Financial Services Technology Panel picks its next big issue for the sector and hosts a roundtable with ISITC on the “Digital Operational Resilience Act” (aka DORA) and its UK equivalent – 16 November 2021

The European Commission’s draft Digital Operational Resilience Act (DORA) was published on the 24th of September. Just before lockdown, the UK’s regulators, the FCA and PRA, published Consultation PS21/3 proposing measures to improve the resilience of the UK’s financial sector. The five pillars of DORA are ICT Risks, ICT Incident Risk Reporting, Digital Operational Resilience Testing, 3rd Party Risk Management, and Information & Intelligence Sharing. Each presents challenges that the Financial Services sector will have to tackle to minimise the impact of failures and embed learning from failures to prevent outages. Similar yet slightly different to DORA, the UK’s authorities aim to bolster operational resilience and the ability of firms and the financial sector more generally to prevent, adapt, respond to, recover, and learn from operational disruptions, so delivering much of what DORA is seeking to achieve.

Our Round Table, guided by our expert panel, concluded that DORA is likely to be different, bringing the technology vendors into the tent with an increased focus on risk specificity versus flexibility and the ability to match risk appetite with impact tolerance in practice.

Firms need to demonstrate actions by 31 March 2022, followed by a 3-year transitional period. Each industry must find its level and benchmark and ask what it means. And there will be some sort of enforcement.

The oversight framework critical to the ICT third-party services providers must demonstrate its ability to ensure the provision of financial services in case of a large-scale operational failure. Experts were clear –the ultimate responsibility lies with the business ownership of the firms. It cannot be handed on to 3rd party providers, meaning that financial services institutions must test every possible scenario to be agnostic and need to plan extensively. The conclusion – DORA requirements will result in businesses becoming less profitable. The role of 3rd party providers is critical; compliance to the regulatory frameworks will be a wake-up call in the industry.

Keeping DORA simple in navigating the regulations will be a success, though the industry is not precise is what it means to be “good at operational resilience”.