January 17th, 2025 is when your ability to serve clients without interruption is legislated. At least when you are in the financial services sector, or when you supply such firms. If you are not active in the financial arena, don’t click away. Many of these requirements can just give you an edge over your competition.
Many firms underestimated the impact of the legislation, but let’s be honest, so did the European Union. The last pieces of the puzzle are still not delivered only two days before the law comes into effect.
What is DORA all about again? It is the Digital Operational Resilience Act. In essence, it is about your ability to withstand adverse events that may impact your clients or the financial system.
Aside from some nasty details, this really is just common sense. You need to be organized so that the right people know what is expected of them, from the accountable top to the staff executing the day to day operations. You need to know what to do when things go wrong. You need to know your suppliers, especially those who supply services to your critical business services. You need to test your defenses and your IT. You may want to share intelligence around cyber-attacks.
There, all of the 45 business-relevant DORA articles and technical standards in a single paragraph. The remaining articles deal with the competent authorities and make for good reading as they provide some insights into the workings of the regulatory body. The same goes for the preamble of the law. No less than 104 “musings” that elaborate on the operating environment and intent of the law.
If you’re firm is still in the thick of things trying to become compliant, you are not alone. I have seen at least one regulator indicating that they will be understanding of that situation, but you must have a clear roadmap to compliance in the near future. Your regulator may or may not be in line with that position. In the eastern-most countries of the EU, signals are that the regulator will take a much tougher stance.
(This kind of negates one of the musings of the law; the need for a single view on what financial services firms must adhere to to be considered compliant and resilient. But I think this is an unavoidable byproduct of having culturally diverse member states.)
I dare to say that firms typically have the governance in place as well as the IM processes and testing requirements. The biggest open items seem to be in the actual IT hard operational resilience, monitoring and BCM.
Take a look at your own firm and make an honest assessment in those areas. They key resilience (DORA-related or not) is knowing how your service works and is performing from a client perspective.
You need to know how a client achieves all their interaction goals with your company. Typically this is mapped in the client journey. Unfortunately, this usually only maps the business flow, not the technical flow. And usually you look at it from the client UX perspective. This is obviously very important, but it does not help you to understand the elements that ensure you that your clients can always complete that journey.
The other day, I had a customer journey with an online ski-shop. I had bought two ski helmets in size M, the same size my adult son and I had. When the helmets arrived it turned out they were too small. So, ok, no worries, I start the return process online. Once we complete the initial steps, after a few days I notice that the price for only one helmet is shown on the site. This, despite the indicators that both helmets are approved to be returned. Later both helmets are shown as effectively returned. Refund still shows one helmet’s price. What gives? I give it some more time, but after ten days, I decide to enquire. The site still shows refund for one helmet.
Then I receive an email that both helmets will be refunded as they accepted the state of the helmets (unused) and amount of the refund is now correct. Site still shows the wrong amount.
This is obviously a small inconvenience, but it does show that the IT team does not have a full view of the entire customer journey and systems interactions. You need to fix this.
Suppose this is not about two ski helmets, but about ski or home insurance. Or about the sale of a car or a B2B transaction involving tens or hundreds of thousands of dollars or euro, or any other currency? Does your system show the real-time correct status of the transaction? If not, I would, as a consumer, decide to change provider. Why? Because the trust is gone.
Resilience is about withstanding events that threaten your service to your clients. Events are nit just earthquakes or floods. Events are also wrong or missing information. To protect against that, you need to know what the (value) chain is that leads to you providing that service. Additionally, you need to know if that service chain has any impediments at any moment in time. Aka, you need to know that any service request can be fulfilled at any given time. And to have the right processes and resources in place to fix whatever is not working at that time.
And that is in my opinion the biggest task still outstanding with many companies to ensure true resilience and customer service.