
Getting started on DORA strategy


Following the recent publication of DORA’s Regulatory Technical Standards, firms have confirmation of what a DORA strategy must contain. The requirement sits in Article 6 (ICT Risk Management Framework) of the Regulation itself.

An essential element of Article 6, the strategy will communicate how digital operational resilience objectives will be achieved and how the framework will be implemented. The strategy should communicate not only the firm’s digital operational resilience objectives but also how they link to corporate goals and enterprise strategy.

The requirement is broken down into eight discrete points, and the strategy must include methods “to address ICT risk and attain specific ICT objectives”.

The strategy will be developed to:

  1. explain how the ICT risk management framework supports the financial entity’s business strategy and objectives;
  2. establish the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analyse the impact tolerance for ICT disruptions;
  3. set out clear information security objectives, including key performance indicators and key risk metrics;
  4. explain the ICT reference architecture and any changes needed to reach specific business objectives;
  5. outline the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;
  6. evidence the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
  7. implement digital operational resilience testing;
  8. outline a communication strategy in the event of ICT-related incidents.

(Ref: Article 6(8), Regulation (EU) 2022/2554 of the European Parliament and of the Council)

In short, firms are required to document their objectives, capabilities, and methodologies for ICT risk management, monitoring, measurement, reporting, testing, and incident / crisis communications.

Firms without an established ICT risk management capability must also develop the methodologies that support these outcomes, so for them DORA strategy development will be a significant undertaking.

For those firms, a logical approach is iterative strategy development: start with what is already in place and build on it over time.

There are likely to be existing, if disparate, threads of a DORA strategy already in the firm, such as information security KPIs and metrics, risk and business impact assessments covering ICT and cyber risk, and threat and vulnerability assessment and identification tools.

The first step should be to assess the current state against the DORA Regulation and its Regulatory Technical Standards (RTS). Firms can use the DORA strategy and framework requirements to structure the assessment; on completion they will know whether, and where, the required capabilities already exist.

Using Article 6(8) as a strategy strawman, firms can then start to connect these threads, and a loose strategy will begin to take shape.

The key to taking the strategy on to maturity will be working with the Executive to determine how everything links together to support the firm’s business strategy and corporate objectives, and to understand their appetite to invest in digital resilience capability.

That input from the Executive is what turns a collection of threads into a mature DORA strategy.

Without that input and clear direction, how DORA will be implemented and supported is anyone’s guess. The result will be a programme that loosely meets regulatory requirements but lacks direction and will ultimately not achieve the intended objectives of the Regulation.

March 5, 2024
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. He has 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.
Copyright © 2022, FourthLine. All Rights Reserved.