DORA: Consolidation Activities
Now that DORA (the Digital Operational Resilience Act) has gone live, many firms are in the process of fine-tuning their implementations. Frameworks that were assembled in the lead-up to January 17th are now potentially being run through real-life scenarios. Firms are defining enhancements and tweaking solutions that, until now, may only have been evaluated in test scenarios.
Some firms took a phased approach to delivering DORA and, with the bulk of their programme in place, are now turning their attention to the lower-priority tasks earmarked for the 2nd or 3rd phases of their programme.
Even firms that are not in scope of DORA are doing mini-assessments to measure their compliance against the regulation. Triggers for this activity are often client RFPs asking how a firm measures up against the regulation. In addition, firms want to promote greater stability in the market and there’s recognition that bolstering frameworks (relating to topics such as cyber resilience, third-party risk management, and incident reporting) will help to achieve this. Contracting with DORA-compliant counterparts should reduce operational risk.
DORA and Emerging Regulation
In the midst of this post-go-live activity, we encourage firms to think about how their current plans interface with existing and emerging regulation. Efficient implementations can be executed more quickly and at lower cost, with less impact on BAU functions.
To give an example, at the outset of their DORA implementations, many firms assessed the impact of DORA on their existing Operational Resilience framework – in the UK, for example, there were existing proxies and tools that could be leveraged as part of the DORA implementation. One example is the IBS-CIF proxy. UK firms had to identify their Important Business Services (IBSs). Recognition of this meant that firms had a head start on their implementations – they were not starting from scratch.
Now that DORA implementations are complete, or moving into their final phases, firms will be monitoring announcements from other regulators. Regulatory requirements continue to materialise and, as they do, it’s important for firms to respond quickly and pragmatically to these requirements. The UK’s Critical Third-party regime has now been finalised. HMT and the regulators will designate third parties as critical. As firms prepare for this, there’s an opportunity to examine the current state and what might be required to satisfy new demands.
In addition, the Bank of England (which includes the Prudential Regulation Authority, PRA) has issued a consultation in relation to ‘Operational incident and outsourcing and third-party reporting’. Responses are due by 13 March 2025.
The FCA has also issued a consultation paper on the same topic (CP24/28):
CP24/28: Operational Incident and Third Party Reporting
These examples emphasise two things: [i] the need for firms to have robust horizon-scanning tools in place to alert them to these emerging regulatory requirements; [ii] the need to create strategies in response to these emerging regulatory requirements. Firms need to have visibility of what’s in place, what change programmes are in flight and how these can be leveraged or adapted to meet future requirements. This will ensure a quicker response to regulatory requirements, creating less internal work (or potentially re-work!), which in turn results in lower budget requirements for change programmes. Firms that have implemented Incident Management frameworks for DORA will have a strong current state to work from – the gap analysis of how this can be leveraged (to meet the emerging UK requirements, and of course requirements from other regimes) will be the key task to perform at the appropriate time.
How we can help:
At Davies, we understand the unique challenges you face in navigating the regulatory landscape. With our extensive knowledge and experience, we can help you review your existing programmes and provide actionable recommendations to move forward more efficiently. This is crucial as regulators increasingly require visibility of robust implementation plans.
Why Choose Us?
- Expertise: Our team has deep insights into the regulatory environment, ensuring you stay ahead of the curve.
- Efficiency: We streamline your processes, reducing complexity and enhancing compliance.
- Tailored Solutions: We customise our approach to meet your specific needs, leveraging existing DORA frameworks to address other regulatory demands.
Let’s connect! We welcome the opportunity to review your current regulatory state and provide expert opinions on optimising your frameworks. Please feel free to contact us and discover how we can support your regulatory journey.