As insurers grow more reliant on third parties for technology, outsourcing, and service delivery, their risk landscape becomes more complex. Third-party failures can disrupt operations, damage reputations, and erode customer trust. Melanie Lavallin, who works with global insurers through the operational risk association ORX, says the industry is responding by embedding third-party risk oversight into core resilience strategies.
For many insurers, third-party risk functions now sit in the second line of defence, under operational or non-financial risk. “That central team sets the framework and methodology, allowing consistency across multiple entities and jurisdictions,” said Lavallin, head of insurance services at ORX. Close alignment with business continuity and resilience teams ensures that risks are not managed in isolation.
Critical suppliers often trigger enhanced monitoring, which can include reputational surveillance across media and digital channels. Reporting lines typically lead up to the CRO or COO, keeping third-party risks visible at the executive and board level.
Oversight of third-party risk has matured significantly in recent years. What was once managed in a fragmented way by various business teams is increasingly coordinated through centralised functions. “These centralised teams have grown in size and strategic importance. Boards are taking greater interest,” Lavallin said.
This move toward consistency enables faster decision-making when issues emerge – and reinforces the insurer’s ability to demonstrate robust governance under regulatory scrutiny.
A strong third-party risk framework starts long before a contract is signed. Insurers are increasingly integrating risk teams into procurement and onboarding processes, particularly when suppliers fall outside standard agreements. “If a supplier fails, resilience depends on how well the risks were considered at the outset,” Lavallin said.
Second-line teams provide monitoring and oversight during major incidents, offering insights that support real-time decision-making. While they may not lead the response, their data and perspective can strengthen continuity efforts.
Reputational damage linked to third parties is an escalating concern. The speed of misinformation, accelerated by social media and AI, means that a misstep by a supplier can quickly undermine customer confidence. Some insurers are using AI tools to scan contracts or flag supplier-related risks, but the underlying challenge is strategic: protecting brand trust in volatile conditions. “Insurers can’t afford long-term customer erosion if reputational damage isn’t addressed immediately,” Lavallin said.
Because reputational damage cannot be insured, monitoring and rapid response have become essential pillars of third-party risk defence.
Insurers today manage a wide range of third-party relationships, spanning everything from mainstream claims processing to niche or geopolitical risks. This diversity of exposure demands more sophisticated oversight. “The scale and diversity of what insurers manage is quite incredible,” Lavallin said.
As insurance operations become more interdependent, third-party risk management is no longer a compliance checkbox. It’s a strategic function central to resilience, trust, and long-term sustainability.