Prepare for DORA Part 5 – Governance & Risk Management
- Chenyun Chu
- Mar 19
- 6 min read
With DORA now in effect, financial institutions face stricter governance and risk management requirements, elevating cybersecurity from an IT issue to a boardroom priority. Organizations must demonstrate that executive leadership and boards of directors are actively engaged in overseeing ICT risk management, resilience testing, and third-party risk governance.

DORA establishes clear governance obligations, requiring financial institutions to:
- Appoint a dedicated ICT risk management function (DORA Article 5)
- Ensure board-level oversight of cybersecurity risks (DORA Article 4)
- Develop a structured ICT risk management framework (DORA Article 6)
- Enforce third-party ICT risk governance (DORA Articles 8 & 28)
This installment of our "Prepare for DORA" series explores how organizations can structure their governance models, risk management functions, and third-party oversight to ensure compliance and resilience under DORA, supported by practical examples, best practices, and regulatory insights.
1. Appoint a Dedicated ICT Risk Management Function (DORA Article 5)
DORA Article 5 mandates that financial institutions establish a dedicated ICT risk management function to oversee cyber risks, ensuring that security is integrated into broader business risk management. According to Article 5(1), financial institutions must:
- Establish an internal governance framework defining roles and responsibilities for ICT risk.
- Ensure the ICT risk management function operates independently from other IT functions.
- Develop a documented strategy to manage cyber threats, vulnerabilities, and operational risks.
1-1. Appoint a Chief Information Security Officer (CISO) or ICT Risk Head
- The CISO or ICT Risk Head should report directly to the CEO or board (as required by Article 5).
- This role should bridge IT operations, cybersecurity, and business leadership, ensuring cyber risks are addressed at the strategic level.
Best Practice Example: A mid-size bank appointed a CISO with dual reporting lines—to the CEO for operational matters and to the board’s risk committee for strategic oversight. This structure ensures cybersecurity is prioritized at the highest levels.
1-2. Establish a Cross-Functional ICT Risk Committee
- Include representatives from cybersecurity, compliance, IT operations, legal, and risk management.
- This committee should review penetration testing results, third-party risk assessments, and incident response plans.
- Meetings should be held at least quarterly, as mandated by Article 5(3).
Best Practice Example: A global asset manager created a Cyber Risk Steering Committee that meets monthly to review threat intelligence reports, incident response readiness, and third-party risk metrics. The committee’s findings are escalated to the board for strategic decision-making.
1-3. Develop a Risk-Based Cybersecurity Strategy
- Implement a risk classification system to prioritize high-impact vulnerabilities (aligned with Article 5(4)).
- Define acceptable risk levels for ICT-related disruptions and integrate them into operational planning.
Best Practice Example: A mid-size insurance company developed a risk heat map that categorizes ICT risks by likelihood, financial impact, and regulatory exposure. This tool helps prioritize resources for high-risk areas like payment systems and customer data platforms.
1-4. Automate ICT Risk Monitoring
- Deploy real-time risk monitoring tools to track vulnerabilities across the organization.
- Use AI-driven threat detection to enhance cyber resilience.
Best Practice Example: A multinational bank implemented a centralized risk dashboard that aggregates data from SIEM tools, vulnerability scanners, and third-party risk platforms. The dashboard provides real-time alerts and enables executives to track compliance with DORA requirements.
2. Ensure Board-Level Oversight of Cybersecurity Risks (DORA Article 4)
DORA Article 4 holds boards of directors and executive leadership personally accountable for cybersecurity and ICT risk governance. Key requirements under Article 4:
- The board must define the institution’s ICT risk tolerance levels (Article 4(1)).
- Senior management must integrate cybersecurity into business strategy (Article 4(3)).
- The board must approve all major ICT-related decisions, including outsourcing agreements (Article 4(5)).
2-1. Assign a Cyber Risk Champion to the Board
- Appoint a board member with cybersecurity expertise or create a cybersecurity advisory board.
- Ensure cyber risk discussions are a permanent agenda item in board meetings.
Best Practice Example: A mid-size bank appointed a non-executive director (NED) with a cybersecurity background to lead board-level discussions on ICT risk. This NED also chairs the bank’s Cyber Resilience Committee, which oversees DORA compliance.
2-2. Implement Quarterly Cyber Risk Reviews
- Require the CISO or ICT risk team to present cybersecurity updates to the board every quarter.
- Boards must review penetration test results, incident response reports, and third-party risk assessments (Article 4(4)).
