The digitalisation of the financial sector is progressing, and with it the demands on digital resilience are increasing. Our benchmark highlights the impact of the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), which entered into force in January 2023 and applies from 17 January 2025, and shows how financial institutions can strengthen their competitiveness and innovative power while meeting its requirements.
Overarching findings
Existing IT governance, frameworks, controls and policies should provide a solid foundation for achieving DORA compliance. However, an integrated approach across all DORA disciplines is essential. In particular, the handling of ICT-related incidents, digital operational resilience (DOR) testing and the management of ICT third-party risk show a significant need for improvement before DORA compliance can be achieved.
Risks from information and communication technologies (ICT)
Comprehensive documentation of the information network, including the associated processes and guidelines, is crucial for the forward-looking handling of ICT risks. The survey shows how employees and management can be enabled to implement and maintain the processes of the ICT risk management framework successfully.
Vaike Metzger
Partner, Financial Services, Head of IT Compliance Solution, DORA EMA Lead
KPMG AG Wirtschaftsprüfungsgesellschaft
Business Continuity Management (BCM) and IT Service Continuity Management (ITSCM)
The aim of emergency management is to ensure resilient processes at all times, including during an emergency. Key measures for this include continuously adapting the existing templates for ICT business continuity plans and ICT response and recovery plans, and testing those plans regularly. Our experts emphasise the need to critically review and improve the existing infrastructure in order to meet the requirements for availability, continuity and backup.
ICT-related incidents
A tool-supported incident register enables the rapid classification of ICT-related incidents, the initiation of response measures and the proper reporting of incidents to the authorities within the prescribed deadlines. It is also important to implement sufficient early warning indicators (e.g. anomaly detection) in the holistic ICT-related incident management process, so that security monitoring, early warning and notification of the relevant functions within the organisation are possible. In addition to implementing the process comprehensively, the resources described in our survey must also be put in place.
Testing digital operational resilience
A threat-oriented, multi-year test plan forms the basis for comprehensive testing of digital operational resilience. It should cover all ICT systems and applications that support critical or important functions, which must be tested at least annually, and it should schedule threat-led penetration testing (TLPT) for those entities DORA brings into scope. The survey shows how the required test methods can be integrated into the software development lifecycle and how test personnel with sufficient capacity can operationalise the test plan.
Management of ICT third party risk
To manage ICT third-party risk, all contractual arrangements with ICT third-party service providers must be recorded, evaluated and documented in the register of information, and the contracts must be brought into line with the contractual provisions DORA requires. Our experts explain how ongoing third-party management can be supported with the right processes and governance and set up in compliance with DORA.
Risk-based implementation & KPMG blueprint for DORA methodology
Our benchmark recommends a risk-based prioritisation along the critical or important functions of the company. This focuses the DORA implementation on the digital operational resilience of these "crown jewels" of the organisation and creates a solid basis for DORA compliance.