ICT third-party management
TPRM: mastering third-party risk beyond compliance
TPRM as a risk process — not a procurement process: 8-step lifecycle, useful vs cosmetic deliverables, governance and blind spots.

TPRM is a risk-management process, not a procurement process.
Outsourcing transfers execution, not accountability. The entity remains responsible for impacts even when a third party operates the service.

Why TPRM?
Operational, cyber, regulatory, concentration and systemic risks. DORA does not invent them — it requires them to be visible, traceable and governable.
Eight-step lifecycle
- Define the outsourced need (risk perimeter)
- Initial risk qualification (sets the bar for the whole cycle)
- Pre-select providers (concentration risk early)
- Pre-contractual assessment (maturity, cooperation, evidence quality)
- Risk decision (accept / conditional / refuse)
- Contracting (opposable obligations — see Article 30)
- Ongoing monitoring (incidents, changes, M&A)
- Exit / reversibility (see exit plan)
Key messages
TPRM starts before the contract and ends after exit · rank-2 often concentrates more risk than rank-1 · provider maturity does not cancel concentration risk · untracked risk acceptance becomes debt · unprepared reversibility is latent risk.
Useful vs cosmetic deliverables
Useful: reasoned risk assessment · maintainable evidence file · testable clauses · R1/R2 dependency map · tracked remediation.
Cosmetic: questionnaires without analysis · uncontextualised certificates · generic clauses · registers without criticality.
Governance
Escalate residual risk: critical third parties, high residual risks, concentration situations, major provider incidents — not operational noise.
Axenia’s role. Axenia consolidates questionnaires, evidence, clauses, criticality and dependencies into one third-party risk view — from pre-contract to exit.
