Vendor & Third Party Risk Amsterdam

November 18-19, 2025

Amsterdam

Future proofing Third Party Risk Management across Europe’s evolving and complex landscape

20+ Sessions

20+ Speakers

150+ Attendees

Key themes 2025:

Post-DORA Implementation

What comes next? Clarifying obligations and compliance in the post-DORA landscape.

Concentration Risk

Managing the rise in concentration risk across extended supply chains.

Risk Assessment

Maintaining accuracy and governance across the automated risk assessment lifecycle.

ESG Mandates and Integration

Embedding CSRD, CSDDD, and ESG metrics into third party risk management frameworks.

AI Usage by Third Parties

Ensuring responsible and transparent use of AI by third parties in service delivery.

TPRM and Cybersecurity Resilience

Creating synergy between cybersecurity functions and third party risk frameworks.

Who’s Participating:

Christian Hoelters, Regional Head of Third Party Risk Management, HSBC

Kurt Neilson, Resilience and Supplier Oversight, Aegon

Pallavi Srivastava, Director, Head of Risk, MUFG

Daniel Tyart, Head of Third Party Risk, ING Deutschland

Shashika Edwards, Head of Third-Party Risk Management, Natwest

Agenda | Day 1 | November 18, 2025

8:00 REGISTRATION & BREAKFAST

8:50 CHAIR’S OPENING REMARKS

DORA – PANEL DISCUSSION

9:00 Clarifying third-party compliance obligations post-DORA implementation

• Efficiently applying new DORA requirements across the ICT supply chain

• Preparing for DORA audits and cross-functional regulator reviews

• Incorporating DORA requirements, including broader ICT coverage and stressed scenarios

• Updating legacy contracts to reflect resilience, data, and AI risk

• Understanding DORA’s requirements for threat-led penetration testing

Anna Tsopelaki, Outsourcing Officer, Eurobank

Yulia Omelchuk, Head of Procurement and Vendor Management, Knab

Robert Bouwmeester, Head of Operational Risk, NIBC

Viktor Petermann, former Head of IT Service Integration and Management, Luminor Group

REGULATORY LANDSCAPE

9:45 Managing third party compliance under the multi-jurisdictional regulatory landscape

• Interpreting EBA, EIOPA, and ESMA guidance for financial entities

• Engaging vendors early on to align practices and evidence with regulatory goals

• Aligning AI into risk analysis frameworks under the upcoming EU AI Act

• Delays in official EU and UK designations and what firms can do now

• Identifying critical third parties and managing regulatory feedback

Karin Hartonian, formerly Global Head Operational Risk Wholesale and Rural Banking, (Currently) Rabobank

10:30 MORNING REFRESHMENT BREAK & NETWORKING

CONCENTRATION RISK

11:00 Managing increased concentration risk in extended supply chains

• Identifying the different types of concentration risk

• Understanding regulatory requirements and ensuring compliance

• Tools and techniques to address concentration risk effectively

• Real-life case study of failure to manage this risk

Kurt Neilson, Resilience and Supplier Oversight, Aegon

INCIDENT REPORTING

11:40 Ensuring contractual requirements for incident notification are clear and enforceable

• Aligning internal policies to escalate supplier issues rapidly

• Facilitating transparency without triggering reputational panic

• Creating joint playbooks between firms and vendors for incident response

• Documenting root cause analysis and actions post-incident for audit readiness

Christian Hoelters, Regional Head of Third Party Risk Management, HSBC

12:20 LUNCH BREAK AND NETWORKING

ONGOING MONITORING

1:20 Integrating TPRM into enterprise risk management framework

• Transitioning from manual risk scoring to real-time, data-driven insights

• Ongoing monitoring - KRIs and KPI

• Building integrated dashboards across compliance, ESG, and financial domains

• Leveraging cyber ratings, external intelligence, and supplier portals for continuous monitoring

• Responding to emerging risks with tiered reviews and stricter oversight for critical vendors

• Overcoming integration, data reliability, and internal adoption challenges

Pallavi Srivastava, Director, Head of Risk, MUFG

RISK ASSESSMENTS – FIRESIDE CHAT: INTERACTIVE SESSION

2:00 Automating the risk assessment lifecycle while maintaining accuracy and governance

