Operational Resilience in a Changing World
Operational resilience has become a core focus of regulatory bodies, with the establishment of requirements across jurisdictions at both national and international levels. In many countries, new regulations require that companies take action to ensure that they have robust practices in place to identify, mitigate and react to the evolving and escalating threat landscape.
A comprehensive EU regulation, the Digital Operational Resilience Act (DORA), has introduced rigorous responsibilities for financial institutions and their essential third-party providers. It makes an organisation’s management body—boards, executive leaders and senior stakeholders—responsible for ICT risk management by requiring that they define appropriate risk-management frameworks, actively assist in the execution and oversight of these strategies, and stay abreast of the ICT risk landscape.
Our DORA practice
Our team of subject matter experts supports institutions of all sizes in their ongoing journey to DORA compliance. We can provide a combination of different service offerings, depending on your organisation’s specific requirements, to create a best-fit model for DORA implementation that ensures compliance by the January 2025 deadline.
The requirements spanning DORA’s five pillars are vast. We can deploy our experts into your company to conduct a scoping exercise and gap assessment that will provide a robust platform to progress from.
To begin, we provide a risk-based prioritisation and scoping exercise on the application of proportionality. We’ll then review existing policies, controls and frameworks and map them to DORA requirements.
Following the gap assessment, our experts can design a remediation plan that includes tactical actions with owners, activities and timeframes.
By collaborating with cross-functional stakeholders and putting effective roles and responsibilities in place, our team will implement the agreed-upon remediation actions on a timeline that works best for your organisation’s needs.
Following the agreed-upon remediation plan, our team will put in place an appropriate governance structure and delivery-focused model that aligns with the five pillars of DORA:
- ICT risk management framework,
- ICT-related incident management, classification and reporting,
- Digital operational resilience testing,
- ICT third-party risk management, and
- Information sharing.
For a large-scale regulatory initiative such as DORA, obtaining practical assurance support and guidance in advance of the implementation guideline offers an immediate ‘value add’ to your newly implemented operating model.
We have a range of SMEs available to conduct assurance reviews and quality checks. They have skills, knowledge and experience of gap assessments and market trends, and can support your company’s DORA readiness efforts.
Our SMEs provide training, tools and templates that deliver immediate results. Working closely with your team, they leverage a flexible, best-in-class suite of toolkits designed to meet your specific needs, manage your implementation programme and enhance the delivery of DORA requirements, all of which ensures a strong level of compliance.
DORA introduces increased rigour in the expectations around threat-led penetration testing (TLPT), going above and beyond existing frameworks such as TIBER.
To meet the requirements laid out in DORA Articles 26 and 27, our cyber experts will manage an end-to-end TLPT programme, guaranteeing completion of the advanced testing requirements, which are mandated from 2025 onwards.
Why Grant Thornton
We help clients from a variety of sectors boost their operational resilience and take the appropriate steps towards achieving DORA compliance by January 2025. Our first-hand experience, bolstered by our involvement with our EU network of firms, brings strength and depth to our service offerings. By collaborating with peers across this global network, we harness knowledge from various jurisdictions and ensure that your requirements are met in full.
DORA’s requirements are extensive and prescriptive in nature. To ensure your organisation’s readiness, our subject matter experts follow a three-phased approach that includes a gap assessment, remediation planning and implementation of remediation actions. With our customisable DORA Readiness Programme, we support clients in adhering to regulatory guidelines and making the wider organisational advancements required for a robust operating model.
Our clients attest that, by clarifying the scope and key dependencies, we have helped them avoid potential DORA pitfalls and ensured compliance to the required standard.