Prepare for DORA today and secure your digital operational resilience tomorrow

"Digital operational resilience starts with understanding existing vulnerabilities and mitigating those risks to the best of your abilities," says Benny. "This goes for both existing and foreseeable risks: organizations in the financial sector need to ensure that they can mitigate the impact of future disruptions. And when an incident does occur unexpectedly, they must be able to minimize its impact, protecting their customers and the integrity of the financial system."

“Financial markets have recently experienced challenges from various disruptive events, such as technology failures, cyber incidents, natural disasters, and pandemics”, says Benny. “This is partly due to companies advancing into the digital era at a fast pace, exposing themselves to the associated risks without the appropriate mitigation measures in place.”

“The first step in becoming operationally resilient is accepting that these types of disruptive events will occur. Although they won’t be 100% predictable – or even preventable – companies need to make sure they are managed effectively. So, preparation is key to be able to withstand disruptions that will inevitably occur.”

“The concept of DORA was launched by the European Commission to improve overall operational resilience in the financial sector. The legislation is expected to come into force by the end of 2022”, says Benny. “DORA will harmonize existing legislation and supplement current gaps. Thanks to this unified digital framework, companies have the tools and means to withstand all types of IT-related threats.”

“The objectives of DORA account for all domains relevant to operational resilience, such as ICT risk management, ICT incident reporting, digital operational resilience testing, management of ICT third-party risks and information-sharing agreements”, Benny says.

Of all the domains outlined in DORA, third-party risk management is the most challenging. Benny: “That’s because the risk landscape depends on the financial institutions’ ICT suppliers. As the products and services of these third-party suppliers evolve, so do their risks. If companies just stick to performing yearly assessments, they will lose control. Financial entities should move to continuously assessing their third-party ecosystem.”

Will DORA be fully embraced by companies? Benny is quite sure it will. “A couple of years ago, the General Data Protection Regulation disrupted the way companies managed their data and privacy. But it ultimately leads to better reputations for firms that comply. I assume it will be similar for DORA: financial entities will be pushed to rethink their processes, but in return they will improve their digital operational resilience, as well as their reputations.”

It is important that financial entities begin to evaluate the impact of this regulatory change on their ICT risk management framework and prepare to meet the specific requirements set out by DORA.

“Companies need to start exploring, build their business case and develop a unified strategy. Digital operational resilience is a shared responsibility, with the Chief Risk Officer, the Chief Information Officer, and the Chief Security Officer working closely together”, says Benny. “Undoubtedly most companies will have ample experience in these domains but they need to streamline what already exists. They should start by scoping out strategic priorities and determine the level of their organization’s maturity on operational resilience, including an assessment of their operational resilience program. After that, they can build an operating model design and an implementation roadmap, including scenario testing, impact tolerance, data and tooling.”

When companies embark on the road to compliance, they should be able to read and interpret legislation, apply it to their own ICT and Risk management strategy, identify gaps and implement the program.

“There are many areas of expertise involved,” Benny explains. “Companies face the challenge of pursuing the bigger picture while preventing themselves from overinvesting. A unified, dynamic approach and framework will lead to a synergy of all domains and will guarantee an advanced operational resilience in a fast-moving context where new risks arise every day.”

KPMG has supported clients in optimizing their operational resilience since 2017, with capabilities in ICT and cyber resilience, incident management, and business continuity, together with broad governance risk, as well as regulatory and compliance skills.

• ICT risk management – Adopt a comprehensive ICT risk management framework and governance so that companies can identify, prevent, and manage ICT risks.
• ICT incident reporting – Use a streamlined procedure to log and classify ICT incidents and report major incidents to authorities.
• Digital operational resilience testing program – Perform assessments on a regular basis, such as vulnerability assessments and network security assessment.
• Strategy for ICT third-party risk – Regularly assess the risks coming from ICT third-party service providers.
• Information and intelligence sharing – Ensure the exchange of cyber threat information and intelligence within the sector.