DORA in practice: IT governance and risk management

DORA, the Digital Operational Resilience Act, affects companies in the financial sector. In this expert discussion, CIS network partner and BCM expert Margit Mann asks Thomas Bachner from Calpana questions about the implementation of IT governance and ICT risk management and practical tips on how technical tools can support this.


DORA is currently just under six months away from being implemented. Although it can be assumed that companies have already been working flat out on DORA for some time, what would be your recommendation for a general approach?

Thomas Bachner: First and foremost, there is the objective question of whether specialist expertise and the necessary resources for implementation are available in your own company, in order to optimise expenditure and get off to a good start. In any case, existing information and best practices should be evaluated and utilised in order to supplement or improve existing governance and already implemented management models in line with DORA.

In your experience, what approach can be taken to assess the current status of governance/ICT risk in order to recognise any GAPs or necessary measures?

Thomas Bachner: If a company is affected by DORA, the first step is to carry out a comprehensive gap analysis for the individual articles, including RTS and ITS, with an initial resource estimate and formulation of measures to close the gaps. Based on this, the second step is to carry out the best possible resource planning and planning for the implementation of measures with action plans, as well as the definition of responsibilities and the timing of implementation.

In your opinion, what are the general points that need to be considered?

Thomas Bachner: In the area of governance, of course, the risk management framework needs to be supplemented with the requirements of ICT risk management. This includes, for example, considering the creation of a supplementary and comprehensive framework for ICT risk management that also includes strategies, guidelines and policies as well as documented procedures and tools. It is also necessary to classify ICT risks and integrate the review into an annual cycle.

Practice shows that a functioning ISMS (information security management system) following ISO 27001 is required as a general valve to implement DORA requirements in the company. There are also numerous interface topics, such as business continuity following ISO 22301.

How can companies utilise existing synergies?

Thomas Bachner: You could ask whether there are already established best practices that can help with implementation.

In order to avoid insular thinking and create the necessary synergies, a strong commitment from top management is necessary. This is also important because newly required roles and strategies have to be formulated in the course of DORA, topics are sometimes cross-departmental or cross-functional and, above all, proactive collaboration is of great importance.

About Thomas Bachner

Partner and Senior Consultant at Calpana business consulting GmbH since the end of 2019. Expert in the field of IT risk management (ISMS, ISO 27001, BCM) with over 10 years of implementation experience in the corporate environment and as a consultant in various industries (retail, IT, finance, etc.)

About the author

Margit Mann, MSc

As manager of the Business Resilience, BCM division of a large insurance company in Austria, she knows the importance of the interaction of management systems, the interface topics to ISO 22301 and the adaptation of new guidelines and topics. Her personal motto: Continuous improvement as the path to success.

Read more about concrete implementation and how technical tools can support this in Part 2.

