Webinar Recap: Operational Resilience, DORA, and Third-Party Risk

Julien Haye
“The worst thing possible when you start talking to the regulator after the end of March is to say, well, we haven’t really done anything.” — Jimi Hinchliffe

This stark warning from our latest webinar on operational resilience, DORA, and third-party risk underscores the growing regulatory pressure on firms. With DORA, the UK’s enhanced critical third-party (CTP) framework, and increasing scrutiny on outsourcing risks, organisations can no longer afford to take a reactive approach to resilience and compliance.

 

As firms prepare for 2025 and beyond, they must tackle key questions such as:

  • How can they harmonise their resilience strategies across jurisdictions?

  • How should they approach critical third-party oversight?

  • And what practical steps can they take to ensure compliance by 2025?

 

In a highly insightful webinar, industry experts Paul Wood, Andrew Sheen, Jimi Hinchliffe, and Julien Haye delved into the evolving challenges and opportunities in operational resilience, the EU’s Digital Operational Resilience Act (DORA), and third-party risk management. The session, moderated by Julien Haye, provided practical guidance on regulatory compliance, strategic risk management, and the integration of resilience into business planning for 2025 and beyond.

 

The discussion was anchored by a recently co-authored white paper on operational resilience and consumer duty, which explores these critical regulatory intersections in greater depth.

 

In this article, you will find a summary of the CPD-accredited webinar's key discussion points, along with additional insights that were not explicitly covered during the session—such as the broader impact of DORA—while ensuring that the main takeaways remain applicable to various regulatory frameworks. If you missed the session, you can also access the full webinar recording for a more in-depth exploration of these themes.


This webinar was presented in collaboration with Grath, bringing together industry experts to explore the evolving landscape of operational resilience, DORA, and third-party risk management.

 

🎥 Missed the session? Watch the full webinar recording below!


Why Operational Resilience and Third-Party Risk?

“We see new regulations constantly raising the bar for operational resilience, but the real challenge is integrating these requirements without creating silos or duplication.” — Paul Wood

Operational resilience is now a regulatory non-negotiable. Financial institutions and businesses must ensure they can withstand, respond to, and recover from disruptions, particularly those arising from third-party dependencies.


Key Issues Discussed in the Webinar:

  • The overlap between operational resilience regulations and third-party oversight—how can firms ensure a streamlined compliance strategy?

  • Regulatory shift towards direct supervision of critical third-party providers—how will this impact firms relying on outsourced services?

  • The role of technology in risk management—how can firms transition from reactive compliance to proactive resilience?


🔹 Key Takeaway: To effectively manage third-party risk and maintain operational resilience, firms must integrate these frameworks rather than treating them as standalone compliance exercises.


Key Regulatory Frameworks and Their Implications


Operational Resilience and DORA

“DORA is more prescriptive than the UK framework, and firms need to be prepared for higher expectations around ICT resilience, testing, and incident reporting.” — Andrew Sheen

Firms must understand how the UK’s operational resilience framework aligns with DORA to avoid compliance gaps.


Key Differences & Challenges:

  • UK Operational Resilience: Focuses on identifying critical services, setting impact tolerances, and planning for disruptions.

  • DORA: Mandates financial institutions in the EU to strengthen ICT risk management, conduct resilience testing, and report cyber incidents.


🔹 Key Takeaway: DORA requires stricter ICT compliance controls than the UK framework. Firms must develop cyber resilience strategies that go beyond basic operational resilience planning.

 

Critical Third Parties (CTPs)

“The new CTP framework is a game-changer—it shifts responsibility from firms to their critical service providers, but that doesn’t mean firms can relax their oversight.” — Jimi Hinchliffe

The UK’s new regulatory framework for Critical Third Parties (CTPs) represents a major shift in how financial firms manage third-party risks. These changes aim to enhance resilience in critical providers, but they also raise new compliance burdens.


Key implications:

  • CTPs must undergo direct supervision by financial regulators, including enhanced risk assessments and scenario testing.

  • Firms relying on CTPs must align their risk management frameworks with new supervisory expectations.

