DORA expects firms to identify their critical or important functions. Much of the groundwork for this will have been done when identifying and mapping Important Business Services (IBS) and their processes under Operational Resilience.  

Though definitions may vary slightly, firms should be able to review their IBS Mappings and past Business Impact Analyses (BIAs) to ensure all critical functions are covered. 

DORA is not just focused on the IBSs so it’s important to understand which other functions should be in scope, noting the potential financial, operational, reputational and regulatory impact should there be a major disruption; the BIAs should help with this. 

DORA expects financial entities to understand their critical technology, data and third party service providers. Luckily, this dovetails with the Operational Resilience Mapping requirements.  

Once again, firms can review their IBS mappings and BIAs to identify these dependencies from both an end-to-end service and a functional perspective to meet both regulations. 

Both regulations emphasise senior-level accountability and oversight. The good news is that the SMF24 (Chief Operations Officer) role aligns well with DORA’s governance requirements.  

The SMF24 role is one of few roles that can be split; and often this is split between the COO and an IT role. 

The regulations are clear that IT and Operations should not operate in silos, so firms should also review and align the responsibilities of Chief Information Officers, Chief Information Security Officers and Chief Technology Officers alongside the COO role to ensure cohesive governance across both regulations.  

Both regulations mandate scenario testing to identify vulnerabilities and ensure that organisations can respond and recover from major disruptions, within impact tolerances and/or recovery objectives.  

As part of the Operational Resilience capability, firms should have been developing a scenario library for severe but plausible disruptions which have the potential to breach their impact tolerances. These will be primarily IT-related, such as ransomware attacks, third party failures, cloud security, insider threats and data loss and will therefore fit nicely into the DORA requirements. 

An IT Disaster Recovery (ITDR) testing programme, focusing on critical technology and data, is also needed. Contracts with third parties should allow for an appropriate level of oversight of their ability to respond within agreed Service Level Agreements. 

Both regulations expect appropriate third party risk management (TPRM) once critical service providers are identified through mapping or BIAs.  

Firms with existing TPRM programmes must ensure they cover the latest critical technology and data services from external and intragroup third parties. Looking at both regulations and previous Operational Resilience work, you can ensure that a robust TPRM framework extends to your organisation’s system, application, and data levels. 

Firms must proactively prepare for, respond to, and be able to recover from major disruptions. It is likely that your existing business continuity, crisis management, IT disaster recovery and incident management plans already consider such events.  

These plans can now be updated to cover DORA’s focus on critical technology, data, and third parties. Make these accessible to DORA leads, so that they can assess the current response capability.