Implementing the Digital Operational Resilience Act (DORA) and operating in accordance with it is no easy task. Many of the activities involved are time-consuming and costly when performed manually. But is it possible to optimize DORA compliance? You will find the answer to this question in this article.
Risk assessment as one of the key processes in DORA
Given the scale of their operations, financial entities must rely on many processes. When information about resources, security status and processes is scattered, controlling business continuity and IT infrastructure development becomes challenging. Additionally, inconsistent information about processes across the organization hinders the planning and improvement of process security. Therefore, financial institutions must identify, classify and document all business functions, tasks and responsibilities, as well as all information and ICT resources related to ICT risk management.
Organizational security management requires risk assessment, that is, identifying risks and evaluating them. Third-party risk cannot be eliminated when ICT services are outsourced, but virtually any threat can be quantified and assessed, provided an appropriate asset-based methodology and supporting tools are used. Security activities can then be prioritized: the most significant risks are selected for treatment, and those that are unlikely and/or have a low impact are consciously accepted and recorded as such.
You can prepare for third-party risk management by incorporating the framework required by DORA, organization mapping and risk assessment into a ready-made schedule.
Mapping processes with ICT suppliers
The DORA Regulation provides general guidelines for risk assessment.
As part of identifying the ICT environment, financial entities must create a database containing an index of all information and ICT assets. They must record the configuration of these assets, as well as the links and interdependencies between them. Financial entities must also identify all processes that depend on external ICT third-party service providers, especially those related to critical or important functions.
After mapping their ICT environment, financial entities must identify all sources of ICT-related risk. One particular source is exposure to risk arising from other financial entities. They must assess the cyber threats and vulnerabilities relevant to their ICT-supported business functions, essential information assets and ICT assets, and must repeat the risk assessment whenever there is a major change to the network and IT infrastructure, processes or procedures that affects those functions or assets.
Manual risk analysis in accordance with DORA
After indexing the ICT environment, the financial entity should analyze and assess the risks for every ICT service and process; together these assessments make up the organization’s risk estimate. This activity should be carried out regularly, as a periodic review at least once a year, and whenever the ICT environment changes.
A medium-sized organization may use hundreds of ICT services and dozens of related processes. Manually performing risk assessments for such a large number of resources while taking into account the need for updates and regular reviews can be time-consuming, complex, and error-prone. Without a simple overview of the broader risk landscape within the organization and how it changes over time, those responsible for risk management may be unaware of the current and future level of digital operational resilience.
Automating the risk assessment process
What can be done to automate this process? How can the time and cost of ICT third-party risk management be reduced? One solution is IT governance, risk and compliance (GRC) tooling. RIG DORA is such a tool, built on many years of consulting experience in compliance, information security, business continuity, GDPR and IT. It is the product of 11 months of R&D work and ships as a ready-to-use tool with a built-in methodology.

The graphic shows the areas that can be automated with RIG DORA. The most important area that cannot be fully automated is organizational mapping, including the glossary, the process register and related elements, because it depends on knowledge that only the organization has. The remaining areas RIG DORA either fills in automatically or reduces to manual completion with a minimum of work hours.
To find out how much you could save by automating the risk assessment process, check out the calculator on our website. It allows you to calculate the approximate time and cost needed to perform all risk assessments for your organization.
We prepared the calculation by taking several variables into account, including the number of assets, processes, threats, stakeholders, products, and services. We also made several assumptions. First, we assumed that an ICT risk assessment requires careful consideration of the methodology and creation of a tool, such as Excel files, to assess risk within an organization. Another assumption is that an ICT risk assessment in accordance with ISO standards requires collecting information about processes, resources, vulnerabilities, security measures, stakeholders, products, and services.
Our methodology assumes that risk is the product of a consequence rating and a probability. In the business continuity domain, the consequence rating requires combining information about the process and the supporting asset with the information asset, and assessing the severity of the consequences for stakeholders of losing a security attribute. Listing such connections in a medium-sized or large organization can therefore require a list of several thousand combinations. The second component needed to estimate risk is the probability assessment. Information about threats must be combined with supporting assets, their vulnerabilities and the safeguards in place, broken down by security attribute: confidentiality, integrity, availability, authenticity and legal compliance. Typically, an expert performs the risk analysis according to an accepted scale.
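To make the consequence × probability model concrete, the following is an added worked example, not RIG DORA’s code or methodology. It builds the process → supporting asset → information asset → threat → attribute combinations described above, rates each one on a constructed 1 to 5 scale, and separates the significant risks from those accepted as unlikely or low-impact. The sample organization (two processes, three ICT services, two information assets, three threats), the safeguard model (a per-threat likelihood reduction) and the acceptance threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Security attributes named in the article; the 1..5 scales below are constructed for this example.
ATTRIBUTES = ("confidentiality", "integrity", "availability", "authenticity", "legal_compliance")


@dataclass
class Threat:
    name: str
    attributes: Tuple[str, ...]  # attributes the threat can impair
    likelihood: int              # 1 (rare) .. 5 (almost certain), before safeguards


@dataclass
class InformationAsset:
    name: str
    consequences: Dict[str, Dict[str, int]]  # attribute -> {stakeholder: severity 1..5 if lost}


@dataclass
class SupportingAsset:
    """An ICT service or system, possibly run by a third-party provider."""
    name: str
    information_assets: List[str]
    vulnerabilities: List[str]                                # threats it is exposed to
    safeguards: Dict[str, int] = field(default_factory=dict)  # threat -> likelihood reduction


@dataclass
class Process:
    name: str
    supporting_assets: List[str]


@dataclass
class RiskEntry:
    process: str
    supporting_asset: str
    information_asset: str
    threat: str
    attribute: str
    consequence: int
    likelihood: int
    risk: int


def consequence_rating(info: InformationAsset, attribute: str) -> int:
    """Severity for the worst-affected stakeholder; 1 if nobody depends on that attribute."""
    return max(info.consequences.get(attribute, {}).values(), default=1)


def residual_likelihood(asset: SupportingAsset, threat: Threat) -> int:
    """0 when the asset is not exposed; otherwise base likelihood minus safeguards, floored at 1."""
    if threat.name not in asset.vulnerabilities:
        return 0
    return max(1, threat.likelihood - asset.safeguards.get(threat.name, 0))


def build_register(processes, supporting, information, threats) -> List[RiskEntry]:
    """One row per (process, supporting asset, information asset, threat, attribute) combination."""
    register = []
    for proc in processes:
        for sa_name in proc.supporting_assets:
            sa = supporting[sa_name]
            for ia_name in sa.information_assets:
                ia = information[ia_name]
                for th in threats:
                    p = residual_likelihood(sa, th)
                    if p == 0:
                        continue  # no exposure, no risk row
                    for attr in th.attributes:
                        c = consequence_rating(ia, attr)
                        register.append(RiskEntry(proc.name, sa.name, ia.name, th.name, attr, c, p, c * p))
    return register


def significant_risks(register: List[RiskEntry], accept_below: int = 8) -> List[RiskEntry]:
    """Rows at or above the acceptance threshold, highest risk first; the rest are accepted."""
    return sorted((e for e in register if e.risk >= accept_below), key=lambda e: -e.risk)


def sample_register() -> List[RiskEntry]:
    """Constructed sample organization (assumption, not real data)."""
    information = {
        "customer_pii": InformationAsset("customer_pii", {
            "confidentiality": {"clients": 5, "regulator": 5}, "integrity": {"clients": 3},
            "availability": {"clients": 2}, "legal_compliance": {"regulator": 4}}),
        "payment_instructions": InformationAsset("payment_instructions", {
            "confidentiality": {"clients": 3}, "integrity": {"clients": 5, "bank": 5},
            "availability": {"clients": 4, "bank": 4}, "authenticity": {"bank": 5}}),
    }
    supporting = {
        "core_banking_saas": SupportingAsset("core_banking_saas", ["payment_instructions", "customer_pii"],
                                             ["provider_outage", "credential_theft"], {"provider_outage": 1}),
        "crm": SupportingAsset("crm", ["customer_pii"], ["credential_theft", "ransomware"],
                               {"credential_theft": 2, "ransomware": 1}),
        "payment_gateway": SupportingAsset("payment_gateway", ["payment_instructions"],
                                           ["ransomware", "provider_outage"]),
    }
    threats = [
        Threat("provider_outage", ("availability",), 3),
        Threat("credential_theft", ("confidentiality", "authenticity"), 4),
        Threat("ransomware", ("availability", "integrity", "confidentiality"), 3),
    ]
    processes = [Process("payments", ["core_banking_saas", "payment_gateway"]),
                 Process("onboarding", ["crm", "core_banking_saas"])]
    return build_register(processes, supporting, information, threats)


if __name__ == "__main__":
    reg = sample_register()
    print(f"{len(reg)} risk rows, {len(significant_risks(reg))} above the acceptance threshold")
    for e in significant_risks(reg)[:5]:
        print(e)
```

Even this toy organization yields 21 rows, and a shared third-party service such as the core banking SaaS is rated once per process that depends on it, which is exactly the multiplication that produces thousands of combinations at the scale quoted above. Keeping the register as data, with the consequence and likelihood lookups as functions, is what lets a change to one safeguard or one threat rating be re-evaluated in seconds rather than by hand.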
How much can be saved through automation?
Time savings are linked to money savings. Every team member’s time is valuable, which is why hours were used as the unit of measurement in the calculations. In our example, we used the following input data:
- Number of assets: 50
- Processes: 35
- Number of threats: 80
- Number of stakeholders: 5
- Products/services: 5
In this example, the greatest time savings fall in several areas. The first is preparing the methodology and tools: RIG DORA customers receive these as part of the package, saving 80 hours of work. The second is organizational mapping, which the tool’s simplicity reduces from 383 hours to 255 hours. The third is the estimation stage itself: assessing consequences drops from 105 hours to 5 hours and assessing probabilities from 167 hours to 11 hours. The tool also eliminates manual risk calculation, reducing that stage from 40 hours to zero, and cuts verification of the results from 27 hours to 2.
In total, 526 hours are saved in this example: a manual risk assessment takes 801 hours, compared with 275 hours using RIG DORA. We assumed that an employee performing risk management tasks earns a gross salary of £15,000 per month for 100 working hours. Under these assumptions, the cost of performing the risk assessment independently is £199,150. Using RIG DORA reduces this cost to £1,800 (working time plus license) and shortens the project from 8.01 months to 2.7 months thanks to process automation. In other words, 66% of the time and 59% of the financial cost of a DORA-compliant risk assessment are saved. Use the calculator to find out how much time and money you can save with RIG DORA.