As supply chain disruptions and cyberattacks increase, it's important to be able to respond effectively. Achieving operational resilience doesn’t just mean preparing internal processes – your third-party vendors must be equally resilient.
Financial services regulators are paying closer attention to third-party operational resilience. In 2025 FINRA added a section on the Third-Party Landscape to its annual Regulatory Oversight report for the first time, and the European Union’s Digital Operational Resilience Act (DORA) came into effect. Meanwhile the Office of the Comptroller of the Currency (OCC) noted elevated operational risk, and United Kingdom financial regulators have implemented new requirements for operational resilience.
Proactive third-party risk management (TPRM) activities like due diligence and risk assessments enhance operational resilience. Let’s look at how third-party risk management protects your organization from disruptions and creates an operationally resilient business.
Third-Party Operational Resilience Risks
Your financial services organization likely depends on third parties for many different products, services, and innovations. These relationships can cause operational disruptions.
If a third party’s product or service is critical to your organization, you’ll face an even higher level of third-party operational risks.
Here are six areas where third parties present operational resilience risks:
- Financial instability: A third party with poor financial standing may struggle to deliver expected products or services, disrupting availability, delaying projects, and impeding customer service.
Example: A core provider with declining financials may suddenly lay off staff, leading to longer response times and poor software management. In severe cases, such as a fintech unexpectedly declaring bankruptcy, your organization may scramble for alternatives.
- Cybersecurity incidents: It only takes one third-party cyberattack to disrupt operations. You may temporarily lose access to a product or service, or customer data may be lost. Business can stop while your organization and the vendor recover.
Example: A payroll vendor hit by ransomware could freeze payroll processing for days, leaving employees unpaid and shaking client confidence. Even minor breaches, like unauthorized access to a vendor’s support portal, demand investigation and response, pulling your team off strategic initiatives.
- Service outages: A temporary or prolonged third-party service outage can completely stop your organization’s operations. These disruptions may be due to failed updates, natural disasters, or technical difficulties.
This leaves customers frustrated as they’re unable to access your products or services. Your organization may be helpless to respond until the third-party service is restored.
Example: A cloud-hosted digital banking platform may experience downtime during a software update gone wrong, cutting off customer access to online banking. When customer complaints roll in, your hands may be tied until the vendor restores service.
- Natural disasters: If a third party is in an area prone to natural disasters, your organization faces an increased risk of operational disruptions. It may lead to service outages and data loss.
Example: If your third-party call center is located in a hurricane-prone region, a storm could wipe out operations for days. Without a backup location or contingency plan, your customer service operations could grind to a halt.
- Geopolitical risks: A third party may operate in a region that’s vulnerable to geopolitical situations that can harm your organization or customers. These situations may include corruption, political unrest, human rights violations, or lax privacy laws.
Example: A data analytics vendor in a politically unstable country faces an internet blackout. This impacts your organization’s data access. Economic sanctions could also block access to vendor systems or support.
- Third-party dependencies: Many financial services organizations use the same third parties to provide a product or service. Even your third parties may use the same vendors. These dependencies can cause widespread disruption if that single vendor is disrupted.
Example: Imagine a core processor, digital banking vendor, and bill pay service all rely on the same cloud infrastructure provider. A failure at that single point, like a major AWS outage, could cascade across your entire digital ecosystem.
How Third-Party Risk Management Contributes to Operational Resilience
To create an operationally resilient organization, third-party risk management is a critical activity. Although third-party operational disruptions aren’t completely preventable, ensuring your third-party vendors are prepared mitigates the likelihood and impact.
To remain operationally resilient, perform these third-party risk management activities:
- Identify third-party criticality and risk level: Critical and high-risk third parties present higher operational risks. You likely have a critical third party if:
- Your organization would face significant risk if the vendor failed to meet expectations
- The vendor would have a significant impact on customers
- The vendor would have a significant impact on your financial condition or operations
Also consider whether the third party carries high geopolitical, cybersecurity, or concentration risk; each of these also creates high operational risk.
- Perform due diligence: Assess the third party’s financial stability, regulatory history, cybersecurity practices, and business continuity. This includes reviewing documents like financial statements, business continuity and disaster recovery plans, and SOC 2 reports. Consider the third party’s ability to manage operational disruptions and if they have processes in place to prevent disruptions or recover quickly.
- Create a well-crafted contract: Include provisions around business continuity, cybersecurity, service level agreements, and incident response protocols. This sets expectations with the third party for operational resilience. Include an exit strategy so your organization can safely leave the relationship if there are operational issues.
- Monitor continuously: Operational disruptions can occur at any time. Track the third party’s performance, financial health, and risk management practices continuously. This identifies issues before they become bigger problems. Reassess documentation once it expires, like SOC reports and business continuity testing results.
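The criticality criteria, the shared-dependency (concentration) check and the expired-evidence check above, combined into one review pass, as an added Python example that is not from the article or any TPRM product; the inventory format, vendor names, fourth-party names and dates are constructed assumptions:

```python
from datetime import date

# Constructed vendor inventory (assumed format). For each vendor: which of the
# three criticality criteria from the article it meets, which elevated risk
# domains are flagged, the fourth-party infrastructure it depends on, and the
# expiry date of the latest due-diligence evidence reviewed (e.g. a SOC 2 report).
VENDORS = {
    "CoreProcessor": {"criteria": {"failure_risk", "customer_impact", "financial_impact"},
                      "risks": set(), "depends_on": {"CloudProviderA"},
                      "evidence_expires": date(2025, 3, 31)},
    "DigitalBanking": {"criteria": {"customer_impact"}, "risks": {"cybersecurity"},
                       "depends_on": {"CloudProviderA"}, "evidence_expires": date(2026, 1, 15)},
    "BillPay": {"criteria": set(), "risks": set(), "depends_on": {"CloudProviderA"},
                "evidence_expires": date(2025, 11, 30)},
    "PrintMailer": {"criteria": set(), "risks": set(), "depends_on": {"LocalDC"},
                    "evidence_expires": date(2026, 6, 1)},
    "AnalyticsVendor": {"criteria": set(), "risks": {"geopolitical"},
                        "depends_on": {"CloudProviderB"}, "evidence_expires": date(2025, 9, 1)},
}

def criticality(vendor):
    """Critical if any criticality criterion is met, high if a risk domain is flagged."""
    if vendor["criteria"]:
        return "critical"
    if vendor["risks"]:
        return "high"
    return "standard"

def concentration_points(vendors, min_shared=2):
    """Fourth parties shared by min_shared or more vendors: single points of failure."""
    shared = {}
    for name, vendor in vendors.items():
        for dep in vendor["depends_on"]:
            shared.setdefault(dep, set()).add(name)
    return {dep: names for dep, names in shared.items() if len(names) >= min_shared}

def expired_evidence(vendors, today):
    """Vendors whose last reviewed evidence has lapsed and needs reassessment."""
    return sorted(n for n, v in vendors.items() if v["evidence_expires"] < today)

def resilience_review(vendors, today):
    tiers = {name: criticality(vendor) for name, vendor in vendors.items()}
    points = concentration_points(vendors)
    # A shared dependency is a concentration risk for every vendor on it, which
    # raises an otherwise standard vendor to the high-risk tier.
    for names in points.values():
        for name in names:
            if tiers[name] == "standard":
                tiers[name] = "high"
    return {"tiers": tiers, "concentration": points,
            "expired": expired_evidence(vendors, today)}
```

Running `resilience_review(VENDORS, date(2025, 10, 1))` surfaces the article's cloud-provider scenario (three vendors on CloudProviderA) and lists the vendors whose SOC evidence must be re-requested.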
By ensuring third-party vendors are operationally resilient, your organization is protected from disruptive incidents. Use third-party risk management activities like due diligence and ongoing monitoring to remain prepared.