
Double Standards: Uncovering efficiencies to achieve DORA and Operational Resilience compliance

Financial institutions operating within the UK and EU are gearing up for two different critical regulatory deadlines in early 2025.  

The Digital Operational Resilience Act (DORA) and Operational Resilience regulations are effective from 17th January and 31st March 2025, respectively.  

Firms have been moving towards alignment with Operational Resilience since 2020, but progress on DORA has lagged, partly due to ongoing revisions.  

The good news is that firms can leverage the work already done on Operational Resilience to streamline the efforts needed for DORA compliance. 

In this article BeyondFS Operational Resilience expert Tom Wootton explains where to find the hidden opportunities that will save your organisation time and effort.

Opportunity 1
Identify your critical or important functions

DORA expects firms to identify their critical or important functions. Much of the groundwork for this will have been done when identifying and mapping Important Business Services (IBS) and their processes under Operational Resilience.  

Though definitions may vary slightly, firms should be able to review their IBS Mappings and past Business Impact Analyses (BIAs) to ensure all critical functions are covered. 

DORA is not focused solely on the IBSs, so it is important to understand which other functions should be in scope, noting the potential financial, operational, reputational and regulatory impact should there be a major disruption; the BIAs should help with this. 

Opportunity 2
Identify your critical technology, data and IT third party service providers

DORA expects financial entities to understand their critical technology, data and third party service providers. Luckily, this dovetails with the Operational Resilience Mapping requirements.  

Once again, firms can review their IBS mappings and BIAs to identify these dependencies from both an end-to-end service and a functional perspective to meet both regulations. 

Opportunity 3
Board accountability and governance

Both regulations emphasise senior-level accountability and oversight. The good news is that the SMF24 (Chief Operations Officer) role aligns well with DORA’s governance requirements.  

The SMF24 role is one of the few roles that can be split, and it is often split between the COO and an IT role. 

The regulations are clear that IT and Operations should not operate in silos, so firms should also review and align the responsibilities of Chief Information Officers, Chief Information Security Officers and Chief Technology Officers alongside the COO role to ensure cohesive governance across both regulations.  

Opportunity 4
Scenario testing

Both regulations mandate scenario testing to identify vulnerabilities and ensure that organisations can respond and recover from major disruptions, within impact tolerances and/or recovery objectives.  

As part of the Operational Resilience capability, firms should have been developing a scenario library of severe but plausible disruptions that have the potential to breach their impact tolerances. These will be primarily IT-related, such as ransomware attacks, third party failures, cloud security incidents, insider threats and data loss, and will therefore fit naturally into the DORA requirements. 

An IT Disaster Recovery (ITDR) testing programme, focusing on critical technology and data, is also needed. Contracts with third parties should allow for an appropriate level of oversight of their ability to respond within agreed Service Level Agreements. 

Opportunity 5
Third party risk management

Both regulations expect appropriate third party risk management (TPRM) once critical service providers are identified through mapping or BIAs.  

Firms with existing TPRM programmes must ensure they cover the latest critical technology and data services from external and intragroup third parties. Looking at both regulations and previous Operational Resilience work, you can ensure that a robust TPRM framework extends to your organisation’s system, application, and data levels. 

Opportunity 6
Response and recovery planning

Firms must proactively prepare for, respond to, and be able to recover from major disruptions. It is likely that your existing business continuity, crisis management, IT disaster recovery and incident management plans already consider such events.  

These plans can now be updated to cover DORA’s focus on critical technology, data, and third parties. Make these accessible to DORA leads, so that they can assess the current response capability. 

Conclusion

DORA and the UK’s Operational Resilience regulations share similar goals, despite being tailored to different regulatory environments. 

For maximum cost and time efficiency, firms should integrate their programmes, recognising the overlaps, within an IT-focused approach. Operational Resilience has provided a head start for DORA, but specific validation against DORA is still necessary. 

If you are struggling to achieve compliance, BeyondFS can help streamline your efforts, minimise disruption, and enable you to achieve compliance with DORA and Operational Resilience without disrupting your core business operations. 
