I think I’ve addressed some of this with my comments on DORA and third-party providers.

Supply chains and critical third parties will be the Achilles heel for most organisations – balancing innovation and transparency has always be important, but will be key going forward.

There’s some evidence of a growing discussion about how risk is defined, let alone dealt with.

It is possible this could influence the new set of ideas needed to move policymaking on from its current moribund state.

A large number of significant data breaches in the last year means that a lot of companies will for the first time start looking more closely at the multiplicity of third-party vendors that they employ and their exposure to operational risk as a result of these relationships.

Perhaps one way of addressing the risk will be to try to find one big vendor to outsource to, one with a track record of robust systems and processes that match those of the company doing the outsourcing.

It is one way of trying to minimize risk, or at least gain a little bit more control, but, of course, it also creates different types of risks as well.

The ability to address operational risk will be a key success differentiator for companies. Those who are best able to manage these risks are likely to thrive and, with their reputations and systems intact, outcompete those who struggle.

But regulatory attention will continue shifting away from in-house systems to critical third-parties because their wide-spread adoption means that they constitute a systemic risk for many industries – including finance, justice, healthcare, etc.