Creating a robust risk portfolio involves several elements that businesses must consider. The Digital Operational Resilience Act (DORA) places responsibility on company leadership to actively and comprehensively manage ICT risks. This encompasses developing a digital operational resilience strategy, gaining approval for it, and executing it.


DORA (*) is more than just regulations—it empowers authorities to enforce administrative penalties, fines, and corrective measures for non-compliance. Organizations need to revamp their testing methods and craft business impact analyses based on plausible severe disruption scenarios. This helps in evaluating risks and their potential effects.

Financial entities are required to implement comprehensive systems tailored for ICT risk management, ensuring the reliability of ICT solutions via tools like the Thinking Portfolio Risk Portfolio. This minimizes the impact of risks on ICT services.


It’s vital for organizations to identify, classify, and describe critical services, functions, and key resources

Maintaining a comprehensive view of all ICT risk sources is essential, allowing for the description of preventive measures and risk-mitigating strategies. Swift responses to any irregular operations are crucial.

Defining specific and comprehensive operational principles is key to ensuring business continuity. Action plans for potential disasters must be regularly tested to guarantee their efficiency.


Establishing procedures for handling both internal and external ICT service disruptions is equally important. A risk portfolio serves as a valuable tool for continual improvement.

A risk portfolio aids in classifying and documenting ICT service disruption incidents

It also maintains visibility into outsourced service scenarios, contract reviews, and service descriptions.

The functionalities of a risk portfolio include, for example:

  1. Risk Management Process: Identifying, accepting, analyzing, assessing impact, managing actions, and monitoring the risk lifecycle.
  2. Risk Management Actions: Mitigation actions and risk response strategies.
  3. Evaluation of Business Risk Impacts: Analyzing the impacts of risks on business.
  4. Monitoring and Reporting Risk Metrics: Key Risk Indicators (KRI).
  5. Collective Risk Assessment: Assessing risk situations collectively.
  6. Managing Risk Dependencies: Handling risk interdependencies.
  7. Management of Realized Risks: Dealing with occurred risks.
  8. Continuity Planning and Support.
  9. Integration with Various Portfolios: Linking risks to other portfolios such as project, idea, resource, investment, product development, application, and service portfolios.
  10. Diverse Risk Reporting: Generating comprehensive risk reports and dashboards.


*) DORA, the Digital Operational Resilience Act, introduced by the EU, aims to fortify digital capabilities in the financial sector. It became effective on January 16, 2023. Post-transition, financial entities are expected to adhere to the regulation’s requirements by early 2025.