Delivering DORA in an Asset Management Firm

In our previous post on DORA, we explained what it is, and summarised the content of the four papers that were released on 10th January 2024 explaining what is required. In this article, we take a look at how these translate into practical steps that an asset manager can take…

1. Develop an ICT Risk Management Policy

Assemble a cross-functional team that includes representatives from IT, risk management, legal, compliance, and business units to develop the ICT risk management policy. The policy should detail the management of ICT risks, specifically focusing on the use of ICT services supporting critical or important functions provided by third-party service providers.

2. Create an ICT Risk Assessment Framework

Implement a structured risk assessment framework that allows for the identification, assessment, and prioritisation of ICT risks associated with third-party service providers. This framework should include criteria for evaluating the criticality of services, the business reputation of the provider, their security measures, and the potential impact on the financial entity's operations.

3. Implement Due Diligence Procedures

Develop and implement comprehensive due diligence processes to evaluate potential and existing third-party ICT service providers. This should cover the examination of the provider's financial stability, expertise, security measures, compliance with legal and regulatory requirements, and the ability to meet contractual obligations.

4. Review Contractual Arrangements and Monitoring Arrangements

Negotiate detailed contractual arrangements that clearly define the services to be provided, service level agreements (SLAs), data protection measures, audit rights, and termination clauses. Ensure that contracts provide for the right to conduct audits, including on-site inspections, and specify the mechanisms for incident reporting and resolution. Establish a monitoring program to regularly assess the performance of third-party providers against SLAs and compliance with contractual terms.

5. Train Your Staff (and Keep Them Updated)

Conduct training and awareness programs for all employees involved in managing and overseeing the use of third-party ICT services. This includes training on the risk management policy, due diligence processes, and procedures for monitoring and reporting ICT risks. Continuous education on emerging ICT threats and regulatory changes should be included on an ongoing basis.

6. Adapt Business Continuity and Incident Management Plans & Testing

Integrate third-party ICT services into the financial entity's business continuity plans. Develop and test incident management and disaster recovery protocols that involve third-party providers to ensure that critical functions can be maintained or quickly restored in the event of a service disruption or security incident.

7. Periodically Review Actions Taken

Implement a process to ensure that all regulatory requirements related to ICT risk management are being met. This includes maintaining up-to-date documentation on risk assessments, due diligence efforts, contractual agreements, and incident management activities. Prepare for regular internal audits and be ready to demonstrate compliance to regulatory bodies and senior management as required.

8. Foster Continuous Improvement

Adopt a continuous improvement mindset, regularly reviewing and updating the ICT risk management policy, practices, and procedures based on lessons learned, changes in the regulatory landscape, and evolving industry standards.

Conclusion

How the business approaches this set of tasks is very much down to the corporate culture, the size of the firm, and the accepted norms of getting things done. Some aspects (where there are specific deliverables) might fit nicely into a project structure, whereas others (the ongoing recommendations) are perhaps more suited to the day-to-day management of the firm, and sit with specific "business as usual" teams within the organisation (e.g. Risk Management, Central Procurement, etc.).

DORA may be the blueprint for EU Digital Operational Resilience going forward, but the guidance it details is underpinned by principles that all firms should be considering and adopting regardless of regulatory edicts. At the same time, we should all take note that the technology advances we are seeing today (and will see in the future) are accelerating at a rate never previously experienced, meaning that the struggle to maintain digital operational resilience will never cease, and will (probably) only become more demanding.
