Third-party risk management (TPRM) has become a strategic priority for firms amid escalating regulatory expectations and operational dependencies. We explore the current state of due diligence and risk assessments within TPRM, the challenges firms face in a fast-evolving threat landscape, and how AI-driven approaches can transform traditional models into scalable, intelligent solutions.
Landmark frameworks such as the EU’s Digital Operational Resilience Act (DORA) and the UK’s SS2/21 and forthcoming Critical Third Parties policy, as well as interagency guidance in the US, have redefined the regulatory landscape.
In the UK, finalized policies on third-party and incident reporting are expected in 2025. The UK guidance is expected to align closely with DORA and the EBA’s outsourcing guidelines. This trend is reflected with the European Banking Authority’s Draft Guidelines on the sound management of third-party risk (EBA/CP/2025/12), published for consultation in July 2025. Similarly, the European Central Bank has elevated TPRM, including cloud outsourcing, to a supervisory priority, with designations of Critical Third Parties expected across both the UK and EU.
This sustained regulatory momentum has reinforced TPRM as a vital capability, requiring firms to invest in robust due diligence and risk assessment practices. The risks of inaction are no longer hypothetical: reputational damage, regulatory penalties, and operational disruptions are all real consequences.
"Third party risk management, including cloud outsourcing, is high on our list of supervisory priorities for ‘24-’26, and we expect banks to establish robust outsourcing-risk arrangements to prevent disruptions to critical services." Elizabeth McCaul, Member of ECB board [1]
There have been several high-profile incidents involving third parties, most recently CrowdStrike, where a faulty update rolled out to millions of devices across the globe. Firms across many sectors were affected, leading to cancelled flights, halted investment trading, and disruption to healthcare systems.
The rise of cloud services has also raised regulatory concerns about systemic concentration risk, since a large proportion of cloud services is provided by a small number of firms such as Amazon or Microsoft. The continued growth of cloud services and firms' heavy reliance on third parties bring these risks into sharp focus, prompting firms to invest time and resources in enhancing their TPRM capabilities and operating models.
Download the full white paper to access:
1. Why focus on due diligence and risk assessments?
2. Today's key challenges
3. How to respond: role of AI and implementation strategies
4. Selecting the right GenAI strategies
5. Unlocking real value from AI
6. How Capco can help
How AI is reshaping risk, compliance and control in regulated industries
Paper one
Table of contents:
1. The compliance opportunity: where AI actually delivers
2. Use case in action: turning potential into proven impact
3. These success stories share four key enablers
4. Risk and mitigation strategies
5. The rise of Agentic AI: a new chapter for compliance and control
6. Making it real: AI-powered compliance with Capco's Compliance Assist
7. Build smarter compliance today
8. Compliance as a catalyst
Paper two
Table of contents:
1. Why focus on due diligence and risk assessments?
2. Today's key challenges
3. How to respond: role of AI and implementation
4. Selecting the right GenAI strategies
5. Unlocking real value from AI
6. How Capco can help