Module · Built · Procure-to-pay lifecycle

Third party risk. End-to-end. Built in.

Comprehensive third party risk maturity across 20 specialist domains, practitioner-authored - covering the full procure-to-pay lifecycle from strategy and sourcing through due diligence, onboarding, monitoring and exit. Aligned to APRA Prudential Standard CPS 230 (Australia), ISO/IEC 27036 (Information security for supplier relationships), EU Digital Operational Resilience Act (DORA) and NZISM (New Zealand). Built from twenty years of practitioner experience across financial services, telecommunications, ports and government.

Third Party Risk · Built
20 specialist domains · 11 lifecycle stages · 0–4 maturity scale
Standards aligned: CPS 230 · ISO 27036 · DORA · NZISM · OCC (AU · EU · NZ · US)
01 What it covers

Twenty domains. Eleven lifecycle stages.

The 20 domains are organised across the full procure-to-pay lifecycle - from strategy and policy at the front, through due diligence and contracting, into operational monitoring, ending at exit and transition. Each domain is practitioner-authored, mapped to APRA CPS 230, and weighted into the cross-domain cascade.
01.1
Strategy & Governance
Board-approved TPRM strategy, executive accountability, three-lines model, board reporting cadence.
01.2
Policy & Framework
TPRM policy framework, taxonomy, tiering methodology, framework review and refresh.
01.3
Planning & Needs Assessment
Demand planning, build-vs-buy analysis, criticality assessment, risk-based scope.
01.4
Sourcing & Selection
RFx process, vendor shortlisting, selection criteria, conflicts of interest discipline.
01.5
Due Diligence & Risk Assessment
Initial DD methodology, tiered risk assessment, remediation tracking, evidence quality.
01.6
Contracting & Legal
Contract templates, security/privacy clauses, audit rights, liability and termination.
01.7
Onboarding & Integration
Onboarding workflow, system access provisioning, communication of obligations.
01.8
Information Security & Cyber Risk
Vendor cyber posture assessment, MFA/encryption requirements, breach notification.
01.9
Data Privacy Risk
Personal data handling, cross-border transfers, sub-processor controls, data minimisation.
01.10
Technology Risk
Vendor technology risk, integration risk, change management, end-of-life planning.
01.11
Operational Risk
Service performance, SLA monitoring, escalation, day-to-day operational health.
01.12
Business Continuity & Resilience
Vendor BCP/DR, recovery objectives alignment, joint exercise discipline.
01.13
Financial & Commercial Risk
Vendor financial health monitoring, concentration risk, commercial leverage.
01.14
Regulatory Compliance Risk
Vendor regulatory obligations, sanctions screening, jurisdictional licensing.
01.15
Financial Crime & Fraud
AML/CTF screening, fraud risk assessment, sanctions, politically exposed persons.
01.16
Anti-Bribery & Corruption
ABC due diligence, gifts and hospitality, third-party intermediaries, training discipline.
01.17
ESG & Reputational Risk
Modern slavery, environmental impact, social licence, reputational exposure.
01.18
Concentration & Fourth-Party
Concentration limits, fourth-party visibility, sub-contractor controls, single-points-of-failure.
01.19
Geopolitical & Physical
Geopolitical risk, physical security, HR risk, country-specific exposures.
01.20
Ongoing Monitoring, Exit & Transition
Continuous monitoring cadence, exit triggers, transition planning, knowledge transfer.
02 How it scores

Five levels. One unified scale.

Every TPRM domain is scored on the 0–4 maturity scale - the same scale every other MaturityOne module uses. So third party maturity reconciles with Cyber, Privacy, Resilience and Compliance without translation; the cross-module cascade is automatic.
0 · Not Established · No capability
1 · Ad Hoc · Reactive, undocumented
2 · Defined · Documented, inconsistent
3 · Managed · Measured, consistent
4 · Optimised · Continuous improvement
How a score is calculated. Each question carries a 1–5 input scale that maps deterministically to the 0–4 output. Domain scores aggregate the practitioner-weighted question scores; module score aggregates domain scores. Reviewer adjustment is captured at every level - the cascade engine uses the reviewer-signed score, never the assessor draft.
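The aggregation chain above (1–5 answer to 0–4 score, weighted question scores into a domain score, domain scores into a module score, with a reviewer sign-off at every level that the cascade reads in place of the assessor draft) is easy to get subtly wrong, so here is a worked model of it. This is an added illustration, not MaturityOne's code: the page says the answer mapping is deterministic but not what shape it has, so a plain shift (answer minus one) is assumed; weighted means are assumed for both aggregation steps; the question IDs, weights and answers are constructed sample data. The one behaviour the example enforces that the page calls out is that an unsigned score cannot reach the cascade at all: asking for a module score before every question and domain has been signed raises rather than silently falling back to the draft.

```python
from dataclasses import dataclass, field
from math import ceil, floor
from typing import Optional, Sequence

# Labels of the page's 0-4 maturity scale.
LEVELS = {0: "Not Established", 1: "Ad Hoc", 2: "Defined", 3: "Managed", 4: "Optimised"}


def map_answer(answer: int) -> int:
    """Deterministic 1-5 input -> 0-4 output.
    Assumption: a plain shift (answer - 1); the page only says the mapping is deterministic."""
    if answer not in range(1, 6):
        raise ValueError(f"answer must be 1..5, got {answer!r}")
    return answer - 1


class Unsigned(Exception):
    """Raised when the cascade is asked for a score nobody has signed off."""


@dataclass
class Question:
    qid: str                               # constructed identifier, not a real question bank
    weight: float                          # practitioner weight (assumed values below)
    assessor_answer: int                   # 1-5 as captured by the assessor
    reviewer_signed: Optional[int] = None  # 0-4 once the reviewer signs

    def draft(self) -> int:
        return map_answer(self.assessor_answer)

    def sign(self, adjusted: Optional[int] = None) -> None:
        """Reviewer either accepts the draft or records an adjusted 0-4 value."""
        value = self.draft() if adjusted is None else adjusted
        if value not in LEVELS:
            raise ValueError(f"{self.qid}: signed value must be 0..4")
        self.reviewer_signed = value

    def signed(self) -> int:
        if self.reviewer_signed is None:
            raise Unsigned(f"{self.qid} has no reviewer-signed score")
        return self.reviewer_signed


def weighted_mean(pairs: Sequence[tuple[float, float]]) -> float:
    total = sum(w for w, _ in pairs)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(w * s for w, s in pairs) / total


@dataclass
class Domain:
    name: str
    weight: float
    questions: list[Question] = field(default_factory=list)
    reviewer_signed: Optional[float] = None

    def draft(self) -> float:
        # The domain draft aggregates *signed* question scores, never raw answers.
        return weighted_mean([(q.weight, q.signed()) for q in self.questions])

    def sign(self, adjusted: Optional[float] = None) -> None:
        value = self.draft() if adjusted is None else adjusted
        if not 0 <= value <= 4:
            raise ValueError(f"{self.name}: signed value must lie within 0..4")
        self.reviewer_signed = value

    def signed(self) -> float:
        if self.reviewer_signed is None:
            raise Unsigned(f"{self.name} has no reviewer-signed score")
        return self.reviewer_signed


def module_score(domains: Sequence[Domain]) -> float:
    """Module score consumed by the cascade: weighted mean of reviewer-signed domain scores."""
    return weighted_mean([(d.weight, d.signed()) for d in domains])


def band(score: float) -> str:
    """Render 2.5 as 'Defined → Managed' and 3.0 as 'Managed'."""
    lo, hi = floor(score), ceil(score)
    return LEVELS[lo] if lo == hi else f"{LEVELS[lo]} → {LEVELS[hi]}"


def sample_assessment() -> list[Domain]:
    """Constructed sample: two of the twenty domains, invented questions and weights."""
    cyber = Domain("Information Security & Cyber Risk", weight=1.0, questions=[
        Question("IS-1 MFA enforced for vendor access", 2.0, assessor_answer=4),
        Question("IS-2 Breach notification clause in contract", 1.0, assessor_answer=2),
        Question("IS-3 Evidence of encryption at rest", 1.0, assessor_answer=3),
    ])
    conc = Domain("Concentration & Fourth-Party", weight=1.0, questions=[
        Question("CF-1 Fourth-party register maintained", 1.0, assessor_answer=5),
        Question("CF-2 Concentration limits set", 1.0, assessor_answer=4),
    ])
    # Reviewer accepts IS-1 and IS-2 but downgrades IS-3: the evidence did not support the claim.
    cyber.questions[0].sign()
    cyber.questions[1].sign()
    cyber.questions[2].sign(adjusted=1)
    cyber.sign()                       # (2*3 + 1*1 + 1*1) / 4 = 2.0
    for q in conc.questions:
        q.sign()
    conc.sign(adjusted=3.0)            # draft is 3.5; reviewer signs 3.0
    return [cyber, conc]


if __name__ == "__main__":
    domains = sample_assessment()
    score = module_score(domains)
    print(f"{score:.1f} / 4  {band(score)}")   # 2.5 / 4  Defined → Managed
```

The point of keeping `draft()` and `signed()` as separate methods is that the draft stays visible for the vendor-manager view (gap analysis, reviewer comments) while the cascade only ever calls `signed()`; a reviewer who forgets to sign a domain produces a loud failure, not a quietly stale executive number.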
03 Regulatory add-ons

Score once. Map to many.

Every regulatory add-on is a clause-level mapping from the maturity score to a specific third-party risk regulation. Run the assessment once; produce conformity evidence against multiple regulators. APRA Prudential Standard CPS 230 is the live anchor; ISO/IEC 27036, EU DORA and OCC guidance come next, with further regional frameworks on the roadmap - New Zealand, Hong Kong, the EU banking sector and Saudi Arabia.
APRA Prudential Standard CPS 230 · Australian Prudential Regulation Authority · Australia
Live · In force
Full mapping to CPS 230 service-provider obligations. The Australian prudential standard for operational risk. Maps the third party risk module to CPS 230 sections covering material service provider identification, due diligence, contractual requirements, monitoring, and termination/exit planning. Applies to APRA-regulated entities from 1 July 2025.
Material providers · Exit planning
ISO/IEC 27036 · Information security for supplier relationships · International
Coming next
The international standard for supplier security relationships. Covers acquirer and supplier roles across the lifecycle: ISO/IEC 27036-1 (overview), 27036-2 (requirements), 27036-3 (information and communication technology supply chain), 27036-4 (cloud). Particularly relevant for organisations pursuing ISO/IEC 27001 certification with significant outsourced operations.
4-part standard
EU Digital Operational Resilience Act · Regulation (EU) 2022/2554 · DORA · European Union
Coming next
The European Union Digital Operational Resilience Act ICT third-party requirements. Covers contractual provisions, the register of information, sub-contractor controls, and oversight of critical ICT third-party providers. Applies to EU financial entities since 17 January 2025. Maps to Articles 28–44 (Chapter V, managing of ICT third-party risk).
EU financial entities
NZISM Supplier Management · New Zealand Information Security Manual · NZ
Roadmap · 2026
New Zealand's government information security manual, including its supplier-management controls. The NZISM provides specific controls for supplier management, supply chain security, and outsourced service provider oversight. Required for New Zealand government agencies and increasingly adopted by the private sector for consistent supply chain risk practice.
NZISM · New Zealand
HKMA Outsourcing Guideline · Hong Kong Monetary Authority · SA-2 · Hong Kong
Roadmap · 2026
Hong Kong's third-party risk framework for authorised institutions. The Hong Kong Monetary Authority's Supervisory Policy Manual SA-2 (Outsourcing) covers risk assessment of outsourcing arrangements, contractual provisions, ongoing monitoring of service providers, and contingency planning. Required for authorised institutions operating in Hong Kong.
Hong Kong
European Banking Authority Outsourcing Guidelines · EBA/GL/2019/02 · European Union
Roadmap · 2026
European Banking Authority Guidelines on outsourcing arrangements (EBA/GL/2019/02). Applicable to credit institutions, investment firms and payment institutions, and particularly relevant for organisations operating across the European Union banking sector. Mapping in development.
EU banking
SAMA Outsourcing Framework · Saudi Central Bank · Saudi Arabia
Roadmap · 2026
The Saudi Central Bank (formerly Saudi Arabian Monetary Authority) Outsourcing Regulations for financial institutions. Particularly relevant for organisations operating across the Gulf Cooperation Council region. Covers outsourcing classification, due diligence, contractual safeguards, and Saudi-specific data localisation requirements.
GCC · Saudi Arabia
04 Cross-domain integration

Third-party risk is everyone's risk.

A vendor incident is rarely a third-party-only problem. It triggers cyber response, may breach resilience tolerances, may have privacy and compliance implications, and almost always changes residual risk. MaturityOne wires Third Party Risk into the specialist modules that share those exposures. When the cyber team needs to know which vendors touch sensitive workloads; when the resilience team needs to know which vendors support critical services; the answer is one click, not a separate spreadsheet.
- Appetite cascades in
From Enterprise Risk to TP requirements
When the board sets "low" appetite for third-party risk, this module's due-diligence requirements tighten automatically - additional security questionnaires, expanded financial due diligence, mandatory site visits for Tier-1 critical vendors. Cyber and AI Governance flag vendors whose workloads need re-tiering in this module.
- Findings cascade out
From TP findings to residual risk
Vendor findings - concentration risk, financial deterioration, security incidents, contract gaps - flow back into Enterprise Risk as residual risk signals. Critical vendor incidents flow into Resilience for tolerance recalculation. Regulated-vendor findings flow into Compliance.
- Triggers fire sideways
From vendor incidents to cross-module response
A material vendor incident automatically triggers: a Cyber assessment refresh (if a technology vendor), a Resilience tolerance review (if the vendor supports critical services), and a Compliance review (if a regulated vendor under CPS 230 or similar). The cross-discipline response fires together, not sequentially.
What this looks like in practice. A Tier-1 cloud vendor experiences a sustained outage. Within minutes: Cyber assessment refresh opens (vendor security posture review); Resilience tolerance review opens (recovery time objective recalculation for affected services); Compliance reporting evaluation opens (CPS 230 incident notification clock starts); Enterprise Risk residual update reflects the new third-party concentration risk. One vendor incident. Four modules respond in parallel.
Pulls from: Enterprise Risk (appetite) · Cyber Security (vendor exposure) · AI Governance (vendor model) · Projects (new vendor onboarding)
Feeds: Enterprise Risk (residual risk) · Resilience (critical service) · Compliance (regulated vendor) · Cyber Security (vendor incident)
05 Sample output

Two views. One source of truth.

The vendor manager sees granular detail across all 20 domains. The executive sees a single score, the cascade impact, and a board-ready narrative. Both views derive from the same signed-off data - there's no "executive summary" that diverges from the underlying numbers.
Vendor manager view · Capture · evidence

Per-domain breakdown with weighted markers.

2.5 / 4 · Defined → Managed
Strategy & Governance
Due Diligence & Risk Assessment
Contracting & Legal
Information Security & Cyber Risk
Concentration & Fourth-Party
Ongoing Monitoring & Exit

Vendor manager sees per-question scores, evidence references, reviewer comments, and the gap-to-target for every domain. Drillable to source.

Executive view · Read-only · board

Single score with cascade impact.

2.5 / 4 · Defined → Managed
→ Cyber impact
→ Privacy impact
→ Resilience impact
CPS 230 conformity
Material providers · 12 reviewed

Executive sees a single number, downstream cascade, regulatory conformity, and a plain-English board narrative - generated automatically from the signed-off assessor data.

06 See it work

Thirty minutes. A practitioner.

A walkthrough of the Third Party Risk module isn't a product demo. It's a practitioner with twenty years of experience across financial services, telecommunications, ports and government showing you how the 20 domains score, how APRA Prudential Standard CPS 230 (Australia) and ISO/IEC 27036 map clause-by-clause, how vendor risk cascades into cyber, privacy and resilience, and the honest picture of what it can and can't do. If we're not the right fit, we'll tell you.