  • Regulators face challenges in effectively supervising CTPs, potentially increasing compliance risks for firms.


🔹 Takeaway: The shift toward direct regulatory oversight of third parties introduces both greater accountability and operational challenges, making third-party governance a strategic priority.


The Bank of England’s PS16/24 framework introduces stricter regulatory expectations for critical third-party providers. This regulation directly impacts how firms manage their vendor relationships and risk governance strategies. Learn more in our article: Understanding PS16/24 on Critical Third Parties.


Main Discussion Points and Strategic Insights


  1. Harmonising Regulatory Efforts

“Firms need to reconcile the regulations they’re subject to—many still haven’t read them properly, which makes compliance much harder than it needs to be.” — Andrew Sheen

Panellists stressed the importance of harmonising approaches to operational resilience and third-party risk management across jurisdictions. Leveraging existing frameworks and tools was recommended to avoid duplication and ensure efficiency.


New regulatory changes in CP17/24 impose tighter incident reporting and third-party risk management requirements on financial institutions. Firms must now establish real-time monitoring and structured resilience plans to stay compliant. Read more about CP17/24’s impact and strategies for adapting to these new requirements: CP17/24 on Incident and Third-Party Reporting.


  2. Technology and Collaboration

“If you're still managing third-party risks on spreadsheets, you’re managing data—not risk.” — Paul Wood

The role of technology in scaling compliance efforts was emphasised. Integrated risk management systems can replace spreadsheet-based processes, enabling firms to manage risks more effectively. Additionally, fostering collaboration among firms using shared third-party providers can streamline oversight.


Recent real-world disruptions highlight the importance of incident response planning. The CrowdStrike Windows Outage serves as a case study in how firms must prepare for unexpected IT failures. Read more on lessons learned and proactive steps to strengthen response plans here: Lessons from the CrowdStrike Windows Outage.


  3. Risk-Based Approach to Third Parties

“A lot of firms don’t even know their nth-party risks. They focus on their direct vendors but ignore critical dependencies beyond that.” — Jimi Hinchliffe

A proportionate, risk-based approach to managing third-party and nth-party risks was advocated. Firms must focus their efforts on critical services and prioritise transparency and accountability throughout their vendor ecosystems.


One of the best ways to manage third-party risk is to establish clear monitoring triggers that signal when a vendor relationship may require review or termination. Our guide on Monitoring Triggers for Third-Party Vendor Exit outlines key risk indicators, compliance status monitoring, and proactive response planning to ensure firms are never caught off guard.


  4. Strategic Governance and Continuous Improvement


Operational resilience is not static. It requires continuous monitoring, testing, and adaptation. Panellists urged firms to adopt dynamic governance models that evolve with regulatory and business landscapes.


Actionable Takeaways


  1. Perform a Gap Analysis: Conduct independent assessments to identify weaknesses in your current frameworks and address them promptly.

  2. Leverage Existing Tools: Build on established systems and processes rather than reinventing them.

  3. Adopt a Centralised Strategy: Break down silos between operational resilience and third-party risk management teams to foster collaboration and efficiency.

  4. Focus on Materiality: Prioritise critical services and vendors to direct resources where they are most needed.

  5. Invest in Technology: Transition from spreadsheets to integrated risk management systems for better oversight and reporting.

  6. Plan for Exit: Be prepared not only to manage third-party risks but also to exit relationships effectively when needed. Our guide, How to Develop a Third-Party Vendor Exit Strategy, breaks down:

    1. Regulatory expectations for exit strategies under DORA and FCA/PRA mandates

    2. Step-by-step guidance on structuring exit plans

    3. Triggers that warrant vendor termination and best practices for managing transitions

    Having a structured exit framework ensures that firms maintain business continuity, compliance, and operational resilience when a vendor relationship is no longer viable.


Additional Resources and Support


📥 Gain Key Insights: Download the White Paper on Operational Resilience


For a deeper dive into operational resilience and consumer duty, access our co-authored white paper, which provides comprehensive insights and practical guidance on harmonising regulatory compliance and risk management strategies.


