DORA compliance: Four tips for enhancing third-party management

By: Shane O'Neill

The Digital Operational Resilience Act (DORA) aims to strengthen ICT management across the financial services sector by setting out rigorous responsibilities for how financial institutions mitigate, document and react to potential vulnerabilities. 

One of DORA’s goals is to ensure that third-party relationships don’t compromise operational resilience. Over the past decade, financial institutions have become increasingly reliant on third-party providers for the delivery of their critical business services.

In response to changing customer expectations, they have altered their business models to offer digital services that allow customers to conduct transactions quickly, easily and at any time. As a result, financial institutions depend on third parties that have the technical expertise required to build and manage these ICT products.

DORA requires financial institutions to implement robust processes for managing third-party ICT providers. However, managing third-party relationships can be complicated and time consuming. Below are four tips to help firms enhance their third-party management strategies to align with DORA requirements.

Identify third-party risks at the outset

As part of the ICT risk management pillar, Article 8 stipulates that “financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk”.

A core element under DORA is for firms to determine their critical or important functions: any function whose disruption would materially impair the institution’s financial performance, its ability to maintain regulatory compliance, or the quality or continuity of its services.

Performing a mapping exercise in which financial institutions identify the ICT assets and third-party services that underpin their critical business functions, and the risks attached to them, allows them to document a holistic view of the third- and fourth-party landscape, including the interdependencies that determine how a threat to one provider will impact business operations.

To maintain compliance and save time later, financial institutions need to conduct a thorough, top-to-bottom mapping exercise that identifies third-party risks before implementation begins. Discovering these risks after implementation efforts are under way can result in compliance delays and wasted resources.

Once institutions have identified their critical functions, they need to evaluate those functions’ ICT assets and determine which assets carry risks associated with third-party delivery. For risk-carrying assets, firms need to thoroughly analyse the third-party provider to assess the likelihood of it encountering a problem that could compromise a critical function. This investigation includes looking at the provider’s processes, operations, location of facilities, supply chains and more.

Invest in technologies to tackle ICT asset catalogue and reviews

Most financial institutions already catalogue their ICT assets to some extent. They often maintain an asset register containing hardware and software records, with information tracked across a dispersed set of spreadsheets. When it comes to DORA compliance, however, a decentralised approach to cataloguing assets creates challenges, because institutions need a firm-wide view of functions, ICT assets and the associated third-party providers.

Financial institutions should invest in platforms that can centralise their ICT asset catalogues. With a holistic view of third-party providers, firms can better understand the potential risks they pose to the business and can take action to mitigate such risks. 

Most platforms also contain automation features that simplify the review process. At a minimum, DORA requires an annual review of ICT assets and their accompanying documentation, and third parties deemed high risk should be reviewed more frequently.

Automation lessens the administrative burden of coordinating a review and decreases the number of manual components within a review cycle—thereby reducing the potential for human error or the potential of a review cycle being missed. 

Most platforms can automatically trigger a review process by generating an email that reminds stakeholders to review their asset inventories. Because the stakeholder performs the review within the system, the platform automatically logs their activity, ensuring that every step of the process is auditable from a regulatory perspective.

Update existing third-party contracts

Financial institutions must review their third-party procedures to ensure that their processes incorporate risk mitigation strategies. Under DORA, third-party contracts must set out specific procedures. For instance, the legislation mandates that firms obtain and document contractual clarity on service continuity, insolvency and off-boarding procedures.

To ensure that existing third-party contracts meet DORA requirements, firms can pursue a couple of options. They can perform an end-to-end review of current agreements and make updates to the clauses in each individual agreement to transform the document into a DORA-compliant contract.

Alternatively, they can add a ‘DORA Addendum’ to their contracts, which amends the terms of the ICT service agreement, and then obtain the third-party provider’s agreement that the addendum takes precedence over the underlying contract. To determine the best option, institutions should engage with their legal counsel or a law firm.

Take ongoing due diligence seriously

Under DORA, regulators expect firms to undertake due diligence on prospective ICT third-party providers, monitor third parties throughout the relationship and design off-boarding procedures in preparation for the termination of the contract. 

While most firms already perform due diligence assessments—either as part of a supplier assessment form or questionnaire—for DORA compliance, they should evaluate their practices in terms of how they document this process. The ethos of DORA is that due diligence does not stop when contracts are signed, so firms should use tools that allow for ongoing reporting in an easy and straightforward manner, ensuring that due diligence records are easily accessible.

To maintain ongoing due diligence, financial institutions must proactively engage with their third-party providers throughout the duration of the relationship. This engagement involves continuously monitoring third parties to identify and mitigate risks related to financial irregularities, data security vulnerabilities, operational disruptions, reputational damage, potential conflicts of interest and other legal, ethical and compliance issues.

DORA also stipulates specific requirements for third-party exit plans. These plans must be comprehensive, documented, sufficiently tested and reviewed periodically. In particular, an exit strategy must include a mandatory adequate transition period and outline a process for how the firm will migrate to another third-party service provider or change to an in-house solution without compromising a critical function.

Financial institutions need to evaluate the proposed exit strategy during the pre-contractual risk assessment and incorporate the final strategy in the contractual agreement with the third-party provider. By requiring an exit plan from the outset, DORA aims to reduce the risk of disruption to customers should a financial institution change its ICT suppliers.

Rethink internal structures

DORA’s third-party requirements necessitate an increase in governance and oversight. Firms can begin by delegating responsibilities so that the correct stakeholders take an active role in enhancing existing third-party management strategies. However, most firms will also need to initiate new practices, such as performing quarterly reviews, updating a centralised register, assigning risk/compliance ratings and establishing a forum for escalating and reporting third-party issues.

As a result, the legislation’s requirements around third-party due diligence, management and governance could necessitate that firms make strategic investments into additional resourcing or structural changes.

At a minimum, firms should establish a dedicated senior management role to oversee these practices, ensure that all third-party risks are identified and confirm that these risks are being addressed. However, considering DORA’s vast and ongoing scope, larger financial institutions should rethink their organisational structure and consider strategic options such as the creation of a new function with a skilled team dedicated to third-party management. 

Maintaining DORA compliance increases day-to-day management activities, due diligence responsibilities and reporting, all of which can create additional burdens for existing business functions and their employees. By creating a new central function that sits alongside procurement, manages the third-party supplier base and coordinates third-party reviews, firms can avoid overstretching current employees while ensuring regulatory compliance.

While each critical business function has a role in managing its ICT third-party providers, a dedicated third-party management function can offer firm-wide support by centralising documentation and reporting; assisting with ongoing due diligence; providing oversight of how information is recorded, updated and shared; and more.

How Grant Thornton can help with DORA compliance

At the outset, implementing DORA requirements can be daunting. The depth and breadth of requirements across areas such as incident reporting and third-party risk management require action, and knowing where to begin can be tricky. 

We support institutions of all sizes in their ongoing journey to DORA compliance. Our first-hand experience, bolstered by our involvement with our EU network of firms, brings strength to our service offerings, and our clients attest that by clarifying the scope and key dependencies, we have helped them avoid potential pitfalls and ensured compliance to the standard required.

We can provide differing combinations of services to create a best-fit model for DORA implementation that meets your organisation’s specific needs and ensures compliance by the 17 January 2025 application date.
