Key themes of resiliency, outsourcing and third-party risk management regimes

Abstract

Throughout 2024, European Union (EU)-based financial entities have been analysing their thirdparty and intra-group technology contracts against compliance with the EU Digital Operational Resilience Act (DORA), and renegotiating with vendors where necessary, in order to comply from 17th January, 2025. McKinsey estimates that EU institutions typically earmarked €5−15m for DORA programme strategy, planning and design, although full implementation costs may be five to ten times that range.1 The DORA analysis is also highlighting that certain companies are not compliant with existing regulatory expectations. Financial regulators and global standard-setting bodies have published high-level principles and also detailed expectations to ensure that companies have in place prudent third-party risk management controls, both at an enterprise level and for managing individual third-party arrangements. As securities markets participants become increasingly reliant on third-party service providers for tasks that they had not previously undertaken, leveraging technology and artificial intelligence (AI), supervisory focus is extending to operational resilience across third-party services relationships, not just outsourcing. In this paper, we explore key themes of existing outsourcing and third-party risk management regimes that apply to financial entities and their service providers. We note key differences between regulatory expectations on resiliency and outsourcing, highlight key best practices and challenges to implementing these expectations and, finally, consider the impact of AI solutions on such regulatory expectations.