By anotb
Third-party risk and operational resilience skills for vendor diligence, criticality assessment, DORA registers, contract gaps, exit plans, resilience testing, and concentration risk.
`concentration-risk-review`

Drafts a portfolio-level concentration view across the firm's third-party arrangements. Reads single-vendor concentration, sub-contractor (fourth-party) concentration, geographic and jurisdictional concentration, technology-stack concentration (hyperscaler region, foundation-model vendor, shared utility), and sponsor-bank or BaaS concentration against named supervisory thresholds and substitutability tests. Output is a concentration matrix, the concerning concentrations flagged for committee, and a substitutability-grounded recommendation set. The skill stops at the recommendation; the head of TPRM, head of operational resilience, and CRO office decide.

Best for:

- An annual third-party portfolio review where leadership wants the concentration picture across vendors and fourth parties.
- An ICT third-party preliminary concentration assessment cycle in an EU-nexus regime where the firm must form a view before contracting or recontracting a critical-or-important function.
- A specific arrangement diligence pack flags concentration as a residual concern and chains here via `concentration_flag = watch` or `breach`.
- A supervisory information request on cloud, market-data, identity-utility, or shared-fintech concentration.
- Stress-event readiness: the firm wants to know which single failure removes the largest set of critical-or-important services at once.

Not the right tool when:

- The firm's third-party register or DORA register is not populated to a useful level (run `dora-register-builder` first where DORA applies, or rely on the firm's TPRM register).
- The question is single-arrangement diligence (use `vendor-diligence`).
- The question is single-arrangement exit posture (use `exit-plan`).
- The question is single-arrangement contract clause coverage (use `contract-gap-review`).
- The question is whether one arrangement is critical-or-important (use `criticality-assessment`).
`contract-gap-review`

Reviews a third-party contract or master services agreement against named regulatory clause-coverage expectations and produces a clause-by-clause gap matrix with severity, remediation posture, and the legal-review triggers a control owner needs before signature, renewal, or assignment. Output is the second-line clause-coverage view that sits next to (not in place of) legal redlines.

Best for:

- A new vendor contract is in negotiation and the firm needs the second-line clause-coverage view before legal redlines land.
- Renewal, assignment, or material amendment of an existing contract triggers a refresh against current regulatory expectations.
- A digital-operational-resilience preparation cycle requires evidence that critical-or-important-function ICT contracts meet the mandatory-clause set.
- A vendor-diligence pack needs the contract-coverage section closed out (chains via `contract_gap_summary`).

Not the right tool when:

- The criticality tier has not been set (run `criticality-assessment` first; clause depth and the mandatory-clause overlay depend on tier).
- The work is the full diligence pack rather than the contract layer (use `vendor-diligence`).
- The work is exit and termination logistics rather than clause coverage (use `exit-plan`).
- The work is portfolio-level concentration across many contracts (use `concentration-risk-review`).
`criticality-assessment`

Sets the criticality tier of a single third-party arrangement and ties it to the firm's important business service, recovery time and recovery point objectives, customer impact, regulatory impact, operational substitutability, and concentration considerations. Produces the upstream record that `vendor-diligence`, `contract-gap-review`, `exit-plan`, `concentration-risk-review`, and `dora-register-builder` consume. Audience: head of TPRM, head of operational resilience, business owner.

Best for:

- A new arrangement is being proposed and the firm needs the tier set before kicking off `vendor-diligence`.
- An annual third-party portfolio review where tiers are stale or inconsistently applied.
- A DORA preparation cycle that requires a critical-or-important-function flag for every ICT arrangement.
- A material change to the service or to the firm's important-business-service map triggers a re-tier.

Not the right tool when:

- The firm has not yet defined the important business service the arrangement supports (the criticality call depends on the IBS read; do that first, or default and flag).
- The portfolio question is concentration across vendors (use `concentration-risk-review`).
- The arrangement is a non-ICT third party with no information, technology, or business-process dependency the firm relies on.
- Full diligence is needed (use `vendor-diligence`; this skill is the upstream input).
`dora-register-builder`

EU-DORA-context build pack and data-quality aid for firms preparing Register of Information entries for ICT third-party arrangements. Helps a US-deep practice with EU-touching engagements populate register fields, surface data-quality gaps, and structure a build-pack narrative for the named approver before the firm's regulatory-reporting pipeline takes over. The skill's local B-table convention is preparation-grade. It is not the official EBA Register of Information template and not submission-grade against the Commission Implementing Regulation (EU) 2024/2956 taxonomy.

Best for:

- An EU-nexus financial entity scoping the first-cycle register build, where a structured data-quality view and a reviewer-ready build pack matter before the firm's submission tooling formats the official template.
- An EU subsidiary of a non-EU group where the parent needs visibility into EU register data quality before the subsidiary files individually to its national competent authority.
- A second-line review of an existing register where data quality, relational integrity, and the firm's internal-to-ITS service-type taxonomy mapping need a structured check before the accountable executive signs off.
- An off-cycle preparation pass following a material onboarding, termination, restructuring, or criticality re-classification.

