As financial entities evolve to meet the needs of customers in the digital realm, digital operational resilience is becoming increasingly essential for securing business continuity in the financial sector. At the end of 2022, the European Commission will release a legal framework for digital resilience of the financial sector in all EU countries, known as the Digital Operational Resilience Act (DORA). DORA will harmonize the current national legislations of member states and focus on the ability to build and maintain operational integrity. "The best thing companies can do right now is to prepare themselves," says Benny Bogaerts, Head of Digital Risk Management & Assurance at KPMG Advisory.

"Digital operational resilience starts with understanding existing vulnerabilities and mitigating those risks to the best of your abilities," says Benny. "This goes for both existing and foreseeable risks: organizations in the financial sector need to ensure that they can mitigate the impact of future disruptions. And when an incident does occur unexpectedly, they must be able to minimize its impact, protecting their customers and the integrity of the financial system."

Brace yourself for disruption

“Financial markets have recently experienced challenges from various disruptive events, such as technology failures, cyber incidents, natural disasters, and pandemics”, says Benny. “This is partly due to companies advancing into the digital era at a fast pace, exposing themselves to the associated risks without the appropriate mitigation measures in place.”

“The first step in becoming operationally resilient is accepting that these types of disruptive events will occur. Although they won’t be 100% predictable – or even preventable – companies need to make sure they are managed effectively. So, preparation is key to be able to withstand disruptions that will inevitably occur.”

Harmonized legal framework

“The concept of DORA was launched by the European Commission to improve overall operational resilience in the financial sector. The legislation is expected to come into force by the end of 2022”, says Benny. “DORA will harmonize existing legislation and supplement current gaps. Thanks to this unified digital framework, companies have the tools and means to withstand all types of IT-related threats.”

“The objectives of DORA account for all domains relevant to operational resilience, such as ICT risk management, ICT incident reporting, digital operational resilience testing, management of ICT third-party risks and information-sharing agreements”, Benny says.

Coping with third-party risks

Of all the domains outlined in DORA, third-party risk management is the most challenging. Benny: “That’s because the risk landscape depends on the financial institutions’ ICT suppliers. As the products and services of these third-party suppliers evolve, so do their risks. If companies just stick to performing yearly assessments, they will lose control. Financial entities should move to continuously assessing their third-party ecosystem.”

Compliance leads to trust

Will DORA be fully embraced by companies? Benny is quite sure it will. “A couple of years ago, the General Data Protection Regulation disrupted the way companies managed their data and privacy. But it ultimately leads to better reputations for firms that comply. I assume it will be similar for DORA: financial entities will be pushed to rethink their processes, but in return they will improve their digital operational resilience, as well as their reputations.”

It is important that financial entities begin to evaluate the impact of this regulatory change on their ICT risk management framework and prepare to meet the specific requirements set out by DORA.

“Companies need to start exploring, build their business case and develop a unified strategy. Digital operational resilience is a shared responsibility, with the Chief Risk Officer, the Chief Information Officer, and the Chief Security Officer working closely together”, says Benny. “Undoubtedly most companies will have ample experience in these domains but they need to streamline what already exists. They should start by scoping out strategic priorities and determine the level of their organization’s maturity on operational resilience, including an assessment of their operational resilience program. After that, they can build an operating model design and an implementation roadmap, including scenario testing, impact tolerance, data and tooling.”

A multidisciplinary approach

When companies embark on the road to compliance, they should be able to read and interpret legislation, apply it to their own ICT and Risk management strategy, identify gaps and implement the program.

“There are many areas of expertise involved,” Benny explains. “Companies face the challenge of pursuing the bigger picture while preventing themselves from overinvesting. A unified, dynamic approach and framework will lead to a synergy of all domains and will guarantee an advanced operational resilience in a fast-moving context where new risks arise every day.”

KPMG has supported clients in optimizing their operational resilience since 2017, with capabilities in ICT and cyber resilience, incident management, and business continuity, together with broad governance risk, as well as regulatory and compliance skills.

What are the key obligations for financial entities under DORA?

  • ICT risk management – Adopt a comprehensive ICT risk management framework and governance so that companies can identify, prevent, and manage ICT risks.
  • ICT incident reporting – Use a streamlined procedure to log and classify ICT incidents and report major incidents to authorities.
  • Digital operational resilience testing program – Perform assessments on a regular basis, such as vulnerability assessments and network security assessment.
  • Strategy for ICT third-party risk – Regularly assess the risks coming from ICT third-party service providers.
  • Information and intelligence sharing – Ensure the exchange of cyber threat information and intelligence within the sector.