At our most recent London roundtable hosted in collaboration with Citisoft, we engaged in a wide-ranging discussion on operational resilience and third-party risk with technology and ops leaders from London’s asset management and servicing community. The conversation highlighted a significant shift towards a services-based approach, largely driven by regulatory mandates, such as the Digital Operational Resilience Act (DORA).
Following is a summary of key conversation points from the roundtable.
The impact of new regulations, such as the EU Data Act and DORA, was a significant point of discussion. DORA, which came into force in January 2025, was designed to ensure financial institutions can effectively manage risks associated with third-party vendors.
These regulations mandate strict switching periods and open interfaces for key providers, presenting substantial challenges, especially for legacy systems and existing contracts that may not meet the new standards. There is an ongoing debate within the legal community regarding the feasibility of fully complying with these regulations, particularly concerning the auditing of large, essential providers.
Participants discussed the increasing complexity of third-party risk and its evolution to include “fourth-party risk,” reflecting deeper chains of dependence within supply chains. One participant noted a growing concern, as evidenced by the fact that 34% of senior IT decision-makers identify third-party risk as a major issue, with 30% facing high costs due to supply chain disruptions and 22% citing the volume of digital regulations as a barrier. The legal perspective also came into play, with mentions of the UK Critical Third Parties regime (run by the BoE, PRA and FCA), which gives regulators direct oversight of critical third-party service providers to regulated financial services firms – despite the inherent difficulties in auditing such large entities directly.
Assessing the resilience of large organizations can be difficult, as their size sometimes leads to insufficient scrutiny. Integrating new due diligence requirements into existing long-term relationships also presents a hurdle, unlike new partnerships where these factors can be established from the outset. The question of who “owns” third-party risk within an organization was also considered, with the procurement function being suggested as a potential owner due to its existing due diligence processes for new vendors.
The discussion emphasized that regulations are moving away from a recovery-based approach to a service-based one. This requires businesses to actively demonstrate their ability to maintain critical services even during disruptions. A key component of this is the operational resilience framework, which involves identifying critical processes and applications, and conducting rigorous operational tests. The focus is now on ensuring critical business processes and applications remain functional in all situations, rather than simply recovering infrastructure. This new approach demands a deeper understanding of business operations and their dependencies, fostering more mature conversations with suppliers about recovery and continuous operations.
Crisis management and leadership were also central to the discussion. Attendees underscored the importance of a clear understanding of crisis management responsibilities, acknowledging that the CEO often bears ultimate responsibility in a true crisis, even if not explicitly named in formal documents. While many organizations recognize the importance of resilience, it often struggles to become a top priority unless mandated by regulators or driven by direct client demand.
Technological integration and data challenges were also highlighted. Participants discussed the difficulties in integrating new systems due to their interconnectedness and reliance on data, often making manual implementation seem easier but less efficient. The challenge of moving towards standardized, utility-based solutions was discussed, as not all participants are willing to compromise their proprietary systems. Additionally, the debate surrounding cloud security was addressed, with the consensus being that modern technologies inherently invest heavily in security as a core component, largely debunking arguments against cloud safety.
Regarding the question of responsibility and cost allocation in service failures, it was suggested that the asset servicer should bear the cost when a primary system of a service provider goes down – not the asset manager. A trend has been observed where large custodians are taking less responsibility due to low fees, leading to a disproportionate maximum payout for damages. Organizations need to be able to differentiate critical capabilities and prioritize security measures based on their impact on essential functions.
Outsourcing in the asset management industry was discussed as a cyclical phenomenon, with companies frequently outsourcing middle office functions only to eventually rehire staff internally for oversight. While outsourcing enables smaller managers to establish themselves and is a fundamental part of the ecosystem, service providers need to be pushed to enhance their offerings. The decision to outsource is not solely operational but also a fiscal one, impacting a company’s balance sheet and flexibility.
Operating models and integration challenges, particularly following mergers and acquisitions, were also touched upon – for example, in the case of one firm outsourcing heavily pre-merger while another largely insourced – leading to difficult decisions post-merger. Strong leadership, such as the CEO mandating a specific operating model, was highlighted as crucial for efficient integration and avoiding analysis paralysis. A range of operating models can be effective, emphasizing the importance of clear decision-making when selecting systems.
Finally, attendees discussed business focus and technology investment. Businesses, particularly asset managers, often need to clarify their core focus and how much technology build is truly necessary internally versus what can be outsourced. Many businesses struggle to answer questions about the return on investment of their activities and how their software developers contribute to business value. Participants also explored the potential of cloud-native and AI-driven technologies, but it was stressed that their effectiveness depends on the quality and accessibility of the underlying data.
Join the conversation.
The dialogue will continue in January 2026 when we launch the next round of our ongoing global series of FundGuard Exchange (FGX) roundtables and industry forums.
Citisoft is a global consulting firm dedicated to enabling change and solving complex technology and operations challenges for the investment management industry. We are proud to collaborate with FundGuard’s Exchange programme to advance meaningful dialogue and thought leadership across the sector.