Not the right tool when:

- The output is intended for direct submission to a national competent authority. The skill helps populate fields and surface data-quality gaps; it is not the official Register of Information template.
- The firm needs the official EBA RoI taxonomy / Implementing Regulation (EU) 2024/2956 structure verbatim. The skill's local B-table convention is preparation-grade, not submission-grade.
- The firm has no DORA nexus. Use the firm's own TPRM register and skip this skill.
- The criticality flag has not been set (run `criticality-assessment` first; the register consumes the determination).
- The job is per-arrangement diligence (use `vendor-diligence`), contract clause coverage (use `contract-gap-review`), portfolio-level concentration (use `concentration-risk-review`), or exit posture for a specific arrangement (use `exit-plan`).
- The submission is governed by an NCA-specific technical filing rule that diverges from the ITS templates. The skill drafts to a preparation-grade structure; the firm's regulatory-reporting pipeline applies the NCA-specific channel, validation overlay, and the official ITS template.
`exit-plan`

Drafts the second-line exit plan for a critical or important third-party arrangement. Covers trigger events across vendor, firm, regulator, and market drivers; transition target options scored against impact tolerance; data return-and-destruction choreography; contract-termination mechanics; customer- and regulator-notice posture; supervisory readiness through a multi-month transition; testing cadence; named approver. Consumes the `vendor-diligence` record (criticality, subcontractors, `data_access`, `residual_risk`, `exit_plan_status`). Handles AI vendors via an explicit AI-vendor branch covering prompt-template portability, RAG migration, model-version pin handling, and agent-tool offboarding.

Best for:

- A new critical or important arrangement is being onboarded and the exit plan is required as part of pre-onboarding evidence.
- Annual recertification of an existing critical or important vendor where the prior plan is stale, untested, or absent.
- DORA preparation for critical-or-important-function arrangements where Article 28(8) requires a documented and tested exit strategy.
- A `concentration-risk-review` or resilience test surfaces a single point of failure and the exit posture needs hardening.
- A vendor incident or distress signal opens an off-cycle re-review.

Not the right tool when:

- The criticality tier has not been set (run `criticality-assessment` first).
- The arrangement is genuinely low risk and firm policy does not require a formal exit plan (record the rationale and stop).
- The job is full diligence on the vendor (use `vendor-diligence`) or contract-clause coverage (use `contract-gap-review`).
- The job is the integrated test programme across many arrangements (use `resilience-testing-pack`).
Plugins for second-line and 1.5-line financial-services work. Skills cover what risk and compliance teams (and the advisory practitioners who support them) actually produce: scoping a review, mapping obligations, building a control matrix, drafting a model card, writing up an issue, building a vendor-diligence pack, packaging a risk-committee read, working a SAR / no-SAR file, prepping for a supervisory cycle, and so on. Skills are grounded in regulatory and standards material, with sector context (banking, capital markets, insurance, payments / fintech) loaded conditionally from the scoping record.
Built primarily for Claude (and Claude Code), but the skill files follow the open SKILL.md format and can be loaded into other agentic systems that support it: GPT, Gemini, in-house open-weights deployments, or anything else that reads agent skills. The skills are markdown plus optional schemas; the format is the standard, the work product is what travels.
The repo extends Anthropic's published financial-services plugin family. Where Anthropic's plugins cover the cross-industry first-line baseline (financial analysis, banking deal work, equity research, PE, wealth, fund admin, ops), these go deeper into US second-line and 1.5-line work and US supervisory expectations.
Second-line and 1.5-line practitioners inside regulated firms: model-risk leads (MRMO), AI governance leads, third-party risk managers (TPRM), BSA / AML officers, sanctions officers, compliance heads (CCO), fair-lending and UDAAP review teams, controls testing and internal audit teams, risk reporting and CRO-office teams, regulatory-affairs and regulatory-change teams, operational-resilience leads, fund-board secretaries, disclosure committees.
And the advisory and consulting teams running the same work for those firms.
If you work in 1.5L, 2L, or adjacent functions, the skills let Claude (or other agentic systems supporting the SKILL.md format) draft alongside you, like a colleague who knows the work and defers to your judgement on the call.
- Sector overlays live in `references/sector-overlays/<sector>.md` inside the relevant capability skill, loaded conditionally from the scoping record.
- Skills carry `references/source-anchors.md` with the regulatory and standards citations they lean on. US-deep, with EU as overlay and UK as see-also.
- The skill set is public-source-derived and anonymous, with no firm-specific policy baked in.
Standalone agent plugins (one-shot reviewers that orchestrate related skills end-to-end) are not in this release. The next iteration adds a maker / checker loop with genuine context-isolated subagent forking, primary-plus-critic two-agent shape, and plugin dependencies in place of bundled-skill copies. See ROADMAP.md for the target shape.
| Plugin | What it covers |
|---|---|
| risk-compliance-core | Scoping, obligation mapping, control matrices, evidence binders, issue write-ups, human-review gates, policy-gap reviews. |
| regulatory-change-management | Regulatory impact assessment, rule-to-obligation extraction, policy diffs, implementation plans, exam briefs. |
| ai-governance-model-risk | AI use-case intake, AI risk tiering, EU AI Act triage, model cards, validation plans, agentic-AI controls, board AI-risk pack, GenAI deep-dive (prompt injection, RAG eval, pre-prod review, LLM vendor evidence). |
| third-party-operational-resilience | Vendor diligence, criticality, contract-gap review, exit plans, concentration, DORA register, severe-but-plausible resilience testing. |
| compliance-testing | Test plans, control sampling, evidence requests, exception analysis, workpapers, QA review. |
| risk-reporting | Risk committee packs, BCBS 239 self-assessment, KRI commentary, SEC cyber-disclosure readiness, attestation packs, management responses to MRA / MRIA / audit findings. |
| financial-crime-governance | CDD review, EDD escalation packs, SAR-decision QA, AML model monitoring, sanctions-screening QA, negative-news triage. |
| consumer-compliance-fair-lending | Adverse-action review, fair-lending test plans, UDAAP risk review, Section 1071 readiness, complaint-theme analysis, marketing-claim review. |
Install: `npx claudepluginhub anotb/second-line-financial-services --plugin third-party-operational-resilience`