DORA, Vendor Risk Monitoring, and Adverse Media
Under DORA, financial institutions must demonstrate robust controls around third-party risk management (TPRM) [1]. While the law focuses on contractual controls, there is much more to TPRM than having the proper clauses in place with strategic ICT vendors.
To get a grip on the risks associated with third-party vendors, financial institutions need to look beyond what is put on paper and check whether their ICT suppliers remain able and willing to meet their contractual obligations. In other words, doing TPRM properly requires processes for the ongoing management of the third-party risk program, and that includes continuous monitoring.
Leveraging technology for continuous vendor risk monitoring in financial institutions
However, continuous monitoring can be challenging for financial entities, as PricewaterhouseCoopers (PWC) describes in its DORA Thought Leadership Pager [3]:
“Overseeing and managing the ICT risks for the full third-party chain in sufficient depth and responding in the right way to the risks arising from third parties (or their third parties) will be a big undertaking. A key challenge will be getting the relevant information promptly from the third-party chain.”
This blog series explores how financial institutions can leverage technology for continuous vendor risk monitoring. In particular, it looks at using adverse media signals as early indicators of ICT vendor risk.
What is DORA?
The Digital Operational Resilience Act (DORA) is a significant milestone in the ever-evolving financial industry landscape. Scheduled for enforcement in January 2025, this legislative framework imposes binding obligations on financial institutions and their essential suppliers operating within the European Union (EU). DORA requires them to demonstrate that they can withstand and effectively navigate ICT-related disruptions.
Vendor risk monitoring: assessing and mitigating risks from third-party vendors
Vendor risk monitoring involves assessing and evaluating the risks associated with third-party vendors or suppliers that provide an organization with goods, services, or support. Monitoring and analyzing vendors’ activities, practices, and performance to identify potential risks or vulnerabilities that could impact the organization is crucial for maintaining a secure and resilient business environment.
Traditionally, monitoring vendors to detect any changes in their risk profile or operational practices involves regular assessments, site visits, audits, security testing, and reviewing vendor performance against agreed-upon Service Level Agreements (SLAs) or Key Performance Indicators (KPIs).
Adverse Media Monitoring as a crucial element of vendor risk management
In recent years, organizations have increasingly focused on monitoring external factors or signals that could affect a vendor’s stability or security posture. Identifying negative trends in a vendor’s performance through such external signals provides an early warning that enables organizations to take timely measures to mitigate risks.
A common term for monitoring these external signals is adverse media monitoring, also known as negative news or media monitoring. Adverse media monitoring involves screening vendors for negative news across official and unofficial online sources. For ICT vendors, various external signals can be considered adverse media, for example, signals indicating financial instability, cybersecurity incidents, or legal and regulatory issues.
Financial instability
Adverse media indicators may include reports or articles discussing financial instability or distress at an ICT vendor, such as news of bankruptcy filings, significant financial losses, or ongoing financial difficulties.
Want to know how to overcome the challenge of continuous vendor risk monitoring?
In our blog ‘Leveraging Technology for Continuous Vendor Risk Monitoring’, we explore the complexity of continuous monitoring and offer practical solutions to overcome this challenge.
How Owlin can help you manage the operational risk of ICT Vendors
Organizations can proactively manage vendor risk with the AI platform Owlin. The platform’s machine learning algorithms and natural language processing capabilities quickly identify relevant information in multiple languages and detect early risk signals, allowing organizations to make informed decisions and proactively manage risks such as cyber-attacks and IT system failures, which are critical areas of focus for DORA.
Owlin’s platform can be customized to meet client needs and integrated into existing workflow systems, making it a flexible and scalable solution for managing operational risks.
Sources
1. European Commission (2022, November 17). Regulation on digital operational resilience for the financial sector. European Commission.
2. Prevalent (2022). Meeting EU Digital Operational Resilience Act (DORA) Third-Party Risk Requirements. Prevalent.
3. PWC (2023). How the Digital Operational Resilience Act (DORA) helps your continuity, come rain come shine. PWC.
4. NCC Group (2023, January). EU adopts landmark IT resilience laws – a look at the Digital Operational Resilience Act (DORA). NCC Group.