April 1, 2026

Why TPRM is Critical for Banks and How We’re Helping Modernize It

Written by: Jeremy Baumruk, Director of Professional Services

If you talk to any bank right now, you hear the same theme in different words: risk is getting harder to manage, and the tolerance for “good enough” is shrinking fast. 

In my role at Xamin, we build security and compliance programs that actually hold up under real-world pressure. Over the last few years, one area has stood out as the most urgent and consistently underestimated: third-party risk management (TPRM). 

TPRM is not a checkbox exercise anymore. The level of scrutiny and regulatory expectations surrounding vendors has changed dramatically. Banks aren’t just being asked whether they have a vendor risk management process. They’re being asked to prove that process works, continuously, and that they can respond effectively when something goes wrong. 

Here’s what I’m seeing in the market, why TPRM is now a priority and where many institutions are struggling to keep up, and how using a purpose-built platform like 6clicks helps us deliver TPRM at scale across banking clients. 

Vendor risk is under more scrutiny than ever 

We’re seeing increased regulatory focus on third-party risk across the board, especially around: 

  • documented due diligence 
  • consistent risk scoring 
  • evidence collection 
  • issue follow-up 
  • proving that oversight is happening, not just being talked about 

Some of the trends shaping this shift include: 

1) AI raising the stakes 

A lot of institutions are moving quickly on Copilot and GenAI tooling. That comes with two immediate realities: 

  • Data classification and security matter a lot more, because AI tooling surfaces whatever data its users are already permitted to reach, over-broad permissions and stale shares included. 
  • “Is this vendor safe?” is no longer a one-time question. It becomes a continuous question as tools, permissions, and data flows change. 

I’m doing Copilot readiness assessments, and vendor exposure shows up in nearly every conversation. Even when a bank is making good progress, vendor dependencies are often the hidden risk. 

2) The evolving compliance landscape 

When the FFIEC retired the Cybersecurity Assessment Tool (CAT) on August 31, 2025, many banks started moving toward NIST CSF assessments. That shift forced a fresh look at frameworks, mapping, and reporting, and exposed gaps in how third-party controls and dependencies are tracked. PCI DSS v4.0 also introduced new requirements, with its future-dated requirements becoming mandatory on March 31, 2025, pushing risk and compliance teams to tighten oversight across vendors that touch cardholder data or influence security controls. 

3) Incident response becoming a real program, not an annual event 

One of the biggest changes I’ve seen is incident response discipline. Banks are moving from one annual tabletop exercise to 4–6 per year and, more importantly, they are actually implementing findings. 

That creates a demand for: 

  • tracking issues cleanly 
  • assigning ownership 
  • proving closure 
  • keeping evidence organized for audit 

Managing incidents and issues within a unified workflow should be the norm, but the tools banks are currently using haven’t been able to keep pace with these expectations. 

The reality: most banks are still managing vendor risk manually 

One of the biggest misconceptions is that banks already have mature GRC platforms in place. In reality, most don’t. 

Even now, many institutions are trying to run TPRM and incident follow-up using a patchwork of: 

  • spreadsheets for vendor lists and risk scores 
  • ticketing systems for issues 
  • shared drives for evidence 
  • email threads for approvals and updates 

That approach breaks down under scrutiny because it is hard to demonstrate consistency, traceability, and accountability. 

When examiners ask for documentation, evidence, or proof of remediation, teams are forced to manually pull information from multiple sources. If a vendor has an open issue, that issue should be visible alongside the vendor’s risk profile, related assessments, and associated controls. Without a centralized system, those relationships are difficult to maintain. That’s where having a dedicated GRC platform becomes critical. 

Using 6clicks for centralized risk and compliance management 

Xamin has been a 6clicks partner for more than three years. What I appreciate about the platform is that it lets me run the program the way banks need it to run today: structured, repeatable, and auditable. 

Vendor management that stands up to exams 

This is a big one. 

The most important capability for us and our clients has been vendor management integrated directly into the broader risk and compliance ecosystem. When vendor oversight is not handled in a silo, it becomes easier to: 

  • document due diligence 
  • keep evidence attached to the right vendor record 
  • show status and follow-up 
  • demonstrate that risk is being managed continuously 

I recently had a banking client go through an OCC exam, and they were specifically pleased with how vendor management was handled using 6clicks, particularly its ability to offload manual processes into a structured, centralized platform. 

Incident and issue workflow that actually closes the loop 

The second capability I think banks need most right now is an issue and incident register that is operational, not theoretical. 

Many of our banking clients use the 6clicks issue and incident register as a centralized portal to track audit findings, open issues, and remediation activities, ensuring a consistent process from intake to documentation and reporting. 

Scalable assessments across clients 

For assessments, 6clicks’ Question-Based Assessment (QBA) capability enables us to run structured risk assessments across banking clients. 

Using turnkey templates, automated workflows, and customizable fields, the platform enables us to standardize how we assess risk and establish repeatable, scalable processes that reduce admin burden. 

Moving from fragmented tools to a unified system 

One of the biggest advantages of 6clicks is the ability to link everything together. 

For example, if a vendor has an open issue, we can connect that issue directly to: 

  • The vendor record 
  • The associated risk assessment 
  • Relevant controls 
  • Applicable regulatory requirements 

This level of integration simply isn’t possible when vendor risk management is handled across spreadsheets and disconnected systems. 

Multi-entity deployment that fits MSP reality 

As an MSP, we have to deliver outcomes across multiple clients efficiently without sacrificing quality. 

When we were exploring solutions, what stood out about 6clicks wasn’t just the feature set, but how well it supported our service delivery model and the needs of regulated banking environments. 

6clicks’ Hub & Spoke model is a game changer for that. From the Hub, we can manage independent client environments or “Spokes” and push templates and standards across multiple clients while still tailoring execution where needed. This means: 

  • faster deployments 
  • more consistent service delivery 
  • less reinvention per client 
  • operational autonomy across entities 
  • consolidated reports and insights 

This makes it easier to maintain oversight and scale risk and compliance programs across multiple clients. 

What I want banks to take away from this 

If I could leave risk and security leaders in the banking sector with one message, it would be this: 

Vendor ecosystems are only becoming more complex. Banks rely on an increasing number of third-party providers, and regulators are paying closer attention to how those relationships are managed. 

Manual processes and disconnected tools simply aren’t sustainable in this environment. 

What we’ve seen with 6clicks is that when vendor risk management, incident tracking, and compliance workflows are integrated into a single platform, everything becomes more manageable. Teams gain visibility. Audit readiness improves. And organizations can respond more effectively to evolving regulatory expectations. 

Most importantly, it allows banks to move beyond reactive compliance and toward proactive risk management. 

That’s where the industry is heading, and it’s a transition we’re proud to help our clients make every day. 

If you'd like to learn more, please reach out to us.