The Digital Operational Resilience Act (DORA) requires financial entities to ensure the security of data processing in their ICT environments. The management board plays a key role in this regard because it is ultimately responsible for the organization’s compliance with DORA. This article discusses the specific tasks arising from the regulation.
The management board is responsible for implementing and applying DORA.
A company’s success depends on the effectiveness of its management board, among other things. This team defines the company’s strategy and enforces the implementation of tasks by its departments. The same applies to the issue of digital operational resilience. Article 5(2) of DORA states the following: “The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).”
Senior Management in the context of DORA
Management, together with the operational team, defines the rules for implementation. They are also responsible for approving the results of the work and the prepared documents. However, the management of the entity is not responsible for the operational implementation of the ICT risk management framework. Additionally, the regulation requires the organization to either appoint a board member to supervise the related risks and documentation or introduce a function to monitor contracts concluded with external ICT service providers regarding the use of these services.
The management board is responsible for keeping its knowledge up to date. The ICT environment is constantly changing, so methods that worked yesterday may not work today. Therefore, DORA requires managers to develop the skills necessary to understand and assess ICT-related risks. This enables them to evaluate the potential impact of risk on the company’s operations.
Article 5 of DORA specifies several areas over which the management board must have control. Without these key activities, the success of the entire implementation may be called into question.
ICT risk management
Management monitors the effectiveness of ICT risk management. According to the DORA provisions, the management board is ultimately responsible for coordinating activities related to the identification, assessment, and management of ICT risks. The management board is also responsible for aspects of data availability, authenticity, integrity, and confidentiality.
Additionally, the management board introduces and monitors policies related to the ICT risk management framework. This includes implementing procedures to ensure secure information processing and maintaining appropriate security systems. These activities are intended to protect the entity’s financial interests and meet the standards and requirements set by DORA.
Roles
The management board must not only supervise ICT risk management but also precisely define the roles and responsibilities associated with each ICT-related function and implement appropriate management solutions.
To ensure efficient and timely communication, cooperation, and coordination between the various ICT functions, an effective management process must be introduced. This allows the management board to actively shape the organizational structure and effectively manage the areas covered by DORA requirements. The management board also decides whether external advisors will support the organizational structure.
Strategies
The management board is responsible for defining and approving strategies related to ICT risks. This includes, among others, a digital operational resilience strategy that sets the level of tolerance for ICT-related risks. The management board is responsible for approving and implementing strategies for the continuity of the financial entity’s ICT operations and for the organization’s business continuity.
Control
One of the management board’s tasks is to oversee the organization’s activities. The board must conduct regular checks on the implementation of approved strategies and other documents. This includes approving plans for ICT audits, reviewing their results, and periodically revisiting the audit plans themselves. The management board, or individuals designated by it, analyzes audit conclusions and creates development plans based on them.
Budgets
The management board is responsible for creating budgets, including those for DORA implementation. In accordance with the regulation, the management board should allocate an appropriate budget to enable the organization to ensure digital operational resilience. The funds must be sufficient for all necessary resources. This includes internal programs that promote security awareness and improve employee skills.
ICT providers
The management board is responsible for approving the policy regarding cooperation with ICT service providers, as well as the arrangements made with them. This issue should be reviewed periodically. The management board implements an internal communication policy that establishes channels through which information will be communicated regarding:
- agreements with ICT service providers;
- planned important changes in cooperation with ICT service providers;
- the possible impact of changes on critical or important functions of the organization.
What are the responsibilities of individual teams?
If you are wondering what tasks DORA imposes on teams such as IT, Cyber Security, and Compliance, we have prepared articles describing these issues:
- DORA and the tasks of the IT Department;
- DORA and the tasks of the Cyber Security Department;
- DORA and the tasks of the Compliance Department.
Non-compliance with the DORA regulation may result in consequences for the management board, including a ban on performing this role.
Implementing DORA in your company should correspond to your organizational structure. Verifying the tasks to be performed will make it easier for you to assign responsibility for the DORA implementation project. In the DORA implementation schedule we developed, we propose specific tasks for each department. Download this implementation material to verify managers’ competencies in relation to the necessary actions. With the schedule in hand, you can easily track the project’s progress and ensure your organization’s compliance with DORA as expected by the supervisory authority.
The management board guarantees DORA compliance
As the key decision-making body, the management board plays an important role in ensuring the financial entity’s compliance with DORA regulations and the effectiveness of ICT risk management. While the management board does not implement the guidelines operationally, it must approve all policies and strategies. The management board is the final authority responsible for compliance with the regulation in question.