As financial institutions and insurers in Europe navigate the complexities of 2025, third-party risk management (TPRM) is a critical focal point.
Cyber resilience and sustainability are the two overarching strategic goals of ‘the next evolution’ of third-party risk management. Technology and data, and the linkage between them, sit at the heart of this transformation. Most organisations agree on this interdependence and on the need for an integrated framework to manage the myriad risks they face. With increasing operational, technological and regulatory pressures, organisations must evolve their TPRM strategies to ensure resilience and compliance, not just to mitigate their own risk, but to avoid contributing systemic risk to the wider economy.
We have identified several key initiatives in the financial sector, showing the shift to this evolved approach to risk management:
- Revision of third-party risk management methodologies.
- More meaningful, ‘human’ and collaborative relationships with partners, leading to increased trust and better value realisation.
- AI and digitalisation as the vehicle for addressing new dynamics, with growing complexity in data volumes, linkages and risk/reward.
- Integration of cyber risk and ESG performance with other risk metrics.
Financial institutions that integrate cyber resilience and sustainability with their pre-existing risk assessments in a single holistic framework benefit by breaking down silos while addressing current and forthcoming regulatory compliance.
Dun & Bradstreet’s Sara de la Torre (Head of Financial Services and Insurance) and Jay DePaul (Chief Cybersecurity & Technology Risk Officer) recently discussed the challenges and opportunities for the sector on a webinar with UKFinance, and how to achieve an integrated third-party risk framework for operational resilience and ESG.
Why Interconnected and Holistic Third-Party Risk Management?
A holistic, interconnected approach to third-party risk management offers numerous advantages for financial services and insurance firms. By viewing third-party risk within the broader context of enterprise risk management (ERM), organisations can enhance their ability to anticipate and mitigate risks effectively.
A unified approach allows for a clear, comprehensive view of risks across the organisation. By breaking down silos and aggregating data from multiple departments, firms can identify risks earlier and take pre-emptive action.
While the regulatory focus today is largely on technology service providers, an interconnected strategy allows financial services organisations to build resilience across their entire supply chain. Considering this wider ecosystem matters: according to Marsh, 73% of organisations have experienced significant disruption caused by a third party, whether a data breach or an ethical violation. Firms that take this wider view can better anticipate disruptions and minimise cascading impacts.
Adopting this interconnected approach strengthens supplier relationships, fosters collaboration, and enhances the overall effectiveness of risk management strategies. It can even become a competitive advantage.
Challenges in Third-Party Risk Management Today
Despite its benefits, third-party risk management remains fraught with challenges, especially as financial institutions deal with increasing complexity. During the webinar, we asked the question, ‘What is your biggest organisational challenge around third-party risk management?’ and attendees answered as follows:
Operational Silos and Jurisdictions: Many organisations still operate in silos, with different departments using varying criteria for assessing third-party risks. This fragmentation results in inconsistent evaluations and inefficiencies in managing risks.
Data Quality and Availability: Poor data quality, especially regarding emerging metrics like ESG, poses a significant challenge. Inconsistent or incomplete data makes it difficult to assess risks accurately, and collaboration with third-party vendors to enhance data frameworks is often lacking. When asked the question: ‘Do you feel you have the right data to support third-party risk challenges?’ during the webinar, 0% of the audience felt they had all the data they needed. Most had some data, but 20% felt they didn’t have any relevant data to support their challenges today.
This is supported by the findings of our recent survey of financial institutions across Europe, in which 64% reported having had to reject potential customers and third parties in the last 12 months due to a lack of risk visibility and relevant data.
Manual Processes and Resource Constraints: Many institutions continue to rely on outdated, manual systems such as spreadsheets. These approaches are labour-intensive, prone to errors, and ill-equipped to handle the growing volume and complexity of data.
Regulatory Pressures: New regulations, such as the EU’s Digital Operational Resilience Act (DORA) and the Economic Crime and Corporate Transparency Act (ECCTA), require organisations to demonstrate robust third-party risk management. These regulations also extend accountability to "fourth party" risks, i.e. risks associated with the suppliers of suppliers, further complicating compliance efforts. At the same time, existing regulations (e.g. around Anti-Money Laundering) and the overall fast pace of regulatory change (the financial services sector has seen demands increase by around 35% year on year) exacerbate the pressure on teams to conduct due diligence on multiple third parties.
