
The introduction of the Digital Operational Resilience Act (DORA) from January 17, 2025 takes the importance of robust ICT risk management to a new level. As part of operational risk, ICT risks are becoming particularly relevant, as their impact not only directly influences operational stability, but also the capital and liquidity planning of banks. Operational risks, including ICT risks, must therefore be systematically identified, assessed and managed as part of the Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP). The article highlights approaches for approximating and quantifying ICT risks, analyzes their profile using the scenario technique and discusses the impact of operational incidents on the liquidity situation and possible liquidity outflows. The medium-term goal of credit institutions must be to develop practicable approaches for the integration of ICT risks into existing risk management systems.

ICT risks as part of operational risks

In European (banking) regulation, ICT risks are made up of five sub-risk types in accordance with EBA [2017]. The specific risk potential of a credit institution results from the respective amounts of the ICT availability and continuity risk, the ICT security risk, the ICT change risk, the ICT outsourcing risk and the ICT data integrity risk. The ICT risk itself is assigned to the operational risk of a credit institution. In accordance with Art. 4 No. 52 CRR, it is defined as the risk of losses caused by the inadequacy or failure of internal processes, people, systems or external events, including legal risks.

ICT availability and continuity risk comprises the risk that the performance and availability of ICT systems and data are adversely affected, including the inability to recover from a failure in a timely manner. ICT security risk focuses on unauthorized access to ICT systems and data access from inside or outside the institution (e.g. through cyber or insider attacks). The risk arising from the institution’s inability to manage ICT system changes in a timely and controlled manner is referred to as ICT change risk. A particular focus here is on extensive and complex IT transformation programs. ICT outsourcing risk (also referred to as ICT third party risk under DORA) is defined as the risk that commissioning a third party to provide ICT systems or related ICT services will adversely affect the credit institution’s performance and risk management. The requirements under DORA relate to these four sub-risk types.

EBA [2017] defines the ICT data integrity risk as the fifth sub-risk type. This is the risk that the data stored and processed by ICT systems is incomplete, inaccurate or inconsistent across different ICT systems. The regulatory requirements for this component of ICT risk are set out in ECB [2024a] and in AT 4.3.5 MaRisk.

Comparison of credit and ICT risk management

The three elements “asset worthy of protection”, “potential threat” and “vulnerability” are key prerequisites for the emergence of risk. All three elements must occur together in order to have adverse effects in the future, such as a loss of equity or liquidity. The interaction is not static, but highly dynamic, especially in the case of ICT risks. The task of risk management is to constantly monitor and evaluate the changes in the three elements and, if necessary, initiate countermeasures.

In credit risk management, the bank’s receivables from customers are the assets worth protecting. Their (deteriorating) creditworthiness represents a risk. In addition, weaknesses can occur in the bank’s credit process for various reasons. This results in a risk amount that must be covered by the bank’s risk appetite. If a customer’s creditworthiness deteriorates, e.g. due to unemployment, this amount tends to increase. More intensive support from the bank (reduction of information asymmetry as a weak point) or the repayment of open lines and the demand for additional collateral (reduction of assets worthy of protection) can be suitable measures for active credit risk management.

Figure 1: Three components for the emergence of risk

The interplay of elements shown in Fig. 1 also applies analogously to ICT risk management. Banks must always have an up-to-date overview of their ICT assets, such as hardware and software components, which are fundamentally exposed to ICT risks. Multi-layered threats such as geopolitically influenced attackers, financially motivated criminals or inadequately trained employees are potential sources of danger. Regular exchanges with the financial sector also reveal a wide variety of vulnerabilities, ranging from numerous “end-of-life” applications that are still in use to insufficiently tested IDV (end-user computing) solutions and deficiencies in operational information security. A particular challenge for the necessary ICT risk management is the high pace of innovation, which is particularly evident with regard to threat sources and vulnerabilities. Experience from credit risk management, which has already been established over the long term, is therefore extremely valuable for the further development of existing ICT risk management systems.

ICAAP and ILAAP for the Bank as a whole

ECB [2018a] and ECB [2018b] define principles that are intended to ensure sound internal capital and liquidity management. These two internal bank processes, ICAAP and ILAAP, are essential to ensure the resilience of a bank by systematically recording and managing capital and liquidity risks. The responsibility of the Executive Board, which is responsible for the implementation and integration of ICAAP and ILAAP into strategic and operational management, plays a central role.

Another focus is on the completeness of risk identification. All material risks, including operational and ICT risks, must be taken into account, with the ILAAP addressing liquidity outflows in critical scenarios in particular. The methods and models used to identify and assess risks must be tailored to the specific circumstances of the bank and also meet regulatory requirements.

The bank’s ability to cover risks with sufficient capital or liquidity is of crucial importance. This risk-bearing capacity must be analyzed and demonstrated in normative and economic perspectives. In addition, a robust management system requires comprehensive stress tests that highlight the potential impact of internal and external risk factors. The results and assumptions of these analyses must be documented in detail and communicated transparently to the supervisory authorities.

Figure 2: ICAAP and ILAAP as central internal bank processes, also for ICT risks

Finally, as can be seen in Fig. 2, the close linking of ICAAP and ILAAP with other central processes such as business planning, risk management and reporting is essential. By consistently applying these principles, banks can further strengthen their resilience.

Selected implications of the ICT-RM for ICAAP and ILAAP

Integrative governance of ICAAP and ILAAP is crucial for effective overall bank management, particularly with regard to the management of ICT risks. As these risks are becoming increasingly complex and far-reaching, risk management, business strategy and operational processes need to be closely interlinked. In the area of ICT risks in particular, the competence of the Executive Board is of central importance. Only with sufficient digital and data expertise can the reported risk situations be adequately assessed and well-founded decisions made. These skills make it possible to understand the specific impact of ICT risks on capital and liquidity reserves and to take effective control measures.

Measuring ICT risks poses a particular challenge, as they cannot (yet) be quantified directly in the same way as financial risks (e.g. the expected loss for credit risk as the product of probability of default (PD), loss given default (LGD) and exposure amount (EAD)). Nevertheless, it is essential to determine a specific risk amount, particularly with regard to capital and liquidity risks. In contrast to market or credit risks, there is often a lack of historical data and currently still no standardized models for ICT risks, which makes precise quantification difficult.

One practicable approach is to use scenarios for approximation. This involves simulating possible events, such as cyberattacks or system failures, in order to assess the potential impact on equity and the liquidity situation. Such scenarios make it possible to make assumptions about the extent of damage and recovery times, which are incorporated into the risk analysis. Of particular importance here is the analysis of liquidity outflow rates following (publicly known) incidents. In addition to “catch-up effects”, digitally managed customers could increasingly divert deposits to other institutions at short notice. Qualitative elements such as expert assessments also play an important role here in order to address uncertainties and create a comprehensive risk profile. This approach promotes an integrated view of ICT risks as part of the ICAAP and ILAAP.
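The scenario approach described above can be made concrete in a small calculation. The following is an added example written for this article, not code from the author or from any supervisory guidance: it carries a catalogue of constructed ICT scenarios (one per EBA [2017] sub-risk type) with expert-style assumptions on probability, remediation cost, interruption cost and recovery time, derives the credit-risk-style expected loss (probability x severity) for the ICAAP view, enumerates the loss distribution under an assumed independence of scenarios to read off a loss at a chosen confidence level, and applies an assumed deposit outflow rate per scenario to the deposits of digitally managed customers for the ILAAP view. All figures, names and the independence assumption are illustrative.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class IctScenario:
    """One ICT risk scenario with expert-estimated parameters (all constructed)."""
    name: str
    sub_risk: str                   # EBA [2017] sub-risk type the scenario maps to
    annual_probability: float       # expert-assessed likelihood of occurring within a year
    remediation_cost: float         # EUR: forensics, rebuild, fines, customer compensation
    daily_interruption_cost: float  # EUR per day the affected service is unavailable
    recovery_days: float            # assumed time until normal operation is restored
    outflow_rate: float             # share of digitally managed deposits withdrawn at
                                    # short notice once the incident becomes public

    def severity(self) -> float:
        """Loss if the scenario materialises (ICAAP economic perspective)."""
        return self.remediation_cost + self.daily_interruption_cost * self.recovery_days

    def expected_loss(self) -> float:
        """Counterpart of PD x LGD x EAD for credit risk: probability x severity."""
        return self.annual_probability * self.severity()


# Constructed illustrative scenarios; the figures are assumptions, not data from the article.
SCENARIOS = (
    IctScenario("ransomware on core systems", "ICT security", 0.05, 4_000_000, 500_000, 6, 0.08),
    IctScenario("core banking outage", "ICT availability and continuity", 0.10, 500_000, 800_000, 2, 0.03),
    IctScenario("failed release migration", "ICT change", 0.20, 1_000_000, 200_000, 5, 0.01),
    IctScenario("cloud provider failure", "ICT outsourcing", 0.02, 300_000, 600_000, 3, 0.02),
)


def total_expected_loss(scenarios) -> float:
    """Expected annual ICT loss: the sum of the scenarios' expected losses."""
    return sum(s.expected_loss() for s in scenarios)


def loss_distribution(scenarios):
    """Enumerate every combination of scenarios that could occur within one year,
    assuming (as a simplification) that scenarios are independent. Returns
    (loss, probability) pairs; 2**n combinations, so suited to a catalogue of
    a few dozen scenarios at most."""
    dist = []
    for k in range(len(scenarios) + 1):
        for hit in combinations(scenarios, k):
            prob = 1.0
            for s in scenarios:
                prob *= s.annual_probability if s in hit else 1.0 - s.annual_probability
            dist.append((sum(s.severity() for s in hit), prob))
    return dist


def loss_quantile(scenarios, confidence: float) -> float:
    """Smallest loss such that at least `confidence` of the probability mass lies
    at or below it: the value-at-risk style figure capital would be held against."""
    dist = sorted(loss_distribution(scenarios))
    cumulative = 0.0
    for loss, prob in dist:
        cumulative += prob
        if cumulative >= confidence:
            return loss
    return dist[-1][0]


def liquidity_outflow(scenario: IctScenario, digital_deposits: float) -> float:
    """ILAAP view: deposits assumed to leave after the incident becomes publicly known."""
    return scenario.outflow_rate * digital_deposits


def liquidity_shortfall(scenario: IctScenario, digital_deposits: float,
                        liquidity_buffer: float) -> float:
    """Part of the scenario outflow not covered by the liquidity buffer (0 if covered)."""
    return max(0.0, liquidity_outflow(scenario, digital_deposits) - liquidity_buffer)


if __name__ == "__main__":
    digital_deposits = 500_000_000  # constructed: deposits of digitally managed customers
    liquidity_buffer = 30_000_000   # constructed: liquid assets available within days
    print(f"expected annual ICT loss: {total_expected_loss(SCENARIOS):,.0f} EUR")
    for c in (0.99, 0.999):
        print(f"loss at {c:.1%} confidence: {loss_quantile(SCENARIOS, c):,.0f} EUR")
    for s in SCENARIOS:
        print(f"{s.name:<28} outflow {liquidity_outflow(s, digital_deposits):>12,.0f} "
              f"shortfall {liquidity_shortfall(s, digital_deposits, liquidity_buffer):>12,.0f}")
```

With these constructed inputs the expected annual loss is about 1.0 million EUR, while the loss at 99.9 % confidence is 11.1 million EUR, which illustrates why a capital figure cannot be read off the expected loss alone. On the liquidity side, only the ransomware scenario exceeds the assumed buffer, which is exactly the kind of gap an ILAAP stress scenario is meant to surface. The independence assumption is the weakest point of the approach: scenarios such as a third-party failure and an availability incident are often correlated, and a bank would replace the enumeration with a dependency structure or a Monte Carlo simulation once the catalogue grows.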

Both the ICAAP and the ILAAP are subject to regular review, which takes place at least once a year in the form of a comprehensive validation. The aim of this validation is to check the appropriateness and effectiveness of the processes and ensure that they comply with current regulatory requirements and the bank’s specific risks. A similar approach applies to the ICT risk management framework in accordance with DORA, which also requires annual validation. The parallel requirements for these reviews open up opportunities for integrative and coordinated implementation.

It is particularly important to note that weaknesses or deficiencies in the ICT risk management framework can have a direct impact on the informative value of ICAAP and ILAAP. For example, inadequate identification or assessment of ICT risks could significantly impair the robustness of capital and liquidity forecasts. Coordinated validation allows synergies to be exploited and ensures that the systems are not viewed in isolation but as part of an integrated risk management approach. This not only strengthens the informative value of the respective systems, but also promotes the overall resilience of the bank.

Conclusion

ICT risk management has gained a solid foundation with the introduction of DORA, but similar to credit risk management 20 years ago, it is still at an early stage of development. Banks still have great potential to exploit in order to manage ICT risks systematically and comparably. To this end, the management body must first build up greater expertise in order to be able to assess and manage risks in a well-founded manner. At the same time, standard models for quantifying ICT risks need to be developed and established in order to increase their measurability and comparability. In addition to these risk management measures, it is essential to exploit the opportunities of the digital transformation (see ECB [2024b]) with at least the same level of commitment in order to promote innovation and competitiveness in the long term.

Literature

EBA [2017]: Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP), London 2017.

ECB [2018a]: Guide to the internal capital adequacy assessment process (ICAAP), Frankfurt 2018.

ECB [2018b]: Guide to the internal liquidity adequacy assessment process (ILAAP), Frankfurt 2018.

ECB [2024a]: Guide on effective risk data aggregation and risk reporting, Frankfurt 2024.

ECB [2024b]: Supervisory priorities 2025-27, Frankfurt 2024.

Author

Prof. Dr. Andreas Igl

BDO-Stiftungsprofessor
TH Deggendorf