In today’s regulatory landscape, navigating various regulations related to risk management can be a daunting challenge for financial institutions. However, the Digital Operational Resilience Act (DORA) offers a unique perspective. DORA not only aligns with existing best practices and regulations but also presents opportunities for financial organizations to elevate their operational resilience.

In this article, we will explore how DORA intersects with other resilience-related regulations, specifically focusing on operational resilience and continuity requirements, shedding light on the need for coordination with existing continuity and resilience efforts.


Empowering Business Continuity Policy

DORA introduces a crucial requirement for organizations to establish a comprehensive ICT business continuity policy. This policy extends beyond mere compliance and is designed to enable organizations to build upon their existing best practices.

In doing so, DORA underscores the importance of business continuity and IT disaster recovery, particularly in response to cyberattacks. As a result, practitioners must adapt their technology loss scenarios to incorporate the potential impacts of cyberattacks, thus preparing for cyber events in a more holistic manner. This approach ensures that your organization remains resilient in the face of emerging threats.


Managing Third-Party Risks Effectively

A distinctive aspect of DORA is its detailed guidance on managing relationships with ICT providers. Prior to engaging with an ICT third-party, organizations must take specific steps. These steps involve assessing whether the provider will support critical or important functions and evaluating potential concentration risks. This presents an opportunity for collaboration with continuity and resilience teams. By leveraging the results of business impact analyses and end-to-end mapping, you can determine the criticality of third-party relationships.

Moreover, DORA places pressure on ICT providers to maintain a consistent level of security for financial institutions. These requirements empower risk practitioners to effectively identify and manage third-party or concentration risks, ensuring a more robust risk management approach.


Strategizing Technology Recovery

Article 11 of DORA delves into the specifics of technology recovery. Financial entities and their ICT providers are required to maintain at least one secondary processing site. This secondary site should not be merely a backup; it should be strategically positioned to ensure the continuity of critical services in line with recovery time objectives (RTO) and recovery point objectives (RPO). Furthermore, it must be accessible to staff. DORA’s focus on these aspects ensures that organizations are well-prepared for any disruptions, whether they stem from technology risks or unforeseen events.


Testing and Strengthening Resilience

DORA provides a comprehensive list of recommended testing types applicable to ICT, including vulnerability assessments, open-source analyses, and penetration testing, among others. What’s noteworthy is that many of these testing methodologies can also be applied to operational resilience requirements. These tests serve as a critical tool in substantiating an organization’s ability to remain within stated impact tolerances. By incorporating these tests into resilience stress testing plans, you can strengthen your organization’s overall resilience.


Mastering Crisis Management and Communications

DORA’s provisions around crisis management and communications planning align closely with best practices recommended by regulatory bodies. DORA mandates that organizations maintain the capability to perform crisis communications in the face of significant disruptions. These plans encompass both technical and non-technical staff and require the identification of public spokespersons. Additionally, Article 10 of DORA stipulates that entities must have a dedicated crisis management function, ensuring that there is a structured command-and-control framework during disruptions that extends beyond technical expertise.


Leveraging Lessons for Improvement

Last but not least, DORA emphasizes the importance of knowledge sharing. Results and lessons learned from ICT tests, disruptions, and cyber events are to be made available to counterparts and regulators. This feedback loop extends beyond compliance, offering an invaluable opportunity to enhance your overall risk management framework. It enables practitioners to identify plausible scenarios, evaluate worst-case situations (to establish impact tolerances), and align with RTO/RPO requirements. Leveraging these insights, continuity and resilience practitioners can create a more holistic approach to risk management.


CONCLUSION

While DORA may initially appear to be just another cyber regulation, it offers a unique and multifaceted perspective that benefits business continuity and resilience practitioners. This perspective is especially valuable for organizations that have historically struggled with siloed approaches to technology risk. DORA compels organizations to reevaluate technology risk by leveraging and integrating other risk disciplines, including business continuity, operational resilience, and third-party risk management. By adopting a comprehensive and holistic approach to risk management, organizations can significantly enhance their overall resilience, fortifying both their internal operations and the broader financial sector.


Gilles CHEVILLON