Posted initially on LinkedIn: Claudia Craia
I am currently working on a DORA project.
Short comment. DORA is a European regulation on digital operational resilience for the financial sector. In my opinion, DORA is a very good piece of legislation; it educates a lot in the area of ICT risk management. In addition, it completes the list of requirements that make the world a better place, such as TCFD for climate change, GDPR for personal data protection or the anti-money laundering regulation.
So, let’s go back to DORA.
One of the requirements is:
“…specify the segregation of duties arrangements to avoid conflicts of interest, in the context of the three lines of defence model or other internal risk management and control model, as applicable…”
Recently, in the list of deliverables, I saw:
➡ Three lines of defence model (3LoD)
I asked: Why?
Answer: Because that’s what DORA asks for…
Hmmm, not really. Or at least, I don’t understand this from the above requirement.
What I understand needs implementing is:
➡ segregation of duties arrangements
➡ to avoid conflicts of interest
Yes, the most accessible is probably the 3LoD.
BUT ONLY IF i) you already have the 3LoD model in place, ii) you have the resources for it and iii) it delivers objectives that align with the above.
BUT if the three conditions above are not met, the 3LoD could be an inadequate solution. 3LoD can be designed in many ways and might:
➡ be expensive, if it is designed with many roles
OR
➡ not cover the objectives of DORA (i.e., segregation AND avoid conflict of interest)
I for one would not go for 3LoD without analysing other options, especially since the legislation allows it. I would look for the SMARTEST solution in terms of cost, compliance, objectives.
We are now analysing several options, because this is the right thing to do. The legislation allows it, see “… or other…” above.
After the discussion with the implementation team, I sat down and thought:
💡 How many times have we made our lives more difficult just because we didn’t read what was written after “… OR …”?
💡 How many good initiatives and proposals have died from “… because the regulation says so…”?