Third-party risk management literature was largely written for financial services. Regulated utilities live in an adjacent but distinct regulatory environment — and a TPRM programme designed against financial-services patterns will not satisfy regulated-utility supervisors or protect against the operational failure modes that utilities actually face.
Why utilities TPRM is harder
Three structural realities make regulated-utility TPRM substantively harder than its financial-services counterpart. First, the supplier dependencies are operationally consequential in a way most financial-services third-party arrangements are not — a critical equipment vendor failing affects grid availability or fuel supply, not just service quality. Second, the regulatory framework spans multiple regulators (public-utility commissions, environmental regulators, safety regulators, cybersecurity authorities) each with their own expectations of third-party oversight. Third, utility supply chains are often long, multi-tier, and capital-intensive, with switching costs that effectively lock in suppliers across investment cycles measured in decades.
The Caribbean Utilities Company engagement — TSX-listed regulated utility, Fortis Inc. subsidiary — brought TPRM into focus as one of the five concurrent advisory workstreams precisely because the utility context surfaces requirements that generic TPRM frameworks do not. The maturity ladder described below is derived from that work and from broader practice across regulated infrastructure.
Level 1: Contractual attestation
At Level 1, the TPRM programme consists of contractual provisions requiring suppliers to attest to compliance with named standards (security, safety, business continuity, environmental). The utility relies on supplier self-attestation, typically captured in a one-time questionnaire at onboarding and refreshed at contract renewal. There is no operational verification beyond the attestation; there is no continuous monitoring; the entire framework rests on the assumption that suppliers will honestly self-report and that material problems will surface through contractual remedies after the fact.
Most regulated-utility TPRM programmes start here. Level 1 is functional for low-criticality suppliers — office services, professional services, generic IT vendors. It is dangerously inadequate for critical infrastructure suppliers, control-system vendors, fuel suppliers, or any third party whose disruption produces immediate operational consequence. Regulators increasingly view sustained reliance on Level 1 for critical suppliers as a deficiency.
Level 2: Tiered assessment
At Level 2, the programme tiers suppliers by criticality and applies differentiated assessment depth by tier. Critical suppliers receive substantive assessment — still questionnaire-based, but with assessor follow-up on key responses, review of the documents behind claimed controls, and assessment-of-assessment by a qualified TPRM analyst. Non-critical suppliers receive lightweight assessment.
The tiering framework itself becomes the substantive question at Level 2. Tier definitions need to reflect actual operational impact, not just contractual size. A small specialist supplier whose services are uniquely critical may sit in a higher tier than a large supplier whose contract value is meaningful but whose contribution to operational continuity is fungible. Tiering done by contract value alone tends to produce wrong-priority assessment programmes. Tiering done by operational criticality requires substantive engagement with the operational and engineering functions to calibrate.
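To make the tiering point concrete, the following is an added example (not code from the page or from the CUC engagement) that contrasts tiering by contract value with tiering by operational criticality over a constructed supplier base. The supplier attributes, thresholds (90-day substitution window, sole-source flag) and supplier names are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    """Constructed supplier record; attribute names are assumptions for this example."""
    name: str
    annual_contract_value: float   # spend per year, currency units
    impact: str                    # consequence of disruption: "availability", "safety", "service_quality", "none"
    substitution_days: int         # assumed time to stand up an alternative supplier
    sole_source: bool              # True if no alternative supplier exists


# Constructed sample supplier base (illustrative only, not a real utility's suppliers).
SUPPLIERS = [
    Supplier("Facilities services contractor", 5_000_000, "service_quality", 14, False),
    Supplier("Generic IT hardware reseller", 2_500_000, "none", 7, False),
    Supplier("SCADA/EMS software vendor", 400_000, "availability", 365, True),
    Supplier("Turbine spare-parts specialist", 250_000, "availability", 180, True),
    Supplier("Bulk fuel supplier", 9_000_000, "availability", 60, False),
]


def tier_by_contract_value(suppliers, top_n=2):
    """Tier purely by spend: the top_n largest contracts are tier 1,
    the next top_n are tier 2, everything else is tier 3."""
    ranked = sorted(suppliers, key=lambda s: s.annual_contract_value, reverse=True)
    return {s.name: min(3, idx // top_n + 1) for idx, s in enumerate(ranked)}


def tier_by_criticality(supplier):
    """Tier by operational consequence of disruption and how hard the supplier is to replace.
    Tier 1: disruption hits availability or safety and the supplier cannot be replaced quickly.
    Tier 2: disruption hits availability/safety but is substitutable, or a hard-to-replace
            service-quality dependency.
    Tier 3: everything else (fungible, low-consequence)."""
    if supplier.impact in ("availability", "safety"):
        if supplier.sole_source or supplier.substitution_days > 90:
            return 1
        return 2
    if supplier.impact == "service_quality" and supplier.substitution_days > 90:
        return 2
    return 3


def compare_tiering(suppliers):
    """Return {name: (tier by contract value, tier by criticality)} for every supplier."""
    by_value = tier_by_contract_value(suppliers)
    return {s.name: (by_value[s.name], tier_by_criticality(s)) for s in suppliers}


def misprioritised(suppliers):
    """Suppliers whose spend-based tier would under-assess them (value tier number
    higher than criticality tier number, i.e. less scrutiny than their impact warrants)."""
    return sorted(
        name for name, (value_tier, crit_tier) in compare_tiering(suppliers).items()
        if value_tier > crit_tier
    )


if __name__ == "__main__":
    for name, (value_tier, crit_tier) in compare_tiering(SUPPLIERS).items():
        print(f"{name:35s} by spend: tier {value_tier}   by criticality: tier {crit_tier}")
    print("under-assessed by spend-based tiering:", misprioritised(SUPPLIERS))
```

Run as a script, the comparison shows the pattern the text describes: the facilities contractor, the largest-but-fungible relationship, lands in tier 1 by spend and tier 3 by criticality, while the sole-source control-system and spare-parts vendors sit in tiers 2 and 3 by spend but tier 1 by criticality. The criticality inputs (impact, substitution time, sole-source status) are exactly the facts that only the operational and engineering functions can supply, which is why calibrating the tiering needs their engagement.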
Most utilities operating an active TPRM programme reach Level 2 within the first two years. Many stay there. The next step is materially harder.
Level 3: Operational verification
At Level 3, supplier attestations are operationally verified rather than accepted on faith. For critical-tier suppliers, the TPRM programme conducts site visits, control walkthroughs, document inspection, or third-party assessor reports. Verification is risk-rated — not every claim is verified, but claims material to operational continuity, safety, or security are subjected to substantive testing.
The cost of Level 3 is meaningful. Site visits, document reviews, and assessor reports require skilled TPRM resources and supplier time. The return is also meaningful: discrepancies between attestation and operational reality consistently surface when verification is substantive. Suppliers who would have attested to controls that do not exist tend to either revise the attestation or improve the operational reality once verification begins. The pattern repeats: what gets measured gets improved.
Level 3 is also where regulatory expectations are increasingly anchored. Modern utility regulators ask not only whether the utility has a TPRM programme but whether the programme operationally verifies critical-supplier attestations. The answer to that question is materially different at Level 3 from Level 2.
Level 4: Continuous monitoring
At Level 4, critical suppliers are monitored on an ongoing basis rather than point-in-time assessed. Monitoring spans security posture (continuous external assessments, threat intelligence inputs), financial health indicators (where bankruptcy or distress is a continuity risk), operational indicators (where service-level data is available), and regulatory or enforcement actions affecting the supplier.
Continuous monitoring is technologically enabled for some indicators (cybersecurity posture monitoring is now a mature service category) and remains operationally laborious for others (financial-health monitoring, operational-indicator monitoring). The discipline is to define which indicators warrant continuous monitoring for each tier of critical supplier, build the operational cadence to consume that monitoring, and integrate it with the broader risk management framework so that signals translate into action.
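The discipline of deciding which indicators are monitored for which tier, and what action a signal triggers, can be written down as a small routing policy. The following is an added example (not code from the page or from any utility's programme) over constructed monitoring signals; the per-tier indicator sets, the thresholds and the action names are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed policy: which indicators warrant continuous monitoring at each criticality tier.
# Tier 1 suppliers get the full set; tier 2 only the cheap, automatable ones; tier 3 none.
MONITORED_INDICATORS = {
    1: {"security_posture", "financial_health", "service_level", "enforcement_action"},
    2: {"security_posture", "enforcement_action"},
    3: set(),
}

# Assumed thresholds and the action each breach should trigger. Each entry is
# (predicate over the normalised value, action to raise into the operational cadence).
ACTION_RULES = {
    "security_posture":   (lambda v: v < 60,   "schedule operational verification of security controls"),
    "financial_health":   (lambda v: v > 0.30, "review business-continuity plan for supplier failure"),
    "service_level":      (lambda v: v < 95.0, "open contract performance review"),
    "enforcement_action": (lambda v: v >= 1,   "refer to legal/regulatory review"),
}


@dataclass(frozen=True)
class Signal:
    """One monitoring observation. value is already normalised by the feed:
    posture score 0-100, distress probability 0-1, SLA attainment %, count of actions."""
    supplier: str
    tier: int
    indicator: str
    value: float


def route_signal(signal):
    """Return the action a signal should trigger, or None if the indicator is not
    monitored at the supplier's tier or the value is within tolerance."""
    if signal.indicator not in MONITORED_INDICATORS.get(signal.tier, set()):
        return None
    breached, action = ACTION_RULES[signal.indicator]
    return action if breached(signal.value) else None


def route_all(signals):
    """Consume a batch of signals and return the (supplier, action) pairs that need owners."""
    actions = []
    for signal in signals:
        action = route_signal(signal)
        if action is not None:
            actions.append((signal.supplier, action))
    return actions


# Constructed signal batch, as a monitoring feed might deliver it in one cycle.
SAMPLE_SIGNALS = [
    Signal("SCADA/EMS software vendor", 1, "security_posture", 45),     # tier 1, breached
    Signal("SCADA/EMS software vendor", 1, "service_level", 99.2),      # tier 1, within tolerance
    Signal("Bulk fuel supplier", 2, "security_posture", 45),            # tier 2, breached
    Signal("Bulk fuel supplier", 2, "financial_health", 0.55),          # tier 2, not monitored there
    Signal("Generic IT hardware reseller", 3, "security_posture", 20),  # tier 3, not monitored
    Signal("Turbine spare-parts specialist", 1, "enforcement_action", 1),
]

if __name__ == "__main__":
    for supplier, action in route_all(SAMPLE_SIGNALS):
        print(f"{supplier}: {action}")
```

The point of the explicit policy tables is that every signal the tooling produces either maps to a named action with an owner or is deliberately not consumed at that tier. A feed that raises a financial-distress flag on a tier 2 supplier is dropped here by design, because the programme has decided not to carry the cost of acting on that indicator below tier 1; changing that decision means editing the policy, not ignoring the dashboard.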
Few regulated utilities operate at Level 4 across their full critical-supplier base. The economics and operational cost are real. Most utilities at this level are operating Level 4 monitoring for their highest-criticality suppliers and Level 2 or 3 for the broader tier.
Level 5: Integrated assurance
At Level 5, TPRM is integrated into the utility's overall assurance framework rather than operating as a parallel programme. Supplier risk informs enterprise risk; supplier control effectiveness feeds into the utility's own control attestations (ICFR, cybersecurity attestations to regulators); supplier incidents feed into the utility's incident response and business continuity programmes; supplier-tier changes drive contract reviews and operational planning.
Integration is the difference between TPRM as a compliance function and TPRM as an operating capability. At Level 5, the utility's board and audit committee receive consolidated reporting that integrates supplier risk into the broader risk picture rather than receiving a separate TPRM dashboard. Supplier risk decisions are made by the people whose operational responsibilities the suppliers affect, supported by TPRM rather than displaced by it.
Almost no utilities operate at Level 5 across their full programme. The capability is observable in individual high-criticality supplier relationships at well-run utilities, and increasingly in the cybersecurity domain where regulatory pressure has accelerated capability development.
How to move up the ladder
The transition from one level to the next is not primarily a tooling decision. It is an operating capability decision — building the analyst capacity, the technical capacity, and the operational cadence that the next level requires. Utilities that try to leapfrog levels by tool purchase tend to end up with sophisticated technology generating signal that no operational capability is positioned to consume.
The pattern that works: assess current state honestly against the ladder, identify the specific critical suppliers that warrant a higher level, build the operating capability for those suppliers first, then extend the capability to the next tier. The path is gradual and tier-by-tier, not programme-wide. The CUC engagement structured TPRM evolution this way — focusing initial substantive verification work on the highest-criticality suppliers, then extending as the operating capability matured.
