How to analyze risk in accordance with the DORA regulation?

24.07.2025
  • Automation
  • Risk analysis
  • Risk control

Financial sector entities are exposed to a range of risks that can result in significant losses. Some of these losses are financial, such as fines or lost revenue. Others are potentially more serious for the business: an inability to continue operations, reputational damage, or regulatory sanctions, including the revocation of a licence for a specific type of activity or even criminal liability. In this article, you will learn how to perform risk analysis in accordance with DORA.

Why is risk analysis so important?

Risk assessment, including ICT risk analysis, is crucial for financial institutions. It has a real impact on improving security. That is why DORA imposes an obligation to conduct ICT risk analysis, which must be carried out and reported in order to maintain “accountability.”

Risk analysis in accordance with DORA enables the identification, assessment, and management of risks related to maintaining the ICT environment and ensuring the confidentiality, integrity, and availability of information. DORA requires financial institutions to protect their customers’ interests by identifying potential operational risks and taking measures to minimize them. A risk analysis conducted in line with DORA allows potential threats to be detected early, so that preventive measures can be implemented before an ICT incident affects digital operational resilience. Risk analysis therefore plays a key role in ensuring the stability and security of financial entities, protecting customer interests, and preventing operational incidents.

Risk assessment methodology for maintaining full control

In order to maintain full control over ICT-related risks, financial entities must have comprehensive skills to manage such risks in a robust and effective manner. DORA defines ICT risk in Article 3 as any reasonably identifiable circumstance in relation to the use of network and information systems that, if materialized, may compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment.

While DORA does not impose a specific risk assessment methodology, it does require a methodology that focuses on the value and criticality of information and supporting assets (e.g., Art. 5 RTS JC 2023 86) as well as the impact that the loss of their security attributes (e.g., confidentiality, integrity, availability, and authenticity) would have on the organization’s business functions. For this reason, the Asset-Based Approach methodology fulfills EU requirements in this area. Therefore, we assume that a risk assessment based on ISO 27000 and 22300 standards fulfills the regulation’s obligations.

Risk management framework

Risk analysis is part of the risk management framework. Having such a framework is one of the basic obligations of financial entities under DORA. The regulation requires the framework to be robust, comprehensive, and well-documented so that the entity can respond quickly, effectively, and thoroughly to ICT-related risks. Specifically, the framework consists of the strategies, policies, procedures, protocols, and ICT tools that together protect information assets and ICT assets. Entities listed in Article 16 of the Regulation may apply a simplified risk management framework to facilitate the risk management process.

Developing a risk framework involves creating and assigning documents to the appropriate policies, which is an important part of the DORA implementation process. Would you like assistance with this stage of the project? We can help by providing a list of all the documents that should be included in risk management.

Risk assessment as part of risk analysis

Risk mitigation is impossible if the risk is not identified. For this reason, the risk identification and assessment process is a key element of DORA compliance.

According to DORA, financial entities must demonstrate an understanding of their ICT environment, which includes business functions, tasks, and responsibilities; information and ICT resources that support these functions and tasks; and dependencies related to ICT-related risks.

Knowledge of one’s own ICT environment allows one to move on to the next stage, which is risk identification. Financial entities must assess the likelihood of all risks, even unlikely ones, in the context of each identified ICT environment component. This assessment covers the likelihood of incidents, various types of cyber threats, human error, malicious intent, threats from other financial entities, the influence of external ICT suppliers, natural disasters, and other potential risks. This analysis should be performed at least annually and whenever there are significant changes to the ICT environment, such as the introduction of new technologies or systems. The entire process must be well-planned in advance because the analysis and risk management can be complex. Repeated analyses covering multiple areas may be too complex for manual assessment, making it impossible to evaluate the current level of ICT risk without an appropriate tool.

Proportional approach

Financial market participants have different capabilities and needs for protection against ICT threats depending on their level of development. DORA recognizes this fact and has therefore established the principle of proportionality. According to this principle, financial entities apply DORA’s provisions in a manner that is proportionate to their size, risk profile, and the nature, scale, and complexity of their services, activities, and operations. These organizations must analyze how they apply this principle to ICT risk management and report their findings to the relevant authorities.

Certain financial entities may be subject to less stringent requirements due to their size or the type of service they provide. This applies to small investment firms, small institutions providing occupational pension schemes, payment institutions, and electronic money institutions, which are exempt under specific provisions.

Critical or important functions

The Regulation repeatedly emphasizes the significance of critical and important functions, the disruption of which could significantly impact financial results, security, or the continuity of services. These functions also significantly impact compliance with the conditions and obligations arising from the granted authorization or other financial service regulations.

Those responsible for risk analysis must pay particular attention to critical or important functions when cooperating with external ICT providers.

Risk-Based Approach

The above points concerning risk analysis can be incorporated into the Risk-Based Approach model. This model focuses on identifying and managing the most significant types of risk within an organization, prioritizing the areas of risk with the greatest potential impact on company operations.

The first step is to thoroughly identify all ICT security risks. This is possible because the entire ICT environment of the financial entity has been mapped out in advance. Risks should be assessed based on their potential likelihood of occurrence and the potential consequences of an incident. The least critical risks have a low probability of occurrence and minimal consequences, while the most critical risks have a high probability of occurrence and significant consequences. The organization prioritizes the risks, focusing on those with the greatest potential to negatively impact the business and that are most likely to occur. This allows for the effective allocation of resources and attention.

Once risks have been identified, an effective risk management plan must be developed. This includes implementing control tools that act as “brakes” to prevent incidents and other threats. If these tools prove insufficient, the financial entity should prepare alternative measures. If existing control tools do not cover all identified risks, the policies, procedures, and other tools used to secure the ICT environment must be adjusted. A well-executed risk analysis and assessment process should result in one of four risk management strategies: avoidance, reduction, transfer, or acceptance.
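The following worked example is added here and is not part of the article: it ties the steps above (a mapped ICT environment, likelihood and consequence scoring per security attribute, prioritization of critical or important functions, a proposed treatment tier, and the annual or change-triggered reassessment described in the identification section) into a small asset-based risk register. The scoring scales, tier thresholds, review date and sample entries are assumptions, not anything DORA prescribes.

```python
# Added example (not from the article): an asset-based ICT risk register that scores
# each risk from likelihood and worst attribute-loss impact, ranks critical/important
# functions first and flags entries due for reassessment. All values are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

ATTRIBUTES = ("confidentiality", "integrity", "availability", "authenticity")
REVIEW_INTERVAL = timedelta(days=365)   # "at least annually"
ASSESSMENT_DATE = date(2025, 7, 24)     # assumed date of the current review

@dataclass
class RiskEntry:
    asset: str
    critical_function: bool     # supports a critical or important function
    threat: str
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed scale
    impact: dict                # attribute -> 1..5 impact if that attribute is lost
    last_assessed: date
    significant_change: bool = False  # e.g. new system introduced since last review

    def score(self) -> int:
        """Likelihood times the worst impact over all attributes (max 25)."""
        return self.likelihood * max(self.impact.get(a, 1) for a in ATTRIBUTES)

    def tier(self) -> str:
        """Assumed policy: entries behind critical functions are bumped up."""
        s = self.score() + (5 if self.critical_function else 0)
        if s >= 15:
            return "high"     # candidate for avoidance or reduction
        if s >= 8:
            return "medium"   # reduction or transfer (contract terms, insurance)
        return "low"          # acceptance, documented and re-checked next cycle

    def needs_reassessment(self, today: date) -> bool:
        return self.significant_change or today - self.last_assessed >= REVIEW_INTERVAL

def prioritize(register):
    return sorted(register, key=lambda e: (e.critical_function, e.score()), reverse=True)

def due_for_review(register, today=ASSESSMENT_DATE):
    return [e.asset for e in register if e.needs_reassessment(today)]

REGISTER = [  # constructed sample data, not a real register
    RiskEntry("payment-core-db", True, "ransomware",
              3, {"availability": 5, "integrity": 4}, date(2024, 6, 1)),
    RiskEntry("hr-portal", False, "credential phishing",
              4, {"confidentiality": 3}, date(2025, 3, 1)),
    RiskEntry("cloud-reporting", True, "provider outage",
              2, {"availability": 3}, date(2025, 5, 1), significant_change=True),
]
```

Note how the outsourced reporting asset ranks above the HR portal despite a lower raw score, because it supports a critical function, and how it is flagged for review by the change trigger rather than the calendar.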

The value of a risk-based approach also stems from its ability to generate clear risk reports. These reports facilitate communication with management and the supervisory body.

Risk management as a holistic process

In the context of ICT services, risk management is a complex process that requires cooperation between different departments within an organization. The relevant competencies are spread across IT, cybersecurity, risk, legal, and compliance teams. DORA imposes additional responsibilities on the procurement department, particularly in the area of risk assessment: it requires reporting to management on contracts with ICT suppliers, monitoring exposure to risks related to external suppliers, and identifying and documenting the processes that depend on external suppliers together with the links between them. Consequently, financial organizations must implement more comprehensive procedures within the procurement department, among other things. It should be noted that IT risk and security analysis are often scattered across different departments, which can result in inconsistency and an inability to take a holistic view of risk.
