ICT risk management procedures
Integration into the ICT Risk Management Framework
Financial entities must develop, document and implement ICT risk management policies and procedures that form an integral part of the ICT risk management framework under Article 6 DORA.
The procedures must be comprehensive and must cover the full lifecycle of ICT risk:
- risk identification,
- risk assessment,
- risk treatment,
- residual risk handling,
- monitoring, and
- integration with strategic changes.
Approval of ICT Risk Tolerance (Article 3(a) RTS RMF; Article 6(8)(b) DORA)
The procedures must include an indication of the approval of the risk tolerance level for ICT risk, as established in accordance with Article 6(8)(b) DORA.
This ensures documented linkage between governance-level risk appetite and operational ICT risk management.
ICT Risk Assessment Procedure and Methodology (Article 3(b) RTS RMF)
The procedures must define a formal procedure and methodology for conducting ICT risk assessments, including:
Identification of Vulnerabilities and Threats
Identify vulnerabilities and threats that affect or may affect:
- supported business functions,
- ICT systems, and
- ICT assets.
Indicators to Measure Impact and Likelihood
Define quantitative or qualitative indicators used to measure:
- the impact, and
- the likelihood
of the vulnerabilities and threats identified.
ICT Risk Treatment Procedure (Article 3(c) RTS RMF)
The procedures must include:
- the identification, implementation, and documentation of ICT risk treatment measures, and
- determination of measures necessary to bring ICT risk within the approved risk tolerance level.
Required Control Elements
The risk treatment procedure must ensure:
- monitoring the effectiveness of implemented measures;
- assessing whether risk tolerance levels have been attained; and
- assessing whether corrective actions or improvements are necessary.
Management of Residual ICT Risk (Article 3(d) RTS RMF)
Where residual ICT risks remain after applying risk treatment measures, the procedures must specify:
Identification of Residual Risks
Document provisions for identifying residual ICT risk.
Assignment of Roles and Responsibilities
Define roles and responsibilities for:
- acceptance of residual risks exceeding risk tolerance;
- the review process for residual risks.
Inventory of Accepted Residual Risks
Maintain an inventory that includes:
- all accepted residual ICT risks;
- a justification for their acceptance.
Annual Review of Residual Risks
Procedures must provide for a review at least once a year, including:
- identification of changes in residual risks;
- assessment of available mitigation measures;
- evaluation of whether reasons for acceptance remain valid.
Monitoring Requirements (Article 3(e) RTS RMF)
The procedures must include monitoring of:
- changes to the ICT risk and cyber threat landscape (continuous monitoring of external and internal developments),
- internal and external vulnerabilities and threats, and
- the financial entity’s ICT risk profile.
Monitoring must allow prompt detection of changes affecting ICT risk.
Integration with Strategic Changes (Article 3(f) RTS RMF)
The procedures must include provisions ensuring that:
- any changes to the business strategy, and
- any changes to the digital operational resilience strategy,
are fully taken into account in ICT risk management.