• Aligning risk profiling and assessment depth across critical and noncritical services

• Overcoming documentation challenges and interpreting technical reports effectively

• Embedding RCSA, compliance, and penetration testing into business-as-usual

• Supporting non-experts in navigating risk decisions with practical frameworks

• Building scalable, cost-efficient models that reduce friction and staffing pressure

Daniel Tyart, Head of Third Party Risk, ING Deutschland

GEOPOLITICS – PANEL DISCUSSION

2:40 Building resilient third-party strategies amid shifting global power dynamics

• Assessing concentration risk across cloud and SaaS providers

• Mapping supplier geographies and factoring in geopolitical instability

• “America First” tariff regimes, international conflicts

• Planning exit strategies for politically sensitive jurisdictions

• Navigating regulatory scrutiny around US-based tech vendors

• Balancing cost-efficiency with resilience in offshoring decisions

• Creating regional backup strategies for U.S.-reliant cloud infrastructure

Aleksandra Kuznecova, Senior Operational Risk Officer, Luminor Group

Onur Can Koltukcu, Policy Advisor, De Nederlandsche Bank

Shashika Edwards, Head of Third-Party Risk Management, Natwest

3:30 AFTERNOON REFRESHMENT BREAK & NETWORKING

EXIT STRATEGIES

4:00 Designing realistic exit strategies with third-party input

• Stressed exit plans against high-impact scenarios and regulatory expectations

• Defining governance: who triggers an exit and who signs off

• Ensuring third-party cooperation in data handover and continuity planning

• Simulating live exit scenarios to validate assumptions and timing

Agata Skalska, Head of Operational & Resilience Risk for Global Functions | Third Party Risk for Europe, HSBC

FOURTH- AND NTH-PARTY RISK MANAGEMENT

4:40 Gaining visibility beyond immediate vendors

• Mapping dependencies across SaaS, cloud, and critical tech infrastructure

• Enforcing disclosure through contracts and onboarding

• Challenges with audit rights and vendor cooperation

• Balancing oversight with operational feasibility

5:20 CHAIR’S CLOSING REMARKS

5:30 NETWORKING DRINKS RECEPTION

Agenda | Day 2 | November 19, 2025

8:00 REGISTRATION & BREAKFAST

8:50 CHAIR’S OPENING REMARKS

ESG MANDATES & INTEGRATION

9:00 Embedding CSRD, CSDDD & ESG metrics into Third Party Risk programs

• Translating CSRD and CSDDD into actionable third-party oversight

• Embedding ESG criteria into onboarding, selection, and monitoring

• Managing risk across extended vendor chains, including fourth- and fifth-parties

• Handling ESG misalignment with non-EU vendors contractually

• Fostering cross-functional collaboration to align with firmwide goals

Daniel Meneghin, Head of ESG and CSRD, Lunar

AI USAGE BY THIRD PARTIES - FIRESIDE CHAT: INTERACTIVE SESSION

9:40 Understanding how third parties are using AI across service delivery

• Updating contracts to reflect AI transparency, disclosure, and change notifications

• Assessing risk from unvalidated or biased models impacting operations

• Establishing data governance strategies to prevent data loss and reputational damage

• Embedding ongoing AI usage reviews into monitoring frameworks

• Requiring AI governance frameworks and validation evidence from vendors

Marcin Ludwiszewski, Head of Third Party Security Risk, Standard Chartered Bank

10:20 MORNING REFRESHMENT BREAK & NETWORKING

TPRM & CYBERSECURITY RESILIENCE

10:50 Creating synergy between cybersecurity and third-party risk management frameworks

