Mastering DORA: navigating regulations with 3rdRisk
The effective third-party management tool
The financial sector faces a surge in cyber-attacks, causing disruptions through ICT incidents. To mitigate this threat, the European Commission introduces the Digital Operational Resilience Act (DORA). Effective from Jan 17, 2025, financial institutions must adhere to new requirements. Our expert series, led by Stefanie Ruys, Partner, Crisis and Resilience, provides valuable insights to navigate DORA and effectively manage third-party risk.
1. What are the most common challenges organizations face with managing ICT Third-party risk?
The combination of increased risk and legislation makes now the time to get serious about managing risk in your supply chains. With a start date of January 2025, organizations are mobilizing, and fast. These are the five common challenges I see:
- The interpretation of DORA requirements;
- Personnel training, including operational work instructions;
- The ability to meet deadlines;
- The capacity to assess existing third parties' contracts and resilience risk;
- Business commitment to tackling concentration and third-party risks.
In my experience, companies have had to reinvent the wheel when it comes to third-party risk management, making each company’s approach vastly different from one another. DORA will help set up a harmonized framework for managing third-party risk for critical operations.
2. Which teams are involved in ICT third-party management?
The contract owner is commonly the one responsible for the third-party relationship needed to operate a Critical Information Infrastructure (CIF). This role has become increasingly difficult with all the risk domains that are involved. Some institutions consider >20 risk domains! DORA sets the regulatory bar when it comes to managing the operational resilience risk domain.
To make this possible, the contract owner needs support from all sides. This support needs to cover processes, technology, data, and personnel. From a personnel perspective, addressing resilience risks is an orchestration between the contract owner, the procurement team, the legal team, the TPRM (Third Party Risk Management) team, the security team, and the business continuity team.
Here is what each one handles, and who they liaise with:
Contract Owner
The contract owner manages third-party risk within the DORA framework. They make certain that the contractual relationship with the third-party provider is aligned with the organization's risk management goals and that the provider meets the necessary cybersecurity and business continuity requirements.
Procurement
The procurement team supports the selection of third-party providers. They work closely with the business unit that is engaging the third-party provider to understand the scope of the services required and to identify potential providers that can meet those requirements.
Legal
The legal team reviews and interprets legal and regulatory requirements related to third-party risk management as well as making sure that the organization is in compliance. They commonly review and negotiate contractual terms with third-party providers. This ensures that requirements are clearly defined and that the organization's legal interests are protected. The legal team also works closely with the security and BCM (Business Continuity Management) teams to verify that contractual terms align with the organization's cybersecurity and business continuity requirements.
TPRM
The TPRM team oversees the overall third-party risk management program. They are responsible for establishing that the organization has an effective process in place for managing digital resilience risks associated with third-party providers. They work closely with the other teams with policies and procedures related to third-party risk management and monitor and assess the performance of third-party providers over time.
Security
The security team assesses the cybersecurity risks of third parties and evaluates their cybersecurity posture. They work closely with the third-party provider to guarantee that the provider's security controls and practices align with the third-party requirements and standards.
Business Continuity
The business continuity team ensures that the organization can maintain its critical functions and services in case of a disruption caused by a third-party provider. They work closely with the third-party provider to manage business continuity risks and develop contingency plans in case of a disruption.
Managing many suppliers can be a daunting task for organizations. To start tackling this challenge, organizations need to assess their strategy. Key questions to consider include:
- Can the organization handle thousands of suppliers on its own?
- Do they have the advantage of economies of scale?
- Do they have the necessary resources to manage this effectively?
If not, it may be beneficial to explore the possibility of using technology or seeking the support of another organization.
Another critical step is to recognize that not all suppliers pose the same level of risk and take a risk-based approach. It is crucial for organizations to prioritize their efforts and allocate resources accordingly. For instance, while some suppliers may supply flower delivery services, others may offer Bloomberg terminals. The operational resilience of these suppliers can vary significantly, with some having a greater impact than others.
