DORA is a chance for financial services to make its digital transformation count
Nov 17, 2022

As the financial services sector prepares for 2023, operational and digital resilience are key policy objectives on the international regulatory horizon that organizations must prepare for (see Figure 1). While these priorities were already on the horizon prior to Covid-19, the last two years have made mitigating operational risk and increasing banks’ capacity to withstand disruptions even more critical. As a result, we’re increasingly seeing new frameworks to help achieve these objectives and reduce risk, such as DORA in the European Union (EU), which was adopted last week.

 

The DORA framework focuses on very particular aspects of the financial ecosystem and targets specific outcomes related to the resilience of the financial services sector to information and communications technology (ICT)-related incidents[1]. DORA, and the global policy move toward greater operational resilience in financial services, will ultimately benefit customers by making service dependability a codified obligation. Like any endeavour designed to deliver transformative change at pace and scale, implementing DORA will require consistent focus and engagement, particularly at the Board and executive levels.

 

Achieving this regulatory outcome will require strong leadership, enterprise-wide clarity, alignment, and disciplined execution in firms.

 

 

D is for Doubling Down on Digital and Data

 

Digital transformation in financial services firms can no longer be a side-act labelled ‘innovation’ while the core of the organization maintains its traditional ways of working.

 

Yet, digital can only really shift the dial on delivering strategic outcomes when leadership embrace the challenge holistically and invest in the long game. This means having the courage to address the many organizational, process, and data ‘hygiene’ issues and enterprise technical debt that have accumulated over the years.

 

The scope and structure of DORA, the intended outcomes and the associated supervisory mechanisms mean that every part of the organization relies on technology to deliver business-critical value. DORA is not only an IT or a cybersecurity issue – it cannot sit in isolation in a siloed corner of the risk function. The reality is that DORA needs to be a whole-of-enterprise initiative, mirroring what digital transformation should be.

 

The regulatory push coming from DORA is a chance for firms to get clarity on the digital technology and services – including cloud – that drive the economic engine of their business, re-establish priorities, and create alignment across the entire organization to drive digital operational resiliency in the name of sustained business success.

 

O is for Operations and Orchestration

 

“DORA shifts the axis of responsibility so that the management body and the business take on a more active role in driving the organization towards the target outcome of greater digital resilience.”

 

The task at hand is to understand with absolute clarity what digital operational capabilities matter most by identifying the value delivered to the business, customers, and the wider financial system when things are going well and the impact when the normal course of operations is disrupted.

 

Not many organizations are well endowed when it comes to visual representations of their enterprise architecture, but it is an immensely valuable, foundational investment because suddenly people can see the operational and strategic dependencies they have on each other.

 

While DORA is everybody’s challenge, accountability for the outcome needs to be clear and that means executive leadership bestowing a mandate to an identified team whose remit is to make things happen.

 

R is for Rising to the Resilience Challenge

 

To get ahead as customers demand to access financial services from digital channels, financial institutions are embracing technologies such as automation, hybrid cloud, and AI to drive digitization across internal business units and their ecosystem of external partners.

 

This increased reliance on digital technologies with interconnected dependencies on external service providers to deliver business functions that are directly and indirectly critical to the financial system and important to customers is precisely why DORA is opportune.

 

Done well, digital is where financial services can delight customers. Industry leaders should view DORA not as a regulatory burden but as a key enabler of the resilience and dependability that drives customer satisfaction and loyalty and underpins the sustainability of their future business models.

 


 

A is for Acting…Now!

 

The requirements of DORA are pervasive and encompassing across the entire enterprise. In the face of a challenge of this scale, leadership, mindset, and culture are key to cross-functional collaboration and engagement across organizational divides.

 

Some firms may cede to the temptation of a minimum-viable-compliance approach, but this is arguably a wasted opportunity. Leaning into the spirit and intent of DORA will bring the organization’s strategy, operating model, governance, risk appetite and tolerance, planning, and testing into alignment with both supervisory and customer expectations and the new digital ‘normal’.

 

For this reason, any DORA program needs to be led assertively by senior leaders who set the tone at the top with a compelling vision and a clear steer to managers on where the organization needs to go and why.

 

Looking forward

 

Done right, DORA can help enterprises in the financial services sector become digitally resilient and is a chance for the industry to bring siloed digital initiatives into a cohesive transformational motion that is strategically impactful from a business perspective (see Figure 2). If ever there was an opportunity to drive a sector-wide policy outcome and materialize strategic business benefits at the level of the firms who embrace the spirit of the regulation by infusing their entire organizations with it, this is that opportunity.

 

 

 

Authored by:

Anne Leslie, Cloud Risk & Controls Leader, IBM Europe

 

 

Gabriela Doina, Government and Regulatory Affairs, IBM Europe

 

 

[1] Digital operational resilience refers to the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly, through the use of services of ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality throughout disruptions.

Figure 1 – Broad comparison of Operational Resilience Guidelines (source: https://www.bis.org/fsi/fsibriefs17.pdf)

 

 

 

Figure 2 – DORA is an opportunity to catalyze siloed digital initiatives into a resilient transformational motion

 

 
