The implementation of DORA signifies a significant international effort in the area of operational resilience.

The attention from international competitive authorities and other regulators on the EU’s approach to operational resilience is noteworthy. As we move into an increasingly digital and connected world, regulations like DORA are crucial to ensure the operational resilience of the financial sector.

DORA is a response to this need. It provides a common set of rules on ICT risk management and resilience across the entire EU financial sector. DORA applies to a broad range of financial entities, from banks and payment institutions to insurance companies and investment firms. It mandates yearly testing of ICT systems for all financial entities, with significant entities required to perform thorough penetration testing every three years. DORA also aims to harmonise the rules on incident reporting, creating a single reporting regime for the financial sector.

However, the introduction of DORA has sparked a debate on whether it is necessary and beneficial. Some argue that the regulation is needed to create a level playing field in the single market of Europe, where previously each country could set their own requirements for resilience. Others question whether there is a real problem with resilience in the banking sector that needs to be addressed. They argue that the move to cloud and third-party services has actually increased resilience, and question the need for regulation in the first place.

Kumar mentioned that “it’s very early stages in terms of what needs to be done.” He continued to say that “the bigger banks, rather than the smaller financial services firms, are at the early stages, because UK regulators have done a systemic review of operational resilience, have found that it is systemically important and can have a massive impact on the local financial market. However, more smaller institutions are starting to look into third party risk alignment.”

“Break the problem down into smaller, more manageable chunks, rather than attempting to tackle an entire portfolio of services at once.”
Sumant Kumar, CTO – Banking and Financial Markets & Head of Innovation, NTT DATA

Operational Resilience: A Key to Business Continuity in Banking

The criticality of payments infrastructure is another area of concern. Banks are at the core of a country’s business continuity, and their operations are closely tied to the operation of the country’s critical infrastructure. The question arises as to how to regulate and control the dependencies of these operations, especially when they are outsourced to external organisations like cloud providers. There have been instances where major cloud providers have experienced downtime, raising concerns about the resilience of the services they provide.

The key to addressing these challenges lies in the adoption of a comprehensive strategy for operational resilience. This strategy should encompass all aspects of the business, from cybersecurity risk management to third-party risk alignment. It is crucial to identify and assess the critical services within the organisation and prioritise them accordingly. This approach allows businesses to break down the problem into smaller, more manageable chunks, rather than attempting to tackle the entire portfolio of services at once.

However, the implementation of such a strategy is not without its challenges. The level of preparedness varies greatly among businesses, with larger, more established entities typically being better equipped to manage operational resilience. Smaller businesses, on the other hand, often struggle with understanding and implementing the necessary measures. This disparity can lead to a significant gap in operational resilience across different sectors and industries.

Despite these challenges, the implementation of a robust operational resilience strategy can yield significant benefits. Beyond mere compliance with regulations, it can serve as a platform for innovation and business development. By leveraging the capabilities generated through operational resilience, businesses can enhance their service offerings and provide added value to their customers. This shift in perspective, from viewing operational resilience as a regulatory requirement to seeing it as a business enabler, can significantly accelerate its adoption.

“It is now necessary to “accelerate the utilisation of the applicability of DORA – looking into innovation, the long term benefits, what we can bring to the customer, and the potential security benefits.”
Ramon Villarreal, payments sector global lead, Red Hat

Villarreal said that “there is big potential in terms of innovation. I think that is the shift that is necessary to accelerate the utilisation of the applicability of DORA – looking into innovation, the long term benefits, what we can bring to the customer, and the potential security benefits.

The concept of uptime, or the amount of time a system is operational and available, is a crucial metric in this new landscape. In the world of instant payments, any downtime can have significant consequences. It’s clear that there is a correlation between the age of a bank and its likelihood of experiencing downtime, often due to system upgrades or legacy systems. This highlights the need for financial institutions to invest in modern, reliable systems that can handle the demands of real-time payments.

However, it’s not enough to simply invest in new systems. Financial institutions must also be proactive in monitoring and improving their uptime. This requires a commitment to data collection and analysis, allowing institutions to identify and address any potential issues before they become major problems. By being data-driven, institutions can make informed decisions that enhance their resilience and ensure they are providing the best possible service to their customers.

In addition to uptime, financial institutions must also consider the threat of external cyber-attacks. The rise of new players in the financial technology space has brought with it an increase in potential threats. To combat this, institutions must be proactive in their approach to cybersecurity. This includes regular testing and practical trials to identify and address any potential vulnerabilities. By taking a proactive approach, institutions can ensure they are prepared for any potential threats and can respond quickly and effectively if an attack does occur.

“There’s nothing new there, nothing from a practical perspective that a financial institution shouldn’t be already doing in my opinion.”
Kaspar Loog, director of product management, LHV Bank.