Breakfast and registration

Chair’s opening remarks

DORA – PANEL DISCUSSION

It’s here– but are you ready?
Session details: Clarifying third-party compliance obligations post-DORA implementation

• Efficiently applying new DORA requirements across the ICT supply chain
• Preparing for DORA audits and cross-functional regulator reviews
• Incorporating DORA requirements, including broader ICT coverage and stressed scenarios
• Updating legacy contracts to reflect resilience, data, and AI risk
• Understanding DORA’s requirements for threat-led penetration testing

IT DEPENDENCIES OF THE FINANCIAL SECTOR – A REGULATORY PERSPECTIVE

Session details: How to deal with non-European IT dependencies of the financial sector?

• The dependency of the financial sector on IT third party providers – nothing new
• The changing geopolitical landscape
• New risks, new challenges
• Short-term and long-term actions
• A regulatory perspective

Morning refreshment break and networking

CONCENTRATION RISK

Managing increased concentration risk in extended supply chains

• Identifying the different types of concentration risk
• Understanding regulatory requirements and ensuring compliance
• Tools and techniques to address concentration risk effectively
• Real life case study of failure to manage this risk

Navigating AI in Third-Party Risk Management

Session details: An update on the innovation waves of AI

• Understanding the key waves of AI from machine learning to AI agents to Agentic AI
• Decipher the hype from reality on what each type provides
• What are the third-party risk workflows where AI can have impact
• What are the cautions and risks to be aware of for your own AI implementation

INCIDENT REPORTING

When the unexpected hits – will your vendor notify you?
Session details: Ensuring contractual requirements for incident notification are clear and enforceable

• Aligning internal policies to escalate supplier issues rapidly
• Facilitating transparency without triggering reputational panic
• Creating joint playbooks between firms and vendors for incident response
• Documenting root cause analysis and actions post-incident for audit readiness

Pre-luncheon briefing: Continuous Monitoring using AI

Lunchbreak and networking

Keep the conversation going - Grab a bite to eat and build new connections

BUILDING YOUR “DATA FIRST” TPRM STRATEGY - FIRESIDE CHAT

Turning regulatory challenges into operational reality
Session details: Leveraging Deloitte’s Global TPRM Survey 2025 findings to embed objective data, unlock risk insights, and operationalise compliance

• Interpreting EBA guidance, EU DORA, and AI Acts through stronger collaboration between Risk and Operational Resilience teams
• Blending AI, existing technology, in-house expertise and managed services to focus in on high impact risks across the ecosystem
• Simplifying compliance and strengthening resilience through a “data-first” TPRM strategy

RISK ASSESSMENTS – FIRESIDE CHAT: INTERACTIVE SESSION

Transforming risk assessments: Automate, Align Action
Session details: Automating the risk assessment lifecycle while maintaining accuracy and governance

• Aligning risk profiling and assessment depth across critical and non-critical services
• Overcoming documentation challenges and interpreting technical reports effectively
• Embedding RCSA, compliance, and penetration testing into business-as-usual
• Supporting non-experts in navigating risk decisions with practical frameworks
• Building scalable, cost-efficient models that reduce friction and staffing pressure

GEOPOLITICS – PANEL DISCUSSION

Resilience without boarders: Geopolitics in the TPRM era
Session details: Building resilient third-party strategies amid shifting global power dynamics

• Assessing concentration risk across cloud and SaaS providers
• Mapping supplier geographies and factoring in geopolitical instability
• ‘’America First” tariff regimes, international conflicts
• Planning exit strategies for politically sensitive jurisdictions
• Navigating regulatory scrutiny around US-based tech vendors
• Balancing cost-efficiency with resilience in offshoring decisions
• Creating regional backup strategies for U.S reliant cloud infrastructure

Afternoon refreshment break and networking

STRESSED EXIT PLANNING

Session title: Demonstrating successful stressed exit planning with software escrow

• Disruption as usual
• Severe but plausible risks: Supplier failure, service deterioration and concentration risk
• Global regulatory alignment: Stressed exit planning
• The temporary stages: Escrow's role

FOURTH- AND NTH-PARTY RISK MANAGEMENT

Chain reaction: Controlling the ripple effect of Nth party downfalls
Session details: Gaining visibility beyond immediate vendors

• Mapping dependencies across SaaS, cloud, and critical tech infrastructure
• Enforcing disclosure through contracts and onboarding
• Challenges with audit rights and vendor cooperation
• Balancing oversight with operational feasibility

Chair’s closing remarks

End of day one and networking drink’s reception

Debrief with your new connections in a relaxed settings and get ready for day two