Enhancing Digital Operational Resilience for Business Leadership under DORA

The EU’s Digital Operational Resilience Act (DORA) has ushered in a new era of responsibility for business leaders, executives, and board members in the financial sector. With the rising complexity of Information and Communication Technology (ICT) risks, traditional methods of training and risk assessment are being reevaluated.

Microsimulations present an innovative approach to meeting these enhanced responsibilities, offering a more dynamic and interactive way to build resilience against digital threats.

The Challenge of Digital Operational Resilience for Business Leadership

Executives face a number of challenges in maintaining operational resilience, especially with the involvement of third-party technology providers. These challenges stem from the complexities of modern business operations, where reliance on external entities for critical services and technology is common. Here are some of the key challenges:

  1. Complexity of Supply Chains: The involvement of third-party technology providers adds layers of complexity to a company’s supply chain. Executives must navigate these complexities to ensure that their third-party partners adhere to the same standards of resilience as they expect within their own operations.
  2. Cybersecurity Risks: Reliance on third-party providers introduces additional cybersecurity vulnerabilities. Executives must ensure these partners have robust cybersecurity measures in place to protect against data breaches, ransomware attacks, and other cyber threats that could disrupt operations.
  3. Compliance and Regulatory Requirements: Different jurisdictions have varying regulations regarding data protection, privacy, and operational resilience. Executives must ensure that their third-party providers comply with all relevant regulations, which can be a significant challenge when operating across multiple regions.
  4. Visibility and Control: Having third-party technology providers means that parts of the operational process are outside the direct control of the company. Executives face challenges in gaining full visibility into the operational health and risk management practices of these providers.
  5. Dependency and Concentration Risk: Relying on a limited number of providers for critical technology services can lead to concentration risk. If a single provider faces a disruption, it could significantly impact the company’s operations. Diversifying providers or having contingency plans in place is crucial but can be challenging to implement effectively.
  6. Change Management: Technology evolves rapidly, and keeping up with these changes can be difficult. Executives must ensure that their third-party providers are continually updating their services and security practices in line with the latest advancements and threats.
  7. Reputation and Brand Impact: Any operational disruptions, especially those related to data breaches or compliance failures by third-party providers, can significantly impact a company’s reputation. Executives need to manage these risks proactively to safeguard their brand.
  8. Contractual and Negotiation Challenges: Establishing contracts that clearly define the expectations, responsibilities, and liabilities of third-party technology providers requires careful negotiation and legal expertise. Ensuring these agreements also provide the flexibility to adapt to changing regulatory and business environments adds another layer of complexity.
  9. Cost Management: While leveraging third-party providers can offer cost efficiencies, unexpected expenses related to compliance, auditing, and managing these relationships can arise. Executives must balance the cost benefits against the potential hidden costs of third-party engagements.

Addressing these challenges requires a strategic approach to risk management, including thorough due diligence, continuous monitoring, and the development of strong relationships with third-party providers. Executives must also foster a culture of resilience within their organization, emphasizing the importance of operational continuity and the ability to adapt to and recover from disruptions.

DORA aims to strengthen the ICT risk management frameworks within financial entities, placing significant emphasis on the roles of executives and board members.

What is the Role of the Board and Executive Team under DORA?

The Digital Operational Resilience Act (DORA) introduces comprehensive obligations for the “Management Body” of covered entities, typically referring to the Board of Directors, across various financial services.

This framework extends to ensuring robust oversight, control, and input on policies and procedures, even within complex group structures. DORA designates the “Management Body” — often the Board — as responsible for overseeing the entity’s adherence to digital operational resilience standards. This includes ensuring that the entity has a grasp on ICT risk management and operational resilience, aligning with sector-specific regulations like PSD2 or MiFID.

