DORA – bureaucratic bugbear or golden opportunity?

The Digital Operational Resilience Act, commonly known as DORA, is scheduled to come into force on 17 January 2025. It aims to both harmonise EU Information and Communication Technology (ICT) regulation across EU member states and, more importantly, address a critical gap in how financial institutions manage ICT operational resiliency risks.

DORA introduces clear rules and stringent guidelines for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks, as well as encouraging regulated entities to share intelligence on cyber threats. This means startups serving the financial services industry and fintech firms will need to adapt – fast.

DORA’s scope is broad and its requirements complex. The task of implementing DORA is made more challenging given the legacy IT systems still in place, the inclusion of critical third parties in its scope, evolving ICT threats such as cybercrime and, last but not least, resource constraints. It’s easy to understand why tech startups and fintechs may see it as a real bugbear.

Where’s the focus?

While the legislation is intended to bolster the resilience of the financial system and continuity of service in the event of an incident, the focus is not just on ensuring customers can continue to open accounts, make and receive payments, make insurance claims, apply for credit and so on. It also emphasises how important ICT's support processes are.

For example, under DORA there is an expectation that if an outage occurs there is a plan not only to manage the incident as it unfolds but also to keep operations running uninterrupted. Furthermore, it is not enough to have a plan: the plan must be tested, monitored and updated regularly under a range of scenarios. The plan must cover critical third-party dependencies such as fintech providers, provide an ability to get to root cause quickly, support detailed incident reporting, remediate the cause(s) so that the incident never happens again, and ensure the lessons learned from the incident are carried forward into future plans.

Navigating the complexity

Financial services ecosystems are complex, and core processes, such as issuing an insurance policy or approving credit, are fragmented. If, for example, a fintech firm has had a recent history of payment outages affecting corporate clients, this may have led the various cross-functional payment teams to build a world-class incident management approach for corporate payment clients. But to what extent has this process been replicated across the enterprise? A series of KYC incidents may have led to a data consolidation and cleansing exercise for home insurance customers, which will make continuity of service easier when migrating these customers to a new platform, but what about car insurance customers? An outage at a third party may have impacted government clients, but why didn't it impact other corporate clients?

The key here is that, given the underlying core process fragmentation, the ICT support processes, at the heart of implementing DORA effectively, are unlikely to be standardised across the enterprise. Fortunately, the regulatory technical standards that will be introduced with DORA are intended to be relatively prescriptive, i.e., specifying what needs to happen when, what information is required to be shared, who is accountable and what their obligations are. This should make interpreting the DORA requirements, i.e., the “What”, easier than principle-based regulatory requirements. It’s then just a question of configuring the processes to satisfy these requirements, i.e., the “How”.

Pulling it all together

This is where process mining could be a way forward for firms. This is a data-driven technique that analyses, improves, and tracks business processes. Implementing a comprehensive process mining compliance solution can align all essential components, including the “What”, the “How”, the ongoing monitoring for incidents and violations, and many of the incident management tasks, in a single platform. This could provide detailed documentation critical for real-time tracking, root-cause analysis, and reporting of ICT incidents that impact core processes. It also enables analysis, re-design and continuous monitoring of the support processes that are critical to ensuring that startups and established businesses stay within both the letter and spirit of DORA. 

But how would it work? Compliance requirements from regulatory standards can be imported onto the platform, along with their associated controls. Using a template-based approach, these controls are translated into standardised compliance rules, which can then be mapped to the relevant support process, such as incident management or business continuity plan (BCP) testing. Event data from support processes can be uploaded in real time, alerting accountable owners immediately when operational risk incidents arise. This approach captures the relevant incident data and simplifies root cause analysis, which can then be exported or integrated with the enterprise's risk management system to satisfy reporting obligations.

Process intelligence platforms can also reveal inherent variation within support processes due to ecosystem complexity, highlighting areas for improvement in incident management, such as removing loops and bottlenecks. They enable stakeholders across the organisation to simulate and analyse what-if scenarios for business continuity and disaster recovery planning, and can even predict potential future incidents.

It is tempting to view compliance as a bureaucratic bugbear, but seen through the right lens, it can be a real opportunity not just to future-proof a business, but to innovate through resilience.
