This blog is adapted from an article written by Apromore Senior Advisor Nigel Adams for Startups Magazine about DORA and how to transform compliance management from a reactive to a proactive function. The Digital Operational Resilience Act, commonly known as DORA, is scheduled to come into force on 17 January 2025. It aims to both harmonize EU Information and Communication Technology (ICT) regulation across EU member states and, more importantly, address a critical gap in how financial institutions manage ICT operational resiliency risks. DORA introduces clear rules and stringent guidelines for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks, as well as encouraging regulated entities to share intelligence on cyber threats.
DORA’s scope is broad and its requirements complex. The task of implementing DORA is made more challenging given the legacy IT systems still in place, the inclusion of critical third parties in its scope, evolving ICT threats such as cybercrime and, last but not least, resource constraints. It’s easy to understand why licensees may see it as a real bugbear.
Where’s the Focus?
While the legislation is intended to bolster the resilience of the financial system and continuity of service in the event of an incident, the focus is not just on ensuring customers can continue to open accounts, make and receive payments, make insurance claims, apply for credit etc., it also emphasizes how important ICT’s support processes are.
For example, under DORA there is an expectation that if an outage occurs there is a plan to not only manage the incident as it unfolds but also that operations continue uninterrupted. Furthermore, it is not enough to have a plan, the plan must be tested, monitored and updated regularly under a range of scenarios and the plan must include critical third-party dependencies, an ability to get to root cause quickly, provide detailed incident reporting, remediate the cause(s) such that the incident never happens again, and lessons learned from the incident are carried forward into future plans.
Navigating the Complexity
Financial services ecosystems are complex and core processes, such as issuing an insurance policy or approving credit, are fragmented. If, for example, your organization has had a recent history of payment outages affecting corporate clients, this may have led the various cross-functional payment teams to build a world-class, incident management approach for corporate payment clients. But to what extent has this process been replicated across the enterprise? A series of KYC incidents may have led to a data consolidation and cleansing exercise for home insurance customers, which will make continuity of service for migrating these customers to a new platform easier, but what about car insurance customers? An outage at a third-party may have impacted government clients, but why didn’t it impact other corporate clients?
The key here is that, given the underlying core process fragmentation, the ICT support processes, at the heart of implementing DORA effectively, are unlikely to be standardized across the enterprise. Fortunately, the regulatory technical standards that will be introduced with DORA are intended to be relatively prescriptive, i.e., specifying what needs to happen when, what information is required to be shared, who is accountable and what their obligations are. This should make interpreting the DORA requirements, i.e., the “What”, easier than principle-based regulatory requirements. It’s then just a question of configuring the processes to satisfy these requirements, i.e., the “How”.
Pulling It All Together
Implementing a solution like Apromore Compliance Center connects the pieces - the “What”, the “How”, the crucial step of monitoring for incidents and violations, and many of the incident management tasks, all in a single platform. Of course, the Compliance Center will provide detailed documentary evidence essential for real-time tracking, root-causing and reporting of ICT incidents that impact core processes. But it will also provide analysis, re-design and continuous monitoring of the support processes that are critical to ensuring that your organization stays within both the letter and spirit of DORA.
How does it work? The technical regulatory standards specify the compliance requirements, which can be imported easily into the Compliance Center along with their associated controls. A template-based approach helps translate the controls into standardized compliance rules, which are then mapped to the relevant support process, e.g., incident management, BCP testing. The event data from the support processes can be uploaded in real time and operational risk incidents are identified and alerted to accountable owners immediately. The solution captures the relevant incident data and simplifies root cause analysis, all of which can be exported/connected back to the enterprise’s risk management system to satisfy reporting obligations.
And, as a process intelligence platform, Apromore will highlight the inherent variation in the support processes driven by the complexity of the ecosystem. It will highlight opportunities for improving the incident management process like removing loops and bottlenecks and allow users from across the enterprise to analyze what-if scenarios for business continuity and disaster recovery planning. It can even predict potential future incidents.
It is tempting to view compliance as a bureaucratic bugbear, but seen through the right lens, it can be a real opportunity.
Contact us today for a demo of Apromore Compliance Center.
Nigel Adams