
Preparing for the New Digital Operational Resilience Rules

This article was first published by Oliver Wyman here.

 

Rapid digitization of the European financial services sector in the last two decades has put technology at the center of all financial activities, exposing institutions to a broad set of new and emerging risks. In response, institutions have built out controls aimed at mitigating these risks and have developed back-up protocols to “keep the lights on” in the event that critical digital infrastructure fails.

But maintaining robust defenses against information and communications technology (ICT) risks has not come naturally to many financial institutions. Efforts to establish operational resilience often have been haphazard and poorly coordinated, resulting in deficient control environments or poor backup plans for critical activities. Making matters worse, board members and senior managers are often unaware that the institution is running unacceptably high levels of ICT risk because management information is poor or non-existent. A series of high-profile outages and business disruptions at European banks over the last few years has underscored the threat that the lack of operational resilience poses for the industry.

In response, the European Council has turned its attention to instilling more robust operational resilience across the financial services sector, while consolidating and harmonizing existing national regulation.

The Digital Operational Resilience Act (DORA) sets out a detailed and comprehensive framework for the management of ICT risks for European financial institutions. DORA consists of five pillars that lay out requirements and expectations for different aspects of operational resilience: ICT risk management and governance, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk, and information sharing.

While DORA is still an evolving standard, the direction of travel from the regulator is clear and requires a fundamental mindset shift across institutions.

Complying with DORA will not be easy — it requires a purposeful and deliberate business-led technology strategy, and an integrated risk management approach aligned to critical business services.

The size of the prize from better operational resilience is potentially enormous: reduced financial losses from operational incidents, faster and more trouble-free implementation of new systems, maintenance of good customer service levels, increased brand value, lower risk management costs, as well as lower regulatory risk. Building digital operational resilience is not optional and no longer a topic that is confined to specialists in IT and risk; it needs widespread engagement from across the organization, including from individual business lines, senior management, and boards.