The Most Overlooked Risks in Third-Party Relationships — Third Party Risk Reality Check

In this episode of The Third Party Risk Institute Podcast, we sit down with Kenia Sposito, Head of Operational Risk at BNP Paribas Canada, for a deep dive into how one of the world’s largest and most complex banks approaches third-party and fourth-party risk. With more than 12 years at BNP Paribas and experience spanning JP Morgan, Crédit Agricole, and global markets operations, Kenia offers a grounded, inside view of what it truly takes to oversee operational risk across multiple jurisdictions, regulatory regimes, and shared-services operating models.


Kenia shares how BNP Paribas Canada serves as a major service hub for the Americas, why third-party risk is fundamentally a “team sport,” and how global institutions harmonize risk expectations from Canada’s OSFI B-10 to Europe’s DORA to U.S. supervisory requirements. She also breaks down the realities of managing affiliate risk, understanding data flows, responding to incidents, and keeping the business aligned with operational risk expectations without slowing down delivery.


What we cover in this episode:
• Why operational risk, third-party risk, privacy, cybersecurity, compliance, and legal must work as a unified ecosystem
• How BNP Paribas evaluates affiliate-delivered services and why internal shared services still count as third parties under regulation
• The difference between spend, risk, and operational dependency why most organizations mix them up
• Why data flow risk is one of the most misunderstood areas in vendor oversight
• How global banks reconcile prescriptive frameworks like EU DORA with principles-based guidance such as OSFI B-10
• What meaningful fourth-party oversight actually looks like in practice
• Why culture, transparency, and responsiveness matter just as much as controls in a third-party relationship
• How operational risk leaders balance independence, efficiency, and business partnership


You’ll walk away with practical guidance on:
• Segmenting third parties using operational dependency instead of generic “criticality” labels
• Assessing affiliate risk and building a consistent view of controls across internal and external service providers
• Applying smarter due diligence by focusing on the pillars that actually matter: data use, access, security, and resilience
• Creating repeatable governance for tracking fourth parties and identifying when they pose material risk
• Designing escalation paths and decision frameworks that help business leaders make truly risk-informed decisions
• Strengthening resilience by learning from incidents and adapting processes rather than “checking boxes”
• Using negative news monitoring, financial health checks, and cyber posture metrics for high-risk fourth parties


This episode is perfect for:
• CROs, Operational Risk Leaders, and Senior Risk Managers in global financial services
• Third-Party Risk, Vendor Management, and Procurement professionals
• Compliance, Data Privacy, Cybersecurity, and Governance teams
• Anyone responsible for building resilient, multi-jurisdictional risk frameworks
• Practitioners navigating DORA, OSFI B-10, U.S. Interagency Guidance, or other regulatory expectations


🎧 Enjoying the podcast?
Explore more resources, expert insights, and certification programs at www.thirdpartyriskinstitute.com (https://thirdpartyriskinstitute.com)


📱 Follow us on LinkedIn for real-world conversations and industry trends: Third Party Risk Institute Ltd. (  / third-party-risk-institute-ltd  )


📬 Have a question or topic you'd like us to cover?
Email us at: [email protected]