Prepare for DORA: Ensure digital resilience for EU financial services compliance.

Mark Young of MorganFranklin Consulting outlines the imperative for US companies to comply with DORA regulations. Learn the key steps and strategies for operational resilience.

As we approach the final quarter of 2023, the regulatory landscape for global organizations is growing increasingly complex, especially the outlook for 2024 and beyond.

The European Union’s recent approval of the Digital Operational Resilience Act (DORA) has significant implications for U.S. companies providing financial services within the EU or catering to EU customers. Compliance is required before January 17th, 2025, but forward-thinking companies have already taken proactive steps to meet the impending deadline.

While having over a year to prepare may seem like ample time, many requirements have proven to be multiple year-long projects to implement for some firms, and it may take longer to demonstrate confidence in a planning and recovery program. If a firm is not already compliant with essential operational resilience regulatory guidance in the U.S., it may already be behind. For instance, if the organization still needs to select, define, and map its critical business services, it may not be able to include end-to-end testing of those services in its 2024 testing calendar, which is required to show DORA compliance.

The new DORA requirements aim to promote digitization, growth, and innovation within the financial sector while introducing oversight over the technical aspects that underpin this growth. The objective of incorporating technical requirements into operational resilience is to maintain open markets and swiftly and systematically restore them to normal operation in the event of market disruption.

The EU has established a system of governance for operational resilience based on the UK’s Prudential Regulatory Authority framework for Operational Resilience. This framework and other requirements from the Bank of England were developed after a report was released from the Basel Committee on Banking Supervision in 2021. This report stated that banks must strengthen their ability to absorb operational risk-related events such as pandemics, cyber incidents, technology failures, and natural disasters.

The COVID-19 pandemic made us consider how disruptions in the financial markets could quickly and easily become catastrophic. This type of added regulatory scrutiny, along with the rapid expansion of natural disasters and cyber threats, is increasing the priority to drive resilience capabilities into core operations and create a culture of resilience in management teams.

What Must You Do to Prepare to Implement DORA?

Achieving Digital Operational Resilience, as defined in DORA, requires basic operational resilience capabilities to be in place and tested. A summary of basic operational resilience requirements include:

1. Identify and map your most critical business services 

Critical business services are the most essential end-to-end transactions your company performs. This list should only include the highest-priority services. It’s helpful to consider only those services that could cause irreparable harm to consumers, your firm, or the financial market you operate. This typically includes 10-12 critical services, such as “wire transfers” or “bank funding.”

Each critical service can be mapped as a compelling and easily recognizable, single-page visual representation of the service with major inputs, core systems, and outputs defined. You will want to include a data sheet to accompany each map that records the technical details of people, processes, technology, and data associated with each end-to-end transaction. This helps your risk, audit, and disaster recovery technical teams adopt critical business services. It also provides specificity, supporting actual recovery processes and increasing confidence in your recovery program.

2. Set impact tolerances

Impact tolerances should be set to identify and define the maximum tolerable disruption for selected critical business services. Most U.S. businesses conduct a business impact analysis (BIA) annually to estimate impact over time and establish recovery priorities. Unfortunately, most BIAs are conducted at a single process level or, in some cases, at an application level. The requirement is to estimate the impact of disrupting a full end-to-end business service to be operationally resilient. To estimate impacts within the operational resilience framework, you must establish tolerances for those impacts, which define the degree and duration of the impact, and document when the impact is intolerable for your firm.

3. Conduct exercise and testing, with lessons learned

Using tabletop exercises, wargaming, and technical testing, you must demonstrate your critical business services are tested and meet stated recovery objectives. This should include documented lessons learned with actionable follow-ups to address open issues.

See More: PCI DSS 4.0: Navigating New Compliance Requirements

How Do You Implement DORA Requirements?

As aforementioned, DORA adds information and communications technology oversight to basic operational resilience requirements. To provide evidence of the inclusion of digital assets in your operational resilience framework, you should assess existing policies and procedures for DORA requirements. This must also include reviewing critical business services with third-party dependencies. If you are a third-party provider, you must also determine if the services you provide depend on one of your client’s critical business services. This information will focus your assessment and help you prioritize your work.

If you don’t already have a dedicated management and resource pool to allocate to this work, or if your team lacks expertise or availability, you can consider contacting vendors who can supplement your existing capabilities. Once resources are established, and the team understands operational resilience and DORA, you are ready to begin DORA implementation.

1. Assessing policy, procedures, and controls against DORA requirements

To begin this work, develop criteria for digital and operational resilience that you will use to compare against current capabilities. Have your team speak with executive leadership and business management and perform the documentation reviews. You may find the process provides significant benefits if you are inclusive in your effort. Having broader organizational awareness of basic requirements and required outcomes supports enterprise-wide adoption and changing your culture to be more resilient instead of just implementing the next regulatory directive.

Including all three lines of defense – business, risk, and compliance – will also help you ensure alignment between your operational resilience capabilities, risk, and audit functions.

2. Assessing third-party contracts to ensure alignment with risk and resilience impact data 

The use of third-party service providers or third-party services has been overlooked while planning and testing for recovery. Third-party services must now be included in resilience planning based on regulatory direction and industry best practices. The development of third-party relationships can be costly, and including third-party providers in resilience planning and testing can be tedious at best. You should take a proportional and risk-aligned approach to determine the required level of inclusion. Is a third party a critical dependency for one of your critical business services? Do you provide third-party services that impact a critical business service for the contracted firm? The greater their impact, the greater their requirement to align with your digital operational resilience program.

Standard contractual clauses should be developed that address varying levels of legal commitment and support regarding service levels, planned recovery times, collaborative testing, and information sharing. Existing contracts should be reviewed based on the impact third-party providers have on critical business services. Once third-party provider contracts are assessed, contracts must be modified, and procedures implemented, to ensure DORA compliance. Your policy, procedure, and test objectives should also align with this third-party risk alignment process.

Demonstrating Digital Operational Resilience

You will be assessed on your ability to define what level of support you provide for digital operational resilience and how well you can defend that level of support. Your proof, or evidence of adoption for DORA, will largely be a product of the documentation you provide. At the highest level, you will demonstrate that programmatic elements are in place through policy. You will also demonstrate that overall operational and digital resilience capabilities are adequate based on exercise, testing, and reporting. Additionally, you will demonstrate that you have actually adopted DORA, by showing consistent application of critical services, impact tolerances, and end-to-end testing, across resilience, technical recovery, risk and audit functions in your organization.

Read the full article here: