
First-Ever Third-Party Risk Management UK Summit 2024: Signed, Sealed, Delivered

Shared Assessments’ first-ever Third-Party Risk Management UK Summit brought together professionals from different industries to explore the evolving landscape of third-party risk management in the heart of London. The Summit featured a keynote address, interactive panels, breakout sessions, and abundant networking opportunities. This blogpost delivers a brief overview of key takeaways from the event – we hope to see you there again next year!

DORA’s Focus on Resilience Keynote

In her keynote address, Sophia Corsetti (Manager, Process Unity) highlighted how DORA addresses systemic risk by improving third-party resilience, emphasizing that disruptions in critical suppliers can impact entire organizations and sectors. In summary:

A Solid TPRM Foundation Is Crucial: A solid TPRM foundation is essential for successful DORA compliance. Corsetti noted that many organizations are struggling to align their TPRM programs with DORA’s requirements.

Key Components of DORA: Supply chain management, incident tracking and reporting, pre-contract due diligence, and subcontractor risk are all central to building a resilient third-party ecosystem.

Inherent Risk and Prioritization: Prioritizing suppliers based on inherent risk levels to streamline assessments and reduce vendor fatigue is necessary, as is leveraging AI for risk calculations to improve accuracy and efficiency.

Best Practices for DORA Compliance: Best practices include using data-driven approaches, automating risk management processes, and communicating expectations clearly to third parties to ensure alignment with DORA’s requirements.

AI’s Role in TPRM Panel

This panel emphasized that AI can enhance third-party risk management (TPRM) by automating data analysis, reducing cycle times, and identifying patterns or red flags from continuous monitoring, thus allowing teams to focus on strategic risk areas. Other takeaways included:

Human Expertise Still Essential: While AI offers significant potential, it cannot replace human judgment. AI should be viewed as a tool that complements professional expertise rather than a substitute for human oversight.

Risks and Limitations of AI: There are inherent risks associated with AI, especially in handling large, complex data sets. Panelists warned of “black box” scenarios where AI processes are not fully transparent, stressing the importance of maintaining control and oversight in AI implementations.

Building a Business Case for AI: The benefits of AI in TPRM include scalability, precision, and improved efficiency, allowing organizations to cover more third parties with fewer resources. However, organizations must clearly define pain points and ensure AI solutions align with those needs before implementation.

Contracting and Oversight: When contracting with AI solution providers, organizations must ensure transparency regarding AI usage, subcontractors, and data handling. Contracts should future-proof against potential AI risks, including the vendor’s use of client data for model training and potential regulatory requirements.

Panelists: Chris Johnson (Senior Advisor, Shared Assessments), Andy Sparry (Lead for Security Third Party Risk Management, Meta), Benjamin Ross (Managing Partner UK, Bortstein Legal Group), Daniela De Almeida Lourenço (CISO, Financial Services), Tomer Roizman (CTO & Co-Founder, Lema)

Complex Regulatory Landscape Panel

This session emphasized how the current regulatory environment is more complex than ever, with multiple frameworks such as DORA, NIS2, and the EU AI Act, creating challenges for organizations in third-party risk management (TPRM) to keep pace with these changes. The panelists also discussed:

Concentration Risk: Regulators are increasingly pushing organizations to assess and manage their dependencies on critical third parties. This includes mapping subcontractors and understanding their role in the supply chain.

Data is Key for Compliance: Gathering and maintaining accurate, comprehensive data on third-party vendors is crucial for complying with DORA and other regulations. (Several panelists stressed the importance of centralizing data and ensuring it is regularly updated to avoid bottlenecks in regulatory compliance.)

Proportionality and Prioritization: The principle of proportionality is embedded in regulations, meaning organizations should focus on their most critical vendors first rather than applying the same standards to all vendors. This pragmatic approach helps prevent overwhelming resources and ensures that the most significant risks are addressed.

Standardization and Global Alignment: There is a need for standardization in regulatory frameworks, particularly across different regions. While challenges remain, there is increasing alignment among regulatory bodies worldwide, making it possible for organizations to adopt common standards and frameworks to streamline compliance efforts.

