Resilience, regulation & AI: key takeaways from Third Party Risk Management Europe 2025 

Lucy Montague

Third-party risk management (TPRM) has moved beyond compliance into a critical pillar of operational resilience, regulatory readiness, and business continuity. That was the resounding message from the Vendor & Third Party Risk Summit Europe, where leaders across financial services, insurance, and banking shared hard-won lessons from implementing DORA, navigating the AI frontier, and preparing for inevitable vendor disruption. 

Here are the standout themes shaping the next chapter of vendor risk in Europe: 

1. AI in third party risk management: reality, hype, and the governance gap 

While just 15% of active TPRM programs are currently using AI, the potential is vast, and so are the risks. AI is already showing promise in areas like risk identification, resilience simulation, and onboarding acceleration. But governance and trust are lagging. 

As one panelist put it:

“AI is becoming more visible in resilience scenario building and enhanced due diligence, but hallucinations and poor data quality could undermine trust before it scales.” 

Key concerns included: 

  • AI-generated vendor responses during due diligence 
  • Lack of mature AI clauses in supplier contracts 
  • Regulatory blind spots around third-party use of generative AI 

The call to action? Build dedicated AI governance into TPRM processes now, before adoption outpaces oversight. 

2. Exit planning: a resilience imperative 

Exit planning is no longer a back-office exercise; it’s a regulatory requirement, a reputational safeguard, and, in many cases, a client expectation.

Ayesha James, former Group Third Party Risk Steward and Head of Operational & Resilience Risk at HSBC, highlighted that exit planning needs to move beyond documentation into tested, operational capabilities. “It’s not just about the process, it’s about the outcome,” she said. “If your exit playbook hasn’t been tested, it’s not worth much.”

Insights from the panel: 

  • Stressed exits (e.g. denial-of-service or vendor collapse) require a playbook and scenario rehearsal. 
  • Non-stressed exits should be planned early, ideally at onboarding, where vendors are most engaged. 
  • Clear ownership across exit planning in TPRM, operational resilience, and IT remains a key blocker for many. 

3. Scenario testing: turning theory into readiness 

Across sessions, scenario testing emerged as a vital but underutilized tool for resilience, covering everything from cyberattacks to nth-party collapse.

HSBC’s Ayesha James encouraged firms to treat scenario testing like a fire drill: something to be repeated, automated where possible, and contextualized to real-world risks:

“You’ll only discover your weak points when you run it through, not when you write it down.” 

Key takeaways: 

  • Use simulations to expose interdependencies between vendors and internal systems. 
  • Test both geopolitical and operational disruption scenarios. 
  • Integrate scenario results into board-level reporting to drive awareness and investment. 

4. Automation & tech: from tooling to transformation for Third Party Risk Management 

Manual-heavy third party risk management processes are no longer sustainable. Several speakers stressed the need for connected, automated platforms that bridge third-party oversight with operational resilience and procurement.

Mihaela Breg, Head of Operational Resilience & Business Transformation at Europe Arab Bank, shared how her team orchestrates resilience and third-party data using one integrated tool: 

“We used to do it in Excel. Now we’re using real-time dashboards that free up our staff to focus on higher-value resilience activities.” 

Takeaways for transformation: 

  • Automate segmentation and nth-party monitoring. 
  • Use tooling to map supplier contributions to critical business processes. 
  • Shift from reactive to predictive risk management using AI and analytics. 

Conclusion 

The evolution of third-party risk is clear: from compliance to critical capability. With DORA setting the pace, AI expanding the playing field, and exit events becoming more likely, the strongest firms will be those that invest now in: 

  • Governance for emerging tech 
  • Proactive resilience testing 
  • Tech-enabled, cross-functional risk orchestration 

As one attendee noted: “You don’t rise to the level of your plan, you fall to the level of your testing.” Third Party Risk Management leaders would be wise to prepare accordingly. 

FAQ

What was the main theme of the Third Party Risk Management Europe 2025 summit?

The summit highlighted how third-party risk management (TPRM) has evolved from a compliance function into a cornerstone of operational resilience, regulatory readiness, and business continuity. Speakers across financial services, insurance, and banking emphasized the need for stronger governance, smarter technology, and proactive resilience testing.

How is AI transforming third-party risk management?

AI is beginning to play a major role in risk identification, resilience simulations, and onboarding efficiency. However, the summit warned that governance hasn’t kept pace. Only around 15% of TPRM programs currently use AI, and gaps remain around:

  • AI-generated vendor responses and data quality
  • The absence of AI clauses in supplier contracts
  • Limited regulatory oversight on third-party AI use

Experts urged organizations to build AI governance frameworks into TPRM now—before adoption accelerates beyond control.

Why has exit planning become a key resilience priority?

Exit planning has moved from a documentation exercise to a regulatory and reputational imperative. As HSBC’s Ayesha James noted, “If your exit playbook hasn’t been tested, it’s not worth much.”

Summit takeaways included:

  • Test “stressed exits” like vendor failure or cyberattacks.
  • Plan “non-stressed exits” early, ideally at onboarding.
  • Clarify ownership across TPRM, IT, and operational resilience teams.
