Skip to navigation Skip to main content Skip to footer

25 June 2024

Insights from the 2024 CeFPro Vendor & Third-Party Risk Europe Conference


Escode recently co-sponsored the Center for Financial Professionals (CeFPro) Vendor & Third-Party Risk Europe Conference. This two-day event in London brought together financial professionals and industry leaders to explore the latest trends, challenges, and regulatory updates shaping third-party risk management (TPRM)

The event featured a diverse range of discussions, including presentations and panel discussions on topics such as the DORA regulation, fourth-party risk, AI, intragroup arrangements, concentration risk, and stressed exit planning.

The Digital Operational Resilience Act (DORA)

A significant topic of discussion was the EU DORA (Digital Operational Resilience Act) Regulation. Financial institutions and their critical suppliers operating within the EU are required to ensure compliance by January 17, 2025.

DORA is a crucial legislative framework mandating operational resilience standards for European financial institutions and their primary suppliers. Panel discussions explored practical implementation approaches for the EU DORA regulation and its regional variations. All regulated financial service entities operating within Europe must establish and routinely test exit plans for scenarios such as supplier failure and the insolvency of third-party ICT service providers. These plans must encompass all critical services, including cloud applications, and undergo annual testing to verify their efficacy in ensuring business continuity.

The sessions emphasised the importance of collaboration with suppliers to meet compliance requirements. These regulations are reshaping how financial institutions interact with third parties, particularly fintech companies.

AI in Third-Party Risk Management

AI was also a dominant topic at the event, with discussions focusing on its role in continuous monitoring, contract management, and supplier assessments. The event highlighted that while AI offers new opportunities for enhancing TPRM, it also introduces new risks and governance challenges that need to be addressed.

Supplier Instability and Operational Resilience

The conference addressed the challenges posed by supplier instability and the need for operational resilience. Over the past five years, a series of economic shocks—including the COVID-19 pandemic, inflation, energy price fluctuations, geopolitical risks, and banking collapses—have significantly increased supplier instability. These shocks have led to supply chain disruptions, market volatility, and a heightened susceptibility to operational failures.

During the event, Wayne Scott, Escode's Regulatory Compliance Solution Lead, presented on 'Supplier Financial Instability: Successful Stressed Exit Planning.'

Wayne emphasised the importance of assigning ownership for supplier failure, service deterioration, and concentration risk. He noted that these risks cannot be mitigated by cybersecurity measures alone and require strategic management at the highest organisational levels.

Stressed Exit Planning

Discussions provided insights on exit planning and how to develop plans aligned with regulatory requirements such as the EU’s DORA regulation, which mandates the development of stressed exit plans for all critical suppliers.

An increasing number of global regulators recognise software escrow as a vital component of these stressed exit plans. Software Escrow Agreements form a legal arrangement where a third party holds source code and other intellectual property, ensuring access during a stressed exit. By implementing Escrow Agreements and Verification with third-party software suppliers, institutions reliant on outsourced software gain access to the necessary resources for rebuilding and maintaining critical software. This ensures operational continuity in the event of software vendor insolvency or failure. 

Wayne outlined the critical steps for creating a successful stressed exit plan:

  • Establishing Legal Right: Secure a legal right to access essential information regarding critical third-party software in the event of supplier failure.
  • Knowledge Transfer: Ensure key personnel have access to the necessary information and resources to continue operations during a stressed exit.
  • Scenario Testing: Organisations must subject their stressed exit plan to scenario testing, including scenarios of a supplier's insolvency. This ensures the plans are demonstrably successful and helps identify any weaknesses or areas that need improvement.

This process allows organisations to mitigate against their own failure. Wayne also stressed the importance of shifting from corrective controls to preventive and detective controls. He explained how Software Escrow provides a seamless stressed exit solution that proactively manages third-party risk.

The 2024 CeFPro Vendor & Third-Party Risk Europe Conference provided invaluable insights into the evolving landscape of third-party risk management. From the implications of the DORA Regulation to the importance of stressed exit plans, the event highlighted the need for proactive and informed risk management strategies.

Thank you to CeFPro for organising such a fantastic event and to all attendees for their valuable contributions. We're excited to continue these conversations and help elevate your TPRM strategies.

Interested in learning more about our Software Escrow Services?

Skip to navigation Skip to main content Skip to footer