Introduction

The Digital Operational Resilience Act (DORA) is in place to address digital operational risk within the financial services sector.

The regulation focuses on the ‘protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring.’

With this digital lens, it is easy to overlook a larger problem with operational resilience: the reliance on key individuals who hold the understanding of systems and processes.

If these individuals were to leave the organisation or move out of their role, this knowledge may be lost, along with the ability to run and support the system. This needs to be considered and addressed as part of an organisation’s DORA compliance.

This POV will uncover the human aspect of digital operational resilience and how it can be addressed as a single point of failure.

DORA

The Digital Operational Resilience Act (DORA) is a package of legislation that seeks to strengthen companies operating in Financial Services by improving their operational resilience. The act has five pillars that combine to protect the ability of a financial organisation to operate, going beyond the focus of financial resilience.

One of these pillars dictates that organisations must document and implement measures, controls, frameworks, and processes to demonstrate oversight and control of their digital risk. Sounds great. Organisations can implement technology to generate reports on IT incidents and cyber breaches, with information such as the number of affected users, economic impact, severity, criticality, and magnitude, thus responding to this pillar’s requirements. Compliance is a sure thing, right?

But what else needs to be considered as part of this regulatory response?

The Human Aspect of Digital Resilience

You may have the most robust digital solution, with the agility to adapt and scale with the business, which in theory makes you DORA compliant. Yet if it overlooks the need for a human to support the system, it creates a single point of failure.

This vulnerability seemingly falls below the radar for DORA, despite its centrality to operational resilience.

Overcoming this vulnerability begins with understanding how operational processes and systems operate day to day, and ensuring that no single individual is critical to their operation. Infrastructure, and those tasked with resolving support problems, are similarly important.

Process Automation

Process automation is a great way of recording and consolidating crucial knowledge and understanding of a business process.

To automate a process, it must first be defined and documented. This immediately brings value to an organisation, with improved understanding and consistent application of policy. It records previously undocumented activity that staff can use to maintain the process.

Documentation should include the process flow, relevant systems, and resources to create a holistic view of the process so it can be automated or manually run consistently.

Process automation ensures that the right systems and resources are engaged at the right stage, streamlining the flow and completion of the individual tasks and the overall workflow.

Manual Process Oversight

Some processes consist of tasks that are complex and cannot be easily automated.

To address DORA, it is reasonable to automate a checklist with guard rails to guide “gifted amateurs” through the process. It consists of tasks that say, “Do this like this, and when you have finished, upload the evidence”.

This is a very effective way to start addressing the risk of losing knowledge of what a process is and how it should be performed. It helps to capture the process and provides a foundation for iterative or agile refinement.

Derailment

Attempting to be 100% accurate, to deliver a “perfect” process, or to map all processes before starting automation is a mistake. Processes drift naturally over time, and when they have no anchors, documenting them is a never-ending task that is at the mercy of opinion.

For the purposes of DORA, Responsiv recommend sketching the process and gathering information about each task, and then immediately building a “pilot” process. The pilot will drive out new information, objections and suggestions for improvement far more quickly than a conceptual investigation.

A Responsiv Outlook on DORA

Responsiv believe that addressing the human operational vulnerability is a critical dimension of ensuring DORA compliance.

As explored above, Responsiv understand how organisations can successfully implement processes as a way to consolidate staff knowledge of key business workflows and policies. Our experience of doing this across industries has provided a depth of insight into engaging stakeholders for successful contribution to, and adoption of, processes.

Our Responsiv Consultants are available to remove strain from your in-house teams, allowing them to focus on more value-adding activity by removing the distraction of the regulator.

We help financial organisations drive process automation and integration projects, and develop cost-effective ways to mitigate human, digital and other operational business risks. We take the time to understand your business environment so that we fully comprehend the actions, tasks, systems and implications of the process, ensuring our solution is resilient.

Contact Responsiv for more information and insight into responding to DORA.
Zoe Whyte

Zoe is the Marketing Manager at Responsiv. She has a first-class degree in History and completed the miniMBA in Marketing.