Thoughts on consolidating CBI Outsourcing, Operational Resilience and DORA delivery

The European Union (EU) is implementing the Digital Operational Resilience Act (DORA) as part of its drive to reduce vulnerabilities and strengthen the resilience of financial services firms. DORA is primarily designed to consolidate and upgrade IT risk requirements whilst aligning with the concepts of operational resilience.

DORA addresses areas of cyber, resilience testing, third-party outsourcing, incident reporting and ICT risk management. DORA also introduces an oversight framework to aid financial services firms in their oversight and assurance of critical third parties, which includes Cloud Service Providers (CSPs).

With DORA now approved by the European Council, it is expected to enter into force in early 2023, giving firms a two-year window to implement the requirements.

Given the relatively long implementation window, firms might prioritise implementing the CBI guidance for Operational Resilience and Outsourcing, with both regulations live in December 2023.

However, given the interlinkage between DORA, Outsourcing and Operational Resilience guidance, firms should consider consolidating their programmes.

We outline three areas where implementation in a silo would represent a missed opportunity.

1. Strategy

All three regulations place a significant onus on Board oversight and engagement.

DORA asks for "full and ultimate accountability" for the management of ICT risks, whilst the CBI expects "that the boards and senior management of regulated firms take appropriate action to ensure that their outsourcing frameworks are well designed", and that firms "emphasise board and senior management responsibilities when considering operational resilience as part of their risk management and investment decisions".

The Board’s first responsibility should be to set a unified resilience strategy. The strategic aims and priorities of each programme need to be joined up and overseen by an aligned Board and Senior Management stakeholder group. This group should set the tone for a holistic resilience state and drive the creation of a 2 to 3-year combined roadmap and strategy, incorporating Operational Resilience, Outsourcing and DORA.

Secondly, an important element of both Operational Resilience and DORA is to establish a strategy which documents a target level of resilience to support risk management and resilience decision making. The key strategic decisions should be taken collectively to determine and document that target state, including when and how it will be measured. The strategy should also set out how much investment is required to achieve the strategic objectives.

If firms can incorporate Operational Resilience, DORA and Outsourcing in a unified resilience strategy, and approach to governance and Board oversight, then we feel that regulators will view this positively.

2. Important Business Services and Critical or Important Functions

DORA requires firms to identify Critical or Important Functions (CIFs) to place a functional lens on developing resilience. CBI guidance on Operational Resilience requires the identification of Critical or Important Business Services, placing a service lens on developing resilience.

The identification of Critical or Important Functions is a way that financial services firms are choosing to mature resilience, a second iteration of Important Business Services if you like. This maturity strategy links each function to its role in delivering end-to-end business services and supporting critical resources. These CIFs are then treated in the same way as Important Business Services to ensure firm-wide resilience. By tackling DORA and Operational Resilience in combination, firms may quickly be able to reach this more mature state of resilience.

3. Third-Party Oversight

DORA's Critical Third Party (CTP) oversight framework gives European regulators greater authority to oversee and address resilience in Critical Third Parties. However, firms should be aware that there is now an even greater emphasis on each firm executing its own third-party oversight responsibilities, and in fact, under DORA those responsibilities grow in scope if third parties underpin the delivery of any CIFs.

This interplays nicely with the CBI Outsourcing guidance, which requires firms to identify, segment and oversee third-party suppliers according to materiality or criticality. By approaching both projects in tandem, firms may gain greater control over supplier oversight.

Mapping both operational and technology third parties and identifying vulnerabilities in the supply chain is key to informing resilience management. DORA requires firms to consider concentration risk via regular assessments. By using robust mapping and vulnerability assessments, potentially supported by a tool, firms should have a much clearer picture of risks across their supply chain, both third-party and fourth-party.

December 16, 2022
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.