• Responding to increasing cyberattacks through joint planning and governance

• Integrating security reviews into procurement workflows and TPRM onboarding

• Understanding supply chain attack vectors and prevention strategies

• Defining joint responsibilities between security teams and vendor owners

Cedric d’Albis, Chief Auditor, Innovation and Technology, Rabobank

TECHNOLOGY ENABLEMENT - PANEL DISCUSSION

11:30 Evaluating third-party platforms for scalability and usability

• Integrating TPRM tools with procurement, legal, and security systems

• Using AI and analytics to triage risk and flag anomalies

• Ensuring vendors contribute directly through portals and uploads

• Supporting change management when moving off spreadsheets

Mickael Abid, Senior Manager and Director, IT, Sourcing, Operations Risk, ING

12:20 LUNCH BREAK AND NETWORKING

VENDOR ONBOARDING

1:20 Automating the onboarding journey from intake to risk profiling

• Defining tiering methodologies and assigning criticality

• Ensuring cross-functional input on classification decisions

• Linking classification to assessment depth and contract terms

• Reassessing vendor tiering post-incident or post-service change

Natascha Bernstorff, SVP, Head of TPRM & Regulatory Management, Danske Bank

Kirsten Merete Anderson, Head of TPRM Strategy and Framework and Execution, Danske Bank

CLOUD GOVERNANCE & RISK

2:00 Mitigating vendor lock-in and ensuring continuity in cloud migration

• Managing third-party reliance on hyperscalers and SaaS tools

• Conducting shared responsibility assessments for cloud risk

• Embedding cloud resilience requirements in onboarding

• Validating cloud recovery capabilities and backup controls

• Mitigating cloud concentration risk by setting contingency plans

2:40 AFTERNOON REFRESHMENT BREAK & NETWORKING

CONTRACT GOVERNANCE

3:10 Embedding resilience clauses including incident response and exit rights

• Addressing ambiguity in breach notification timing and escalation

• Negotiating AI usage clauses and transparency provisions

• Aligning contracts with risk tiering and criticality assessments

• Harmonizing clauses across multijurisdictional agreements

FUTURE TRENDS & STRATEGIC RESILIENCE – PANEL DISCUSSION

3:10 Predicting how AI, geopolitical tensions, and regulatory change will shape TPRM

• Designing future-ready TPRM strategies that support agility

• Embedding third-party risk into broader enterprise risk frameworks

• Maintaining resilience despite constrained budgets and talent shortages

• Driving board-level understanding and commitment to TPRM evolution

Elli Tsiala, Senior Supply Chain Security Lead, ABN AMRO Bank N.V.

Anifat Atanda, Enterprise Risk Manager, First Bank of Nigeria

4:40 CHAIR’S CLOSING REMARKS

4:50 END OF VENDOR & THIRD PARTY RISK AMSTERDAM

Why should you be attending these sessions?

FOURTH- AND NTH-PARTY RISK MANAGEMENT

• Mapping dependencies across SaaS, cloud, and critical tech infrastructure

• Enforcing disclosure through contracts and onboarding

• Balancing oversight with operational feasibility

EXIT STRATEGIES

• Stressed exit plans against high-impact scenarios and regulatory expectations

• Defining governance: who triggers an exit and who signs off

• Simulating live exit scenarios to validate assumptions and timing

GEOPOLITICS

• Assessing concentration risk across cloud and SaaS providers

• “America First” tariff regimes, international conflicts

• Creating regional backup strategies for U.S.-reliant cloud infrastructure

RISK ASSESSMENTS

• Overcoming documentation challenges and interpreting technical reports effectively

• Embedding RCSA, compliance, and penetration testing into business-as-usual

• Building scalable, cost-efficient models that reduce friction and staffing pressure

DORA

• Efficiently applying new DORA requirements across the ICT supply chain

• Updating legacy contracts to reflect resilience, data, and AI risk

• Understanding DORA’s requirements for threat-led penetration testing

ONGOING MONITORING

• Transitioning from manual risk scoring to real-time, data-driven insights

• Leveraging cyber ratings, external intelligence, and supplier portals for continuous monitoring

• Overcoming integration, data reliability, and internal adoption challenges

ESG MANDATES & INTEGRATION

• Translating CSRD and CSDDD into actionable third-party oversight

• Embedding ESG criteria into onboarding, selection, and monitoring

• Handling ESG misalignment with non-EU vendors contractually

VENDOR ONBOARDING

• Defining tiering methodologies and assigning criticality

• Ensuring cross-functional input on classification decisions

• Reassessing vendor tiering post-incident or post-service change

Sponsorship & Partnerships

Thought leadership

Advance your expertise, knowledge, and experience with a presentation, a panelist, or a roundtable discussion. Why not enhance that with an article published in Connect Magazine and CeFPro® Connect?

