Vendor & Third Party Risk Amsterdam 2025
November 18-19, 2025
Poll results
How confident are you in your organisation’s readiness for DORA
Multiple-choice poll
In one word, what does DORA mean to you
• Critical Business Focus
• DORA the explorer
• Rules
• Order
• Monitoring
• Cyber resilience
• headache
• Resilience
• Resilient
• Awareness
• Learning
• Nightmare
• Check in the box exercise
How
many (sub-) risk areas are to be assessed in your Third Party Risk process?
a) <=10
b) 10-20
c) 20-30
d)
Multiple-choice poll
How many different experts are involved in your TPR process if all risks apply? (Like CISO, Data Protection, Compliance. Include 2nd Line sign-off s as an additional function.)
Multiple-choice poll
How do you deal with the challenge that contract owners are no risk experts, but need todeliver high quality risk assessments?
a) We make them experts for all risk areas – from IT Security untilBribery & Corruption, they can smell all risks from a distancebecause they spend 1 day a week in trainings!
b) We provide them with contacts to the central expert functions.
c) We established decentral experts in each business line whosupport contract owners in the full risk assessment.
d) We have a system or process which provides sufficient guidance to answer each question appropriately without needing an expert.
e) We have a sign-off by all relevant central experts for consistentquality.
How do you want to see new content & insights from us?
Multiple-choice poll
Does your organisation have an approach to managing concentration risk?
Multiple-choice poll
Does your organisation assess concentration risk beyond 4th parties?
Multiple-choice poll
Do you believe Sovereign Cloud is a good idea?
A) Yes – we need European alternatives
B) No – diversification is more practical 11%
C) Not sure / still evaluating 8%
Multiple-choice poll
Does your organization have an exit strategy for politically sensitive jurisdictions
A) Yes 19%
B) Partially 0%
C) No
Multiple-choice poll
Multiple-choice poll What was the cost of recovery, customer compensation and regulatory penalties combined?
How long do you think the core payments were delayed for in this example?
Multiple-choice poll
Multiple-choice poll
Do you currently include geopolitical risk in your TPRM assessments?
A) Yes – integrated process
B) Partially – ad hoc
C) Not yet
Multiple-choice poll
Have you implemented/enhanced your securityprograms/third party around ai-enabled third parties?
Multiple-choice poll
Do you integrate threat intelligence into third party security operations?
Multiple-choice poll
Which emerging force will impact TPRM the most in the next 3 years?
Multiple-choice poll
How
confident are you that your organisation is future-ready in TPRM?
• Long way to go
• Always behind new regulation
• Don’t think technology will replaceus...
• Cautiously optimistic.
• We still have a lot of work to do
• Partially
• 50 %
• 10%
• 50/60
• 50%
• 50-50
• Confi dent
• 12% confi dent
• somewhat
What’s your biggest constraint in strengthening TPRM?
Multiple-choice poll
What is one action every TPRM leader should take tomorrow to prepare for the future?
Integration
Invest in technology
Holistic view workactual
Onboard MB
Have fun
Be agile procedures Translate Get trust
SiloCrasher Info sharing Regulation Resign Just Continue internal
Invest in execution power
Invest in people
Does your organisation have a dedicated TPRM tool?
Yes – a standalone TPRM solution
Yes – integrated within procurement/source-to-contract
No – we rely on GRC tools
No – we use manual processes (e.g., spreadsheets)
sure
Multiple-choice poll
Are you using AI in any part of your TPRM workflow?
Yes – chatbot/helpdesk automation
– contract intelligence/generation
Multiple-choice poll
If AWS went down for 48 hours tomorrow, what’s the first part of your business to fail?
Multiple-choice poll