Initiating Your DORA Programme: Enhancing Digital Resilience for EU Firms

Alongside its wider policy documents on operational resilience, the European Commission (EC) published DORA (the Digital Operational Resilience Act) and the accompanying publication "Digital Operational Resilience: a challenge for the supervisory community" on September 7, 2022.

Giving in-scope firms an implementation period running to 17 January 2025, the EC set out requirements across a number of areas, including:

  • Reporting of ICT-related incidents
  • Requirements for the contractual arrangements concluded between ICT third-party service providers and financial entities
  • Information and intelligence sharing in relation to cyber threats and vulnerabilities
  • Digital operational resilience testing
  • Rules on cooperation among competent authorities
  • Rules on supervision and enforcement by competent authorities in relation to all matters covered by DORA

Planning the DORA programme

Mobilising a large-scale, regulatory-driven delivery programme presents several challenges that require careful consideration and planning. These challenges typically revolve around co-ordination, compliance, stakeholder management and resource allocation.

Scoping  

The first step is to confirm the DORA programme scope by creating a requirements traceability matrix (RTM), which demands a comprehensive understanding of the rules. The DORA RTM articulates each DORA requirement and maps it to the programme deliverables (frameworks, processes or solutions) that need to be created, designed and implemented. The RTM then acts as the programme's 'check and balance', providing evidence that programme outputs meet the regulatory standard, including the regulatory technical standards that supplement the Regulation. A potential workstream structure will become identifiable once the RTM has been created.

Stakeholder impact  

Where should the DORA programme sit? 

Whilst some programmes sit comfortably within a silo, achieving digital resilience requires co-ordination across many capabilities, frameworks, processes, teams, resources and business model components. In our view, a top-down, cross-functional approach is essential. Staging stakeholder impact sessions during programme initiation serves to communicate the requirements, give stakeholders an understanding of what those requirements mean for their function, and engage them for the journey ahead.

A working example from DORA is the requirement to implement an ICT risk management framework. This requires representation from across the first line, working with the second line to identify ICT-related risks through mapping exercises and workshops; the second-line risk team is required to establish the ICT risk methodologies; the senior leadership team is required to support the setting of risk tolerances; and the nominated governing body for ICT risk is required to direct, review and approve the overall framework.

Resource Allocation  

Mobilising a large-scale programme like DORA requires substantial resources, including financial, human and technological assets.

The size and scale of the delivery plan is heavily linked to the existing maturity of the firm's ICT risk management, resilience, standards and protocols. Firms that need to mature to meet the DORA requirements are realising that their delivery plan will require significant logistical co-ordination across workstreams so that sizeable deliverables can be achieved in parallel within the roughly 18 months remaining before the January 2025 application date.

Achieving digital resilience requires a combined effort from a broad range of disciplines, including ICT risk management, ICT governance and controls, technical ICT specialists, business continuity, disaster recovery, supplier management and crisis and incident management, together with overall programme management skills to ensure effective co-ordination, quality management and compliance with programme requirements.

Careful planning should also consider the need for financial and technology resources ahead of time. If the DORA traceability assessment identifies a lack of investment in the ICT tooling needed to meet the required standard (for example, threat detection and automated alerting), that tooling will require budget allocation, procurement lead time and implementation effort within the programme plan.

Planning for on time quality delivery 

DORA has a strict timeline for implementation, and all in-scope entities need to be compliant by 17 January 2025.

Meeting this deadline will be challenging for many firms.

It is advisable to plan realistic timelines for the completion of workstream-led outputs, to factor in potential delays, and to proactively manage DORA programme risks throughout, so that the programme stays on track.

Ensure the programme receives sufficient check and challenge from compliance and internal audit teams at regular intervals, so that there are no surprises at critical late stages. In addition, a strong focus on quality throughout the DORA programme lifecycle will avoid compliance issues and maintain stakeholder trust.

If you would like to discuss any aspect of your digital resilience agenda, please book a time with Kieran Maplesden, who leads our go-to-market for Digital Resilience, or request further information.

Read our Digital Resilience and ICT Insight Deck
July 7, 2023
Kieran Maplesden
Kieran founded FourthLine 13 years ago with a vision to create a highly specialised recruitment consultancy founded on knowledge. Day to day he ensures that his team are well trained, happy and enjoy what they do whilst continually innovating and enhancing the FourthLine offer.