Lead generation

Meet with key decision makers and senior professionals at CeFPro® events, roundtables, or at an invite-only dinner.

Branding and awareness

Want to advance your organization and/or your products or offerings? What better way than at a live in-person event where you will meet leading decision-makers, or online through CeFPro®’s market intelligence reports, Connect Magazine, or Connect member’s hub.

Networking

Whether over coffee, lunch, drinks reception, or dinner, expand your network connections in person.

Positioning in the industry

Whether you are the industry leader or a start-up, CeFPro® has opportunities to maintain, advance, or promote your standing among the risk community.

Targeted and one-on-one meetings

General promotion is no replacement for connecting with key decision-makers and C-suite professionals, whether at an event, a closed-door forum, a networking reception, or a VIP dinner.

Reach business buyers

Outside of marketing and promotion, CeFPro®’s extensive range of offerings can provide clients with opportunities to reach key decision-makers and buyers.

Would your organization like to partner with us on this event?

To discuss how we can deliver your thought-leadership at the event, help you generate leads, and provide you with unique networking and branding opportunities, please contact sales@cefpro.com or call us on (+1) 888 6777007 | +44 (0)207 164 6582 for more information.

2025 Speaker Line-up

Kirsten Merete Anderson, Head of TPRM Strategy and Framework and Execution, Danske Bank

Robert Bouwmeester, Head of Operational Risk, NIBC

Christian Hoelters, Regional Head of Third Party Risk Management, HSBC

Daniel Meneghin, Head of ESG and CSRD, Lunar

Anifat Atanda, Enterprise Risk Manager, First Bank of Nigeria

Cedric d’Albis, Chief Auditor, Innovation and Technology, Rabobank

Onur Can Koltukcu, Policy Advisor, De Nederlandsche Bank

Natascha Bernstorff, SVP, Head of TPRM & Regulatory Management, Danske Bank

Shashika Edwards, Head of Third-Party Risk Management, Natwest

Aleksandra Kuznecova, Senior Operational Risk Officer, Luminor Group

Mickael Abid, Senior Manager and Director, IT, Sourcing, Operations Risk, ING

Viktor Petermann, former Head of IT Service Integration and Management, Luminor Group

Daniel Tyart, Head of Third Party Risk, ING Deutschland

Pallavi Srivastava, Director, Head of Risk, MUFG

Kurt Neilson, Resilience and Supplier Oversight, Aegon

Agata Skalska, Head of Operational & Resilience Risk for Global Functions | Third Party Risk for Europe, HSBC

Karin Hartonian, formerly Global Head Operational Risk Wholesale and Rural Banking, (Currently) Rabobank

Marcin Ludwiszewski, Head of Third Party Security Risk, Standard Chartered Bank

Yulia Omelchuk, Head of Procurement and Vendor Management, Knab

Elli Tsiala, Senior Supply Chain Security Lead, ABN AMRO Bank N.V.

Convince your Boss

#1 What Your Boss Will Say: “What’s included within the ticket price?”

“For the price of my ticket, I’ll have full access to both days of CeFPro’s Vendor & Third Party Risk Amsterdam, featuring expert-led discussions on DORA implementation, concentration risk, incident reporting, ESG mandates, AI oversight, cloud governance, and fourth-/nth-party risk. The event includes interactive panels and fireside chats designed to deliver clear, practical steps we can bring back to our TPRM program.

There’s also structured networking throughout, breakfast, lunch, and a dedicated drinks reception on day one, giving ample opportunity to connect with senior professionals from across procurement, risk, compliance, and resilience functions.

Beyond the face-to-face experience, I’ll gain access to speaker slides, post-event materials, and the CeFPro Connect platform, where I can dive deeper into research, best practices, and insights on third party risk, keeping us ahead in this evolving landscape.”

