Risk assessments evaluate the risks posed by your ICT third-party providers and document findings, mitigations, and exit strategies. DORA requires ongoing assessment of ICT concentration risk and substitutability, particularly for providers supporting critical or important functions.
Creating a Risk Assessment
Navigate to Register of Information → Risk Assessments and click "Add Assessment".
Assessment Form Fields
| Field | Type | Required | Details |
|---|---|---|---|
| ICT Provider | Dropdown | Required | Select the provider being assessed from your registered ICT providers list. |
| Risk Level | Radio buttons | Required | Four options with colour coding: Low, Medium, High, Critical. |
| Findings | Textarea | Optional | Document the findings from the risk assessment. Include specific risks identified, evidence gathered, and areas of concern. |
| Mitigations | Textarea | Optional | Document the mitigation measures in place or planned to address the identified risks. |
| Substitutability Score | Number input (0–10) | Optional | Score from 0 to 10, with a step of 0.1. 0 = irreplaceable (no viable alternatives exist), 10 = easily substitutable (many alternatives available). This maps to the ESA's assessment of ICT concentration risk. |
| Next Review Date | Date picker | Optional | The date by which this assessment should be reviewed. Set regular intervals based on the provider's criticality. |
| Concentration Risk | Checkbox | Optional | Tick this box if the provider presents concentration risk under DORA Art 31. This flags the provider in the concentration risk analysis. |
Exit Strategy Section
In accordance with ITS 2024/2956 template B_07.01, each risk assessment includes a dedicated exit strategy section:
| Field | Type | Required | Details |
|---|---|---|---|
| Substitutability Reason | Textarea | Optional | Explain why the provider is or is not easily substitutable. Consider factors like proprietary technology, market availability, transition complexity, and data portability. |
| Exit Plan Exists | Select dropdown | Optional | Options: Not assessed, Yes, No. Indicates whether a formal exit plan has been documented for this provider. |
| Alternative Providers Identified | Select dropdown | Optional | Options: Not assessed, Yes, No. Whether viable alternative providers have been identified in the event of exit. |
| Reintegration Possibility | Select dropdown | Optional | Options: Not assessed, Easy, Difficult, Highly complex. How feasible it would be to bring the service back in-house. |
| Discontinuation Impact | Select dropdown | Optional | Options: Not assessed, Low, Medium, High. The impact on the entity if this ICT service is discontinued. |
| Alternative Provider Names | Text input | Conditional | Shown only when "Alternative Providers Identified" is set to "Yes". Enter the names of identified alternative providers, separated by commas. |
The exit strategy data populates ESA template B_07.01 (Assessment of ICT services) in the xBRL-CSV export. Completing this section is essential for a valid regulatory submission.
Risk Assessments Table
The assessments list page shows all completed assessments in a table with the following columns:
| Column | Description |
|---|---|
| Provider | The ICT provider's display name |
| Date | The date the assessment was conducted |
| Risk Level | Colour-coded badge showing Low/Medium/High/Critical |
| Concentration | Shows whether the concentration risk flag is set |
| Next Review | The scheduled next review date |
| Findings | Truncated preview of the findings text |
| Actions | View, Edit, Delete buttons |
Schedule risk assessments at least annually for all providers, and quarterly for providers classified as Critical. Set the "Next Review Date" to remind yourself when reassessment is due.
Prioritise exit planning for providers that are flagged with concentration risk and have a substitutability score below 3.0; supervisors enforcing DORA pay particular attention to these dependencies.
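The form rules above (required fields, the 0–10 score with a 0.1 step, the conditional "Alternative Provider Names" field) and the scheduling and prioritisation guidance in this section can be expressed as a small validation and triage routine. The following is an added illustration, not code from the Register of Information tool; the field names mirror the form labels, the review cadence (12 months, 3 months for Critical) and the exit-planning rule (concentration flag plus score below 3.0) are taken from the text, and the sample assessments are constructed. The B_07.01 column mapping is not reproduced because the template's column codes are not given on this page.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Allowed option sets, as listed in the form field tables.
RISK_LEVELS = ("Low", "Medium", "High", "Critical")
TRISTATE = ("Not assessed", "Yes", "No")
REINTEGRATION = ("Not assessed", "Easy", "Difficult", "Highly complex")
IMPACT = ("Not assessed", "Low", "Medium", "High")


@dataclass
class RiskAssessment:
    provider: str                      # required
    risk_level: str                    # required
    assessed_on: date
    findings: str = ""
    mitigations: str = ""
    substitutability_score: Optional[float] = None   # 0 = irreplaceable, 10 = easily substitutable
    next_review: Optional[date] = None
    concentration_risk: bool = False   # DORA Art 31 flag
    substitutability_reason: str = ""
    exit_plan_exists: str = "Not assessed"
    alternatives_identified: str = "Not assessed"
    reintegration: str = "Not assessed"
    discontinuation_impact: str = "Not assessed"
    alternative_provider_names: str = ""   # conditional on alternatives_identified == "Yes"


def validate(a: RiskAssessment) -> List[str]:
    """Return a list of validation errors; an empty list means the record is acceptable."""
    errors = []
    if not a.provider.strip():
        errors.append("ICT Provider is required")
    if a.risk_level not in RISK_LEVELS:
        errors.append(f"Risk Level must be one of {RISK_LEVELS}")
    if a.substitutability_score is not None:
        s = a.substitutability_score
        if not 0 <= s <= 10:
            errors.append("Substitutability Score must be between 0 and 10")
        elif abs(s * 10 - round(s * 10)) > 1e-9:   # enforce the 0.1 step
            errors.append("Substitutability Score must be a multiple of 0.1")
    for label, value, allowed in (
        ("Exit Plan Exists", a.exit_plan_exists, TRISTATE),
        ("Alternative Providers Identified", a.alternatives_identified, TRISTATE),
        ("Reintegration Possibility", a.reintegration, REINTEGRATION),
        ("Discontinuation Impact", a.discontinuation_impact, IMPACT),
    ):
        if value not in allowed:
            errors.append(f"{label} must be one of {allowed}")
    # The names field is only shown when alternatives are identified, so a value
    # without the matching "Yes" indicates inconsistent data.
    if a.alternative_provider_names.strip() and a.alternatives_identified != "Yes":
        errors.append("Alternative Provider Names given but Alternative Providers Identified is not 'Yes'")
    return errors


def add_months(d: date, months: int) -> date:
    """Calendar-aware month addition (clamps to the last day of the target month)."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def default_next_review(a: RiskAssessment) -> date:
    """Quarterly for Critical providers, otherwise annually, counted from the assessment date."""
    return add_months(a.assessed_on, 3 if a.risk_level == "Critical" else 12)


def needs_exit_planning(a: RiskAssessment) -> bool:
    """Concentration-risk providers scoring below 3.0 are prioritised for exit planning."""
    return a.concentration_risk and a.substitutability_score is not None and a.substitutability_score < 3.0


def exit_planning_queue(assessments: List[RiskAssessment]) -> List[str]:
    """Providers to prioritise, least substitutable first."""
    flagged = [a for a in assessments if needs_exit_planning(a)]
    return [a.provider for a in sorted(flagged, key=lambda a: a.substitutability_score)]


# Constructed sample data (not real providers).
SAMPLE = [
    RiskAssessment("Example Cloud A", "Critical", date(2025, 1, 31), substitutability_score=1.5,
                   concentration_risk=True, exit_plan_exists="No"),
    RiskAssessment("Example SaaS B", "High", date(2025, 1, 31), substitutability_score=2.9,
                   concentration_risk=True, alternatives_identified="Yes",
                   alternative_provider_names="Example SaaS C, Example SaaS D"),
    RiskAssessment("Example Hosting E", "Medium", date(2025, 1, 31), substitutability_score=3.0,
                   concentration_risk=True),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.provider, validate(a), default_next_review(a), needs_exit_planning(a))
    print("Exit planning queue:", exit_planning_queue(SAMPLE))
```

Running the block on the sample data lists the two providers below the 3.0 threshold, least substitutable first, and leaves the 3.0 provider out; the Critical provider's default review date falls three months after the assessment, clamped to the end of April.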