[Reading time: 57 seconds]

Thanks to everyone who attended the Compliance Institute webinar on the likely challenges of DORA yesterday. 93 people now realise that Carina Myles knows about regulatory compliance, and I know.. how to operate PowerPoint!

During the Q&A, we were asked how the concept of proportionality applies with DORA.

The question may have arisen because I mentioned a couple of times during the presentation that there is a theory of proportionality within DORA, and yet a distinct lack of proportionality within the Regulation text itself.

  • For example, Article 16 describes a simplified risk management framework, reducing the obligations described within Articles 5 to 15. But the simplified risk management framework is only available to a very small subset of firms, and the criteria is not based on the size, scale, or complexity of the firm.



The Technical Standards published a few weeks ago do not make this any easier either. As I mentioned yesterday, they actually seem to broaden the scope and raise the bar for DORA compliance.

  • To see what I mean, you only need to look at the recent Technical Standard (Recital 6 on page 4) that reveals internal intra group service providers are actually a subset of external third party service providers.



I hope the answers we provided during the webinar were coherent.

But between you and me, here’s what I really think.


What can a smaller organisation that does not have the resources of a large financial institution do?

Firstly, I am not a legal advisor, and this is atrocious advice from a legal perspective.

But we have to deal with reality here.

We need to figure out ways to start eating this DORA elephant*, even if we already fear (or know) that we’re not going to be able to digest the whole animal.

And there’s only one way to eat an elephant:

One bite at a time.


Which bites to take first?

I think it is reasonable..

to focus on what a reasonable person ..

would think is reasonable.

There is a reason why I used the word ‘reasonable’ three times in that sentence.

We must focus on what is ‘reasonable’, appropriate, proportionate for a firm with our risks, resources, capabilities, and constraints.

And let’s admit it – It’s exactly how we did it for GDPR.

Because it’s the only way to do it without losing our sanity.


What is reasonable?

I remember a regulator being asked this question.

And their answer was: You tell me what you think is reasonable!



So what do I think is reasonable?

I think it is reasonable to start with a focus on:

  • Foreseeable incidents (e.g. ransomware; account compromise; system outage; breach in a third party), and
  • Appropriate controls to reduce the likelihood and impact of these foreseeable events (e.g. immutable backups; Multi-Factor Authentication; proven disaster recovery and incident response plans; ongoing oversight of the security controls operated by third parties).


Will that be enough?

Maybe focusing on what a reasonable person would think is reasonable won’t be enough.

And maybe we will be asked (by an unreasonable person who lives in an ivory tower) why we did not do more.

But in that scenario, we will be having a conversation about why we focused on ensuring we got a C-grade, rather than targeting an A-grade (but increased the likelihood of a D or F grade because we focused on the wrong things).

And at the end of the day, when I did my Leaving Cert, a C-grade was still an Honour.


* No elephants were harmed in the making of this article.