DORA Part 5 – Think like a regulator. Why is it important?

Hi, we’re STC!

A team of risk management and corporate governance professionals working in a partnership structure to provide top-tier expertise to a wide range of organizations. We offer our skills and talent to support your strategy.

One of the DORA consultants that I have worked with started his work with us by saying “you must think like a regulator!”. I thought it was the perfect advice.

What’s even better, it came from a cybersecurity expert. We have since connected via LinkedIn and, seeing how he views the world and the business environment, I understood it was not a one-time strike.

So, “THINK LIKE A REGULATOR”!

The regulator aims to safeguard the financial sector from major digital threats and IT outages. I believe their intention is not to impose undue burdens on small to medium-sized, non-banking financial institutions. They aim to identify the biggest risks to the sector and determine which technology companies control the majority of the global digital infrastructure.

DOCUMENTATION

They will start by reviewing your digital operations documentation, including procedures for business continuity, resilience activities, incident management, and resilience testing. At this stage, they can’t challenge your thinking; they’re still forming their judgement. In one of the EU markets I work with, the regulator admitted they lack the technical expertise needed to supervise DORA compliance. So, START DOCUMENTING YOUR PROCESSES IN ALIGNMENT WITH DORA.

ROLES AND RESPONSIBILITIES

The regulation emphasises the responsibility of the MANAGEMENT BODY (board, supervisory body, management board) and the allocation of responsibilities to ensure segregation of duties and the avoidance of conflicts of interest. It DOESN’T have to be the Three Lines of Defence Model. ALLOCATE THE ROLES AND RESPONSIBILITIES IN THESE TWO AREAS. IDENTIFY THE GAPS. RESOURCE THOSE GAPS IN A PROPORTIONAL WAY. You have to know what your gaps are. The regulator will not impose fines and measures if you have not yet found every single expert you need, but they will if you didn’t even try to understand those gaps.

PROCESSES

There are a few processes that need to be in place, especially around business continuity, incident management, and resilience testing. However, if you have worked in risk management for a while, these are nothing new. These are simply the most common processes in almost all risk management disciplines. MAKE SURE YOU HAVE THEM IN PLACE FOR ICT RISKS.

TOOLS

A number of inventories are required by DORA: key ICT assets, functions, suppliers, etc. Is this a surprise? No! Actually, similar to Climate Change, DORA is simply a regulation that sets out the requirements for a good risk management process. Try to understand DORA and you will not need an (operational) risk management book.

Now, similar to Climate Change, there are so many tools that were developed in a short period of time to support DORA implementation. I believe some of these tools help with good ICT risk management. But if you cannot deliver DORA compliance because you don’t have a specific tool, you are doing something wrong. IDENTIFY THE TOOLS THAT MAKE YOU DORA COMPLIANT. I do not think the regulator intended to create more costs for the companies.

You can find the DORA text here.

Posted initially on LinkedIn: Claudia Craia