Register of information
Business functions in DORA: the cornerstone of your ICT risk management
Business functions are the cornerstone of your entire ICT risk management framework. Think of it as creating a blueprint of your organization: you need to know what you do (functions), what's essential (criticality), and what each function needs to operate (dependencies). Without this map, you're managing ICT risks blindfolded.

1. What are business functions?

In the DORA context, a business function is any set of activities or services your organization performs. These are the building blocks of your operations, everything from customer-facing services to supporting activities. Examples include:

- Core functions: portfolio management, investor relations, payment processing, lending, trading, claims handling, etc.
- Supporting functions: finance, IT operations, HR, compliance, risk management, customer support, etc.

DORA requires you to identify all functions performed by the entities in scope of your ICT risk management framework. You need to define your own functions based on your business model; there is no pre-defined regulatory list. Your internal taxonomy should reflect how your organization actually operates.

2. Determining criticality

Not all functions are equal. According to DORA Article 3(22), a function is "critical or important" if its disruption would:

- Materially impair your financial performance, causing significant financial losses or affecting your firm's viability.
- Materially impair the soundness or continuity of your services and activities, disrupting operations in a way that affects service delivery to customers or counterparties.
- Materially impair your regulatory compliance, preventing you from meeting authorization conditions or other obligations under financial services law (AIFMD, MiFID II, PSD2, Solvency II, etc.).

Simple test: if this function stopped working, would it materially damage your finances, disrupt your services, or cause regulatory non-compliance? If yes, it's critical or important.

Key word: "materially". The impact must be significant, not minor. DORA uses a risk-based approach, focusing on functions where failure would have serious consequences for your firm, customers, or the financial system.

3. Mapping dependencies and connections

For each function, DORA requires you to document and maintain an inventory of:

- Licensed activities: which regulated business activity does this function support?
- Roles and responsibilities: who owns, operates, and oversees this function?
- Information assets: what data does this function process or depend on?
- ICT assets: which systems, applications, databases, and infrastructure components are involved?
- ICT services: what technology services (intra-group or third-party) enable this function?
- Processes: what processes depend on ICT third-party service providers? (These processes can be linked to one or more business functions.)

This inventory creates a clear dependency map showing exactly what each function needs to operate and highlights all third-party dependencies. Per Article 8(6) of the DORA regulation, these inventories must be kept current through regular updates (at least annually) and whenever major changes occur in your ICT environment or business operations.

4. Why this matters

Identifying, classifying, and mapping functions isn't bureaucratic busy work. It's fundamental because:

- Functions are your risk assessment starting point: you can't protect what you don't know you have.
- Criticality drives resource allocation: knowing what's critical helps you prioritize security investments and controls.
- Impact analysis depends on this mapping: when incidents occur, you need to quickly understand what's affected.
- Regulatory compliance requires it: demonstrating control over critical functions is core to DORA.

5. How the platform helps

The platform streamlines business function management, the cornerstone of your ICT risk management framework.

Inventory maintenance: keep your mandatory DORA inventories current and complete.
- Automated periodic reviews: no manual tracking needed.
- Automatic updates triggered by changes.
- Review notifications sent to function owners.
- Full audit trail of completion.

Comprehensive mapping: visualize and manage all your dependencies.
- Simple maintenance of connections between functions, roles, services, and assets.
- Quick identification of critical interdependencies.
- Real-time view of all dependencies.
- Instant impact assessment for incidents.

The platform handles the compliance workload, letting you focus on actual risk management rather than documentation.
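To make the criticality test, the dependency map and the review cadence described above concrete, here is a small worked model of a function register. It is an added example written for this page, not code from the platform or from DORA itself; the firm, function names, ICT assets, providers (ExampleCloud Ltd, ExamplePeople Inc) and review dates are all constructed. It applies the three Article 3(22) questions to classify each function, walks the dependency graph to answer "which functions are affected if this asset or provider fails?", lists the third-party providers behind each critical function, and flags inventory entries that have gone more than a year without review.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed "as of" date for the review check (assumption, not from the page).
SAMPLE_AS_OF = date(2025, 6, 1)


@dataclass
class Function:
    """One business function in the register, with its Article 3(22) impact answers."""
    name: str
    licensed_activity: str
    owner: str
    impairs_financial_performance: bool
    impairs_service_continuity: bool
    impairs_regulatory_compliance: bool
    depends_on: set[str] = field(default_factory=set)  # direct ICT assets / services
    last_reviewed: date = date(2024, 1, 1)

    def is_critical_or_important(self) -> bool:
        # The page's simple test: a material impact on any of the three axes.
        return (self.impairs_financial_performance
                or self.impairs_service_continuity
                or self.impairs_regulatory_compliance)


@dataclass
class Register:
    functions: dict[str, Function]
    # Dependency edges between ICT assets, ICT services and providers:
    # node -> the nodes it needs in order to operate.
    edges: dict[str, set[str]]
    third_party_providers: set[str]

    def function_dependencies(self, fn: Function) -> set[str]:
        """Everything the function transitively depends on (assets, services, providers)."""
        seen: set[str] = set(fn.depends_on)
        queue = deque(fn.depends_on)
        while queue:
            current = queue.popleft()
            for dep in self.edges.get(current, set()):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
        return seen


def impacted_functions(reg: Register, failed_node: str) -> list[str]:
    """Impact analysis: functions that would lose something they depend on."""
    return sorted(name for name, fn in reg.functions.items()
                  if failed_node in reg.function_dependencies(fn))


def critical_third_party_exposure(reg: Register) -> dict[str, set[str]]:
    """Third-party providers sitting behind each critical or important function."""
    return {name: reg.function_dependencies(fn) & reg.third_party_providers
            for name, fn in reg.functions.items() if fn.is_critical_or_important()}


def overdue_reviews(reg: Register, today: date = SAMPLE_AS_OF,
                    max_age: timedelta = timedelta(days=365)) -> list[str]:
    """Functions whose inventory entry has not been reviewed within the yearly cadence."""
    return sorted(name for name, fn in reg.functions.items()
                  if today - fn.last_reviewed > max_age)


def build_sample_register() -> Register:
    """Constructed sample data for a hypothetical firm (not from the page)."""
    functions = {
        "payment processing": Function(
            "payment processing", "payment services", "Head of Payments",
            impairs_financial_performance=False, impairs_service_continuity=True,
            impairs_regulatory_compliance=True,
            depends_on={"payments-api", "core-banking-db"}, last_reviewed=date(2024, 11, 15)),
        "customer support": Function(
            "customer support", "n/a (supporting function)", "Head of Service",
            impairs_financial_performance=False, impairs_service_continuity=False,
            impairs_regulatory_compliance=False,
            depends_on={"crm", "telephony"}, last_reviewed=date(2024, 3, 1)),
        "hr": Function(
            "hr", "n/a (supporting function)", "Head of People",
            impairs_financial_performance=False, impairs_service_continuity=False,
            impairs_regulatory_compliance=False,
            depends_on={"hr-saas"}, last_reviewed=date(2025, 1, 10)),
    }
    edges = {
        "payments-api": {"cloud-hosting"},
        "crm": {"cloud-hosting"},
        "cloud-hosting": {"ExampleCloud Ltd"},
        "hr-saas": {"ExamplePeople Inc"},
    }
    return Register(functions, edges, {"ExampleCloud Ltd", "ExamplePeople Inc"})


if __name__ == "__main__":
    reg = build_sample_register()
    print("impacted by ExampleCloud Ltd outage:", impacted_functions(reg, "ExampleCloud Ltd"))
    print("critical third-party exposure:", critical_third_party_exposure(reg))
    print("overdue reviews:", overdue_reviews(reg))
```

Running it shows why the mapping matters: an outage at the hosting provider reaches both payment processing (critical) and customer support (not critical) even though neither function names the provider directly, while the only third-party exposure behind a critical function is the one the incident responder needs to look at first.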