
      The demands placed on effective third-party risk management (TPRM) continue to grow. Organisations are not only required to identify and assess risks, but should also monitor, document and manage them throughout the entire TPRM lifecycle. At the same time, the number of third parties continues to rise, whilst internal resources often remain limited.

      Our global TPRM study confirms this trend. More than 80 per cent of the organisations surveyed state that they already use managed services, outsourcing or co-sourcing to carry out key TPRM activities – from due diligence and onboarding to monitoring and remediation. Nevertheless, only around 5 per cent currently use a genuine end-to-end managed service model.

      The results thus highlight a tension: whilst the need for scalability and efficiency is high, many organisations remain reluctant to outsource operational responsibility for TPRM. 

      Managed services as a solution to complexity and volume

      A distinction must be made between various service models, each of which has its own specific focus and is integrated into the organisation in a different way. Outsourcing describes the complete transfer of clearly defined tasks or process steps to an external service provider. Co-sourcing refers to a model based on the division of labour, in which internal teams and external specialists jointly assume responsibility for individual activities. Managed services go a step further: this model combines standardised processes, integrated technologies and clearly defined control mechanisms into an ongoing operational model, in which operational activities are permanently carried out by an external provider, whilst governance and decision-making rights remain with the company.

      In practice, managed services are frequently used for high-volume, quantitative process steps. The study shows that external support is utilised primarily in areas such as onboarding, due diligence checks, ongoing monitoring and contract management. This allows large third-party portfolios to be managed efficiently and relieves the burden on internal teams. 

      This model is particularly relevant for highly regulated and rapidly scaling industries. Financial services providers, banks and insurance companies are increasingly using managed services to efficiently manage large third-party portfolios, complex regulatory requirements and onerous documentation obligations. However, companies in the technology, energy and life sciences sectors also benefit from external operating models when third parties are deeply integrated into critical processes and require continuous monitoring.

      Managed services are increasingly moving away from hourly-based support models towards results-oriented service approaches. Technology-enabled service models deliver measurable efficiency gains, transparent processing statuses and a better focus on third parties that pose a risk.

      Thinking about technology, AI and managed services as a whole

      As outlined in our article "From Stand-Alone Solutions to Integrated Platforms: How Technology is Transforming Third-Party Risk Management", a wide variety of technologies – and artificial intelligence in particular – deliver their full value in TPRM when they are not used in isolation but operate as part of end-to-end processes. At present, however, companies often still have highly fragmented tool landscapes.

      This is precisely where managed services come in: they combine integrated platforms, standardised workflows, and AI-supported screening and monitoring components within a seamless operating model. This allows tasks such as third-party classification, risk assessment, ongoing monitoring, issue management and reporting to be handled consistently and scalably – without adding complexity to the internal organisation.

      Governance and oversight remain crucial

      Despite all the efficiency benefits, effective governance remains a key factor for success. The study shows that concerns about loss of control and data security remain among the most significant barriers to the widespread adoption of managed services.

      Successful managed service models are therefore also characterised by the following criteria:

      • Clearly defined governance structures
      • Contractually agreed service level agreements (SLAs) and KPIs
      • Transparent reporting mechanisms
      • Close integration with internal risk and compliance functions

      This allows companies to retain strategic control and decision-making responsibility, whilst operational activities are efficiently supported by external providers.

      Different service models for different stages of development

      The right managed service approach must be closely tailored to the specific needs of the organisation in question. Depending on the level of maturity, organisational structure and regulatory environment, different models are used – ranging from selective co-sourcing of individual activities to comprehensive end-to-end managed service setups built on existing TPRM or GRC platforms. 

      The following diagram illustrates different service models for the use of managed services in TPRM, which vary depending on organisational maturity and system landscape:


      Figure 1: Service models in TPRM according to maturity level

      Before selecting a managed service partner, organisations should clarify key issues, such as:

      • Which tasks should be kept in-house, and which should be outsourced?
      • Does the managed service model meet our regulatory and supervisory requirements?
      • How transparent, auditable and scalable are the service provider’s methodologies and processes?
      • How is data and information security ensured?
      • Does the managed service model support our strategic objectives in TPRM?

      Managed services as a scaling lever in TPRM

      Managed services are increasingly becoming a key driver for establishing TPRM in an efficient, scalable and future-proof manner. They enable companies to

      • manage growing third-party networks,
      • make targeted use of external expertise to focus resources on risk-relevant issues,
      • put technological innovations to productive use more quickly,
      • whilst maintaining governance and control.

      Particularly against the backdrop of growing regulatory requirements and increasing risk dynamics, managed services offer a practical approach to embedding TPRM sustainably within the organisation and ensuring day-to-day operational continuity.
