Financial institutions will also be required to map out their third-party ICT relationships and ensure that their CIFs aren’t too heavily dependent on one provider or a small group of providers, i.e., assess and mitigate concentration risk.
Those third parties assessed as “critical” to operations will require heightened controls and greater oversight, so a risk-based approach to managing third-party risk is recommended. DORA aims to support this task via the provision of third-party registers: a suite of predefined templates that must be populated and maintained by in-scope organizations.
Implementing an Effective Vendor Management Cycle
With third-party management critical to meeting the requirements of DORA, organizations should follow a consistent process when working with key vendors.
At a high level, this includes:
Selection and Onboarding
- Classifying vendors using a risk-based approach
- Undertaking due diligence on the selected third parties before contracting
- Establishing the necessary controls
Ongoing Assurance
- Undertake assessments and ongoing management of the risk associated with using specific third parties.
- Maintain the…