At a glance:
- 2023 is a crucial time for firms in scope of the EU’s Digital Operational Resilience Act (DORA) as implementation work will need to get underway in earnest.
- UK financial services firms have had a two-year head start in implementing their own operational resilience framework. EU firms should use this experience to their advantage in areas where the UK and EU regimes create similar demands or challenges.
- This blog outlines five key lessons learnt from the UK experience that could be instrumental in informing an initial approach to operational resilience by EU firms implementing the DORA:
  - Finding the right level of granularity for mapping;
  - Leveraging pre-existing structures and capabilities;
  - Embedding resilience in daily operations;
  - Setting clear governance and top management accountability; and
  - Maintaining an ongoing dialogue with regulators and peers.
Relevant to: CROs, COOs, CISOs, Heads of operational resilience, ICT risk teams, third party risk management and outsourcing teams in financial services firms with EU operations.
The implementation of the EU’s DORA is getting underway this year. The Regulation entered into force in January, kicking-off a two-year implementation period that will end on 17 January 2025. During this time, the European Supervisory Authorities (ESAs) will develop a broad set of secondary technical standards that will be crucial for the implementation of the DORA.
The DORA will impact virtually all regulated firms within the financial services sector that operate legal entities in the EU. Many firms in scope, however, have still not established a well-defined implementation strategy for it.
Given that the DORA’s compliance deadline is now less than two years away, many firms face a great deal of work to complete in a short amount of time. The experience of their UK counterparts, who are two years ahead in implementing their own operational resilience framework, can provide some helpful lessons. Drawing on that experience, this blog outlines five key lessons learnt from the work done so far around the UK’s resilience framework.
Part I: Key differences and similarities between the UK operational resilience framework and the EU’s DORA
The UK and the EU’s operational resilience regimes do not overlap completely. Some of their most notable differences include:
- Top-down vs. bottom-up: the DORA adopts a more prescriptive stance, as it consists of a set of legally binding legislative requirements for firms. UK regulators instead created a more principles-based supervisory framework that leaves room for supervisors to use their judgement in assessing a broader set of resilience outcomes.
- Risk focus: the EU primarily focuses on the risks arising from ICT-related disruptions. The UK’s framework adopts a risk-agnostic approach, as it is outcomes-based.
- Additional provisions: the DORA includes additional requirements in some areas, including provisions on regulators’ oversight of critical third parties and on incident/threat classification and reporting for financial services firms. These topics are currently not part of the UK’s operational resilience framework but will be consulted on by the Bank of England, the PRA and the FCA later this year.
Nevertheless, the differences between the EU and UK approaches do not preclude the application of the lessons learnt in the UK to the EU context, especially when considering the similarities between the two regimes:
- Internal visibility: both frameworks expect firms to improve mapping of underlying policies, processes, people, technology, data and suppliers that support their core business services. This represents a key prerequisite for understanding the knock-on impact of disruptions both internally (e.g., operational, financial, etc.) and externally (e.g., customers, markets, etc.).
- Regulatory consistency: both regimes are sufficiently in line with the Basel Committee’s 2021 Principles for Operational Resilience. In fact, there is considerably less international regulatory divergence in operational resilience principles than in many other areas of regulatory activity.
- Mindset shift: in a time of increasing geopolitical and geo-economic dislocation, both approaches introduce a "mindset shift": both imply that firms should assume that disruption is inevitable and work towards building a level of resilience that enables them to recover their most important services in a relatively timely manner.
Part II: Five UK lessons for firms considering DORA’s implementation
- Finding the right level of granularity for mapping.
Under the DORA, EU firms will have to develop a risk management framework that is broadly in line with some of the UK regime’s key obligations. Despite playing different roles within their respective regimes, the requirements to map operations and identify third party dependencies are a key part of both jurisdictions’ approaches to operational resilience.
During the first year of implementation of the UK’s regime, it became apparent to many UK firms that an excess of detail in mapping Important Business Services (IBSs) – the rough equivalent of the DORA’s Critical or Important Functions (CIFs) – did not automatically simplify the process of building resilience. Equally, mapping at an extremely high level failed to detect the vulnerabilities that ultimately need to be remediated by the operational resilience programme.
Maintaining an ongoing engagement with IBS owners was also difficult for many firms, especially when trying to increase the granularity of their mapping activities. Operational resilience teams therefore had to identify extractable and reliable sources of information that could be updated on a regular basis.
At a higher level, firms that mapped IBSs well understood that the purpose was resilience rather than risk management alone, and structured the exercise to gain a deeper understanding of how their normal operations work, including vulnerabilities (e.g. major points of failure) in how these are architected. Firms had to pay special attention to mapping their dependencies on third party and intra-group suppliers, and to understanding how their legal entity structure, and the dependencies it gives rise to, affect their service delivery.
This exercise became key in understanding how the firm could reorganise itself in case of disruption and in setting realistic Impact Tolerances (a concept close to the DORA’s Risk Tolerance Levels). Good quality mapping also became crucial in informing related investment spend and target operational model design in order to address vulnerabilities and build enough resilience to stay within the firm’s Impact Tolerances.
- Leveraging pre-existing structures and capabilities.
UK operational resilience obligations frequently pushed firms to update existing processes and controls (e.g., business continuity, operational risk, IT disaster recovery and financial resilience) to enhance overall resilience. This challenged firms to go beyond a ‘siloed’ approach to compliance. Relevant teams had to cooperate with each other, align their processes and procedures and set up new communication channels.
