Digital Operational Resilience Act (DORA) – From Theory to Practice

The EU has set December 2024 as a critical milestone for organisations to establish the principles and practices to enhance ICT resilience across the financial sector.

The regulation sets out six critical components for managing ICT risk:

Source: The European Parliament and of The Council

This framework represents the expected standard that each financial institution must meet before 2025 in order to manage its ICT risk and comply with the regulatory mandate. Looking more closely at the detail, some of these requirements are already part of current ICT security practice. So, what is new, and what exactly is the regulator asking for?

Historically, organisations have already done some of this work; however, many firms kept it disconnected from the overarching risk strategy. That disconnect is the main challenge regulators are addressing: the practical link between business, operations and control functions.

Establishing a proactive approach to managing risk is the essence of the standard: moving from static, siloed practices to a dynamic approach that allows the key stakeholders who manage critical business functions to make better-informed decisions.

Considering the high reliance on third-party IT suppliers, financial institutions are more vulnerable and have increased exposure to operational events and the knock-on effects that can impact the supply chain. This concentration risk forces organisations to establish closer relationships with Critical Third-Party Suppliers (CTPs), in order to better understand the dependencies and potential vulnerabilities.

So, how do you enhance the firm’s resilience?

There are some practical steps we suggest senior management follow:

  1. Connecting the existing ICT resilience and security practices with critical services:
    • Understand the IT architecture that supports critical processes across the organisation, and identify how the technology is managed and coordinated with key stakeholders.
  2. Understanding your risks:
    • To test your resilience, it is necessary to identify the existing risk profile of the services and technology and link these elements to your Risk Appetite Statement.
  3. Active Supply Management:
    • Your critical suppliers must become your partners on this journey. As part of the supplier lifecycle, it is necessary to evaluate all the ICT control points the firm takes into consideration when selecting a supplier. For critical services, it is highly recommended to perform an enhanced due diligence process, moving away from obsolete checklists to a risk-based approach. Your business security depends on how secure your suppliers are.
  4. Testing, Testing and more Testing:
    • Practice is vital. Perform periodic testing exercises and evaluate how teams respond to different disruptions. Use this data to calibrate and control future responses. Invite your critical suppliers to be part of these testing exercises.
  5. Governance & Reporting:
    • Continuous oversight and monitoring will provide the information needed to make strategic business decisions. The goal of establishing a business resilience programme is to protect the business assets and minimise any potential impact on the market.

Resilience is not just a word; it is the sum of many actions. The question is not ‘if’ the organisation will suffer an operational disruption, but ‘when’. Operational disruption will happen, and the organisation must be ready to identify, prepare for, respond to, adapt to, recover from and learn from those disruptions.

How TORI can Help

Operational Resilience is the next significant regulatory pillar. Ultimately, Operational Resilience is a Board responsibility that needs to be driven top-down. These regulatory commitments dovetail with other business commitments, including Technology and Supply Chain risk.

We can help you with:

  1. Maturity Assessment & Programme Assurance
  2. Developing a robust Operational Resilience Strategy: resilience by design
  3. Subject Matter Expertise for Roadmap definition and Programme Execution / Delivery
  4. Developing a Target Operating Model: What does good look like?
  5. Third-Party Risk Management & Outsourcing: expanding your resilience programme beyond your office doors.