From Criticality to Compliance: Optimizing Third-Party Risk and Contract Management

  • Alexandre Vandeput & Alexis Villepelet
  • 02 July 2025

As the supply chains of financial institutions become increasingly interconnected, digital vulnerabilities are multiplying and threatening to disrupt important systems – putting customer data and essential financial services at risk. With the introduction of the pan-European Digital Operational Resilience Act (DORA) and Network and Information Systems Directive 2 (NIS2), financial services organizations must now implement clear and robust third-party governance frameworks to manage supply chains and safeguard their customers and businesses.

Financial services institutions (FSIs) must demonstrate their ability to rely on third parties, while ensuring that any potential vulnerabilities are thoroughly managed – a requirement reinforced by both DORA and NIS2. 

FSIs must establish clear criteria for defining a ‘critical’ third party and then integrate this classification into enterprise-wide risk assessment processes. 

A well-articulated multi-vendor strategy is also strongly recommended, although implementing such strategies remains challenging, particularly with regard to hyperscalers such as AWS, GCP, Azure, Watson and Alibaba. 

Additionally, a well-defined and unambiguous exit strategy is expected to form part of the risk mitigation efforts. It should also be feasible for FSIs to conduct onsite audits of third parties, with the associated costs borne by the financial institution.

The various requirements must be formalized in contracts – and this is where complications typically begin. Given the significant burden involved, many institutions are struggling to renegotiate and update existing contracts in line with stringent regulatory expectations.

Moreover, the complexity is compounded when contractual terms need to be periodically reviewed, depending on the criticality of the supplier in question.

Best Practices – Ex-Ante

The good news is that there are effective strategies to streamline the process:

  • Avoid unnecessary creativity in legal drafting. Stick closely to regulatory requirements. Overly elaborate legal language only invites protracted discussions over details and distracts from compliance.
  • Ensure that processes are simple and efficient. Keep questionnaires concise and user-friendly to avoid overwhelming third parties. Consider breaking them down into manageable sections and provide support for any queries. Standardized clauses should be used wherever possible – adopting a ‘one-size-fits-all’ approach can greatly simplify operations. The responsibility for developing questionnaires should not rest solely with the procurement team. Instead, involve Compliance, Legal and IT departments to ensure the questionnaire is aligned across the organization. Offer clear, unambiguous guidance for completing the questionnaire, including deadlines, contact points and supporting resources.
  • Implement a digital platform/automated tool to facilitate questionnaire completion. This ensures consistency in data collection and forces teams to clarify and document their specific needs more thoroughly. In our experience, institutions that invest early in automated TPRM platforms can often achieve compliance in as little as half the time it takes those that stick with traditional processes. They also find that they can significantly reduce vendor friction during the assessment process.

Another highly effective strategy is collaboration. Financial institutions have two main options in this regard:

  • Inform providers that the questionnaire is a standard industry practice, required by many organizations for regulatory compliance and risk mitigation. This reassures suppliers that they are not alone and that future requests will likely be easier to manage after the initial effort.
  • Go a step further by collaborating with peer institutions facing similar challenges. Jointly develop standardized questionnaires and coordinate third-party assessments. This collective approach significantly reduces the duplication of effort and encourages alignment across the industry.

Best Practices – Ex-Post

The next step is to industrialize the contract review process using one of the various platforms available. The primary advantage of platforms lies in their ability to help identify vulnerabilities, manage contractual reviews efficiently, leverage workflows and ultimately save both time and costs. 

They enable institutions to pinpoint potential third-party risks that might otherwise go unnoticed. They can also be integrated with suppliers’ platforms in ways that support comprehensive functional coverage of the TPRM lifecycle. Many platforms offer an open architecture with APIs that allow the integration of external tools.

A major drawback of current TPRM processes is their time-consuming and error-prone nature. Completing questionnaires can place a heavy burden on third parties and result in inconsistent or incomplete assessments. In some cases, third parties that should be classified as critical are not identified as such. 

Additionally, quarterly performance and risk reviews of critical ICT providers are often labor-intensive when managed manually. The quality of data received is typically poor, too open to interpretation and insufficient for making informed decisions.

It's also crucial to monitor subcontractor risks. FSIs must be equipped to assess and anticipate risks not just from their direct vendors, but also from fourth- and fifth-party providers further down the supply chain. 

It is therefore important to rely on platforms that embed those relationships into their processes and workflows, with a special focus on subcontractors that support critical and important functions. A key driver of the risk incurred by those relationships will be concentration risk and its potential impact on operational resilience.

Finally, adopting a platform encourages the formation of dedicated teams tasked with analyzing and assessing incoming questionnaires. This shift can deliver substantial cost savings through mutualization: rather than multiple teams with no specialization reviewing numerous questionnaires inconsistently, a centralized, expert TPRM team – potentially organized as a shared service center – can lead the process.

One practical challenge here is language. Rather than risk building a ‘Tower of Babel’, it is often best to use English as the default working language. If this proves impossible in some cases, treat non-English questionnaires as exceptions.

A Special Case – CTPPs

An important evolution expected in the near future will be the formal designation by regulators of some entities as Critical Third-Party Providers (CTPPs). 

As the European Commission has made clear, the DORA regulation enshrines the principle of ‘same activity, same risk, same rules’. This principle applies fully to hyperscalers and other providers delivering key services to FSIs.

As a result, CTPPs will be required to meet the same standards as FSIs themselves, which will, in turn, offer FSIs an additional layer of protection.

Reality Check – Making it Work in Practice

Let's be honest: implementing all of this is easier said than done. The reality is that many financial institutions are drowning in vendor questionnaires, struggling with uncooperative suppliers, and facing budget constraints that make comprehensive TPRM programs feel like a luxury rather than a necessity.

But here's the thing: financial institutions don't have to solve everything at once. They can start with the most critical suppliers, focus on standardization over perfection, and remember that competitors are facing the same challenges. 

The institutions that get ahead are not necessarily those with the most sophisticated frameworks; they are the ones that move quickly, collaborate effectively and keep things simple.

The CTPP designation may eventually take some pressure off. Until then, the key is to build processes that are robust enough to satisfy regulators but practical enough that suppliers do not feel the need to revolt. At the end of the day, if suppliers cannot or will not comply, even the most beautiful TPRM framework will not offer protection.

Ready to optimize your third-party risk management? Capco can help financial institutions build robust, scalable TPRM frameworks that turn regulatory compliance into competitive advantage. Contact Alexandre Vandeput or Alexis Villepelet to discuss your specific challenges. 
