Operational resilience continues to be a top priority for regulators and firms globally. Multiple, overlapping operational resilience regulations (e.g. EU DORA, UK Operational Resilience, UK Third-Party Risk Management and Outsourcing, EBA Outsourcing Guidelines, CFTC rules, etc.) require firms to align their responses across jurisdictions whilst ensuring compliance with local rules, and to implement cost-effective and robust measures to prevent, detect, respond to and recover from operational incidents and disruptions.
The challenge
A tier one global investment and corporate bank sought Capco’s support to review its third-party risk management framework against EU DORA requirements and to use DORA as a “trojan horse” for transforming its third-party risk management and procurement capabilities, applying automation and data solutions to drive efficiencies and lower its cost base.
The bank was grappling with ongoing remediation of regulatory findings related to its outsourcing register and with legacy third-party risk management issues. This was exacerbated by highly manual, inefficient processes and multiple siloed systems, which meant the firm lacked a holistic view of its third-party arrangements and the associated risk, and had accumulated a proliferation of tactical fixes.
Capco’s support was requested to:
- Undertake a DORA gap analysis to identify gaps in the third-party risk management framework.
- Define a strategic roadmap of prioritized remediation milestones for a multi-year transformation journey.
- Propose a target operating model across the three lines of defense to establish clear accountability for implementation.
- Define the data specification and automation approach for the Register of Information, and support its completion.
- Support the bank with contract remediation and outreach activities.
- Identify opportunities for simplification and use of GenAI to drive process, controls and system architecture efficiencies across the third-party management lifecycle.
Our approach
Capco brought a multidisciplinary team of regulatory, industry and transformation specialists coupled with strong analytics and data expertise to provide comprehensive support at each stage of the transformation journey. This included:
- Gap analysis and regulatory compliance roadmap: Conducting a comprehensive DORA gap analysis with prioritized recommendations to achieve regulatory compliance and align with industry good practice in a pragmatic, phased manner. Each recommendation was translated into tracked action plans with clear ownership and accountability of stakeholders across the organization. A regulatory narrative was developed to demonstrate how the bank meets DORA requirements and further enhancements planned to achieve the target state.
- Register of Information: Defining data specifications for the DORA Register of Information, aligning with the EBA outsourcing register and detailing the required data fields, structure, format, golden sources, automation strategy and reporting standards. Leveraging data analytics, the Capco team supported the client with data extraction, transformation, aggregation, validation and quality assurance of the Registers of Information for a prioritized set of suppliers.
- Contract remediation: Development of an efficient process to identify ICT third-party contracts in scope for remediation, engaging with third parties to facilitate negotiation and execution of DORA contract addendums.
- Operational efficiency via automation: Review of core third-party and procurement processes and controls to identify opportunities for automation and efficiency gains, for example using GenAI to significantly reduce the SME time required to complete suppliers’ pre-onboarding due diligence, ongoing monitoring reviews and control assessments.
Value delivered
Capco helped the client achieve benefits beyond DORA regulatory compliance and transform its third-party risk management into a data-driven, insight-led capability:
- Automation of Register of Information, improving quality, speed and completeness of supplier information.
- Increased efficiency through alignment of due diligence and ongoing monitoring processes.
- Re-engineering of contracting processes, improving efficiency and clarity of roles and responsibilities.
- Improved control and transparency across the third-party risk management lifecycle.