DORA
How does BCMLogic ONE support specific DORA requirements?
ICT risk management
BCMlogic One is a platform dedicated to risk management at various levels of the organization and for various risk categories. The applications include both the management of specialized risks (Business Continuity Risk, Information Security Risk) and the management of Operational Risks and Strategic Risks. A common data model, permissions mechanism and screen creator enable specialist teams to use the methodology that is most appropriate and exchange information with other teams, as required by the organization.
​
The application guides users through the full cycle - from identifying risks, through assessing their impact and probability, introducing and monitoring risk reduction plans and subsequent audit of the solutions used. An integral part is the management reporting module and monitoring of KRI indicators.
Article 5
Governance and organisation
Regulation: 3. Financial entities, other than microenterprises, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
​
BCMLogic: The contract register combined with the Risk and Audit modules enables regular risk assessment and monitoring of contractual arrangements with external ICT service providers
Article 11
Response and recovery
Regulation: 3. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews.
​
BCMLogic: Combining the BCM Module data with the Audit Module results in additional possibilities in terms of planning control activities, proposing, accepting and monitoring recommendations and post-audit recommendations.
ICT incident management, classification and reporting
Incident Management Module offers everything an advanced organization needs to meet DORA requirements in this area. Particular attention should be paid to the requirement to "Centralize the reporting of serious ICT-related incidents". The organization may use several sources of information about incidents, especially where a given sector is at the interface with another management area (BCM Incidents, Information Security Incidents, Operational Events, etc.). In this case, BCMLogic allows you to easily integrate these sources and further manage incidents in one place. However, if the organization has one common tool (the so-called reporting or ticketing system), it may turn out that it does not meet DORA requirements. Typical limitations include: lack of good separation of information, lack of support for correct classification, difficult communication between different units when handling an incident, lack of consistent forms and documents, and, above all, insufficient tools for monitoring and reporting incidents to the management level.
​
BCMlogic One will enable the connection and mutual use of risk assessment and related incident data (risk materialization) to assess security measures and implement changes to increase the organization's resilience.
Testing operational digital resilience
​Testing operational resilience means regularly performing and supervising various types of tests: from staff simulations, through tests of security systems, recovery and restoration of applications that are key to business processes, to penetration tests and social engineering.
​
Meeting all requirements regarding operational resistance testing requires the use of a tool that allows:
Determine what elements should be tested - (result of previous analysis and risk assessment
Prepare and approve a periodic (e.g. annual) digital resilience operational test plan
Identify the persons responsible for their implementation and inform them in advance
Monitor the level of test execution so that at the end of the period it does not turn out that most of them were not performed
Record the course and results of tests in a structured way, allowing for easy access to the data by managers
Submit comments and recommendations and, above all, monitor their implementation
Report test results to management and supervisory levels.
​
BCMLogic ONE has been supporting and supporting the organization's resilience to emergency events within BCM and DRP for years, especially for financial clients. From an application perspective, managing operational digital resilience tests only requires adding new test types to the configuration and adapting some forms.
Risk management from external ICT service providers
The risk related to ICT service providers from the application point of view is another risk category that requires parameterization, form configuration and permissions, and the implementation of another process in the application. The risk requirements of external suppliers are fully addressed by the previously mentioned Risk Management module.