q / 3Q 2023.

By understanding existing vulnerabilities, the regulator aims to take on board financial service firms feedback and to implement regulation to improve discipline related to outsourcing practices, and take the necessary remedial action to promote and create stability in the market.

This framework will align regulated and non-regulated organisations within the same standard, making it easy to collect more reliable information (across sectors). This initiative will help to better understand the dependencies on critical third-party service providers and will help mitigate the risk and the potential ripple effect that could adversely affect firms and the wider FS industry from potentially catastrophic disruption, i.e. cloud outage, advanced persistent threats (APTs), denial of service (DoS) attacks or data leaks.

How TORI Can Help


At TORI Global we have developed a global Supplier Model & Third Part Risk Management (TPRM) Framework that will allow your organisation, not just to de-risk operations but also to increase operational efficiency and business resilience.

Our approach considers not only the regulatory requirements, but also best practice for managing your supply chain throughout the entire lifecycle.

Advisory services: having the right operating model and practices to manage your supply chain is essential to reduce potential disruptions. TORI have extensive experience in:

  • Supplier model & Third-Party Risk Management (TPRM) Health Checks
  • Designing and implementing Target Operating Models: connecting Procurement with TPRM
  • Benchmarking against regulatory requirements and industry best practice

Resource Augmentation: providing flexibility and scale without comprising quality and expertise, is the approach we take to support managing your suppliers on these important tasks:

  • Vendor Review: onsite / desktop
  • Managed Service & Outsourcing
  • Service Management & SLAs

Insights