Embedding Third-party Risk Management into strategic resilience

20 June 2025
Rudi Sneyers, Risk Management & Compliance Practice Leader
Seçil Kinik, Risk Management Specialist - Financial Institutions

Geopolitical tensions, potential compliance failures, environmental impact, economic volatility, and disruption continue to reshape the global landscape with increased complexity and interconnected risks.

Financial institutions (like banks and insurers) are, more than ever, using technology and relying on third-party service providers. While this helps them work faster and more efficiently, it also brings new risks, like systems going down, cyberattacks, or suppliers failing to deliver.

At the same time, expectations are rising. Customers, regulators, supervisors and business partners all expect these companies to be able to handle disruptions smoothly.

That’s why operational resilience, the ability to keep running and to recover quickly when something goes wrong, is not just something they should do. It’s something that can actually make them stronger and more competitive. That’s why it should be a top priority for company leaders and boards.

Supervisory expectations

Financial institutions demonstrated strong resilience during the pandemic, with limited operational losses, as noted by the European Central Bank. However, geopolitical tensions have introduced new challenges.

Supervisory concerns now focus on reliance on third parties for critical IT services and deficiencies in IT outsourcing, particularly when outsourcing to countries affected by sanctions regimes or facing higher geopolitical risks. These concerns were a key driver for the Digital Operational Resilience Act (DORA).

The Joint Committee Annual Report 2024* highlights the importance of addressing these vulnerabilities. It emphasizes cross-sectoral collaboration on operational risk and digital resilience, among others. 

A survey conducted by the FSMA among financial institutions confirms the latter. While overall DORA maturity levels have improved compared to the first survey, management of third-party ICT risk remains a significant challenge, even though the institutions themselves remain fully responsible for compliance with the regulation.

Supervisory Authorities will rely on these findings to shape future supervisory actions. Targeted reviews and oversight inspections will focus on entities with lower maturity levels and deficiencies in third-party risk management.

Maturity levels can be assessed by comparing the current governance and supervision over external partners to the best practices described in the practical guide issued by the FSMA.

* Joint Committee Annual Report 2024: A report by the Joint Committee of the ESAs (EBA, ESMA, and EIOPA) that highlights cross-sectoral financial risks and operational resilience themes. Available at ESA Publications.

Submission of DORA registers of ICT third-party service providers

DORA officially took effect on 17 January 2025. Under DORA, financial entities must maintain comprehensive and standardized registers of their contractual arrangements with ICT third-party service providers. The objective is to ensure effective monitoring and incident reporting based on robust governance frameworks and clear Risk Management policies.

These registers will help Supervisory Authorities to designate critical ICT third-party service providers based on third-party connections and dependencies. The latter will be subject to EU-level oversight so that disruptions can be addressed in a timely manner, reputational risk prevented, and systemic risk mitigated.

Establishing registers that fully comply with regulatory expectations has proven to be a considerable achievement, and not all financial institutions have managed it. The same applies to keeping the registers up to date at all times.

Oversight, due diligence and reporting to Supervisory bodies

In an increasingly complex landscape marked by vendor data breaches and supply chain disruptions, effective oversight and transparent communication regarding third-party ecosystems have become critical.

To ensure long-term resilience, organizations must adopt a strategic approach that extends beyond mere regulatory compliance. Effective Third-Party Risk Management (TPRM) should be embedded throughout all stages of the lifecycle:

  • Pre-contract Screening: Conduct in-depth evaluations to confirm suppliers meet the organization’s risk appetite and regulatory requirements.
  • Regular Re-assessment: Re-evaluate suppliers periodically, following risk-based assessment practices.
  • Due Diligence: Evaluate the effectiveness of suppliers’ internal control framework.
  • Performance Monitoring: Track Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs), and assess how inherent risks are mitigated down to residual risks.
  • Exit Strategies: Develop and test comprehensive contingency plans for managing transitions in critical services and minimizing potential disruptions.

We believe that leveraging external third-party assessors and pooled audits offers an additional layer of efficiency, particularly for specialized risk domains or smaller entities.

As highlighted in the 2024 Joint Committee Annual Report, these practices can address resource constraints while maintaining robust oversight.

Where Artificial Intelligence might help

AI is transforming recurrent risk management activities by automating assessments and generating real-time, data-driven insights. This allows organizations to focus on strategic planning, such as scenario analysis, while responding quickly to dynamic risks.

The NIST AI Risk Management Framework highlights the need for trustworthy AI systems aligned with organizational goals. AI enhances decision-making and transparency by identifying vulnerabilities and predicting disruptions, while improving communication across stakeholders.

Sound and robust AI governance is of utmost importance to address challenges like bias, transparency, and accountability, and to offer a sustainable competitive edge built on trust with all stakeholders.

TriFinance can assist you in this journey. Read more about our services offering in Risk Management & Compliance in financial institutions.