#2 What Your Boss Will Say: “Will you learn anything of value that we can integrate into our strategy?”

“The agenda for Vendor & Third Party Risk Europe was shaped from research with senior leaders in TPRM, procurement, cyber resilience, sustainability, and compliance across Europe. It’s built around the real-world challenges we’re facing, the new DORA framework, EU regulatory fragmentation, concentration risks, and the growing complexity of AI, ESG, and cloud ecosystems.

Sessions will provide actionable strategies for implementing DORA rules, tiering critical vendors, embedding ESG and AI clauses in contracts, and building resilient exit and incident response plans. We’ll return with forward-looking strategies and practical tools to enhance our frameworks and strengthen resilience.”

Below is a breakdown of the seniority of the speakers you’ll gain insights from:

#3 What Your Boss Will Say: “What specific benefits will attending this event bring to our team?”

“This summit offers direct professional development for our procurement, risk, compliance, and IT teams, covering ESG mandates, geopolitics, cloud, AI, contracts, and fourth-party risk.

Group discounts are available, so we could attend together to align strategies and strengthen cross-functional collaboration. If I attend solo, I’ll bring back slides, summaries, and recommendations to share with the team, and point them to further resources via CeFPro Connect.”

#4 What Your Boss Will Say: “What will we do with you out of the office for 2 days?”

“The venue has full Wi-Fi access, and the agenda includes regular breaks to stay connected.

But the value goes beyond staying in touch, it’s a chance to benchmark our TPRM framework against peers, learn how others are implementing DORA, managing AI, and building resilience in supply chains. The insights I bring back will help us modernize our vendor risk strategy and improve future readiness, far outweighing the two days out of office.”

#5 What Your Boss Will Say: “How will you share the knowledge and insights gained with the rest of the team?”

“I’ll take detailed notes and can prepare a concise presentation summarizing key takeaways and suggested next steps tailored to our program.

I’ll also bring back access to speaker slides, interviews, and articles, which we can integrate into team training and our TPRM documentation, ensuring the team adopts current thinking on AI risk governance, ESG due diligence, cloud continuity, and incident response.”

Venue & Location

Rijksmuseum

Explore one of the world’s most renowned art museums, home to masterpieces by Rembrandt, Vermeer, and other Dutch masters.

Vondelpark

Amsterdam’s largest park, perfect for a walk, informal discussions, or a breather between sessions.

Leonardo Royal Hotel Amsterdam, Paul van Vlissingenstraat 24, 1096 BK Amsterdam, Netherlands

Museumplein / Stedelijk Museum

A cultural hotspot featuring modern and contemporary art, ideal for after-conference visits.

Nearby Hotels

De Pijp District & Albert Cuyp Market

Just a short tram ride away, this vibrant neighborhood offers dining, cafés, and the lively Albert Cuyp street market.

Booking a hotel near the event venue ensures you’re well-placed to attend every session while enjoying the best of Amsterdam’s professional and cultural scene.

Other nearby accommodation options include:

• Leonardo Royal Hotel Amsterdam

• Corendon Vitality Hotel Amsterdam

• Hotel Jakarta Amsterdam

• Park Plaza Victoria Amsterdam

Registration

Launch Rate: August 15

Early Bird Rate: October 3

Standard Rate: After October 3

*For those representing a financial institution/government body

Group Rates

Seize the opportunity, bring the team to advance their professional development and knowledge with our group booking promotion.

50% OFF:

Purchase two tickets and receive the third registrant at 50% off the prevailing rate

Free Pass:

Don’t stop there, as the more people you register, the better the savings. With every four tickets bought, the fifth is on us, completely free!

Bringing your team not only enhances the overall experience, but also fosters significant team building among colleagues while allowing you to save on your registration.

What’s Included

Access to 20+ sessions

Networking: 7+ hours

Lunch + Refreshments

Networking cocktail reception

PPT slides/decks

Podcasts with industry experts

Videos and interviews from the event

Connect Magazine complimentary

CeFPro Connect membership

Community network and engagement

Market intelligence reports access

Topic Related Insights

What Impact Does the Changing Trajectory of TPRM Have on the Financial Services Sector?

