DORA and the Information Register: How Effort Can Be Transformed into Tangible Benefits for Financial Institutions

By Hussam Greg
Published on Nov 5, 2024

Most financial institutions affected by DORA find it difficult to put the words 'information register' and 'benefits' in the same sentence, as the effort required for DORA implementation currently seems more visible than the potential advantages. However, whether the information register brings more pros or cons for a financial institution is not the focus here.

Instead, we aim to show that despite the initial effort involved in implementing DORA, especially in establishing the information register, significant benefits for financial institutions are hidden within. These benefits need to be recognized and further developed in order to scale them and generate real value for the organization.

This blog post will take a closer look at these benefits.

Transparent Group Relationships:
The first templates of the information register – RT.01.01, RT.01.02, and RT.01.03 – contain information about the providers and recipients of ICT services, as well as the hierarchy within the company. Additionally, attributes like country, company type, and parent company within the corporate group are recorded.

When this information is available, an appropriate Third Party Risk Management tool can be used to create a clear, dynamic, and interactive hierarchy of the entire corporate group as input for the information register. This allows quick insights into which companies and subsidiaries belong to the organization and how they are interconnected.

In relation to templates RT.02.01, RT.02.02, RT.02.03, and RT.03.01, this hierarchy is particularly useful for displaying which ICT contracts have been signed by which companies, and which companies and subsidiaries within the group use the ICT services from these contracts.

This hierarchy can serve as a 'Single Point of Truth' for all topics related to the exchange of services within the group. In the case of group-wide measures or controls in the field of information security, the relevant companies and contacts are always up to date. In the event of ICT incidents, it is immediately clear which company could be affected. The affected parties can then be informed quickly so that they can take immediate action if needed.

Standardized Contract Structures:
The information register defines three types of contracts:

  • Standalone Arrangement
  • Overarching Arrangement
  • Subsequent or Associated Arrangement

A subsequent or associated arrangement is always part of an overarching arrangement. Additionally, other types such as appendices and attachments can be defined. While these are not relevant for the information register, they are indispensable in practice.

By assigning contract documents according to contract type, hierarchies of contracts are created across the entire organization and stored in a central location. Of course, displaying such dynamic hierarchies would not be possible without a suitable contract management solution.

Contract managers can always have an overview of all their contracts, and it is clear which documents belong to which contractual structure and service provider. This ensures transparency and enables better contract management. Other contract-specific fields in the information register, such as annual costs in template RT.01.01, can assist in planning ICT costs and generating valuable statistics and development trends for management reports.

Unified Definitions:
Template b_99.01 in the information register contains definitions of terms and evaluation scales that apply to the entire register. This includes definitions of various contract types. For example, the template asks how the company defines the contract type 'Overarching Arrangements.' It also requests information about data sensitivity and the impacts and probabilities related to various topics (e.g., 'low,' 'medium,' and 'high').

These definitions are not only relevant to the information register, but also to users who need to make evaluations for individual contracts, ICT services, or other matters in other areas. Clear definitions improve the quality of evaluations and lead to higher consistency when assessing similar matters.

Conclusion and Outlook:
The implementation of DORA, particularly the introduction of the information register, may seem like a daunting task at first. However, the more financial institutions engage with the subject, the clearer it becomes: behind the initial effort lie long-term benefits that enhance transparency and efficiency within the organization.
