This summer, EU regulators delivered final Digital Operational Resilience Act (DORA) standards and the FS sector now has a little under 100 days for a ‘great repapering’ of policies, contracts, procedures, control logs, regulatory reports and supplier databases.
Billions are being spent as lawyers and consultants prepare for board room panics in September over this summer’s issues and what regulators expect them to do about them in Q1 2025.
Yet, amidst this urgency, many miss the point that checking boxes will not secure victory in the operational resilience marathon. To truly win this race, leaders must build new muscles that will ready them as AI, Cyber and a plethora of other technology rules raise the bar quickly.
Summer OpRes sprints
Broadsheet newspapers have reminded us this summer of how fragile the technology on which our interconnected global infrastructure depends can be.
The good news is that global regulators are on the case. Final standards were delivered with minor updates in July, leaving 133 days for a ‘great repapering’ of policies, contracts, procedures, control logs, regulatory reports and supplier databases.
The bad news is that fragmented programmes and board room panics can leave financial entities even more exposed to regulatory interrogation in the face of systems failure. With 22,000 financial entities in scope, regulators are going to gravitate to the material incidents in the industry, and any ‘papering over the cracks’ will quickly be exposed.
Marathon milestones
The key to the next phase of OpRes is to map the full course ahead and think through your race strategy. Global regulators have been busy on far more than just one resilience rule. This means you need to run this first sprint carefully and define ‘done’ in the context of the longer-term objectives.
Like any race, it also gives runners a chance to find safety in their packs. Business-led perspectives on which services are critical and important, and on how best to get certainty on DORA standards, are needed before running off to speak to each technology behemoth about things they are unlikely to share.
The UK regulators, first movers in this policy space, are already deep into discussion with firms on how they will comply with their principles at the end of Q1 2025, and are watching global implementation carefully:
- EU. From 17 January 2025, the EU’s Digital Operational Resilience Act (DORA) requires extensive updates to policies, contracts, procedures, and compliance documentation
- UK. From 31 March 2025 firms must ensure they’re ready to comply with PS21/3: ‘Building operational resilience’
- Australia. From 1 July 2025 the Prudential Standard CPS 230 commences
- US. The CFTC has consulted on a new CFR rule, ‘Operational Resilience Framework for Futures Commission Merchants, Swap Dealers, and Major Swap Participants’
- International. In December 2023, the FSB published a toolkit for Enhancing Third-Party Risk Management and Oversight
But it doesn’t end there. There are many other operational resilience regimes in place, and other technology rules are following quickly. The EU AI Act starts to come into force from 2 February 2025, and the NIS2 cyber directive will have to be transposed into national legislation by October 2024.
JWG has found in its 2022 Managing Digital Infrastructure report that the entire back office needs to be aligned on resilience (i.e., OpRes), supply chain risk mitigation (e.g., OpRisk, TPRM, Cyber) and technology governance (e.g., AI, Cyber, Cloud). New JWG research has updated Exhibit 4 (below) from that report to provide context.
Updated JWG 2007-2025 Non-Financial Risk Horizon
Source: Managing Digital Infrastructure Risk, JWG 2022, updated in 08/24
JWG’s DORA capabilities
IT Risk policy is being upgraded in the most significant way since settlement risk was tackled 50 years ago.
The impact on firms has already cost tens of millions, and the pressure for a smooth transition is mounting as the countdown to Europe’s DORA go-live drops under 100 days.
The great news is that DORA has set the standards for the Cyber, AI, Quantum sprints ahead.
As we have described in Taming the DORA Dragon here, it has taken a far deeper, broader and more prescriptive approach to de-risking ‘end to end’ Information and Communication Technology (ICT) risk.
To tackle these risks, financial entities need to build new muscles: agreed business and vendor strategies, management oversight, ICT risk controls and regulatory transparency.
- Business strategy. DORA requires business governance for an agreed ICT risk strategy which defines procedures and methods for mitigating risks. This means that operational resilience strategy – and consequently vendor strategy – need to be agreed and tested at a business level. This includes interaction with critical supply chain dependencies like central counterparties, custodians, payments providers and trading venues. Owner: ManCo
- Management oversight. As illustrated in the BaFin diagram below, DORA prescribes a broad set of internal and third-party processes and tools by which the management body oversees the strategy. Considerable emphasis is placed on the Business Continuity Plan and the Incident Management framework. However, IT operations is also called upon to oversee controls across the asset lifecycle, including named ‘information assets’. An extensive set of third-party contractual obligations is also specified. Owner: CIO, Procurement
- ICT risk controls. Cross-functional IT capabilities appropriate to the magnitude of operations are prescribed, including: systems development lifecycle; protection and prevention; incident management; audit; and human resource policies covering communication and ‘learning and evolving’. A detailed list of functional IT controls is required, including access management, cyber, security, infosec and storage. Owners: IT leadership team, Compliance
- Regulatory transparency. New regulatory reports have been defined for incidents, threat intelligence, and the all-encompassing 118-field information register. Critically, the regulators are asked to oversee critical ICT third parties directly. Owners: CIO, NCAs, ESAs
Management needs to build these muscles now and deploy them on old technology risks: inspecting the dependencies, concentration risks and points of failure across an infrastructure which has become massively complex and digital over the last 40 years.
Our Mutually Exclusive and Collectively Exhaustive (MECE) framework assigns obligations to their owners in your organisation across all 13,000+ DORA paragraphs. This means it can be quickly tailored to suit your firm and extended to incorporate other operational resilience rules and any other regulation which affects your digital infrastructure.
Source: DORA: the countdown has begun, BaFin 04/24 here
You may already have much of the documentation required, but the standards introduce new requirements that are best flushed out quickly. Many of the devils are buried in the detail: for example, you may not notice until it is too late that the innocuous-looking ‘ICT change management’ requirement includes an obligation to verify whether ICT security requirements have been met.
Sitting it out is costly
McKinsey analysis finds firms’ implementation costs coming in at 5-10 times the €5 million to €15 million earmarked for DORA programme strategy, planning, design and orchestration. This means that, were the whole industry taking implementation seriously, we would find billions being spent on operational resilience readiness right now.
With EU AI Act cost estimates coming in at billions as well, it won’t be long before the implementation of non-financial risk regulation dwarfs the billions spent to implement MiFID.
Failing to address your organization’s digital resilience before the deadline could result in serious regulatory fines, reputational risk, supplier conflicts and even criminal liability.
Early reports from financial entities reveal some regulators taking quite an aggressive approach to reviewing plans and gaps, with others happy to increase capital buffers for those that can’t show plans and demonstrate progress.
Conclusion
DORA is just one leg of a marathon and your approach matters far beyond 17 January 2025. As global regulators continue to push for increased resilience and transparency in the financial sector, it is up to each entity to map out their race strategy and define what “done” truly means for each stakeholder.
The race ahead includes Cyber, AI, and Quantum sprints that require financial entities to step up their game with assistance from our team of experts.
So don’t wait any longer – talk to us today about how we can help you cross your finish line with confidence knowing that you have ticked all the boxes on your journey towards resilience excellence.
Next steps
JWG and First Derivative are hosting Technology, Data and Operations executives at an exclusive Chatham House rule dinner on Winning the OpRes marathon on 8 October in London.
This event is capped at 18 stakeholders, so seats are limited.
Please contact Corrina.Stokes@jwg-it.eu ASAP if you would like to engage in critical discourse, share industry approaches, and chart out effective strategies with us!