For a Successful DORA Implementation
The 17th of January marks the one-year countdown until the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) enters into force. Time is relentless, and it is crucial to recognise that DORA is not merely an 'IT or security' concern.
DORA is a large and detailed regulation that encompasses everything from the risk framework to information security, compliance, resilience, and outsourcing. It requires collaborative management involving various stakeholders, with the Board of Directors taking the lead.
To date, we have assisted several clients in preparing for DORA, and through this experience, we have identified two essential prerequisites for the successful initiation of a DORA implementation program:
First, DORA is a team effort, and a collaboration forum of stakeholders is needed to manage the DORA implementation program.
Second, business process mapping is fundamental to implementing DORA, as several critical areas in DORA directly depend on updated process mapping. This means that time is a scarce resource, as process mapping needs to be completed before starting the actual DORA implementation.
A typical DORA implementation is usually divided into several underlying projects. Governance, organisation, Board reporting and the above-mentioned coordination are typically handled in the overarching DORA program itself.
The underlying areas of the program can, of course, vary, but usually include further development of the ICT risk management framework, incident management, the ICT testing framework, resilience projects and ICT third-party outsourcing.
We see a greater focus not only on the governance aspects of DORA but also on the development of risk and security indicators, along with formalised internal control. Additionally, there is a significant focus on enhancing Board reporting.

Timo Tamminen
Contact us today to navigate DORA and ensure a seamless implementation.