


In this in-depth episode of The Third Party Risk Institute Podcast, we take a hard look at how the Digital Operational Resilience Act (DORA) is fundamentally changing expectations for third-party risk, cybersecurity, procurement, compliance, and governance teams.
Rather than treating DORA as another regulatory checkbox, this episode focuses on what DORA will expose inside most third-party risk management programs, including gaps that many organizations are not yet prepared to defend during regulatory inspections.
This conversation goes beyond regulatory summaries. We break down the organizational, operational, and technical impact of DORA, and explain why many existing TPRM programs will struggle to meet the “prove it” resilience standard regulators are now enforcing.
Together, we unpack:
• Why DORA is not just an ICT regulation, but a resilience mandate
• How third-party risk programs are being stress-tested for the first time
• Where vendor oversight, incident response, and exit strategies fall short
• Why policies alone will no longer satisfy regulators
• How real third-party failures explain why DORA exists
We also examine real-world third-party incidents and outages to show how concentration risk, fourth-party exposure, and untested recovery assumptions can quickly become systemic failures.
What We Cover in This Episode
• What DORA will expose in most third-party risk management programs
• Why operational resilience is replacing checkbox compliance
• How DORA reshapes expectations for vendor oversight and governance
• The most common gaps in third-party risk, incident response, and resilience testing
• Why dependency mapping and critical service identification are failing points
• How vendor concentration and fourth-party risk are coming under scrutiny
• What regulators expect organizations to prove, not just document
• Why exit strategies and substitutability matter more than ever
• Lessons from real-world third-party outages and cyber incidents
• How organizations should prepare for DORA inspections and audits
This Episode Is Essential For:
• Chief Risk Officers (CROs) and Operational Resilience Leaders
• Third-Party Risk and Vendor Risk Management Professionals
• Cybersecurity and ICT Risk Teams
• Procurement and Strategic Sourcing Leaders
• Compliance and Governance Professionals
• Executives accountable for regulatory readiness and resilience
If you're interested in learning about DORA and getting certified, check out our upcoming live class: https://thirdpartyriskinstitute.com/dora/
🎧 Enjoying the podcast?
Explore more resources, expert insights, and certification programs at www.thirdpartyriskinstitute.com
📱 Follow us on LinkedIn for real-world conversations and industry trends: Third Party Risk Institute Ltd.
📬 Have a question or topic you'd like us to cover?
Email us at: [email protected]
By Linda Tuck Chapman