Best Practice Example: A financial institution conducts quarterly cyber risk briefings where the CISO presents a cyber risk scorecard covering metrics like incident response times, vulnerability remediation rates, and third-party risk exposure.
2-3. Align Cyber Risk with Business Strategy
- Cybersecurity should be part of enterprise risk management (ERM) strategies.
- Establish cyber resilience goals that align with financial stability objectives.
Best Practice Example: A mid-size pension fund integrated cyber risk metrics into its enterprise risk dashboard, enabling the board to view cybersecurity alongside financial, operational, and reputational risks.
2-4. Require Regular Cyber Resilience Exercises
- Conduct board-level tabletop exercises to simulate cyberattack scenarios.
- Assess how executive leadership makes critical decisions under pressure.
Best Practice Example: A major investment firm conducts annual board-level simulations of ransomware attacks, testing decision-making on customer communications, financial losses, and regulatory reporting. These exercises are followed by actionable improvement plans.
3. Develop a Structured ICT Risk Management Framework (DORA Article 6)
DORA Article 6 mandates that financial institutions develop a formalized ICT risk management framework that:
- Ensures business continuity during ICT disruptions (Article 6(1)).
- Includes incident response, detection, and mitigation strategies (Article 6(3)).
- Requires continuous cyber resilience testing (Article 6(5)).
3-1. Establish a Cyber Risk Classification Model
- Identify mission-critical systems and their ICT dependencies.
- Classify risks based on likelihood, impact, and regulatory priorities.
Best Practice Example: A mid-size bank developed a risk classification model that assigns criticality scores to systems like payment platforms, trading systems, and customer databases. This model guides resource allocation for risk mitigation.
3-2. Implement Continuous Security Monitoring
- Deploy intrusion detection systems (IDS), endpoint security solutions, and real-time threat intelligence platforms.
- Require automated security monitoring for all core banking and payment systems.
Best Practice Example: A mid-size insurer uses AI-powered threat detection to monitor its cloud infrastructure, reducing mean time to detect (MTTD) from 48 hours to 15 minutes.
3-3. Conduct Regular Risk Assessments & Cyber Resilience Testing
- Implement annual penetration testing and threat-led red teaming (DORA Articles 25 & 26).
- Require business continuity testing for all critical financial operations.
Best Practice Example: A financial institution conducts biannual red team exercises to simulate advanced cyberattacks, testing its incident response, communication protocols, and recovery capabilities.
3-4. Integrate ICT Risk Governance with Incident Management
- Ensure incident detection, escalation, and response workflows align with regulatory reporting timelines.
- Require joint crisis management exercises with third-party ICT providers.
Best Practice Example: A mid-size asset manager implemented a unified incident management platform that integrates SIEM, ticketing, and regulatory reporting tools, ensuring compliance with DORA’s incident notification rule.
4. Enforce Third-Party ICT Risk Governance (DORA Articles 8 & 28)
DORA extends governance obligations to third-party ICT providers, requiring financial institutions to:
- Continuously monitor third-party cybersecurity risks.
- Ensure ICT vendors participate in penetration testing & resilience exercises.
- Enforce contract clauses for security, compliance, and incident reporting.
4-1. Require Mandatory Cyber Resilience Testing for Vendors
- Include penetration testing, TLPT, and incident response simulations in vendor contracts.
Best Practice Example: A mid-size bank mandates that all critical vendors undergo annual TLPT exercises and share results as part of their compliance audits.
4-2. Implement Real-Time Vendor Risk Monitoring
- Use third-party risk intelligence platforms to detect vulnerabilities in supplier networks.
Best Practice Example: A financial institution uses a vendor risk management platform to monitor its suppliers’ security posture, compliance status, and incident history in real time.
4-3. Establish Vendor Compliance Requirements in Contracts
- Example Clause: "The ICT Service Provider shall conduct annual penetration testing and provide security assessment reports to the Financial Institution."
- Example Clause: "In the event of a security breach, the ICT Service Provider must notify the Financial Institution within four (4) hours."
Best Practice Example: A global investment firm includes DORA-specific clauses in all vendor contracts, requiring suppliers to align with its ICT risk management framework and participate in joint resilience exercises.
For more detail on managing third-party ICT service providers, see Part 2: Contracting with ICT Service Providers for DORA Compliance.
5. What’s Next?
Part 6: Special Topic: Cloud & SaaS Service Providers
What should financial institutions consider when managing cloud and SaaS security under DORA?
Stay tuned for Part 6 coming soon!
#DORA #CyberSecurity #Governance #RiskManagement #RegulatoryCompliance #ThirdPartyRisk #OperationalResilience