DORA: Implementing Challenges for Financial Services Firms

The upcoming Digital Operational Resilience and Assurance (DORA) regulation presents a significant milestone for the asset and wealth management industry. DORA legislation aims to enhance the operational resilience of firms by focusing on the management of digital risks, ensuring the continuity of critical business functions, and safeguarding customer interests.

This article explores the key challenges that organisations are likely to face during the implementation phase of DORA.

Comprehensive Understanding of Digital Infrastructure:

One of the primary challenges for financial services firms in implementing DORA is gaining a comprehensive understanding of their digital infrastructure. Organisations often operate with complex and interconnected systems, making it crucial to identify all digital assets, dependencies, and potential vulnerabilities. Achieving this level of visibility requires collaboration between business units, IT departments, and third-party service providers. The lack of a centralised inventory of digital assets and interdependencies can hinder the formulation of effective operational resilience strategies and hamper compliance efforts.

Regulatory Compliance Integration:

Another significant challenge is integrating the requirements of DORA with existing regulatory compliance frameworks. Financial services firms already navigate a complex landscape of regulations, such as GDPR, MiFID II, and Basel III. DORA adds an additional layer of compliance obligations, which may require organisations to align and harmonise their existing practices. Firms must assess the synergies and overlaps between DORA and other regulations to optimise compliance efforts and avoid duplicative processes. This challenge necessitates a holistic approach to compliance management, involving cross-functional teams and coordination across various departments.

Vendor and Third-Party Risk Management:

DORA financial services firms increasingly rely on third-party vendors and service providers for critical functions. DORA places significant emphasis on managing the risks associated with these external dependencies, requiring organisations to ensure the operational resilience of their vendor ecosystems. Establishing effective vendor risk management frameworks, assessing third-party capabilities, and implementing necessary controls can be complex and resource-intensive. Challenges may arise from the lack of standardisation across vendors, varied contractual agreements, and difficulties in obtaining comprehensive information about vendors’ operational resilience practices.

Testing and Exercising Resilience Measures:

Testing and exercising operational resilience measures is a crucial aspect of DORA compliance. Organisations are expected to conduct regular simulations and scenario-based testing to evaluate their ability to withstand and recover from various disruptive events. However, implementing comprehensive and realistic testing programs can be challenging. It requires extensive coordination among different teams, infrastructure resources, and business units. Additionally, organisations must strike a balance between conducting thorough testing and maintaining day-to-day operations, avoiding undue disruption to critical services.

We’re here to help:

The implementation of the upcoming DORA regulation presents numerous challenges for firms. Addressing these challenges will require a proactive and strategic approach to operational resilience.

Our team can help you get a comprehensive understanding of your digital infrastructure, integrate DORA requirements with existing regulatory frameworks, strengthen vendor and third-party risk management, and establish effective testing and exercising protocols.

If you would like to discuss please contact Hugo Warner (hwarner@novatusadvisory.com).