Panelists: Andrew Moyad (CEO, Shared Assessments), James Humphrey-Evans (Partner, Bortstein Legal Group), Chika Okoli (GRC Consultant, Mitratech), Detlef Houdeau (Senior Director, Business Development, Infineon Technologies AG), Sean O’Brien (Managing Director, DVV Solutions)

Critical Third Parties Panel

This panel suggested that the definition of Critical Third Parties (CTPs) is evolving. Initially, CTPs were viewed purely from a firm’s internal perspective—what was most critical to that organization. The focus was on whether the third party could directly disrupt the business if it failed. The definition of CTPs has evolved with regulatory changes. Now, CTPs are seen from an external viewpoint—how critical they are to the market, customers, and overall systemic risk. Regulators are increasingly emphasizing the broader impact of CTPs on markets and services. Discussion around CTPs encompassed:

Geopolitical and Jurisdictional Considerations: Organizations need to consider the geographic concentration of their third parties, as political, environmental, or regional issues could disrupt services. The panel emphasized understanding not only the criticality of third parties to the organization but also their broader market impact and how geopolitical factors might affect their operations. Mapping supply chains, including fourth-party risks, is essential to ensure business continuity across global markets.

Partnership vs. Contractual Relationship: The panel stressed the importance of moving beyond contractual obligations toward partnerships with CTPs. This means developing a deeper relationship that allows better oversight and proactive communication, particularly when issues arise. Understanding where the organization falls on a vendor’s priority list is crucial during disruptions.

Metrics for Evaluating CTPs: Key metrics to assess CTPs include their Recovery Time Objective (RTO), the impact of a disruption on critical business functions, and how substitutable that third party is. The group also highlighted the importance of understanding a CTP’s supply chain and their resilience in the event of broader market issues.

AI and IT Automation’s Role: The panel discussed how AI and automation will change the landscape of third-party risk management. As more CTPs use AI, organizations must ensure these third parties understand the implications of using AI. AI can support decision-making by offering insights based on past data, helping organizations assess risk more efficiently.

Integrating People, Process, Technology, and Data: Beyond traditional TPRM processes, there’s a need to integrate technology and data analytics to monitor CTPs effectively. Understanding the competency of people working at CTPs, assessing the underlying technologies they use, and gathering comprehensive data can offer a fuller picture of their risk profile.

Two primary takeaways were emphasized: first, organizations must establish partnerships with their CTPs rather than rely solely on contracts. Second, it’s important to understand the supply chain behind CTPs to fully assess risks, including how CTPs prioritize service recovery during disruptions.

Panelists: Elizabeth Dunsmoor (TPRM Principal, Shared Assessments), Martin Freeman (Cybersecurity and Compliance Managing Director, Calastone), Rosalyn Aryee (Head of Outsourcing & TPRM and Operational Resilience, Santander), Shriparna Ghosh (Director, Cyber Security – Consulting – EMEIA Financial Service, EY), Matt Moog (General Manager, Third-Party Risk, OneTrust)

Tech Adoption Roadmap Breakout Session

This session focused on helping participants develop a practical, actionable tech adoption roadmap for their organizations. Deloitte used a highly interactive and fun discussion format, supported by a maturity model and participant polling, to identify key areas of opportunity and challenges. Attendees left with clear, tailored insights and tangible next steps they can apply to their TPRM programs.

Speakers: Dr. Sanjoy Sen (Head of Research & Eminence – Extended Enterprise, Deloitte), Stephen Cordon (Senior Manager, Deloitte)

Vendor Risk Management Hot Seat Breakout Session

Participants were immersed in a fast-paced, interactive environment where they tackled real-world vendor risk scenarios. Through rapid questioning and problem-solving, participants were challenged to think critically and adapt to evolving risks as they would in their own organizations. For DORA-regulated entities, this session offered essential guidance to achieve compliance before the January 2025 deadline.

Speakers: Constantine Malaxos (Vice President, Strategic Alliances, ProcessUnity), Sophia Corsetti (Manager, ProcessUnity)

With Gratitude For Our Sponsors, Speakers, and Friends

As we celebrate the end of an exciting and excellent first UK TPRM Summit, we would like to acknowledge our sponsors. Their support made this event’s exceptional content and dynamic speakers possible. Thank you to OneTrust, Process Unity, and DVV Solutions (Carbon Offset Sponsor) for their generous underwriting of this event. Thank you to our speakers for their time and focus, and to all our risk management friends who traveled from near and far to make this UK Summit an absolute success.