The risk does not disappear: it changes address

07 April 2026

Risk management at financial institutions has never been more sophisticated. Frameworks are documented, models are calibrated, controls are audited and tracked. By most internal measures, the organization appears well governed.

Yet risk has not disappeared. It has migrated. The third-party ecosystem that now underpins critical functions, from cloud infrastructure to outsourced processing, from fintech integrations to multi-tier subcontracting chains, has become the principal site of exposure. The modern institution is no longer a contained, autonomous entity. It is a distributed system. And distributed systems carry distributed risk.


💡 Key takeaways

  • Risk has not disappeared from financial institutions. It has migrated to the third-party ecosystem that now underpins critical functions.
  • DORA concentration risk is consistently underestimated: exit strategies are often theoretical and resilience exercises rarely include third parties in any meaningful way.
  • Under DORA, third-party risk management is a frontline governance obligation: institutions remain fully accountable for outsourced functions, regardless of who executes them.
  • Fragmented oversight frameworks (TPRM, KYC, GDPR, CSRD) each capture a partial view of the same third party without producing a consolidated picture.
  • Effective TPRM is no longer a documentation exercise. It requires a strategic capability to know third parties, map real dependencies, and govern concentration risk continuously.

The structural shift of risk

For decades, risk governance operated on an implicit assumption: that risk lives inside the institution. Contain the perimeter, control the processes, and the risk is managed.

That assumption no longer holds. A growing share of critical functions (information systems, operational processing, data management, cloud services, even certain regulated activities) now depends on external providers. The shift is not marginal. It is structural: the day-to-day functioning of financial institutions has become inseparable from providers they do not fully govern.

Supervisory findings confirm this gap. Many institutions still lack a comprehensive view of their outsourced services, their actual criticality, and their real dependencies. They manage internal risk with precision while remaining largely blind to the risk they have transferred outside.

The architecture of dependency

The deeper problem is not outsourcing itself. It is the accumulation of dependencies, each individually rational, collectively opaque.

Consider the layers:

  • Technological dependence on cloud platforms and APIs;
  • Operational dependence on delegated processes;
  • Regulatory dependence on outsourced reporting and calculations;
  • And chain dependence, where subcontractors themselves rely on further subcontractors the institution has never assessed.

No single decision creates the vulnerability. The architecture does.

Supervisory reviews repeatedly surface the same findings: concentration risk is underestimated, exit strategies are theoretical rather than tested, and resilience exercises rarely include third parties in any meaningful way. An institution can be fully convinced it controls its risk exposure while being critically dependent on a single provider it cannot replace.

Risk, in this environment, is no longer an event. It is a structural condition.

DORA and third-party risk management: regulatory recognition of extended risk

DORA does not create third-party risk. It formalizes the regulatory recognition that ICT risk cannot be contained within the institution's own perimeter.

The regulation's core premise is consequential: critical functions supported by external providers, dependency chains, and shared infrastructure all fall within the institution's risk governance obligations. Outsourcing an activity does not transfer the associated risk. The institution remains accountable, regardless of who executes the function.

For many institutions, this represents a meaningful shift. DORA third-party risk management can no longer be discharged at the contract level. It requires active, ongoing governance of third-party relationships, including dependency registers, resilience testing that encompasses external providers, and demonstrated capacity to manage concentration and substitution risk. The contractual checkbox is necessary but not sufficient.

Under DORA, concentration risk refers specifically to the exposure created when critical ICT functions depend on a single provider or a small group of providers, without credible substitution strategies in place. Supervisors expect institutions to identify, measure, and actively govern this exposure, not simply declare it acceptable in a risk register.
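The chain dependence described under "The architecture of dependency" and the concentration risk defined above can both be made concrete with a dependency register. The following is an added illustration, not code or data from the original post or from any institution: the register, provider names, substitutability list and the "two or more critical functions" threshold are all constructed assumptions. It walks each critical function through its sub-outsourcing chain, inverts the result into a provider-centric view, and flags providers that underpin several critical functions with no tested substitute, including providers that appear in no direct contract and would be invisible to a contract-level review.

```python
"""Constructed example: a minimal ICT dependency register and a concentration check.

All register entries, provider names and thresholds below are assumptions made
for illustration; they are not data from any real institution.
"""
from collections import defaultdict

# Constructed register: critical function -> directly contracted ICT providers
FUNCTION_PROVIDERS = {
    "payments_processing": ["CoreBankVendor", "CloudA"],
    "client_reporting": ["ReportingSaaS"],
    "trade_settlement": ["SettlementOutsourcer"],
    "online_banking": ["CloudA"],
}

# Constructed sub-outsourcing chain: provider -> providers it relies on in turn
SUBCONTRACTORS = {
    "CoreBankVendor": ["CloudA"],
    "ReportingSaaS": ["DataCentreOps"],
    "SettlementOutsourcer": ["DataCentreOps"],
    "DataCentreOps": ["CloudA"],
}

# Constructed set of providers for which a tested exit/substitution plan exists
SUBSTITUTABLE = {"ReportingSaaS"}


def transitive_providers(function, providers=FUNCTION_PROVIDERS, chain=SUBCONTRACTORS):
    """Return every provider a function depends on, directly or via subcontractors.

    Iterative depth-first walk with a visited set, so cyclic chains terminate.
    """
    seen = set()
    stack = list(providers.get(function, []))
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(chain.get(p, []))
    return seen


def dependency_map(providers=FUNCTION_PROVIDERS, chain=SUBCONTRACTORS):
    """Invert the register: provider -> set of critical functions that reach it."""
    exposure = defaultdict(set)
    for fn in providers:
        for p in transitive_providers(fn, providers, chain):
            exposure[p].add(fn)
    return dict(exposure)


def concentration_findings(min_functions=2, providers=FUNCTION_PROVIDERS,
                           chain=SUBCONTRACTORS, substitutable=SUBSTITUTABLE):
    """Flag providers underpinning at least `min_functions` critical functions
    that have no tested substitute.

    Returns a list of (provider, sorted functions, hidden) ordered by the number
    of functions exposed. `hidden` is True when the provider is reached only
    through subcontracting chains, i.e. it appears in no direct contract.
    """
    direct = {p for ps in providers.values() for p in ps}
    findings = []
    for p, fns in dependency_map(providers, chain).items():
        if len(fns) >= min_functions and p not in substitutable:
            findings.append((p, sorted(fns), p not in direct))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))


if __name__ == "__main__":
    for provider, fns, hidden in concentration_findings():
        tag = "via subcontracting only" if hidden else "directly contracted"
        print(f"{provider}: {len(fns)} critical functions ({tag}): {', '.join(fns)}")
```

On the constructed register the check surfaces two findings: the cloud platform that every critical function eventually reaches, and a data-centre operator that no function contracts directly but that two functions depend on through their providers' own subcontractors. The second kind of finding is the one a contract-level review misses, and it is what the register must be able to produce before an exit strategy can be called tested.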

A fragmented view of the legal entity

Despite this regulatory pressure, most institutions still view their third parties through fragmented lenses:

  • TPRM governs supplier relationships.
  • KYC covers counterparties and customers.
  • GDPR imposes obligations on data processors.
  • Sapin II in France addresses corruption risk in commercial relationships.
  • CSRD extends scrutiny to value chains.

Each framework captures a partial view of the same underlying entity, using its own data sources, its own risk criteria, and its own governance process. None of them communicates with the others. The result is that a single third party, a cloud provider that is also a data processor, also a regulated entity, also a concentration risk, is assessed five times over without ever being understood as a whole.

This fragmentation is not a minor inefficiency. It creates a structural blind spot. The question "what does this entity actually represent for our institution?" has no owner and no answer.

Towards a new discipline: extended knowledge of third parties

In this context, DORA third-party risk management can no longer function as a documentation exercise. The compliance question, "is the questionnaire complete, does the contract include the right clauses?", is necessary but insufficient. What institutions actually need is a fundamentally different capability: the ability to know their third parties, not just administer them.

This means understanding real dependencies rather than declared ones. It means being able to trace how an operational failure at a critical provider propagates through the institution. It means having a credible, tested answer to the substitution question, not just a contractual right to exit. It means continuous, explainable monitoring rather than point-in-time assessments.

This shift, from supplier management to genuine third-party knowledge, does not require discarding existing frameworks. It requires connecting them. The fragmented views described in the previous section (TPRM, KYC, GDPR, CSRD) need to be organized around a shared understanding of the legal entity. That consolidated view is what is currently missing, and what the next generation of risk governance must provide.

Conclusion: the real issue is not risk but visibility

The central challenge is not that institutions face more risk than before. It is that they face risk they cannot see. More dependent than ever on external providers, yet equipped with frameworks designed for internal control, many institutions govern a perimeter that no longer reflects where their exposure actually sits.

Visibility is the precondition for control. An institution that cannot reconstruct a consolidated picture of its third-party ecosystem, its dependencies, its concentrations, its propagation paths, cannot credibly claim to govern its risk.

TPRM is the mechanism through which that visibility is built. Not as a compliance function, but as a strategic capability. The question is no longer whether to invest in it, but whether the approach in place is genuinely fit for purpose.

Frequently asked questions about DORA third-party risk management

What does DORA require for third-party risk management?

DORA requires financial institutions to actively govern all ICT third-party relationships, not merely document them. This includes maintaining a comprehensive register of ICT dependencies, integrating third-party providers into resilience testing, managing concentration and substitution risk, and demonstrating that outsourcing arrangements do not impair the institution's capacity to meet its regulatory obligations.

How does DORA change the approach to third-party risk management?

DORA shifts third-party risk management from a contract-level compliance exercise to an active governance obligation. Institutions can no longer discharge their responsibilities by including the right contractual clauses. They must demonstrate ongoing visibility over dependencies, tested exit strategies, and the capacity to maintain critical functions if a provider fails.

Why do financial institutions struggle with DORA third-party risk management?

Most institutions still govern their third parties through fragmented frameworks (TPRM for suppliers, KYC for counterparties, GDPR for data processors), each with its own data and processes. This creates blind spots: the same entity is assessed multiple times without ever being understood as a whole. DORA requires a consolidated view that most existing governance structures are not designed to produce.

What is the role of concentration risk in DORA third-party risk management?

Concentration risk is one of the most consistently underestimated dimensions of DORA compliance. It arises when critical ICT functions depend on a single provider or a small group of providers without viable substitution alternatives. DORA requires institutions to identify, monitor, and actively manage this exposure, not simply acknowledge it in a risk register.

How should financial institutions build a DORA-compliant third-party risk management programme?

An effective programme starts with a complete and accurate map of ICT dependencies, including sub-outsourcing chains. It requires integrating third-party providers into governance processes, stress-testing exit strategies, and moving from periodic assessments to continuous monitoring. The goal is genuine knowledge of third parties, not just administrative compliance with documentation requirements.

Harmoney's compliance platform helps financial institutions build consolidated visibility over their third-party ecosystem, map ICT dependencies, and govern concentration risk continuously. Get in touch to learn how we can support your DORA compliance programme, or stay up to date via our newsletter ⬇️.
