Most financial institutions affected by DORA find it difficult to get used to the words “information register” and “benefits” in the same sentence, as the effort required to implement DORA currently appears even more visible than the potential benefits. However, the question of whether the information register is more of an advantage or a disadvantage for a financial institution should not be a priority at this stage.
Rather, we want to show that, despite the initial effort involved in implementing DORA, and in particular in establishing the information register, significant benefits for financial institutions lie hidden within it. These must be identified and developed further in order to scale them and generate real added value for the company.
In this blog post, we would like to take a closer look at these advantages.
Transparent group relationships:
The first templates of the information register — RT.01.01, RT.01.02 and RT.01.03 — contain information on service providers and service recipients of ICT services and on the hierarchy within the company. In addition, attributes such as country, type of company and parent company within the group of companies are recorded.
If this information is available, a clear, dynamic and interactive hierarchy of the entire group of companies can be formed as input to the information register using a suitable tool for third party risk management. This makes it possible to quickly understand which companies and branches belong to the company and how they are linked to each other.
In connection with templates RT.02.01, RT.02.02, RT.02.03 and RT.03.01, it is possible in particular to show which ICT contracts have been signed by which companies and which companies and branches within the group use the ICT services under these contracts.
This hierarchy can serve as a “single point of truth” for all topics relating to the exchange of services within the group.
For group-wide measures or controls in the area of information security, up-to-date information on the relevant companies and the right contacts is always available.
In the event of ICT incidents, it is always known which company could be affected. Those affected can then be quickly informed in order to take immediate action if necessary.
Standardised contract structures:
The information register provides for three types of contracts:
- Independent agreement (Standalone Arrangement)
- Overarching Arrangement
- Subsequent or Associated Arrangement
A subsequent or associated agreement is always part of an overarching agreement. Optionally, other types such as attachments can also be defined. Although these are not relevant to the information register, they are essential in practice.
By assigning contract documents according to the contract type, hierarchies of contracts are created throughout the company, which are stored in a central location. Of course, the presentation of such dynamic hierarchies is not possible without a suitable solution for contract management.
Contract managers thus have an overview of all their contracts at all times and it is clear which documents belong to which contract structure and which service provider. This ensures transparency and enables better management of contracts. The other contract-specific fields in the information register, such as the annual costs in template RT.01.01, can help to plan ICT costs and create valuable statistics and development trends for management reports.
Uniform definitions:
Template b_99.01 in the information register contains definitions of terms and rating scales that apply to the entire information register. These include the definitions of the various types of contracts: for example, the template asks how the company defines the “Overarching Arrangements” contract type. Information on the sensitivity of data and on the impacts and probabilities relating to various topics (e.g. “low”, “medium” and “high”) is also requested.
These definitions are relevant not only for the information register, but also for users who have to carry out such assessments for individual contracts, ICT services or other issues in other areas. With clear definitions, the quality of assessments can be improved and greater consistency can be achieved when evaluating similar issues.
Conclusion and outlook:
The implementation of DORA, in particular the introduction of the information register, may seem like a demanding task at first glance. But the more financial institutions look into the subject matter, the clearer it becomes: behind the initial expenditure lie long-term benefits that increase transparency and efficiency in the company.