DORA: Table Stakes or Strategic Investment?

This article delves into how DORA is not just a regulatory necessity but a potential key for unlocking operational resilience.

Over half of Europe’s banks got hit by cyberattacks last year, spotlighting the urgent need for the Digital Operational Resilience Act (DORA) to fortify organizations against digital disruptions.

By the second half of last year, more than 50% of European banks had fallen victim to at least one successful cyberattack, while 84% of critical service downtime was linked to change and software issues (ECB, IT and cyber risk: key observations, 2023). Whether you are the head of a retail bank, a CFO, CTO, CIO, CISO or a platform engineer within a financial institution, these complex challenges are likely familiar.

Set against the backdrop of an intensifying threat landscape, the Digital Operational Resilience Act (DORA) came into force on 16 January 2023, and will apply as of 17 January 2025. DORA is a European regulation designed to address the need for a robust operational resilience strategy, consolidating key features like governance, ICT risk management, digital resilience testing, incident management and third-party risk management.

While some financial industry players may see DORA simply as a license to operate, others are recognizing the strategic advantages of a comprehensive, structured approach to limit system disruptions. Crucially, the true benefits of DORA can only be unlocked when the right approach to resilience is taken, and key challenges are overcome.

Why many organizations fail with DORA

Operational disruptions, reputational damage, financial losses, and increased exposure to cybersecurity threats are key risks associated with hasty, one-off compliance efforts. For those that take a comprehensive approach, the benefits include enhanced resilience planning, better communication, faster incident response and optimized tech infrastructure.

A variety of challenges must be addressed thoroughly by organizations if they are to successfully adopt DORA, including:

1. Treating DORA as a one-off compliance exercise. By failing to integrate operational resilience into your overall business strategy, you neglect an indispensable strategy and miss out on the benefits that DORA has to offer. Too often we see organizations treating compliance with these regulations as a “must do”, without properly thinking through how the underlying principles of these regulations could contribute to their strategic goals, such as improved customer experience.

2. Unclear roles and responsibilities across departments. If DORA is treated as an IT regulation rather than an enterprise-wide regulation, communication between departments will be inadequate. Non-IT board members need to be aware of what is at stake in order to set the right tone from the top, especially with technology at the heart of banking operations today. While we have observed an increase in IT expertise at board level, current representation is still not sufficient to drive organization-wide alignment. This was also recognized in the ECB’s 2020 SREP results, which indicated a higher success rate of cyberattacks and more system downtime where fewer than two board members have appropriate IT expertise.

3. Difficulty integrating DORA requirements into existing systems. Tightly interwoven legacy systems often require extensive and costly change to accommodate DORA requirements. Accelerating the modernization of legacy environments will be key. We see many organizations, and especially banks, still reluctant to modernize because of the risks and costs involved. This remains the case in spite of the potential to achieve a more flexible, modular and resilient architecture. Players can achieve this by spreading risk across different systems and components, as opposed to relying on single monolithic systems.

4. Inappropriate scoping of entities and critical business functions. A weak understanding of regulatory requirements, combined with poor collaboration among the different entities involved, is a major stumbling block and may eventually expose you to risks you are not aware of. For example, a leading European insurance player initially did not include smaller subsidiaries in the scope of its risk management and resilience efforts. This was done to limit the effort required of the largest group entities, without realizing that it could jeopardize overall security.

To tackle challenges like these holistically, a dedicated approach is needed that views digital operational resilience as more than just compliance. Resilience is also about building competitive advantage that can withstand the challenges of tomorrow’s financial services landscape, and should incorporate financial and organizational resilience matters as well.

Unlocking business value through foundational capabilities

At a minimum, robust digital resilience capabilities must be implemented in the following areas to achieve enhanced business value:

A. Governance & Organization: Business and IT functions need to collaborate, be educated, and ensure proper strategy setting.

B. Risk & Control: Existing risk and control functions need to be strengthened, especially with regard to determining critical business functions and setting tolerances.

C. Technology: Resilience should be woven into IT systems, data, and infrastructure.

All financial organizations need to develop these foundational capabilities internally while working towards integrating industry best practices. Doing so will help identify commonalities across different regulations, enabling you to leverage the right best practices and become an operational resilience leader.

The exhibit below represents an overview of digital resilience capabilities that are well aligned with the DORA requirements. This example features a detailed list of capabilities that can be used to self-assess your organization’s level of digital operational resilience.

To support the building of these foundational capabilities, there are key levers to consider in each critical area. When it comes to technology, two key levers are considered critical for success to further embed resilience within your organization:

The first lever is the implementation of Site Reliability Engineering (SRE), which elevates both system resilience and performance while embedding key principles that surpass basic compliance. This is particularly relevant when embedding IT resilience at the core of your organization, making it an indispensable part of your wider IT strategy. SRE involves a number of key principles that align well with the DORA requirements at a high level, while also equipping you to look beyond mere compliance.

When working with clients, we have seen this lever significantly boost resilience, efficiency, and the speed of digitization efforts.

A second key technology lever that we see our clients use frequently is the decoupling of data layers from existing legacy systems. This enables them to significantly enhance their monitoring and reporting capabilities and to become better equipped to identify where resilience challenges occur. This lever is also beneficial for reporting on resilience levels to senior management and regulatory bodies.

Decoupling is especially beneficial when it comes to the integration of new regulatory requirements, as you are able to apply them on a more modular, flexible architecture. BCG’s own methodology on decoupling data from core platforms has helped our clients to accelerate lead-times, generate savings and become more agile.

The accelerated pace unlocked by these levers empowers teams to deploy resilience capabilities more effectively, while freeing up capacity to develop differentiating engineering capabilities in-house. As a result, time to value and overall competitiveness are significantly enhanced.

The verdict

So, table stakes or a strategic investment? While DORA is necessary for regulatory compliance, operational resilience can only truly be unlocked by taking the right approach to implementation. As financial services players navigate today’s dynamic environment and complex threat landscape, achieving robust operational resilience will undoubtedly be a competitive differentiator.

Want to find out more about the levers highlighted in this article? Please reach out to our team below!
