DORA: How we help you manage third-party risk
The EU’s DORA regulation requires financial institutions to maintain a register of all their ICT providers. We have developed a solution, in collaboration with one of the largest financial institutions in the Nordics, to ensure this is done correctly and efficiently.
Banks, insurance companies, and other financial institutions must have full control over their ICT providers when the EU’s DORA regulations take effect on January 17, 2025. With 20 years of experience in contract management and supplier oversight, it’s only natural that House of Control now assists our clients in complying with the fourth pillar of DORA: Managing third-party risk. In partnership with one of the largest financial institutions in the Nordics, we are developing a solution to help you gain full control over your suppliers.
What is third-party risk?
If you’re reading this, you probably already know that the Digital Operational Resilience Act (DORA) mandates that most financial institutions must now adhere to a common set of ICT security requirements. There are five pillars to these requirements:
- ICT risk management
- Incident management
- Testing digital resilience
- Third-party risk management
- Information Sharing
Of the five pillars of DORA listed above, we will focus on the fourth – managing third-party risks related to financial institutions’ ICT providers. The regulation has specific rules regarding supplier management, including requirements for handling risks associated with using third-party services.
Before a financial institution enters into an agreement with an ICT provider, it must conduct a series of assessments and evaluations related to that provider. Agreements can only be made with providers that meet relevant information security standards.
DORA requirements
Let’s take a closer look at the specific requirements for financial institutions' external ICT services. DORA mandates the following:
- A supplier risk management strategy.
- A register listing all ICT providers, along with an overview of which services support critical or important functions.
- The ability to provide the register to supervisory authorities upon request.
- Annual reporting to supervisory authorities on new agreements entered into.
- Informing supervisory authorities in a timely manner about planned agreements for ICT services that will support critical or important functions, as well as when a function becomes critical or important.
- A risk-based approach to access, inspection, and auditing of the provider. The frequency of audits and inspections, as well as the areas to be audited, must be predefined.
- Evaluations of whether the ICT provider would be difficult to replace or whether several key services would be concentrated with the same provider (to be done before the agreement is entered into).
- Cost-benefit evaluations of alternative solutions, such as using other providers.
- Assessing the implications of insolvency and data protection regulations that apply to the provider.
Beyond compliance: The system you need to manage your suppliers and contracts
At House of Control, we excel at creating practical ICT solutions for compliance with complex regulations, according to our clients. We have partnered with one of the largest financial institutions in the Nordics to develop a solution tailored to the requirements of DORA’s fourth pillar – managing third-party risks related to external ICT providers.
Our system, Complete Control, will offer a solution for recording information related to contracts, suppliers, and subcontractors to manage third-party risk. The solution will also help our customers track and maintain visibility into their entire supply chain for all contracts, including those covered by DORA.
At House of Control, we have nearly 2,000 customers using our cloud-based solutions to professionalize contract management and supplier oversight. Among our specialized tools, you’ll also find solutions for IFRS 16 lease agreements, CSDDD supplier assessments, and the EBA register for outsourced fintech in banks.
Time to make contract management and supplier oversight strategic
In addition to supporting DORA compliance, we help you keep track of all your company’s contracts, obligations, and suppliers, all within one system. This brings a host of benefits:
- User-friendly and mature technology from a strong company within the Visma family.
- ICT security that meets all relevant standards.
- Alerts before contracts expire, allowing for timely renegotiation.
- Overview of internal contract owners, reducing dependency on individual employees.
- Payment plans that make it easy to meet finance department budgeting requirements.
- Quick access to contract documents requested by auditors and accountants.
- The ability to extend usage to all company contracts and suppliers, including for IFRS 16 and CSDDD.
DORA can lead to more than just regulatory compliance. Contract management and supplier oversight are simply of strategic importance – enabled by smart technology from House of Control, where our customers have been at the forefront of innovation for nearly 20 years.
Book a digital demo of our solution for DORA