Third-Party Risk Isn't Just a Procurement Issue Anymore

Posted by Mel Treacy | Mar 03, 2026 | 0 Comments

For a long time, third‑party risk sat comfortably with procurement.
Contracts were signed, vendors onboarded, and risks were largely considered “managed” once the paperwork was done.

That world no longer exists.

With increasing regulatory scrutiny, complex supply chains and the introduction of standards like APRA's CPS 230, third‑party risk has moved firmly into the spotlight as a legal, governance and operational resilience issue – not just a commercial one.

And organisations that are still treating it as a procurement tick‑box are starting to feel the pressure.


The Shift: From Outsourcing to Accountability

Modern organisations rely heavily on third parties to deliver critical services. Technology providers, cloud platforms, call centres, consultants, property managers, payroll providers – the list goes on.

What has changed is the expectation of accountability.

Regulators are no longer interested in who you outsourced a function to. They are interested in:

  • whether the service is critical to your operations
  • what happens if that provider fails
  • whether your contracts and governance arrangements genuinely protect customers and the business

Under CPS 230, this expectation is explicit. Responsibility for operational resilience cannot be outsourced, even if the service itself is.

That has major implications for how third‑party relationships are structured, documented and monitored.


Why Legal Teams Are Now on the Front Line

Third‑party risk sits at the intersection of:

  • contracts
  • governance
  • operational risk
  • business continuity
  • regulatory compliance

Which means legal teams are now firmly in the frame.

In practice, we're seeing common issues emerge:

  • Contracts that pre‑date CPS 230 and CPS 234 and don't reflect current regulatory expectations
  • Inconsistent terms across suppliers providing similar critical services
  • Weak audit, assurance or information‑sharing rights
  • Limited ability to enforce resilience, testing or notification obligations
  • Heavy reliance on standard vendor terms that shift risk back to the customer

These aren't just technical gaps. They create real regulatory and operational exposure, particularly where a service provider supports a critical operation.


The Fourth‑Party Blind Spot

One of the biggest challenges organisations are grappling with is fourth‑party risk – the suppliers that sit behind your supplier.

Many material service providers rely on common platforms or subcontractors. That creates concentration risk, even where you believe you've diversified.

From a legal and governance perspective, the questions are becoming sharper:

  • Do you know who your provider relies on to deliver the service?
  • Do your contracts allow visibility into those arrangements?
  • Can you require notification or approval for material subcontracting changes?
  • Are resilience obligations flowing down the supply chain, or stopping at the first layer?

If the answer to those questions is unclear, you're not alone – but it's exactly where regulators are heading.


Why “Set and Forget” Contracts No Longer Work

Historically, contracts were often treated as static documents. They were negotiated, signed, and filed away until renewal.

That approach is no longer fit for purpose.

Under CPS 230 and broader governance expectations, contracts are now:

  • a primary control mechanism for managing operational risk
  • evidence of how an organisation oversees material service providers
  • a key input into board and regulator discussions

This means contracts need to:

  • clearly allocate responsibilities
  • support resilience, testing and incident response
  • align with internal risk frameworks and tolerances
  • remain current as regulatory expectations evolve

Ongoing contract management has become just as important as the initial negotiation.


The Practical Challenge for Teams

For many teams, this shift creates a real tension.

They are being asked to:

  • uplift legacy contracts
  • support risk and compliance initiatives
  • respond to evolving regulatory expectations
  • keep the business moving

All while managing BAU legal work.

This is where third‑party risk often stalls – not because teams don't understand the importance, but because they don't have the capacity to tackle it systematically.


A More Integrated Approach

The organisations that are handling this well are taking a more integrated approach, where:

  • legal, risk and procurement functions work from a shared understanding of critical services
  • contract reviews are prioritised based on risk, not volume
  • third‑party obligations are aligned with internal policies and frameworks
  • contract management is treated as an ongoing governance activity

This doesn't require perfection. It does require clarity, prioritisation and consistency.


How MM Legal+ Supports Third‑Party Risk Management

At MM Legal+, we work alongside in‑house teams to help bridge the gap between regulatory expectations and day‑to‑day reality.

That includes:

  • reviewing and uplifting contracts with material service providers
  • aligning contractual obligations with CPS 230, CPS 234 and broader governance frameworks
  • supporting ongoing contract management and supplier due diligence
  • providing overflow legal support so in‑house teams can focus on value‑driven work

We act as an extension of your legal team – practical, embedded and focused on what actually works.


Final Thought

Third‑party risk is no longer someone else's problem.

It's a legal issue.
It's a governance issue.
And increasingly, it's a board‑level issue.

Organisations that recognise this early – and take a structured, pragmatic approach – will be far better placed to respond to regulatory scrutiny and operational disruption.

Those that don't may find that their weakest link isn't internal at all.

About the Author

Mel Treacy

Mel Treacy has over 20 years’ experience in financial services, including banking and superannuation, and has held senior executive roles including Chief Risk Officer and Acting CEO. She is currently the Chief Legal & Risk Officer of Mutual Marketplace Group and Legal Practitioner Director of MM Legal+. Mel is known for her practical, commercial approach to legal, risk and governance matters, supporting organisations to manage regulatory obligations and legal risk in a way that works for the business.