3. What role can technology play in managing third-party risk?
Technology plays a critical role in managing third-party risks and compliance operations for organizations. Through its partnership with the 3rdRisk platform, Deloitte offers a unified, secure, and cost-effective way to assess hundreds of third parties quickly and efficiently. This approach replaces the traditional ad-hoc, labor-intensive, time-consuming, spreadsheet-driven process that many organizations rely on.
With technology, the process of completing, reporting, amending, or updating assessments for more than 100 third parties becomes easier, faster, and more transparent. This is particularly valuable for organizations that deal with many suppliers and need to streamline their risk management processes. The use of technology lets organizations manage third-party risks more effectively and efficiently, allowing them to focus on their core business activities while ensuring compliance with regulatory requirements.
4. What does the use of technology for third-party management mean for organizations? What do they need to do for their suppliers?
For organizations, this growing focus on third-party management means a greater investment in both time and priority. There will potentially be a mostly manageable financial impact. We see in the market that most organizations will need to improve their capability and data quality. A good place to start is by reevaluating the TPRM strategy, roles, and responsibilities between procurement, legal, security, and business contract owners.
Organizations are highly encouraged to inform suppliers about the coming change and what the organization’s DORA readiness journey will be like. As part of this communication, we recommend informing third parties that contact information, contracts, and security postures will be reviewed.
5. Please tell us about a real-life example. What were the main insights?
One of the main challenges we see is that it is time-consuming to understand DORA assessment capability. To solve this, organizations can come to Deloitte for support when figuring out their level of DORA readiness. Deloitte has spent 2.5 years with its own DORA work group, collecting self-assessment tools and assessors to support this. We see that organizations find it extremely helpful to have that outside perspective.
A lot of industry-leading banks, known for being very cyber-risk aware, have started preparing for DORA regulations. A key part of those preparations is doing third-party risk management. This is also driven by the regulators. These organizations take a risk-based approach, selecting somewhere between an initial batch of 100 and a volume of 500 to 750 assessments, covering their most critical and key suppliers. They are not eager to understand how good the suppliers are but rather focus on the ones that pose a serious risk to the organization.
6. What is your approach to supporting clients with understanding DORA assessment capability?
At Deloitte, we offer two approaches to support our clients with third-party risk management.
Firstly, we provide advisory services to help clients gain insights and develop effective strategies for managing their third-party risks. Our team of experts works closely with clients to understand their unique needs and provide tailored solutions that address their specific challenges.
Secondly, we offer a managed service that allows clients to use our delivery centers in Greece and India to handle the bulk of the work. This approach lets clients free up internal resources and focus on their core business activities, while we take care of the day-to-day tasks of managing third-party risks. Our managed service gives clients access to a dedicated team of professionals experienced in third-party risk management, who can deliver high-quality results in a cost-effective and prompt manner.
7. What is your call to action for organizations?
Organizations should take a closer look at the DORA regulatory requirements and assess their current strategy and the maturity of their third-party risk management capabilities. If organizations need help with this, they can contact us. We offer advisory services and managed services to help you navigate the complex landscape of third-party risk management.
For organizations that are confident they can abide by the DORA regulatory requirements, we recommend that they improve their data quality and set up clear roles and responsibilities for the effective assessment and mitigation of risks. Using Excel for assessments can be time-consuming and challenging to maintain, especially when the number of assessments grows beyond 100. Technology can make the process easier, faster, and more transparent, enabling organizations to complete, report, amend, or update assessments for large numbers of third parties.
Collaborating with Deloitte and 3rdRisk can help organizations customize compliance frameworks and risk questionnaires to better assess third-party risks. Our secure platform allows for information sharing and risk monitoring across their value chains. By prioritizing their most important suppliers using a risk-based approach, organizations can ensure compliance with DORA requirements and minimize their exposure to third-party risks.
We encourage organizations to take a proactive approach to managing third-party risks and use the latest technologies and industry expertise to protect their business operations and reputation.