The Digital Operational Resilience Act (DORA) recognises the importance of effective ICT risk management. DORA is the latest measure taken by the European Union to enforce upon financial entities the need to establish a robust internal governance and control framework thereby ensuring operational resilience in the digital age. Article 5 of DORA outlines the governance and organisational responsibilities that board directors and management must uphold, underscoring that board directors and management bear the ultimate responsibility.
Responsibilities of the Board
The specific responsibilities that board directors and executive management should fully embrace and prioritise are:
-
Ultimate Responsibility: The management body bears the ultimate responsibility for managing the financial entity's ICT risk. This overarching accountability underscores the weight of their role in ensuring digital operational resilience.
-
Data Integrity and Confidentiality: To maintain high standards of data availability, authenticity, integrity, and confidentiality, board directors must establish policies that safeguard the integrity and security of sensitive information.
-
Clear Roles and Responsibilities: It's vital to set clear roles and responsibilities for all ICT-related functions and establish governance arrangements that promote effective communication, cooperation, and coordination among these functions.
-
Digital Resilience Strategy: The board is responsible for setting and approving the digital operational resilience strategy, which includes determining the appropriate risk tolerance level for ICT risk within the financial entity.
-
Business Continuity and Response Plans: Approval, oversight, and periodic review of the financial entity's ICT business continuity policy and response and recovery plans are essential to ensure that the entity can weather any digital storm effectively.
-
Internal Audit and Budgeting: The management body must approve and periodically review the financial entity's ICT internal audit plans and related budget allocations to fulfill digital operational resilience needs.
-
Third-Party Service Providers: Board directors must approve the financial entity's policy on arrangements regarding the use of ICT services provided by third-party service providers. This involves understanding the potential impact of such arrangements and ensuring their alignment with the entity's digital resilience strategy.
-
Monitoring Third-Party Arrangements: In addition to establishing a role or designating a senior management member to oversee ICT third-party service provider arrangements, the board should remain vigilant in monitoring risk exposure and documentation.
-
Continuous Education: Members of the management body must actively stay up-to-date with ICT risk and its impact on the entity. This involves regular training and skills development to ensure they can effectively assess and manage ICT risk.
BDO Malta: Your Partner for DORA Compliance
The European Union has set January 17th, 2025 as the deadline to achieve DORA compliance. While this might seem a distant target, in fact achieving DORA compliance is a very complex and challenging task which requires a concerted effort by the in-scope financial entities. At BDO Malta, we understand the profound impact that the journey towards DORA compliance has on such organisations. Our team of regulatory and compliance technical experts is dedicated to helping your company navigate this complex environment. Our comprehensive range of services includes:
- Board and Management Training on DORA;
- Expert guidance on DORA compliance;
- Performing gap analyses;
- Conducting risk assessments;
- Developing and implementing incident management and business continuity plans;
- Providing continuous support and monitoring.
Is your company ready for DORA?
Get in touchDownload DORA Compliance checklist
