Third-Party Risk Management Policy: Components, Template & Examples (2026)

How to write a TPRM policy: 8 steps from baseline to board approval

Writing a TPRM policy starts with a baseline assessment of your current vendor landscape, then proceeds through 8 structured steps to board approval. A first-version policy typically takes 30-90 days to draft and approve. The policy must reference your risk framework, information security policy, and business continuity plan to avoid governance gaps.

Step 1: Baseline assessment (1-2 weeks)

Map all active vendor relationships. Categorise them by service type, data access level, and regulatory exposure. Review existing due diligence records and contract terms. Compare current practices against OCC 2023-17 or the relevant standard for your sector. The gap assessment tells you where to focus first.

Step 2: Secure board sponsorship

A TPRM policy without visible board endorsement rarely gets implemented. Frame the conversation around regulatory risk: “OCC examiners will request this document” is more effective than “best practice suggests we should have it.”

Step 3: Define risk appetite and classification criteria (1 week)

Involve the CRO, legal, and the CISO. Agree on the four tiers and the specific criteria that place a vendor in each. Document the thresholds. Ambiguity here creates inconsistency in application and audit findings later.

Step 4: Draft the 9 policy sections (2-3 weeks)

Work through the components in order. Each section should be drafted by the function closest to it: legal for contracts, IT for cybersecurity monitoring, risk for classification. Use the Neotas TPRM Policy Template as the starting structure.

Step 5: Cross-functional review (1-2 weeks)

Circulate the draft to legal, compliance, IT security, procurement, and internal audit. Each function signs off on their sections. Document the comments and changes. The review record is part of your governance evidence.

Step 6: Regulatory alignment check (3-5 days)

Map each policy section to the applicable regulatory requirements for your sector. For US banks: OCC 2023-17 and FFIEC. For EU financial entities: DORA Articles 28-30. For UK firms: FCA SYSC 8. For healthcare: HIPAA BAA requirements. Document the mapping as a policy annex.

Step 7: Board approval (1 board cycle)

Present the policy to the Board or Risk Committee. Cover what the policy requires, how it aligns with regulatory obligations, the implementation plan, and resource requirements. Board approval must be recorded in board minutes.

Step 8: Launch, train, and integrate (2-4 weeks)

Roll out to procurement, compliance, IT, and legal in a phased sequence. Train each team on their specific responsibilities. Integrate into procurement workflows, contract management systems, and GRC platforms. Set the first annual review date in the calendar before the launch meeting ends.

TPRM policy template: structure, example clauses, and free download

A template gives you a proven structure to adapt rather than building from scratch. Here is the standard document structure used in regulator-ready programmes.

Standard TPRM policy document structure

1. Cover page: organisation name, policy title, version number, approval date, next review date
2. Version control table: date, version, author, changes made, approver
3. Definitions: third party, fourth party, material vendor, critical vendor, due diligence, EDD
4. Policy statement and objectives
5. Scope: entity types covered, geographic applicability, business units
6. Governance structure: roles, responsibilities, RACI matrix
7. Risk appetite statement and vendor classification criteria
8. Due diligence standards by vendor tier
9. Contractual requirements and mandatory clause list
10. Monitoring schedule and escalation thresholds
11. Exceptions management process and register reference
12. Review schedule and update process
13. Annexes: ESG, cybersecurity, AML, anti-bribery, sector-specific modules

TPRM policy example clauses

These clause types can be adapted for your policy. Legal review is required before adopting any contract language in a live agreement.

Right-to-audit clause:

“The Organisation reserves the right to conduct or commission an audit of the Vendor’s operations, security controls, data-handling practices, and compliance with this Agreement at any time, with 30 calendar days’ written notice. The Vendor must cooperate fully and provide access to relevant systems, personnel, and documentation. Costs of the audit are borne by the Organisation unless material non-compliance is found, in which case the Vendor bears the cost.”

Incident notification clause:

“The Vendor must notify the Organisation within 24 hours of becoming aware of any actual or suspected security incident, data breach, or operational failure that may affect the Organisation’s data, systems, or service continuity. Written confirmation with available details must follow within 72 hours. The Vendor must cooperate with any investigation and implement remediation measures without delay.”

Sub-outsourcing clause:

“The Vendor may not subcontract material services to a third party without prior written consent from the Organisation. The Vendor remains fully responsible for the acts and omissions of any approved subcontractor. The Vendor must ensure all material subcontractors are subject to equivalent obligations, including audit rights, data protection, and incident notification requirements.”