Third-Party and Outsourcing Risk Management for Financial Institutions
Date: 10th & 11th August 2026
Venue: Kuala Lumpur
Classroom Training
WHY THIS COURSE?
Financial institutions today operate within increasingly complex ecosystems of third-party service providers, including cloud providers, fintech partners, and technology vendors. While these arrangements support innovation, scalability, and cost efficiency, they also introduce significant operational, cyber, concentration, and systemic risks.
Recent regulatory developments from Bank Negara Malaysia, Monetary Authority of Singapore, Financial Stability Board, Prudential Regulation Authority, and the Basel Committee on Banking Supervision highlight a clear shift in supervisory expectations. Institutions are no longer expected to simply manage outsourcing arrangements, but to actively understand, monitor, and control their critical dependencies and ensure resilience against third-party disruptions.
This advanced programme focuses on the most critical and emerging aspects of third-party risk management. Through practical examples, case studies, and interactive exercises, participants will explore:
- The evolution from outsourcing risk to ecosystem and dependency risk.
- Regulatory findings and common weaknesses observed across financial institutions.
- Identification of critical services and end-to-end dependency mapping.
- Management of concentration risk and fourth-party exposure.
- Operational resilience, scenario testing, and vendor failure response.
The programme emphasises practical implementation, equipping participants with the tools and insights required to strengthen governance, improve visibility, and enhance resilience across third-party ecosystems.
Key Learning Outcomes and Takeaways
By the end of this course, participants will be able to:
- Understand the evolving landscape of third-party and outsourcing risks in financial institutions.
- Interpret regulatory expectations across BNM, MAS and global supervisory frameworks.
- Identify critical services and map end-to-end dependencies including fourth parties.
- Apply structured approaches to vendor risk assessment, due diligence and monitoring.
- Evaluate concentration risk and develop mitigation strategies.
- Strengthen governance, oversight and accountability frameworks.
- Design and implement scenario testing and incident response for third-party failures.
AGENDA
Day One
- Trace the evolution of outsourcing and digital ecosystems
- Examine the key drivers of third-party dependency
- Identify emerging systemic and concentration risks
- Transition from vendor risk to ecosystem risk thinking
- Explore key risk categories in outsourcing
- Assess concentration and systemic risk exposures
- Uncover fourth-party and hidden dependencies
- Evaluate the business impact of vendor failure
- Map global regulatory convergence (heatmap view)
- Analyse key regulatory findings (top 10 failures)
- Interpret regulatory expectations across the lifecycle
- Understand the shift from outsourcing to operational resilience
- Identify critical and important business services
- Map end-to-end dependencies across the ecosystem
- Detect single points of failure
- Strengthen visibility and control over service delivery
Day Two
- Apply risk-based vendor classification approaches
- Assess service criticality and business impact
- Manage and monitor concentration risk
- Leverage tools for effective concentration analysis
- Conduct robust due diligence and onboarding
- Implement effective contractual safeguards
- Establish ongoing monitoring and oversight practices
- Reinforce governance structures and accountability
- Evaluate risks in cloud outsourcing environments
- Assess cyber and technology risk exposures
- Identify fourth-party and supply chain dependencies
- Apply targeted mitigation strategies
- Design and execute scenario testing and resilience planning
- Strengthen incident management and response capabilities
- Identify common pitfalls in TPRM frameworks
- Develop a practical roadmap for TPRM enhancement
Learning Methodologies
- Interactive lectures
- Facilitated discussion
- Case Studies
- Group Simulations
- Q&A and knowledge reinforcement
EXPERT COURSE DIRECTOR
Lan Yann Erl is an accomplished Governance, Risk & Compliance (GRC) practitioner with over 26 years of senior leadership experience across leading financial institutions. She brings deep expertise in operational risk management, regulatory compliance, internal audit, and risk-based assurance, with a strong track record of strengthening control environments, embedding compliance culture, and enhancing institutional resilience.
Lan is a trusted advisor to senior management and Boards, having worked extensively with Board Committees on governance oversight, regulatory expectations, and risk management effectiveness. Her experience includes designing and enhancing operational risk and compliance frameworks, leading thematic reviews and special investigations, managing regulatory engagements with Bank Negara Malaysia, and overseeing remediation of supervisory findings.
She is formally accredited as an HRD Corp Malaysia–Accredited Trainer and is highly regarded for designing and delivering impactful governance, regulatory compliance, and operational risk training programs for Board members, senior management, and business units. Her training approach is practitioner-led and experience-based, focused on translating regulatory and risk requirements into clear, practical, and business-relevant actions.
Lan has held senior roles including Head of Group Regulatory Advisory, Head of Compliance Governance, Head of Group Operations Control, and Head of Operational Risk Management. Across these roles, she led enterprise-wide risk framework implementation, control testing programs, breach investigation and reporting, business continuity and resilience initiatives, and first-line risk ownership models aligned to the Three Lines of Defense.
Her professional qualifications include Chartered Banker, certifications in compliance, AML/CFT, governance, and digital banking, and formal accreditation as an HRD Corp trainer.
She is a Fellow of the International Compliance Association (FICA) and a Professional Member of the Institute of Operational Risk (UK).
WHO WILL BENEFIT FROM THIS COURSE?
- Chief and senior risk officers
- Operational risk managers
- Vendor management and procurement professionals
- Technology risk and cybersecurity specialists
- Compliance and regulatory professionals
- Internal auditors
- Business continuity and operational resilience teams
- Regulators and supervisory professionals
REGISTRATION
FEE
Fee per participant: RM5,900/US$1,450
Please note that the Ringgit price is applicable to Malaysia-domiciled participants only. Discounts are available for group bookings. Please contact us for more details.

IN-HOUSE/GROUP TRAINING
If you are looking for an in-house training program or wish to send a group to an existing public program, please contact Andrew Tebbutt at [email protected] or +603 2162 7802.

