The European Union’s Digital Operational Resilience Act (DORA) takes third-party risk management very seriously. Upcoming regulatory compliance requirements under DORA will require financial institutions to have a thorough understanding of the end-to-end supply chain and enhance the way they conduct Third Party Risk Management (TPRM) by January 2025.
Many financial services firms risk having insufficient operational resilience intelligence on their core ICT suppliers and will need to ramp up their efforts to become compliant or face significant penalties for non-compliance.
Here are some key pointers to help you and your partners meet regulatory requirements painlessly.
Visually map out key functions within your business
Begin by identifying each vital part of the organisation and then break it down into: the PEOPLE who are responsible for managing the function; the PROCESSES that underpin its daily operation; the TECHNOLOGY (systems, data, information) which enables the processes and management; and THIRD PARTIES, who supply you with the necessary systems and solutions.
As a first step, this will provide a clear overview of how the business operates and how functions overlap and interconnect. It sets the stage for the next critical step: building operational resilience across the supply chain.
Mapping third-party risks
Every moving part within the organisation will have some level of operational risk attached. For example, there could be ‘key-person’ risks. These occur when just one or two people in a function have access to critical system knowledge, which leaves both them and the function highly exposed. Or perhaps there are functions that rely on third-party systems to the extent that there are no viable manual or internal workarounds in the event of an outage. Such third-party risks are particularly important, because exercising control over them is less straightforward than for risks arising from in-house activities.
Successfully mapping such risks will depend on collaboration between vendor owners and subject matter experts across the organisation: professionals who are close to the coal face and have a detailed understanding of potential risks and associated impacts and can prioritise accordingly.
Identify well-governed risk treatment plans
Having identified the risks in each functional area, and the potential impact they might have on the business’s resilience posture, it’s time to develop well-governed risk treatment plans. Begin by securing sign-off on remedial actions from the board; senior buy-in is essential to underline the importance of implementing the plans.
Each plan should summarise the impact of the risk to resilience, specify mitigation methods, identify who is responsible for implementation, and set deadlines for action. Ongoing monitoring and reporting will assess the effectiveness of implemented measures so they can be adjusted as necessary.
Ensure that staff are trained on DORA
With the January 2025 deadline looming, now is the time to begin training employees on DORA and how it will affect their roles and responsibilities. The sooner people are made aware of the implications, what is required of them and how it will impact their day-to-day activities, the more time there will be to strengthen these practices and really bed them in before DORA is live.
There are a range of DORA training courses that provide the know-how and confidence to navigate the route to DORA compliance, as well as e-learning courses that cover essential compliance knowledge.
Develop an Operational Resilience testing framework
It is vital to regularly conduct threat-led testing on specific components and systems across all essential functions to calibrate the assumptions made about their resilience. By integrating the outcomes of test exercises into a continuous risk assessment, organisations can enhance their resilience posture, even as external and internal threats continue to evolve.
Remember that operational resilience is an ongoing process. Regularly review and update your framework to adapt to changing circumstances and emerging risks.
Implement Governance Risk and Compliance (GRC) Tools
Third Party Risk Management is of the utmost importance to operational resilience. GRC tools act as a single source of truth for all vendor relationships, as well as highlighting the associated risks and the mitigating controls in place. Nominate vendor ‘owners’ within the business who can use GRC tools to oversee the relationship and mitigate risk for each supplier.
At the same time, create and maintain a vendor directory, which provides complete visibility of your vendor ecosystem and the associated risks so you can make informed decisions. With all the relevant information in one central repository, you can streamline the risk management process and reduce the potential for human error.
Finally, instead of random manual checks, implement an automated Third Party Risk Management (TPRM) platform to manage the ongoing assessment of risk. This will take on the hassle of repetitive tasks and continuous verification, ensuring a consistent approach to vendor-related risk.
For example, in the case of a vendor questionnaire, the platform begins with automation, but then enables individuals to thoroughly review and evaluate the provided responses, as well as the findings from any compliance audit report. Leveraging pre-mapped controls can save organisations significant time compared to carrying out manual assessments of third parties. Features like flagging and risk scores measure supplier performance, and reports provide real-time visibility into how third parties are affecting the risk and security posture of an organisation.
By deploying such GRC tools, organisations can minimise vendor risks and the residual operational impact of any outages.
As the clock continues to tick down to January 2025, the sooner you begin addressing DORA, the better. By following these simple steps, you can ensure that you’ll be well placed to meet compliance standards and build operational resilience measures across the entire supply chain.