What is DORA’s approach and process to exit strategy and termination?
In earlier parts of The TPRM Concentration Risk Playbook series, we covered the three main types of concentration risk and how the Digital Operational Resilience Act (DORA) addresses them through due diligence, stronger ICT contracting, and ongoing monitoring.
In our final article, we focus on how DORA addresses concentration risk during the exit strategy and termination process, ensuring organizations can move away from over-reliance on a single ICT or cloud provider without compromising operational resilience.
Although DORA is a very important regulation that introduces new requirements for managing concentration risk, another framework with its own requirements exists in the area of financial institution governance: the Basel Framework.
The Basel Framework is a set of international banking regulations that must be followed by banks that are members of the Basel Committee on Banking Supervision (BCBS). The BCBS is the primary global standard setter for the prudential regulation of banks. Member jurisdictions have agreed to fully implement these standards and apply them to internationally active banks in their regions. This alignment ensures that banks adhere to necessary regulatory adjustments and transitional arrangements, maintaining the stability and integrity of the global financial system.
Although the Basel Framework is not targeted at third-party risk specifically, all of the requirements below incorporate elements related to identifying concentration risk areas:
- Pillar 2 (Supervisory Review and Evaluation Process – SREP)
  - Bank Responsibilities – Banks are expected to identify, measure, monitor, and manage all material risks, including concentration risk, under their internal capital adequacy assessment process (ICAAP).
  - Supervisory Review – Under Pillar 2, supervisors review and evaluate a bank’s ICAAP to ensure it appropriately assesses concentration risk and maintains adequate capital to cover it.
  - Concentration Risk in Pillar 2 – This includes evaluating the potential impact of credit exposures to single counterparties or groups of connected counterparties, geographical locations, industry sectors, specific products, or service providers, according to the Bank for International Settlements.
Understanding the Large Exposures Framework and Its Role in Managing Concentration Risk
The Large Exposures Framework complements Pillar 1 by limiting a bank’s exposures to single or connected counterparties. A large exposure is defined as the sum of all exposures to a single counterparty (or connected group) that is 10% or more of a bank’s Tier 1 capital. Generally, exposures to a single counterparty are limited to 25% of Tier 1 capital, with a tighter 15% limit for exposures between global systemically important banks (G-SIBs).
This framework applies to various exposures in both the banking and trading books. For interconnected counterparties that could cause cascading failures, the limit applies to the combined exposures of the group.
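To make the Large Exposures arithmetic concrete, here is a small added example (not from the article or from the BCBS) that aggregates exposures by connected-counterparty group, flags any group at or above the 10% of Tier 1 capital "large exposure" threshold, and tests the aggregate against the 25% general limit or the 15% limit that applies between G-SIBs. The `Exposure` record, the `group` field, the sample figures and the reporting bank's G-SIB status are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds as stated in the text: a share of the bank's Tier 1 capital.
LARGE_EXPOSURE_THRESHOLD = 0.10   # 10% or more = "large exposure"
GENERAL_LIMIT = 0.25              # 25% of Tier 1 capital
GSIB_TO_GSIB_LIMIT = 0.15         # 15% between G-SIBs


@dataclass(frozen=True)
class Exposure:
    counterparty: str
    group: str                    # assumed: id of the connected-counterparty group
    amount: float
    counterparty_is_gsib: bool = False


def aggregate_by_group(exposures):
    """Sum exposures per connected group; the limit applies to the combined total."""
    totals = defaultdict(float)
    gsib = defaultdict(bool)
    for e in exposures:
        totals[e.group] += e.amount
        gsib[e.group] = gsib[e.group] or e.counterparty_is_gsib
    return dict(totals), dict(gsib)


def assess_large_exposures(exposures, tier1_capital, bank_is_gsib=False):
    """Return one finding per connected group, largest share of Tier 1 first."""
    totals, gsib = aggregate_by_group(exposures)
    findings = []
    for group, total in totals.items():
        ratio = total / tier1_capital
        # The tighter limit applies only when both the bank and the counterparty are G-SIBs.
        limit = GSIB_TO_GSIB_LIMIT if (bank_is_gsib and gsib[group]) else GENERAL_LIMIT
        findings.append({
            "group": group,
            "total": total,
            "ratio": ratio,
            "large_exposure": ratio >= LARGE_EXPOSURE_THRESHOLD,
            "limit": limit,
            "breach": ratio > limit,
        })
    return sorted(findings, key=lambda f: f["ratio"], reverse=True)


# Constructed sample book: two cloud affiliates form one connected group.
SAMPLE_EXPOSURES = [
    Exposure("CloudCo Hosting", "CloudGroup", 120.0),
    Exposure("CloudCo Networks", "CloudGroup", 150.0),
    Exposure("BigBank", "BigBank", 160.0, counterparty_is_gsib=True),
    Exposure("SmallVendor", "SmallVendor", 50.0),
]
SAMPLE_TIER1 = 1000.0


if __name__ == "__main__":
    for f in assess_large_exposures(SAMPLE_EXPOSURES, SAMPLE_TIER1, bank_is_gsib=True):
        flag = "BREACH" if f["breach"] else ("large" if f["large_exposure"] else "ok")
        print(f"{f['group']:<12} {f['ratio']:.1%} of Tier 1 (limit {f['limit']:.0%}) -> {flag}")
```

Individually, neither CloudCo affiliate is a large exposure; once they are aggregated as a connected group the 27% total breaches the general limit, which is the point the framework makes about interconnected counterparties.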
In conclusion, concentration risk is no longer a theoretical concern. It is a rapidly evolving and increasingly critical component of Third-Party Risk Management (TPRM). As organizations become more reliant on external vendors for essential services, the potential for operational, compliance, reputational, and cybersecurity disruptions due to over-reliance on a single provider, region, or service type becomes more pronounced.
Preparing Your TPRM Program for the Future of Concentration Risk
Looking ahead, we can expect continued development of regulatory frameworks such as DORA and Basel, along with new tools, controls, and best practices designed to help organizations identify, assess, and mitigate concentration risk more effectively. As this area matures, proactive engagement, diversified vendor strategies, and robust oversight mechanisms will be key to building a resilient and future-ready TPRM program.
If you are overseeing your own TPRM program, the list of questions below can help you begin identifying concentration risk:
- How many specific vendors does our company leverage for data center / cloud hosting?
- Have we confirmed the service locations / area of operations for all of our vendors?
- Is this information (service locations / areas of operation) tracked?
- How many different solutions are used across the organization for meetings, calls, instant messages?
- Do we have a centralized support team, or is support assistance decentralized?
- How many different vendors do we use for staffing?
- Which of our vendors support multiple business units or functions across the organization?
- How many vendors within our population provide a service/product that is considered a sole provider with no backup options?
- Are Concentration Risk questions or factors included in our IRQ / Due Diligence process?
- Have we considered determining quantifiable characteristics for concentration risk by service type, business unit, or risk tier?
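Several of the questions above can be answered directly from a vendor inventory. The following added example (not from the article) runs those checks over a small constructed inventory: how many vendors serve each service type, which vendors are sole providers with no named backup, which vendors support multiple business units, which vendors have no recorded service location, and how many vendors sit in each location. The field names (`service`, `units`, `location`, `backup`) and the sample vendors are assumptions for illustration; a real program would read them from its own inventory system.

```python
from collections import defaultdict

# Constructed sample inventory; vendor names and locations are fictional.
INVENTORY = [
    {"vendor": "HostCo",  "service": "cloud hosting", "units": {"Retail", "Payments", "Ops"}, "location": "eu-west", "backup": None},
    {"vendor": "MeetCo",  "service": "meetings",      "units": {"Retail"},                   "location": "us-east", "backup": "ChatCo"},
    {"vendor": "ChatCo",  "service": "meetings",      "units": {"Ops"},                      "location": None,      "backup": "MeetCo"},
    {"vendor": "StaffCo", "service": "staffing",      "units": {"Ops", "Payments"},          "location": "eu-west", "backup": None},
    {"vendor": "DeskCo",  "service": "support desk",  "units": {"Retail"},                   "location": "eu-west", "backup": None},
]


def vendors_per_service(inventory):
    """How many distinct vendors cover each service type (hosting, meetings, staffing, ...)."""
    vendors = defaultdict(set)
    for row in inventory:
        vendors[row["service"]].add(row["vendor"])
    return {service: len(names) for service, names in vendors.items()}


def sole_providers(inventory):
    """Vendors that are the only supplier of their service type and have no named backup."""
    per_service = vendors_per_service(inventory)
    return sorted(
        row["vendor"] for row in inventory
        if per_service[row["service"]] == 1 and row["backup"] is None
    )


def multi_unit_vendors(inventory, minimum=2):
    """Vendors relied on by at least `minimum` business units; an outage hits all of them."""
    return sorted(row["vendor"] for row in inventory if len(row["units"]) >= minimum)


def untracked_locations(inventory):
    """Vendors whose service location / area of operations has not been recorded."""
    return sorted(row["vendor"] for row in inventory if not row["location"])


def vendors_per_location(inventory):
    """Geographic concentration: number of vendors operating from each recorded location."""
    counts = defaultdict(int)
    for row in inventory:
        if row["location"]:
            counts[row["location"]] += 1
    return dict(counts)


def concentration_report(inventory):
    """Collect every indicator in one structure for review or export."""
    return {
        "vendors_per_service": vendors_per_service(inventory),
        "sole_providers": sole_providers(inventory),
        "multi_unit_vendors": multi_unit_vendors(inventory),
        "untracked_locations": untracked_locations(inventory),
        "vendors_per_location": vendors_per_location(inventory),
    }


if __name__ == "__main__":
    for indicator, value in concentration_report(INVENTORY).items():
        print(f"{indicator}: {value}")
```

The sole-provider check is deliberately strict: a vendor counts as sole only when no other vendor covers the same service type and no backup has been named, so a recorded but untested backup still removes the flag. Tighten that rule if your program requires evidence that the backup has actually been exercised.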
This article is part of The TPRM Concentration Risk Playbook blog series, which explores how organizations can identify, assess, and mitigate concentration risk in third-party risk management programs.
How Can Schneider Downs Help?
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management and hold the credentials (CTPRP, CISA, CISSP, etc.) needed to deliver meaningful results and help your organization reach new vendor risk management heights.
For more information contact the team at [email protected] or visit www.fengyiting.com/tprm.