FX & Trading
The team assumed DORA meant a compliance department it could not afford, and froze. The real task was proportionate: a simple ICT risk framework the board actually owns.
DORA applies proportionately. Smaller and less complex entities can use a simplified ICT risk management framework, and much of the weight is governance rather than tooling. The firm's problem was not capacity - it was that nobody had translated DORA into the proportionate set of things a 35-person broker actually has to do, starting with the management body owning ICT risk.
Finding 01
No member of the management body was accountable for the ICT risk framework, which DORA does not allow at any size.
Finding 02
The firm had not taken up the proportionate, simplified ICT risk management framework available to smaller entities.
Finding 03
Even a short list of the few critical providers, with contract terms and an exit thought, did not exist.
Finding 04
There was no incident-classification test and no testing cadence, despite a small and manageable estate.
Finding 05
Energy was going into long documents rather than the governance and third-party basics a supervisor checks first.
The broker had a proportionate, board-owned ICT risk framework and the third-party and incident basics in place - a defensible DORA position sized to a 35-person firm, without a compliance department it could not staff. Proportionality is a judgement the supervisor ultimately tests; the firm was no longer frozen.
For a small broker, DORA is mostly governance, not tooling. Proportionality is real: own ICT risk at board level, know your few critical providers, and get the incident basics right - that is a defensible start, not a compliance department.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.