Emerging Technologies: The rise of generative AI and other advanced technologies introduces additional complexity. Financial institutions must navigate issues such as acceptable use, data governance, and transparency regarding AI-driven tools and services used by third-party vendors.
How Innovative Organisations Are Transforming Third-Party Risk Management Strategies
Leading organisations are adopting innovative strategies to transform their third-party risk management approaches, turning them into proactive, opportunity-driven processes.
Harnessing Emerging Technologies: Generative AI, robotic process automation (RPA), and advanced risk platforms are being used to streamline manual processes, improve data quality, and enhance scalability. Real-time monitoring enables organisations to identify risks early, such as data breaches or vendor vulnerabilities.
Digital currencies and blockchain can provide traceability, particularly around ESG claims and tracking the movement of goods. Finally, unified data platforms, such as Databricks, enable organisations to centralise and harmonise data from multiple sources into a single view of third parties (and their associated risks) across the enterprise, while also supporting monitoring and real-time risk assessments.
Robust governance frameworks are essential for managing these emerging technologies: tools must be used responsibly, and due diligence must be done on the companies providing them.
Dynamic and Tailored Risk Assessments: Organisations are moving away from static, checklist-based assessments toward continuous, adaptive risk management. This approach reflects the rapidly changing nature of supplier relationships and external risks. Rather than applying a one-size-fits-all approach to all suppliers, innovative organisations are adopting tiered risk assessments, prioritising vendors based on their access to critical systems and data, or the criticality of the service they provide to day-to-day operations. This ensures that resources are allocated efficiently and can be supported with third-party data and automated workflows – for example for screening.
Collaborative Resilience: Some institutions, particularly the larger ones, are working to strengthen their wider ecosystems, including smaller vendors and SMEs. By setting clear expectations for suppliers and ensuring that they adhere to high standards of environmental, social and governance performance and cyber resilience, they are creating a collaborative hardiness. Suppliers should be required to demonstrate ongoing commitment to ESG principles and technology security, including transparency in reporting and accountability for their environmental impact. It’s a journey, not a destination. Organisations should focus on continuous improvement, encouraging suppliers to adopt best practices and to work collaboratively towards long-term sustainability goals.
KEY TAKEAWAYS: Recommendations for Integrating ESG and Cyber Resilience into Third-Party Risk Management
To effectively integrate ESG into third-party risk management, financial institutions and insurers should follow these key recommendations:
- Enhance Data Quality: Consolidate and unify internal and external data for compliance, service providers, ESG, cyber risk and more across the organisation to ensure transparency and traceability. Implement a master data management approach to align global third-party risks with ESG goals and achieve a ‘single view of truth’ for each third party, accessible across the organisation.
- Adopt a Holistic Risk Scoring Model: Integrate this data into a unified risk-scoring methodology based on your risk policies. This provides a more comprehensive view of risks and supports better decision-making.
- Streamline Processes: Create efficiencies by, for example, consolidating ESG, cybersecurity, and compliance questionnaires. Leverage technology to automate data collection, scoring, reporting, and risk monitoring – ideally all in one place.
- Foster Collaboration: Treat suppliers as partners in ESG and resilience efforts, encouraging mutual growth and shared responsibility. Sharing knowledge is an ongoing exercise that requires educating employees and vendors on best practices for sustainability and compliance, fostering collective resilience.
- Promote Global Transparency: Develop frameworks that address risks across global supply chains. Ensure transparency and accountability to meet evolving regulatory and stakeholder expectations.
By following these recommendations, organisations can successfully integrate ESG into their third-party risk management strategies, driving both sustainability and resilience.
Conclusion
As financial institutions and insurers move into 2025, adopting a holistic, interconnected approach to third-party risk management is essential. By integrating ESG considerations and cyber resilience, leveraging emerging technologies, and fostering collaboration across the supply chain, organisations can enhance resilience, ensure compliance, and build human partnerships with their suppliers that drive co-creation and create long-term value. The future of third-party risk management lies in continuous improvement, transparency and innovation: the fundamental elements that will help organisations stay ahead in an increasingly complex and dynamic risk environment.