DIGITAL OPERATIONAL RESILIENCE ACT (DORA)

DORA dilemmas: A spot check with industry leaders

We recently sat down with leaders from several large financial institutions to discuss progress and challenges in preparing for the Digital Operational Resilience Act (DORA) and in particular on the Third Party Risk Management (TPRM) requirements.

Read on for our outline of the key challenges discussed in the session and how different firms are addressing these.

DORA Concerns
Scope confusion

One of the biggest issues firms are grappling with is figuring out which suppliers truly matter under DORA. Some are narrowing their focus using their own definitions of Tier 1 and Tier 2 suppliers, while others are casting a wide net, mapping every technology provider. 

Some firms are focusing on operational resilience frameworks, using the Important Business Services as a starter, then scoping DORA through identifying the 'critical' IT providers for those services.

Other firms are also factoring in their latest assessment of Critical or Important Functions (CIFs), adding another layer of complexity.

There was no single, consistent approach being used. With institutions struggling to align, this is likely to lead to mixed messages and inconsistent expectations of suppliers further down the chain. In turn, this may expose inconsistencies in the required Registers of Information.

We expect regulators to ask for copies of the Registers of Information in 2025 in order to understand the critical supplier landscape to a greater extent. Inconsistent scoping and definitions of critical ICT providers may set off alarm bells once their analysis is completed.  

Suppliers
Suppliers are keeping quiet... and that’s a problem

Another major issue is that suppliers aren’t engaging. Most firms haven’t heard from their suppliers about DORA compliance. In fact, one institution even had a supplier ask for money to ensure compliance (which was thankfully a one-off). 

Worse still, firms are finding themselves in a passive position. The feeling is that large suppliers are going to implement their own compliance plans, and the firms will just have to adapt, without much say in how it all plays out. They’ll simply be on the receiving end of whatever changes their suppliers make. 

What's Critical?
Who decides what’s 'critical'?

Another contentious issue that came up is the disconnect between firms and their suppliers over what’s considered 'critical'. Firms have experienced pushback as they have told suppliers they’re essential to a business service, only to have suppliers shrug it off. It’s shaping up to be a difficult negotiation, with neither side agreeing on who or what is critical. 

Exit planning
Exit planning is currently a tick-box exercise

When it comes to exit planning, most firms admit it’s still being seen as a tick-box exercise. While contingency plans exist, they’re not always used when things go wrong. In reality, many institutions deal with issues as they arise, rather than relying on detailed business continuity plans. Scenario testing, if it happens at all, tends to be reactive rather than proactive. 

Where suppliers are deeply embedded in the business, finding an exit strategy becomes even harder. Firms can't just pull the plug on them without risking major disruption, so they are left either trying to build in-house alternatives or simply accepting the risk and moving on.

The Data Problem
Tools won’t fix the data problem

Many firms are keen to automate their supplier management systems, but the challenge is making sure the information going into these systems is accurate. Until firms fully map their suppliers and understand what’s 'critical', automation won’t solve the underlying issues.

Tools are only as good as the data they’re built on. 

Resource Issues
No dedicated teams

While some firms are assigning responsibility for specific suppliers to BAU teams, it's clear that maintaining compliance will be a significant resource consideration going forward. With so much else going on, there's always a risk that something vital will be overlooked.

Road to Compliance
DORA isn’t going away

DORA is coming, and financial institutions are still trying to get to grips with it. Although the looming deadline is January 2025, firms are likely to be grappling with these challenges well into 2025 (and possibly even beyond that).  

From confusion over which suppliers are 'critical', to a lack of engagement from suppliers themselves, and the logistical challenge of exit planning – it’s clear that, for most, the road to compliance will be rocky. 

Reach out
How we can help

BeyondFS has helped many organisations to set up and manage regulatory-driven change programmes, including preparing firms for DORA requirements.

We can help you with the end-to-end process of initiating, coordinating and delivering the required programme to ensure that you are able to manage your suppliers, the regulator, and internal stakeholders with confidence and clarity. Do reach out to us if you would like to discuss your challenges.

Let's make change happen.

We help Financial Institutions accelerate digital transformation – delivering improved efficiencies, better risk controls and enhanced customer experiences.