Here’s a summary of the key roles and responsibilities outlined under DORA for board members and executives:

  • Ultimate Board Responsibility
    The Board is entrusted with the ultimate oversight of ICT risk management strategies and operational resilience, marking a significant regulatory expectation for board members to be actively involved in managing digital operational resilience risks and compliance with DORA.
  • Skills and Training
    Board members are required to maintain and update their knowledge on ICT risks, necessitating regular, specific training. This ensures they have a foundational understanding of ICT security, the entity’s specific ICT risks, and the strategies in place to mitigate these risks.
  • Reporting and Briefings
    DORA mandates annual briefings for the Board from senior ICT staff on testing outcomes, audits, and incidents, plus reports on major ICT-related incidents. This is to ensure that boards are well-informed and can make knowledgeable decisions regarding the entity’s digital operational resilience.
  • Policy Approval and Review
    The Board must actively engage in the implementation, approval, and periodic review of key policies and procedures related to ICT. This encompasses roles and responsibilities, governance arrangements, data integrity, ICT business continuity, and more. The aim is for boards to ensure that their organizations not only comply with DORA but also maintain high standards of ICT security and resilience.
  • Establishing a Culture of Continuous Improvement
    Entities are encouraged to document board training and engagement activities, aligning approval and review processes with the Board’s educational activities. The goal is to establish a culture of continuous improvement and adaptation to evolving digital resilience requirements.

In essence, DORA empowers boards with a proactive role in governing digital operational resilience, emphasizing the need for informed leadership, regular training, and an active review process to adapt to the challenges of a digital age.

Common strategies for leadership engagement such as traditional tabletop exercises, training regimes, and business continuity plans, while useful, often lack the engagement and realism needed to effectively prepare leaders for the complexities of digital operational resilience. This is where Microsimulations come into play.

Microsimulations: A Gamechanger in Executive Engagement

What are Microsimulations?

Microsimulations are short, scenario-based simulations that mimic real-world ICT risk situations. Unlike lengthy tabletop exercises, these simulations are concise, focused, and highly interactive. They provide an immersive experience that replicates the pressure and decision-making scenarios leaders would face in real incidents.

Microsimulations serve as a powerful tool to engage executive and board teams in meeting the Digital Operational Resilience Act (DORA) requirements through interactive and practical experiences. Here’s a consolidated overview of how they help:

Realistic Understanding and Engagement
Microsimulations immerse leaders in realistic ICT risk scenarios, enhancing their understanding of potential impacts on the organization. This active participation promotes deeper engagement with the material, moving beyond theoretical discussions to practical, hands-on experience.

Customized Scenario-Based Learning
By tailoring scenarios to the specific operational and risk profile of the organization, microsimulations ensure relevance and direct applicability. This customization helps leaders see the practical value of compliance with DORA, making it easier for them to prioritize and champion resilience initiatives.

Strategic Decision-Making and Policy Development
Insights gained from microsimulations inform strategic planning and policy development, ensuring that decisions are based on tested scenarios. This aids in aligning organizational strategies with DORA requirements and enhancing overall digital operational resilience.

Testing and Refining Response Strategies
Microsimulations offer a direct way to test and refine the organization’s response strategies to ICT disruptions, in line with DORA’s emphasis on regular testing. This practical approach to identifying and addressing vulnerabilities facilitates continuous improvement.

Demonstrating Leadership and Setting Organizational Tone
Executives and board members actively participating in microsimulations demonstrate a commitment to operational resilience. This leadership by example sets a positive tone throughout the organization, emphasizing the importance of resilience and compliance with regulatory requirements.

Microsimulations are instrumental in engaging executive and board teams in a meaningful, practical approach to meeting DORA requirements, fostering a culture of resilience and proactive risk management. Incorporating microsimulations into regular training programs ensures that board members and executives are not only aware of their responsibilities under DORA but are also prepared to act effectively. These simulations can cover a range of topics, from cyberattack response to managing third-party risks, aligning with the diverse requirements of DORA.

From the Boardroom to the Shop Floor

As the financial and technology sectors navigate the complexities of digital operational resilience under DORA, Microsimulations offer an innovative and effective tool for business leaders. By providing realistic, engaging, and focused training experiences, these simulations play a crucial role in preparing executives and board members to effectively manage ICT risks.

Book a demo to learn more about how iluminr can help you engage your leadership team in meeting the requirements for the EU’s Digital Operational Resilience Act.

Author

Paula Fontana

VP, Global Marketing

iluminr