Preparing for DORA Step 1 - Enhancing Governance and Risk Management Frameworks

As discussed in a previous post, there are five key parts to the DORA regulations with which both European regulated financial service firms and those that supply them with services must comply.

i. ICT risk management frameworks.

ii. ICT-related incident reporting.

iii. Digital operational resilience testing.

iv. ICT third-party risk.

v. Information sharing.

This post is the first of five that will set out key steps that need to be taken to prepare for DORA compliance.

What are the implications of DORA on Business Service and IT governance?

DORA places an emphasis on clear business ownership and responsibility for the entire service chain for a Firm’s services. The focus is on making sure that services are built to withstand threats, and that customers are not impacted even when incidents do occur.

To achieve high levels of resilience a firm must examine its governance frameworks and ensure that ownership of resilience is assigned from the top down, with clear roles and responsibilities written into the governance framework. Delegating responsibility and hoping that it will be ‘all right on the night’ is no longer an option for senior management.

As with all governance, the roles and responsibilities must be backed by solid policy ownership and by defined procedures aligned to those policies, and the whole must be steered by the stakeholders on the basis of robust management information (MI). Stakeholders at all levels, from the Board down, must be trained in what their operational resilience roles and responsibilities are.

Senior stakeholders must take responsibility for all aspects of service continuity by actively defining and overseeing:

• The Firm’s appetite and tolerance for disruption.

• Strategies and policies for operational resilience and business continuity.

• Oversight of resilience through relevant MI for the procedures, controls and testing aligned to the policies.

• Assurance of the entire service supply chain, including due diligence on the resilience capacity of outsourced third-party services.

How should risk management frameworks evolve to support DORA?

Firms should take a holistic view of the threats to the services they provide to customers and the marketplace. DORA places a heavy focus on the impact of cyber threats and IT service threats. The regulations require firms to create an ICT risk management framework that anticipates threats and that will assure the continuity of all their customer-facing and market-facing services should one of those threats materialise.

Firms must set their tolerance for disruption by defining a clear risk appetite that considers not only the impact of a disruption on the firm itself but also its impact on the consumers of the affected services.

Aligned to the defined risk appetite for disruption, the firm must prepare a set of policies to guide its approach and response for overall operational resilience. The policies should define the framework for crisis management, business continuity and recovery, and the disruption communication strategy. Policies must be backed by clear procedures, have defined controls, be managed through appropriate MI, and be proven with regular testing.

The risk framework must take into account the entire service chain. Particular focus is required on the design of services for failover, redundancy, and contingency, as well as the backup of data and configurations. The framework must cover outsourced as well as internally supplied parts of the service chain with clear policies for outsourcing and management of outsourced services.

Pulling all of this into a coherent and well-documented framework, and then evidencing that you have management information that is reviewed and understood by the governing body, is key. The benefits of doing so transcend the regulatory requirements: if implemented in a commercially sensible way, the framework can be used as a business differentiator to retain and attract more customers.

Look out for our next publication about ICT-related incident reporting - Enhancing Management Information (MI), another of the five key areas of DORA.

At Shapes First we work with firms so that they have the tools they need to manage their operational resilience in a commercially sensible way while at all times complying with their regulatory obligations. If you would like to hear more about what we can do to help you, please get in touch at info@shapesfirst.com
