Skip to main content
Image coming soon

Operational IT Risk: Assessment to Committee Report

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

Operational IT Risk: Assessment to Committee Report

Turn your ICT risk register into a risk committee brief that satisfies DORA Article 6 without a separate bridging document.

Your ICT risk assessment tells IT what to fix. Your risk committee needs to know which finding threatens operational continuity. Those are two different documents, and most operational IT risk managers are building both under examination pressure with no documented methodology to show for it.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

An operational IT risk manager at a global bank sits between two worlds that speak different languages. The ICT team produces findings in technical severity terms. The risk committee wants residual risk scores, escalation thresholds, and a clear read on what changed since the last brief. DORA adds a third requirement: supervisory expectations for proportionality, third-party ICT risk management, and ICT incident classification that maps to operational risk event reporting. The methodology document that bridges all three rarely exists in written form. When it does not, the review cycle produces inconsistent outputs, committees lose confidence in the findings, and regulatory examinations surface the gap as a process deficiency rather than a one-off oversight.

What you walk away with

  • Build an ICT risk register that serves both technical teams and the risk committee from a single document structure.
  • Document a proportionality methodology that makes your DORA Article 6 approach defensible under examination.
  • Produce a DORA-compliant Register of Information for all ICT service providers, tiered by criticality.
  • Write a quarterly ICT risk committee brief using a repeatable template that converts technical findings into committee-actionable language.
  • Maintain audit-grade evidence files across all ten required ICT risk artefact categories.

The 12 modules

Module 1. The ICT Risk Register as a Risk Committee Artefact
Most ICT risk registers are built for IT teams, not for risk committees. This module builds the dual-purpose register template: a structure that captures technical finding detail for IT governance while automatically generating the escalation flags and residual risk language your risk committee needs. Output: a register schema that meets DORA Article 6 documentation requirements and produces board-escalation triggers on demand.
Module 2. DORA Articles 6-8: Proportionality in Practice
DORA requires proportionate ICT risk management but does not define proportionality for your specific institution profile. This module provides the calibration method: setting ICT risk thresholds tied to your institution's operational continuity commitments, so that proportionality is a documented, defensible position rather than a judgment call under examination pressure. Output: a proportionality statement and threshold-setting workbook for your methodology document.
Module 3. ICT Risk Taxonomy for Operational Risk Managers
ICT risk speaks in technical terms; operational risk speaks in business impact terms. This module builds the translation layer: a taxonomy mapping each ICT finding category, infrastructure failure, cyber incident, data integrity loss, and third-party dependency, to the corresponding operational risk event type in your risk appetite framework. Output: a crosswalk document your ICT team and your operational risk function can both endorse as the shared classification reference.
Module 4. Third-Party ICT Risk Under DORA Articles 28-44
DORA Articles 28-44 require a register of information on all ICT service providers, a concentration risk assessment, and exit strategy documentation. This module builds the register: mandatory fields, tiering methodology for critical versus non-critical providers, and the annual review cadence that satisfies your supervisory authority. The template maps directly to the DORA Register of Information regulatory technical standard format. Output: a complete third-party ICT risk register ready for supervisory submission.
Module 5. The ICT Risk Incident Lifecycle
Operational IT risk managers are caught between the technical incident timeline and the risk reporting timeline. This module builds a two-track process: the real-time severity classification that ICT teams complete during an incident, and the operational risk event write-up that feeds your risk committee brief. Output: an incident classification matrix mapping ICT severity levels to operational risk event categories, and the risk event write-up template your committee expects within five business days.
Module 6. ICT Risk Appetite: Setting Thresholds That Hold
Risk appetite statements for ICT are often written too abstractly to be operationally useful. This module translates a qualitative ICT risk appetite statement into specific, measurable tolerance levels: system availability targets, acceptable data integrity breach frequency, and third-party ICT incident thresholds. Output: a risk appetite translation workbook that auditors and regulators accept as the bridge between board-level appetite and operational-level control performance metrics.
Module 7. The ICT Risk Assessment Methodology Document
When a regulator asks how you assess ICT risk, the answer must be a documented methodology, not a verbal explanation. This module builds that document: scope definition, risk identification approach, inherent risk scoring, control effectiveness assessment, residual risk calculation, and escalation triggers. Output: a methodology document structured to satisfy EBA ICT risk guidance and DORA supervisory expectations, usable as the primary reference in your next examination.
Module 8. Stakeholder Communication for ICT Risk Findings
An ICT risk finding means different things to the CISO, the CIO, the CFO, and the Chief Risk Officer. This module maps the stakeholder communication matrix: what each person needs, in what format, at what cadence. Output: three brief templates (technical finding, management summary, committee-level brief) so that a single ICT finding produces three correctly targeted documents without rework, eliminating the post-committee clarification cycle.
Module 9. Audit-Ready ICT Risk Evidence Files
Internal audit and external regulators want evidence that your ICT risk process works, not just that it exists. This module identifies the ten evidence artefacts an ICT risk manager must maintain in permanent file form: finding records with dating and ownership, control testing results, management action plans with completion evidence, risk committee minutes referencing specific ICT items, and escalation trail documentation. Output: an evidence file index and a quarterly maintenance checklist.
Module 10. ICT Risk Reporting to the Risk Committee
The risk committee brief for ICT risk requires a specific structure: executive summary, top ICT risks by residual rating, material changes since the prior period, items requiring committee decision, and forward-looking horizon items. This module provides the brief template, the data-gathering process that populates it, and the narrative framing that converts technical detail into committee-actionable language. Output: a repeatable quarterly ICT risk committee brief template and supporting data pack.
Module 11. Concentration and Systemic Risk in the ICT Portfolio
When critical business systems depend on a single cloud provider or a shared network infrastructure supplier, concentration risk in the ICT portfolio becomes a systemic exposure. This module builds the concentration analysis: mapping critical system dependencies, scoring concentration risk against the DORA critical third-party provider framework, and producing the heat map the risk committee and supervisory authority need. Output: a concentration risk assessment workbook and a dependency heat map.
Module 12. The Continuous ICT Risk Management Cycle
ICT risk management is a continuous process, not a point-in-time exercise. This module builds the operating cadence: monthly control monitoring, quarterly risk register review, semi-annual methodology review, and the annual DORA self-assessment against EBA ICT guidelines. Output: a standing meeting agenda pack, a 12-month activity calendar, and the self-assessment scorecard that tracks your maturity trajectory and prepares the evidence base for the next regulatory examination cycle.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You submitted an ICT risk assessment that the risk committee returned with three bridging questions, and you spent the next two weeks answering them in separate documents that should have been part of the original assessment.
A regulator asked you to demonstrate the proportionality basis for your ICT risk thresholds, and the honest answer was that the thresholds were set by IT, not by a documented business-impact methodology.
Your DORA Register of Information had gaps in the third-party tiering section because no template existed for the format the supervisory authority was expecting.
An ICT incident was logged as a severity-2 IT event but was not picked up as an operational risk event until internal audit flagged the classification gap six weeks later.

