The Digital Operational Resilience Act (DORA) aims to strengthen ICT management across the financial services sector by setting out rigorous responsibilities for how financial institutions mitigate, document and react to potential vulnerabilities.
One of DORA’s goals is to ensure that third-party relationships don’t compromise operational resilience. Over the past decade, financial institutions have become increasingly reliant on third-party providers for the delivery of their critical business services.
In response to changing customer expectations, they have altered their business models to offer digital services that allow customers to conduct transactions quickly, easily and at any time. As a result, financial institutions depend on the services of third parties that have the technical expertise required to build and manage these ICT products.
DORA requires financial institutions to implement robust processes for managing third-party ICT providers. However, managing third-party relationships can be complicated and time consuming. Below are four tips to help firms enhance their third-party management strategies to align with DORA requirements.
Identify third-party risks at the outset
As part of the ICT risk management pillar, Article 8 stipulates that “financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk”.
A core element of DORA is for firms to determine their critical or important functions: any function whose disruption would materially impair the institution’s financial performance, its continuing compliance with regulatory obligations, or the soundness or continuity of its services.
Performing a mapping exercise in which financial institutions identify the ICT risks that underpin their critical business functions allows them to obtain and document a holistic view of the third- and fourth-party landscape, including an illustration of the interdependencies critical for understanding how a threat will impact business operations.
To maintain compliance and save time later, financial institutions need to get serious about conducting a thorough, top-to-bottom mapping exercise that identifies third-party risks. Discovering these risks after implementation efforts have begun can result in compliance delays and wasted resources.
Once institutions have identified their critical functions, they need to evaluate those functions’ ICT assets and determine which assets carry risks associated with third-party delivery. For risk-carrying assets, firms need to thoroughly analyse the third-party provider to assess the likelihood of it encountering a problem that could compromise a critical function. This investigation includes looking at the provider’s processes, operations, location of facilities, supply chains and more.
Invest in technologies to tackle ICT asset catalogue and reviews
Most financial institutions already catalogue their ICT assets to some extent. They often maintain an asset register containing hardware and software records, with information tracked across a dispersed set of spreadsheets. However, when it comes to DORA compliance, a decentralised approach to cataloguing assets creates challenges because institutions need a firm-wide view of functions, ICT assets and the associated third-party providers.
Financial institutions should invest in platforms that can centralise their ICT asset catalogues. With a holistic view of third-party providers, firms can better understand the potential risks they pose to the business and can take action to mitigate such risks.
Most platforms also contain automation features that simplify the review process. At a minimum, DORA requires an annual review of ICT assets and accompanying documentation, and for third parties deemed high risk, the review cycle should occur more frequently.
Automation lessens the administrative burden of coordinating a review and decreases the number of manual components within a review cycle—thereby reducing the potential for human error or the potential of a review cycle being missed.
Most platforms can automatically trigger a review process by generating an email that reminds stakeholders to review their asset inventories, and, because the stakeholder performs the review within the system, the platform automatically logs their activity, ensuring all aspects of the process are easily auditable from a regulatory perspective.
Update existing third-party contracts
Financial institutions must review their third-party procedures to ensure that their processes incorporate risk mitigation strategies. Under DORA, third-party contracts must provide details on certain procedures. For instance, the legislation mandates that firms obtain and document contractual clarity on service continuity, insolvency issues and off-boarding procedures.
To ensure that existing third-party contracts meet DORA requirements, firms can pursue a couple of options. They can perform an end-to-end review of current agreements and make updates to the clauses in each individual agreement to transform the document into a DORA-compliant contract.
Alternatively, they can add a ‘DORA Addendum’ to their contracts, which amends the terms of the ICT service agreement, and then obtain the third-party provider’s agreement that the addendum takes precedence over the underlying agreement. To determine the best option, institutions should engage with their legal provider or a law firm.
Take ongoing due diligence seriously
Under DORA, regulators expect firms to undertake due diligence on prospective ICT third-party providers, monitor third parties throughout the relationship and design off-boarding procedures in preparation for the termination of the contract.
While most firms already perform due diligence assessments—either as part of a supplier assessment form or questionnaire—for DORA compliance, they should evaluate their practices in terms of how they document this process. The ethos of DORA is that due diligence does not stop when contracts are signed, so firms should use tools that allow for ongoing reporting in an easy and straightforward manner, ensuring that due diligence records are easily accessible.
To maintain ongoing due diligence, financial institutions must proactively engage with their third-party providers throughout the duration of the relationship. This engagement involves continuously monitoring third parties to identify and mitigate risks related to financial irregularities, data security vulnerabilities, operational disruptions, reputational damage, potential conflicts of interest and other legal, ethical and compliance issues.
DORA also stipulates specific requirements for third-party exit plans. These plans must be comprehensive, documented, sufficiently tested and reviewed periodically. In particular, an exit strategy must include a mandatory adequate transition period and outline a process for how the firm will migrate to another third-party service provider or change to an in-house solution without compromising a critical function.
Financial institutions need to evaluate the proposed exit strategy during the pre-contractual risk assessment and incorporate the final strategy in the contractual agreement with the third-party provider. By requiring an exit plan from the get-go, DORA aims to reduce the risk of disruption to customers should a financial institution change its ICT suppliers.
Rethink internal structures
DORA’s third-party requirements necessitate an increase in governance and oversight. Firms can begin by delegating responsibilities to ensure that the correct stakeholders take an active role in enhancing existing third-party management strategies. However, most firms will need to initiate new practices, such as performing quarterly reviews, updating a centralised register, assigning risk/compliance ratings and developing a forum for escalating and reporting third-party issues.
As a result, the legislation’s requirements around third-party due diligence, management and governance could necessitate that firms make strategic investments into additional resourcing or structural changes.
At a minimum, firms should establish a dedicated senior management role to oversee these practices, ensure that all third-party risks are identified and confirm that these risks are being addressed. However, considering DORA’s vast and ongoing scope, larger financial institutions should rethink their organisational structure and consider strategic options such as the creation of a new function with a skilled team dedicated to third-party management.
Maintaining DORA compliance increases day-to-day management activities, due diligence responsibilities and reporting—all of which can create additional burdens for existing business functions and their employees. By creating a new central function that sits alongside procurement, manages the third-party supplier base and coordinates third party reviews, firms can simultaneously avoid overstretching current employees while ensuring regulatory compliance.
While each critical business function has a role in managing its ICT third-party providers, a dedicated third-party management function can offer firm-wide support by centralising documentation and reporting; assisting with ongoing due diligence; providing oversight of how information is recorded, updated and shared; and more.
How Grant Thornton can help with DORA compliance
At the outset, implementing DORA requirements can be daunting. The depth and breadth of requirements across areas such as incident reporting and third-party risk management demand action, and knowing where to begin can be difficult.
We support institutions of all sizes in their ongoing journey to DORA compliance. Our first-hand experience, bolstered by our involvement with our EU network of firms, strengthens our service offerings, and our clients attest that by clarifying the scope and key dependencies we have helped them avoid potential pitfalls and achieve compliance to the standard required.
We can provide differing combinations of services to create a best-fit model for DORA implementation that meets your organisation’s specific needs and ensures compliance by the 17 January 2025 application date.