Over recent months, GreySpark Partners has underscored the importance of financial firms having robust operational resilience frameworks in place, with key regulatory deadlines looming: the implementation date of the European Digital Operational Resilience Act (DORA), 17 January 2025, is now less than a year away.
Regulators have also become concerned about financial firms’ increasing reliance on third-party technology providers, and DORA brings those providers into scope so that any data and cyber security risks associated with them can be properly addressed and service continuity maintained in the face of operational disaster.
Additionally, the prevalence of black swan events this decade, such as the COVID pandemic and the Silicon Valley Bank collapse, has served as a reminder of the inevitability, unpredictability and severity of disruption, and has consequently made operational resilience a top priority for regulators.
However, current market data shows that, worryingly, most firms are not fully operationally resilient. Data from BCG shows that only 10% of companies have developed the full range of resilience capabilities needed to thrive. This is even more of a concern when you consider that, according to PwC, 91% of organisations experienced at least one disruption over the last two years, with 76% revealing that their most serious disruption had a medium-to-high impact on operations. Nevertheless, it is not for want of trying: 89% of respondents in PwC’s survey noted that operational resilience is one of their top ‘strategic priorities’.
One reason why companies are not currently operationally resilient may be a lack of understanding of what operational resilience actually is, in terms of the operational risks and possible disruptions it covers. There is also a lack of established best practice for delivering an operational resilience framework. A robust operational resilience framework typically involves stress testing a system under bespoke scenarios, using accurate, centrally managed data and dynamic technology solutions such as a digital twin. You can find out more about digital twin models here.
As the figure below shows, a survey by technology provider Ansarada of its customer base found that only half have a common understanding of what operational resilience is, with almost a third saying they do not understand operational resilience at all. In the same survey, nearly two-thirds of organisations stated that operational resilience is managed by various teams across the organisation, with less than a quarter having a comprehensive operational resilience framework in place. This siloed management of operational resilience across different departments, such as IT disaster recovery, information security and enterprise risk, can lead to misalignment in a firm’s operational resilience strategy and leave its critical or important functions exposed to risk.
(NB: this Ansarada survey is based on Ansarada’s Governance, Risk and Compliance customer base across several industries, including financial services, technology and healthcare.)
In terms of DORA, a survey from Acuiti of senior executives across 106 financial firms reflects similar shortcomings among European financial firms in achieving operational resilience. In particular, only 6% of European financial firms are ready for the DORA implementation date next year, and 3% have yet to begin preparations.
More importantly, it can be inferred from the data above that, although the urgency to improve operational resilience is evident, firms are generally uncertain about how to deliver a successful operational resilience framework and lack the expertise to do so. This is causing them to take a scattergun approach to operational resilience, which may prove to be as good as a shot in the dark in their bid to reach regulatory compliance.
Firms ultimately lack a formalised and centralised operational resilience framework despite increasing regulatory pressure. This presents significant challenges in itself, including fragmented ownership and segregation of critical data, which hinder the coherent management of operational risks and resilience.
Crucially, GreySpark Partners observes, this lack of best practice could mean that financial firms do not achieve regulatory compliance in time and face the disastrous financial and reputational consequences, with financial firms facing the possibility of fines of up to €10 million for failing to achieve compliance.
More to follow.