For instance, it became necessary for different teams – such as change and incident response teams – to adopt the same lexicon of operational resilience terminology. A key part of this process often was the creation of ‘champion structures’, achieved by linking together operational resilience SMEs who could work as a point of reference for the rest of the firm.
The DORA will likely require the development of new structures and capabilities as well, including through the expansion and potential re-arrangement of existing ones. For instance, firms will have to re-organise their ICT risk management, cyber risk management, business continuity and third party risk management (TPRM) functions in order to support the development of a new cross-functional operational resilience capacity. Firms therefore need to make the most of their existing resources, teams and skills.
Many firms that have already invested in their cybersecurity or TPRM functions might already possess the capabilities necessary to comply with several of the DORA’s requirements (e.g., carrying out advanced testing, negotiating third party contracts). They should, nevertheless, foresee that the developing expectations of supervisors for the implementation of the DORA are likely to put additional pressure on them to show how they have enhanced their operational resilience in practice, rather than only showing that they have complied with the letter of the requirements.
In order to fully leverage their capabilities, firms will have to find synergies between existing and developing workstreams, including business and regulatory-driven change, to support outcomes relevant to the DORA.
- Embedding operational resilience in daily operations.
The UK experience has made clear that operational resilience is not intended to be a ‘box-ticking’ exercise. With an increasingly complex technological, geopolitical and economic operating environment for financial services firms, operational resilience is how regulators are pushing them towards embedding preventative and recovery practices as critical ongoing functions.
For the DORA, this means that resilience should become a driving consideration starting at the design phase of a firm’s ICT structure and grow into an ongoing commitment throughout implementation. Embedding resilience should therefore influence discussions on investments, organisational re-structuring, as well as decisions around M&A and the design of new operating models. In other words, operational resilience concerns should be given sufficient weight when considering any major ICT or business change programme.
This will require gaining an in-depth understanding of the operating model, intra-group dependencies, third party providers and how the firm delivers its most important services to customers and other external stakeholders. On this basis, firms should then evaluate how to deliver ongoing resilience in a way that is proportionate to their Impact Tolerances.
- Setting clear governance and top management accountability.
Implementing effective operational resilience will require taking strategic risk-related decisions. While it is unrealistic to expect boards and senior management to be fully aware of all technical details, the DORA still places the ultimate accountability for ensuring resilience on them.
Top management involvement is fundamental in order to lend authority and organisation-wide understanding to key strategic decisions (e.g., setting tolerances for operational impact). Boards and senior management will have to leverage their strategic perspective to adopt a broader view when reviewing and challenging the appropriateness of mapping, scenarios, testing and the overall operational resilience strategy being set.
Implementation teams will need to apply a different lens to their ICT risk management and reporting work to ensure that it stands up to executive and board-level scrutiny. In the UK, this differentiation of roles was made simpler by the pre-existing Senior Managers and Certification Regime, resulting in the allocation of accountability for operational resilience responsibilities to the SMF24 role.
In the EU, the DORA has left the door open for national regulators to fine or sanction members of the management body for breach of the Regulation. Supervisors may therefore choose to apply a level of scrutiny similar to the UK’s around compliance with the DORA to specific office holders such as COOs, CIOs or CISOs. Top management should remain conscious of this throughout the implementation period, especially when engagement with implementation teams is required on an ongoing basis.
- Maintaining an ongoing dialogue with regulators and peers.
A more comprehensive approach to operational resilience will be a learning curve for the whole financial services sector. In the UK, regulators and firms had to develop a deeper understanding of how resilience can be delivered in practice. It was clear that operational resilience couldn’t be forced into a ‘one-size-fits-all’ framework but came with unique challenges for each firm. In the UK experience, this has often meant that some firms have received less ongoing regulatory feedback and guidance than they initially expected.
For this reason, EU firms should not immediately expect regulators to have a completely clear view of what ‘good’ practices for the DORA look like. Rather, firms should act early to develop and maintain an ongoing dialogue with them to reach a consensus on what good looks like through the lifecycle of the DORA’s implementation and embedding. For instance, the ESAs are already planning to consult with the sector to inform their development of the DORA’s Level 2 technical standards. Starting the design phase now will help firms to provide relevant and practical feedback to the consultations.
Industry-wide initiatives may also play an instrumental role in suggesting potential approaches to compliance that suit firms well. This is especially valid for relatively new areas, such as the DORA’s introduction of a pooled testing option for third parties that support CIFs. Working closely with industry peers, through trade organisations and in other fora, will be an important part of developing a sector-wide approach to shared implementation challenges.
Firms in scope would benefit from reflecting on their UK counterparts’ experience with operational resilience rules so far. This will enable them to optimise their implementation strategies and facilitate their journey towards the DORA’s January 2025 implementation deadline. Embracing lessons from international peers may also play an important role in fostering more alignment between the practices of firms in key jurisdictions, which should not only support operational efficiency in the financial services sector, but also its security and resilience in times of crisis.
In the first instance, firms should undertake a detailed gap analysis, capturing both the new requirements arising from the DORA and the operational resilience requirements coming in from the branches and legal entities across a firm’s international footprint. As new technical standards are published, an iterative and flexible approach to design and implementation will be required to successfully meet the January 2025 deadline.