What you get with this course

  • 12 written modules covering the full ICT risk management lifecycle, from the initial register build through to the quarterly committee reporting cycle.
  • Downloadable templates for every key deliverable: ICT risk register schema, DORA Register of Information template, incident classification matrix, risk committee brief, and audit evidence file index.
  • The hand-built implementation playbook tailored to your specific ICT risk environment and regulatory obligations, delivered alongside course access.
  • Unlimited access to the Art of Service learning environment with no time limit on module completion.

What you will have in hand by Day 1, Week 1, Month 1

Purchase and within 24 hours: your Art of Service learning environment account is provisioned and the hand-built implementation playbook is delivered to your inbox.

Access the 12 written modules at your own pace, starting from the ICT risk register build and working through to the quarterly reporting cycle.

Apply each module's templates and worked examples to your current ICT risk environment as you progress through the course.

Before and after

Before

ICT risk assessments that satisfy the IT team but leave the risk committee asking bridging questions, a proportionality methodology that is defensible in conversation but not in documentation, and an audit evidence trail assembled from scratch before each review.

After

A fully documented ICT risk assessment methodology, a committee-ready quarterly reporting cadence, and audit-grade evidence files that satisfy the next examination cycle without a build sprint in the weeks before each review.

What happens if you do not address this

Without a documented ICT risk methodology, each examination or internal audit produces a fresh gap list rather than a maturity trajectory. Your committee reporting stays reactive. Your DORA self-assessment becomes a narrative document rather than a scored framework with evidence. The next regulator walkthrough asks questions your current process cannot answer in written form.

Who it is for

Operational IT risk managers and technology risk specialists at banks and financial institutions who are accountable for ICT risk assessments, DORA compliance delivery, and risk committee reporting. You understand how IT systems fail, you know the regulatory landscape, and you are building the methodology layer that connects technical findings to the risk appetite framework and the supervisory authority's expectations.

Who this is NOT for. Technology architects focused purely on system builds with no risk reporting accountability, or risk managers whose ICT risk work is entirely handled by a central function with no local methodology ownership required.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 30 to 45 minutes per module across 12 modules, plus the implementation playbook working sessions applied at your own pace. Most practitioners complete the core methodology build in four to six weeks working alongside their existing role.

Why $199 is the right number

Free regulatory guidance (EBA ICT guidelines, DORA regulatory technical standards) gives you the requirements but not the working methodology. Internal templates from a central risk function give you the structure but not the judgment layer for your specific risk profile. This course gives you the working methodology, the documented proportionality approach, and the committee-ready templates that turn regulatory requirements into operational practice.

FAQ

Does this course require DORA familiarity or is it introductory?
The course is written for practitioners who already understand the regulatory environment they work in. Module 2 covers DORA proportionality for implementation, not for background introduction. If you are already managing ICT risk at a regulated institution, you will be working at the right level.
How is the implementation playbook tailored to my situation?
The playbook is hand-built by Gerard after your purchase, specific to your institution type, your current ICT risk maturity level, and the regulatory regime you report under. It is not a generic template; it is a working document built for your specific situation and obligations.
What if my ICT risk framework is already partially built?
Most practitioners start with an existing register or assessment approach that has grown organically. The course methodology works with what you have; the implementation playbook will specifically address the gaps in your current approach rather than recommending a rebuild from scratch.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.