Twenty domains. Eleven lifecycle stages.
The 20 domains are organised across the full procure-to-pay lifecycle: from strategy and policy at the front, through due diligence and contracting, into operational monitoring, and ending at exit and transition. Each domain is practitioner-authored, mapped to APRA CPS 230, and weighted into the cross-domain cascade.
01.1 Strategy & Governance: Board-approved TPRM strategy, executive accountability, three-lines model, board reporting cadence.
01.2 Policy & Framework: TPRM policy framework, taxonomy, tiering methodology, framework review and refresh.
01.3 Planning & Needs Assessment: Demand planning, build-vs-buy analysis, criticality assessment, risk-based scope.
01.4 Sourcing & Selection: RFx process, vendor shortlisting, selection criteria, conflicts of interest discipline.
01.5 Due Diligence & Risk Assessment: Initial DD methodology, tiered risk assessment, remediation tracking, evidence quality.
01.6 Contracting & Legal: Contract templates, security/privacy clauses, audit rights, liability and termination.
01.7 Onboarding & Integration: Onboarding workflow, system access provisioning, communication of obligations.
01.8 Information Security & Cyber Risk: Vendor cyber posture assessment, MFA/encryption requirements, breach notification.
01.9 Data Privacy Risk: Personal data handling, cross-border transfers, sub-processor controls, data minimisation.
01.10 Technology Risk: Vendor technology risk, integration risk, change management, end-of-life planning.
01.11 Operational Risk: Service performance, SLA monitoring, escalation, day-to-day operational health.
01.12 Business Continuity & Resilience: Vendor BCP/DR, recovery objectives alignment, joint exercise discipline.
01.13 Financial & Commercial Risk: Vendor financial health monitoring, concentration risk, commercial leverage.
01.14 Regulatory Compliance Risk: Vendor regulatory obligations, sanctions screening, jurisdictional licensing.
01.15 Financial Crime & Fraud: AML/CTF screening, fraud risk assessment, sanctions, politically exposed persons.
01.16 Anti-Bribery & Corruption: ABC due diligence, gifts and hospitality, third-party intermediaries, training discipline.
01.17 ESG & Reputational Risk: Modern slavery, environmental impact, social licence, reputational exposure.
01.18 Concentration & Fourth-Party: Concentration limits, fourth-party visibility, sub-contractor controls, single points of failure.
01.19 Geopolitical & Physical: Geopolitical risk, physical security, HR risk, country-specific exposures.
01.20 Ongoing Monitoring, Exit & Transition: Continuous monitoring cadence, exit triggers, transition planning, knowledge transfer.