Monthly Technology Risk Committee Pack — Cyber, ICT & Operational Resilience
This monthly Technology Risk Committee (TRC) pack provides executive-level oversight of technology, cyber, and ICT third-party risk at a frequency commensurate with the velocity of the threat landscape and with the ICT risk management obligations set out in DORA Chapter II (Articles 5–16). The TRC is the primary forum below ExCo for reviewing ICT incident trends, control effectiveness, and remediation of audit and regulatory findings. The monthly cadence supports timely escalation of ICT-related incidents that meet DORA's major-incident classification criteria (Article 18) and the associated reporting timelines (Article 19), and it keeps the operational resilience self-assessments required under PRA PS6/21 and FCA PS21/3 current.

The pack covers cyber threat intelligence, vulnerability and patch posture, change risk, third-party concentration, and the mapping of important business services to their supporting ICT assets. The committee is chaired by the CIO or CRO and includes the CISO, COO, Head of Procurement, and second-line technology risk leadership.

Regulatory expectations under DORA, NIS2, and the PRA's outsourcing and third-party risk management supervisory statement (SS2/21) require firms to demonstrate active, documented governance of ICT risk, with clear linkages between operational risk events, the control failures behind them, and the resulting capital implications under Pillar 2.
Required Materials
- Cyber Threat Intelligence Briefing
- ICT Incident Register & Classification Log
- Critical Third-Party Concentration Heatmap
- Vulnerability & Patch Compliance Dashboard
- Important Business Services Impact Tolerance Tracker
- DORA Gap Analysis
- Penetration Test & Red Team Findings Summary
Key Questions
- Have any ICT-related incidents this month met DORA's major incident classification thresholds (Article 18), and were the Article 19 regulatory notification timelines met?
- Are we within impact tolerance for all important business services, and what does the latest scenario testing reveal about residual vulnerabilities?
- Where is concentration risk increasing in our critical third-party portfolio, and what credible exit or substitution strategies exist?
- Are remediation actions from prior cyber incidents and audit findings tracking to plan, and what is driving any slippage?
- How does our threat intelligence picture compare to peer institutions and sector ISAC reporting, and are we adequately prepared for the threats most likely to materialise?
- Do we have sufficient assurance over fourth-party (subcontractor) risk in our most critical ICT supply chains?