Third-Party Risk Management And Operational Resilience | A Compliance Priority For 2025

With DORA and the UK’s operational resilience rules introducing stricter oversight of third-party risks, firms must ensure they have robust resilience frameworks.

Under the new rules – which came into effect on 31st March, 2025 – businesses must assess the resilience of critical ICT providers, implement enhanced risk management measures and establish contingency plans for severe service disruptions (PS21/3). UK regulators are also introducing mandatory registration of material third-party arrangements, increasing compliance complexity.

Non-compliance may lead to regulatory enforcement, financial penalties and heightened supervisory scrutiny. Firms that fail to properly assess third-party risks could experience significant operational failures that impact business continuity.

Here's what firms should be doing now to prepare:

  • Review all third-party contracts: do agreements meet new resilience expectations, including risk assessments and contingency planning?
  • Conduct third-party risk assessments: identify which vendors and ICT providers are critical and ensure they meet operational resilience standards.
  • Strengthen business continuity plans: firms must prove they can operate within impact tolerances if a key provider fails.
  • Prepare for regulatory reporting: if your business is subject to the mandatory registration of material third-party arrangements, ensure processes are in place to document and report.
  • Test resilience frameworks: are systems ready for real-world disruptions? Or is there a gap between policy and practice?

Speak to Edmund today for expert guidance on how you can ensure your firm meets third-party risk compliance requirements.

#ThirdPartyRisk #OperationalResilience #DORA #Compliance #RiskManagement #Edmund
