Our Third-Party Risk Management (TPRM) and Digital Operational Resilience Act (DORA) Compliance Seminar took place on 18 February 2025, bringing together industry leaders and regulatory experts to discuss the evolving landscape of TPRM and DORA for the financial services sector. The event provided valuable insights into regulatory compliance, best practices, and risk mitigation strategies.



  • TPRM is a program to identify, assess and manage the various risks associated with the use of the organizations’ third parties.

  • A third-party relationship can be defined as any business arrangement between one organization and another, by contract or otherwise. This includes the use of material fourth parties or subcontractors.

  • TPRM involves assessing third parties’ ability to manage risk throughout the lifecycle of the relationship, from initiation to termination, including reporting to management and regulators.

  • Risk-based program requirements are focused on managing third parties that pose the greatest risks to the organization.

  • TPRM includes clear roles and responsibilities across a three-lines-of-defense model, so that each part of the organization understands its role in managing third parties and nothing slips through the cracks.


  • Regulatory Compliance: Compliance with government and industry regulations is one of the main driving forces behind TPRM. Third-party vendors are often subject to strict requirements, and organizations must ensure that their suppliers comply with them.

  • Risk Management: Companies use TPRM to help manage risks (operational, financial, reputational etc.) associated with engaging third parties. It helps identify, assess, mitigate, and monitor the risks posed by third-party relationships.

  • Cost Efficiency: By successfully managing third-party relationships, companies can potentially save resources and achieve cost efficiencies.

  • Operational Performance: The performance of third-party vendors directly impacts the operational performance of the company. Hence, effective third-party management becomes key to improving operational performance.

  • Competitive Advantage: Companies with robust TPRM have the potential to gain a competitive advantage. This advantage can come in the form of better quality services, cost efficiencies, and risk reduction.

  • Enhanced Service Quality: By ensuring the performance of third parties is on par with set expectations, companies can also enhance the quality of services provided.

  • Data Security: With more companies than ever sharing sensitive data with third parties, strong TPRM systems are important for ensuring information security and preventing data breaches.


  • Poor risk management: Decisions are not risk-based; there’s no single view; monitoring is not effective or not done; and there’s a risk of fines and sanctions.

  • Cross-organization complex processes: Poor end-user and supplier experience; risk assessments take too long; existing processes are not unified; there’s no continuous monitoring; and there’s limited resource availability.

  • Complex operation model: There’s unclear risk ownership, a decentralized model, an evolving range of risk domains, a one-size-fits-all approach, and volumes too high to manage.

  • Technology and data: There’s a lack of automation, limited tooling, a lack of data-driven insight and a lack of alignment and integration.

  • Increased regulatory requirements: Regulatory requirements are more onerous and integration is a challenge in an ever-growing landscape.


  • Firmwide across all risk domains: A firmwide TPRM framework will cut across different departments (cyber, compliance, data privacy, procurement, ESG, etc.) to establish a single view of risk over the different vendors, covering all relevant risk domains. However, activities too often remain in ‘silos’.

  • Resources and roles & responsibilities: Roles and responsibilities must be crystal clear throughout your organization. For example: Who is the accountable executive within your organization for TPRM risk? Who will design risk assessments and due diligence activities? Many organizations struggle with building sufficient TPRM capabilities amidst increasing expectations. Organizations are exploring managed service models, nearshoring and offshoring.

  • Single risk segmentation: Apply a single risk segmentation/classification through all different risk areas and start from a fit-for-purpose materiality and inherent risk assessment process.

  • VRM (vendor risk management) tooling: Consider implementing TPRM tools to automate and enforce the ordering and execution of TPRM processes and activities. TPRM tools additionally allow you to maintain a comprehensive and consolidated inventory of third parties.


  • Regulatory scrutiny is increasing, requiring financial institutions to establish structured and automated risk assessment frameworks.

  • The three-lines-of-defense model remains a crucial approach to ensuring accountability and risk oversight.

  • Organizations must shift from a reactive to a proactive risk management approach to stay compliant with evolving regulations.


  • Financial entities must identify and classify their ICT (information and communication technology) third-party service providers, distinguishing the arrangements that support critical or important functions, and monitor them against DORA's stringent requirements.

  • Organizations need to maintain a complete register of information covering all contractual arrangements with ICT third-party service providers (DORA Article 28(3)), kept at entity level and at sub-consolidated and consolidated level, and updated as arrangements change.

  • Enhanced due diligence and contractual obligations are necessary to mitigate risks associated with external service providers.


  • Financial institutions must revise existing contracts to align with DORA’s provisions on security, monitoring, and regulatory oversight.

  • Clear service level agreements (SLAs) and exit strategies must be defined to enhance contractual resilience.

  • AI-powered contract analysis tools can streamline the review and remediation process.
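The register, the single risk segmentation and the contract review described above fit together naturally in one data structure. The following Python example is added here to show that fit; it is not code from the seminar or from KPMG. The register fields, the tiering weights and the provision keys are simplified assumptions loosely modelled on DORA Article 30(2) (all arrangements) and 30(3) (arrangements supporting critical or important functions); the provider names and contract data are constructed sample entries, and the list of provisions is a subset, not a legal checklist.

```python
"""Minimal ICT third-party register with a single risk tiering and a contract-gap
check. Field names, weights and provision keys are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Contractual content, simplified from DORA Art. 30(2) (every arrangement) and
# Art. 30(3) (arrangements supporting critical or important functions, "CIF").
BASELINE_PROVISIONS = frozenset({
    "service_description", "data_locations", "data_protection",
    "data_return_on_exit", "service_levels", "incident_assistance",
    "authority_cooperation", "termination_rights",
})
CIF_PROVISIONS = BASELINE_PROVISIONS | {
    "quantitative_slas", "subcontracting_conditions", "business_continuity",
    "tlpt_participation", "audit_and_access_rights", "exit_strategy",
}

REVIEW_DATE = date(2025, 2, 18)  # assumed review date for the sample run


@dataclass
class Arrangement:
    ref: str
    provider: str
    service: str
    supports_cif: bool          # supports a critical or important function
    data_class: str             # "public" | "internal" | "confidential"
    substitutable: bool         # could another provider take over in time?
    subcontractors: list[str]   # material fourth parties
    contract_end: date
    provisions: frozenset[str]  # clauses confirmed present in the contract


def tier(a: Arrangement) -> str:
    """One segmentation shared by every risk domain; it decides due-diligence depth.
    Anything supporting a CIF is critical regardless of the other attributes."""
    if a.supports_cif:
        return "critical"
    score = {"public": 0, "internal": 1, "confidential": 2}[a.data_class]
    score += int(not a.substitutable) + int(bool(a.subcontractors))
    return "high" if score >= 2 else "standard"


def contract_gaps(a: Arrangement) -> list[str]:
    """Provisions the contract must carry for this arrangement but does not."""
    required = CIF_PROVISIONS if a.supports_cif else BASELINE_PROVISIONS
    return sorted(required - a.provisions)


def review_register(register: list[Arrangement], today: date) -> list[tuple]:
    """Findings to feed the remediation backlog: missing clauses, and CIF
    contracts ending within a year (renegotiate or execute the exit plan)."""
    findings = []
    for a in register:
        gaps = contract_gaps(a)
        if gaps:
            findings.append((a.ref, "missing_provisions", gaps))
        if a.supports_cif and a.contract_end - today <= timedelta(days=365):
            findings.append((a.ref, "ends_within_12_months", a.contract_end.isoformat()))
    return findings


def cif_concentration(register: list[Arrangement]) -> dict[str, int]:
    """Providers carrying more than one CIF arrangement: an input to
    concentration-risk assessment, which a per-vendor view would not surface."""
    counts: dict[str, int] = {}
    for a in register:
        if a.supports_cif:
            counts[a.provider] = counts.get(a.provider, 0) + 1
    return {p: n for p, n in counts.items() if n > 1}


# Constructed sample register (not real providers or contracts).
SAMPLE_REGISTER = [
    Arrangement("ICT-001", "CloudCo", "core banking hosting", True, "confidential",
                False, ["DC Operator"], date(2025, 9, 30),
                BASELINE_PROVISIONS | {"quantitative_slas", "audit_and_access_rights",
                                       "business_continuity"}),
    Arrangement("ICT-002", "PayrollSaaS", "HR payroll", False, "confidential",
                True, [], date(2027, 1, 1), BASELINE_PROVISIONS),
    Arrangement("ICT-003", "NewsFeed", "market news widget", False, "public",
                True, [], date(2026, 1, 1),
                frozenset({"service_description", "termination_rights"})),
    Arrangement("ICT-004", "CloudCo", "payments gateway", True, "confidential",
                False, [], date(2027, 6, 30), CIF_PROVISIONS),
]

if __name__ == "__main__":
    for a in SAMPLE_REGISTER:
        print(a.ref, a.provider, tier(a), contract_gaps(a))
    for f in review_register(SAMPLE_REGISTER, REVIEW_DATE):
        print("finding:", f)
    print("concentration:", cif_concentration(SAMPLE_REGISTER))
```

Run as a script it lists each arrangement's tier and missing clauses, the findings for the review date, and the fact that one provider carries two CIF arrangements. The point of keeping classification, contract state and concentration in the same register is that the contract-remediation backlog and the monitoring cadence both derive from the single tier rather than from each department's own list.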


  • Many organizations face resource constraints in executing third-party risk assessments, making managed services a viable solution.

  • Automation and AI-driven tools significantly improve vendor risk evaluation and continuous monitoring.

  • The case study showed how the presenting organization's partnership with KPMG improved its TPRM framework and its compliance with DORA.


  • How can we ensure third-party resilience? The experts emphasized the importance of real-time monitoring and proactive vendor engagement.

  • What are the biggest challenges in DORA implementation? Organizations cited the volume of contracts, regulatory expectations, and cross-functional alignment as key hurdles.

  • How can we leverage technology for compliance? The panelists recommended adopting AI-driven contract lifecycle management tools and automated risk assessment frameworks.


  How KPMG can help

    The key takeaway from the seminar was that organizations should take proactive steps to integrate automation, revise contracts, and establish robust oversight frameworks to ensure compliance with DORA. KPMG can help organizations:

    Assess

    • Maturity assessment: Rapid current state review of TPRM capabilities; provide observations and recommendations.
    • Regulatory review: Gap analysis against relevant regulatory requirements; provide observations and recommendations.
    • Business case and roadmap: Prioritize enhancements and size the level of effort required to roll out the program.
    • Internal audit: co-sourced support for the third line's (internal audit's) review of the TPRM program.

    Transform

    • Framework design: Establish or enhance TPRM program and process components; develop program documentation, lifecycle templates and technology business requirements.
    • Technology enablement: Configure and implement workflow technology, risk intelligence software and third-party utilities.
    • Tuning and optimization: Enhance elements of the TPRM program and process, such as metrics and reporting, data analytics or TPRM risk appetite.

    Run

    • Scenario testing of third-party business continuity and exit plans.
    • Managed services: Operate end-to-end processes for pre- and post-contract screening and monitoring of third parties. Incorporate leading technologies and data sources with best-practice processes delivered by risk domain experts.
    • Third Party Assessments: Execute portfolio of risk and controls assessments pre- and post-contract.

    Speakers:

    • Jens Moerman (KPMG)
    • Thomas Meyer (KPMG)
    • Julie Vanhaverbeke (KPMG)
    • Benoît Watteyne (KPMG)
    • Adriaan Larmuseau (KPMG)