Anne McGowan, Head of Supplier Management, Lloyds Banking Group

Hilda Andeliz, VP, Third-Party Risk Performance Analyst, Valley Bank

Third-Party Risk Management (TPRM) is no longer a static compliance exercise.

Instead, it has evolved into a dynamic and multifaceted discipline requiring constant adaptation in order to keep pace with rapid change. And as we all recognize, in the highly regulated world of corporate finance, fast-moving targets always present unique challenges.

So, as regulatory landscapes shift and risks proliferate, just what will it take for financial institutions to refine their strategies and ensure the maturity of their TPRM programs measures up to those challenges?

In a recent CeFPro webinar, industry leaders Anne McGowan, Head of Supplier Management, Governance & Risk with Lloyds Banking Group, and Hilda Andeliz, Vice President & Enterprise Vendor Performance Analyst at Valley Bank in the US, shared their expertise on navigating the regulatory pressures of TPRM.

In today’s interconnected financial ecosystem, third-party risk management (TPRM) has become a cornerstone of operational resilience. Industry leaders like McGowan and Andeliz see both threat and opportunity in the requirement to oversee extensive and critical supplier networks.

“We’ve been on a journey developing our TPRM,” McGowan explains. “But the real focus is building more strategic relationships with our most important suppliers.”

Striking a balance between confidence and preparedness

A recurring theme in TPRM is the gap between confidence in existing systems and the reality of regulatory scrutiny. “Sometimes overconfidence comes from having a structured system in place without understanding if it’s robust enough to withstand regulatory examination,” admits Andeliz, candidly.

She points out that many programs rely on static assessments rather than dynamic monitoring to adapt to evolving risks. “Defending a TPRM program requires ongoing oversight, up-to-date data, and senior leadership engagement. It’s more than having a nice framework; it’s about showing evidence of risk prevention and management,” she adds.

AI Revolutionizes Third-Party Risk Management: Enhancing Resilience and Compliance

What specific productivity and quality control improvements have you observed from implementing AI in third-party risk management, and how has it enhanced your overall risk management processes?

The productivity and quality control improvements have been significant from the implementation of AI tools, and it has transformed the process, moving it from being largely manual, reactive and backward-looking to being predictive, focused and real-time.

These enhancements to TPRM have also made a significant contribution to the Operational Resilience profile.

Specific improvements to TPRM which have been noted include:

• Enhanced risk assessment and due diligence, (both initially and ongoing), across multiple risk domains and taxonomies. Risk assessment output is based on actual observable data, not on stale questionnaire responses.

• Automated continuous monitoring of risks and deviations from compliance requirements

• Enhanced classification of risks and potential threats. These are aligned to the tiering and criticality of business services and to the third-party suppliers. Therefore this has enabled significantly improved focus on the highest priority risks and highest priority suppliers of services.

• Enhanced Cybersecurity and Threat detection. The AI tools have enabled me to identify anomalies in network traffic, system behavior, or user activity that could indicate potential cyber threats. They have also enabled improved Vulnerability Assessment, by identifying system vulnerabilities by analyzing patterns in historical data and proactively suggesting security measures.

• Improved Incident Response and Recovery due to real-time monitoring across multiple risk domains. This has enabled a swift response to incidents, implementation of mitigating actions and the minimisation of operational disruptions.

• Improved Vendor / Supplier Management process. The enhanced visibility of supplier risks has also fed into the contractual and relationship management processes and has driven a better focus on contractual requirements and obligations from priority suppliers.

Great minds think alike, but brilliant minds think differently.

Your New Personalized Gateway to the Latest Risk Intelligence has Arrived.

Join a community of industry leaders and the new generation of talent shaping the future of risk management.

For our global audience, Connect means access to exclusive, collaborative, high quality risk management insights and discussions, no matter where you are:

• Watch, listen, and read your way through our extensive library of resources

• Access exclusive interviews, presentations, thought-pieces, industry intelligence, and more

• Discuss the most talked about trending topics and share your perspective

• Collaborate with like-minded professionals and build new relationships

Embark on an exciting journey of discovery. Start exploring Connect today.