🎧 Listen to Our Previous Webinar


In a highly informative webinar, industry experts Julien Haye, Andrew Sheen, and Jimi Hinchliffe explored the critical convergence of operational resilience and consumer duty regulations, highlighting their impacts, overlaps, and potential conflicts. If you missed it, watch the full recap here:



📌 Additional Reads for Practical Implementation


🏢 Business Continuity and Contingency Planning: A Case Study – How firms enhance resilience through robust continuity planning.


📩 Need Expert Guidance? Contact Us for Tailored Solutions


Closing Thoughts

“Resilience isn’t about ticking boxes—it’s about ensuring your firm can withstand and recover from disruption in a way that protects customers and the financial system.” — Julien Haye

Operational resilience and third-party risk management are integral to maintaining business continuity and regulatory compliance in an increasingly interconnected world. The strategies and insights shared during this webinar offer a roadmap for firms navigating these challenges, ensuring they are well-positioned for 2025 and beyond.


If you missed the session, the recording is now available. Download the white paper, explore the topics further, and connect with us to discuss your specific needs.


 

Next Steps

  1. Download the white paper

  2. Watch the full webinar

  3. Contact our experts for tailored guidance

 

Frequently Asked Questions (FAQs)


1. What is the difference between operational resilience and business continuity?


Operational resilience focuses on an organisation’s ability to prevent, withstand, and recover from disruptions, ensuring critical services continue. Business continuity planning (BCP) is a component of operational resilience that deals specifically with preparedness and response plans to restore operations after disruptions.


2. What is DORA, and how does it impact financial firms?


The Digital Operational Resilience Act (DORA) is an EU regulation that strengthens ICT risk management and operational resilience in financial institutions. Key requirements include:

  • Robust ICT security risk management

  • Regular resilience testing and scenario planning

  • Incident reporting within strict timelines

  • Enhanced oversight of critical ICT third-party providers

DORA is more prescriptive than the UK’s operational resilience framework, requiring firms to implement stricter cyber resilience controls.


3. What are Critical Third Parties (CTPs), and why are they important?


CTPs are service providers that play a critical role in financial stability, such as cloud providers, payment processors, and outsourced IT services. The UK’s PS16/24 policy now subjects these providers to direct regulatory oversight. This means:

  • CTPs must meet resilience, security, and compliance expectations

  • Financial firms must align third-party risk management strategies with new regulatory standards

  • Regulators will have direct powers to intervene in the event of systemic risks


4. How can firms prepare for increased regulatory scrutiny on third-party risk?


Firms should take the following steps to comply with regulatory changes:

  • Conduct regular third-party risk assessments

  • Monitor key triggers that indicate when a vendor relationship may need review

  • Develop structured third-party exit strategies to ensure business continuity


5. What should financial institutions do to align with CP17/24 incident reporting requirements?


The Bank of England’s CP17/24 introduces stricter incident reporting obligations. To comply, firms should:

  • Define clear incident thresholds for reporting disruptions

  • Enhance internal monitoring systems to track operational failures

  • Ensure timely reporting within the required 24-hour period


6. What lessons can firms learn from recent resilience failures?


Recent disruptions, such as the CrowdStrike Windows Outage, highlight the importance of:

  • Strong incident response plans

  • Resilient third-party vendor management

  • Regular stress testing for operational failures


7. How can firms effectively integrate operational resilience with third-party risk management?


A holistic approach is essential to prevent compliance silos. Best practices include:

  • Centralising governance frameworks across resilience and vendor risk teams

  • Harmonising resilience strategies with outsourcing and ICT risk management

  • Using technology for continuous monitoring and regulatory compliance


8. What are the key action steps firms should take now?


To stay ahead of regulatory changes, firms should:

  • Perform a resilience gap analysis

  • Map out third-party dependencies

  • Develop contingency and exit plans

  • Implement proactive incident monitoring

If you need guidance on integrating these frameworks into your organisation, contact us for tailored advisory services.

 
