Guide

DORA controls mapping: from compliance artifacts to operational evidence

A BPMN-first approach to map DORA requirements to real processes, define evidence points at approvals and handoffs, and keep the mapping current during change.

No credit card required. Switch to a paid plan any time.

DORA controls mapping matrix

Filter a control domain, then inspect how controls attach to decision points and produce evidence trails.

Control statement

Decision point (BPMN)

Evidence artifact

Principle: controls are mapped to decision points so evidence is automatic.
Rows: 6
18 min read
Advanced

Definition

DORA controls mapping connects regulatory requirements to concrete process steps and decision points—so evidence is created during operations (approvals, exceptions, change logs) instead of being reconstructed during audits.

Key takeaways
  • Map controls to the **decision points** (approvals, gateways, handoffs)—not to entire processes.
  • Treat evidence as a by-product: approvals + exceptions + version changes should automatically create a trail.
  • Keep mapping current with a publish workflow (draft → review → approve → publish) and drift scorecards.
  • Use conformance checking to detect when reality diverges from the documented control path.

Why controls mapping breaks (and why audits get painful)

Controls mapping usually fails for one reason: it is not connected to change.

A typical pattern in regulated operations:

  1. A control statement is mapped to a process (often a high-level box).
  2. The process changes during a system upgrade, digitalization, or regional rollout.
  3. The mapping is not updated because nobody owns the lifecycle.
  4. During audit season, teams scramble to reconstruct evidence and explain exceptions.

The solution is not “more documentation.” The solution is evidence by design:

  • controls mapped to decision points
  • evidence points attached to approvals and handoffs
  • exceptions captured as structured events
  • version changes linked to a change request or incident

A control is not mapped until it produces evidence

If your controls mapping cannot produce an evidence trail during normal operations, it will fail under pressure. Design the trail first, then scale the mapping.

A practical pattern: Control statement → BPMN decision point → evidence

Use a repeatable 3-layer mapping pattern:

1) Control statement

Write the control in a way that can be tested and evidenced:

  • “Access to system X is granted only after approval by role Y, and reviewed every N days.”

2) BPMN decision point

Map the control to the exact place where it is enforced:

  • gateway/decision node
  • approval task
  • handoff between teams/systems

3) Evidence artifact

Define what proves the control happened:

  • approval record (who/when/why)
  • exception record (classification + resolution)
  • automated log event (immutable event id)

This makes audits repeatable: you can query the evidence trail instead of chasing documents.

Keep evidence lightweight but queryable

Prefer structured events (IDs + metadata) over screenshots and email threads. If humans must attach documents, use an evidence template with required fields.

Governance lifecycle that keeps mapping current

Controls mapping is a living asset. It needs a lifecycle similar to software:

  • Draft: process change proposed (new step, removed step, different owner)
  • Review: process owner + control owner validate control impact
  • Approve: publish with an evidence expectation
  • Run: operations creates evidence trails automatically
  • Monitor: scorecards highlight drift or decay

Define ownership explicitly:

  • Model owner (accountable for the BPMN lifecycle)
  • Control owner (accountable for the control’s design and evidence)
  • Data owner (accountable for logs / evidence sources)

Third-party and outsourcing: map dependencies like processes, not vendors

DORA increases focus on third-party dependencies and operational resilience.

In practice, vendors are not the unit of analysis. Dependencies are:

  • systems and interfaces
  • workflows that cross boundaries
  • approvals and oversight checkpoints
  • evidence that proves ongoing monitoring

A process view makes third-party oversight tangible:

  • where does a critical service depend on an external system?
  • what happens when it fails?
  • which control requires human approval vs automated detection?

Operational resilience testing: define the process *of testing*

Resilience is not a document—it's a repeatable process.

Model your testing workflows:

  • scenario definition
  • test execution steps and roles
  • evidence collection (logs, outcomes, remediations)
  • post-mortem and change requests

When testing becomes a process with ownership and evidence, you can scale it globally and keep it consistent across regions.

Conformance loop: detect divergence between documented controls and reality

A controls mapping becomes false when reality changes.

Add a conformance loop:

  • define the “should” path from the BPMN + control evidence points
  • map event logs to steps (systems, approvals, exceptions)
  • measure drift: missing approvals, bypasses, late handoffs, repeated rework
  • prioritize fixes based on impact (risk + volume + severity)

This is how controls mapping becomes a monitoring system—not a yearly project.

Related reading:

Avoid these

Common mistakes to avoid

Learn from others so you don't repeat the same pitfalls.

Mapping controls to high-level boxes

You lose traceability and evidence becomes ambiguous.

Map controls to decision points and evidence artifacts.

Evidence as screenshots and email threads

It is not queryable, not scalable, and breaks during change.

Use structured event evidence with IDs and required metadata.

No ownership for mapping health

Mapping decays silently until audit season.

Assign model/control/data owners and publish scorecards.

Expert insights

What the experts say

"The goal isn’t a perfect mapping spreadsheet. The goal is to make evidence creation automatic when the control-relevant decision happens."
O

Operational Risk Advisor

Regulated operations

Take action

Your action checklist

Apply what you've learned with this practical checklist.

  • Pick 10 control statements that create the most audit pain

  • Map each control to a BPMN decision point (approval/handoff/gateway)

  • Define a queryable evidence artifact for each control

  • Assign model owner, control owner, and data owner

  • Implement a publish workflow and a drift scorecard

  • Add a conformance loop for high-risk journeys

Q&A

Frequently asked questions

Learn more about how Process Designer works and how it can help your organization.

What is DORA in one sentence?+

DORA (Digital Operational Resilience Act) is an EU regulation that requires financial entities to manage ICT risk, resilience, and third-party dependencies with demonstrable governance, testing, and oversight.

Why does controls mapping fail in practice?+

Because it is treated as a spreadsheet activity. When the process changes, the mapping becomes outdated. The fix is mapping controls inside the process lifecycle: the model, the approvals, the exceptions, and the change log create the evidence trail.

Do we need BPMN to be DORA-compliant?+

BPMN is not mandated, but it is one of the best ways to create end-to-end transparency and control traceability across teams. The real requirement is provable governance and measurable outcomes—BPMN makes that practical.