

    Navigating OpRes Storms in 2025

    Published: October 15, 2024

    Hosted by:

    First Derivative

    Last week, ten leading financial institutions gathered at JWG’s Winning the OpRes Marathon roundtable in London to debate the evolving challenges of the Digital Operational Resilience Act (DORA) and other global Operational Resilience (OpRes) regulations.

    Hosted by First Derivative and facilitated by JWG under the Chatham House Rule, the discussions underscored the urgency for financial entities to become “seaworthy” as they navigate an increasingly complex regulatory landscape. With DORA applying from 17 January 2025 and other OpRes deadlines looming, the roundtable emphasised the need for swift and decisive action across several key areas: vendor management, operational resilience, and technology adoption.

    Financial entities and their vendors must reshape their strategies to avoid being “swallowed by the storm.” As the regulations evolve, the pressure on banks to ensure long-term compliance and sustainability is intensifying. Fostering industry collaboration will be essential for firms aiming to weather the waves of regulatory change.

    Vendor Management: Charting a Course Through Uncharted Waters

    A central challenge under DORA is enhancing third-party risk management. Financial institutions rely heavily on vendors for services critical to their operations, and this dependence creates exposures that DORA seeks to address. Banks must adopt a proactive approach, moving beyond traditional vendor relationships toward continuous oversight and performance tracking.

    Participants at the JWG roundtable emphasised that the growing complexity of vendor management necessitates a paradigm shift. Banks must ensure that each vendor, no matter how small, adheres to strict operational resilience standards. This means continuously monitoring vendor performance and resilience, engaging with vendors more deeply, and anticipating risks before they escalate. If these processes are not adequately managed, banks risk becoming casualties of unforeseen regulatory storms.

    Building Operational Resilience: Weathering the Waves

    Financial institutions must ensure that their critical functions, and in particular the Information and Communication Technology (ICT) services that support them, are robust enough to withstand severe disruptions. This requires a comprehensive review of business continuity plans and incident response mechanisms so that organisations can recover swiftly from any service interruption, whether it is caused by a cyberattack, a system failure, or a vendor outage.

    Participants emphasised that major disruptions, such as the 2023 ION ransomware attack and the 2024 CrowdStrike faulty-update outage, underscore the need for enhanced resilience measures. These incidents resulted in widespread outages, impacting some firms for nearly a month.

    Exposure of this kind cannot be tolerated under DORA, which requires businesses to assess, test, and fortify their resilience frameworks. By building a sturdy infrastructure, banks can endure the waves of future disruptions, ensuring business continuity and compliance.

    Leveraging Technology and Automation: Navigational Tools for the Journey

    In a world of escalating compliance demands, banks cannot rely on traditional and manual processes to meet DORA and OpRes obligations. Technology and automation will be the key “navigational tools” for financial institutions as they streamline compliance and improve operational efficiency.

    By centralising critical information such as vendor registers, performance monitoring, and incident reporting, banks can ensure real-time oversight and quick response times, ultimately reducing risks and improving resilience.

    The use of advanced RegTech tools, such as AI-driven solutions, will become a critical asset. These tools can automate risk management processes, continuously monitor third-party risks, and provide actionable insights into regulatory compliance. As highlighted during the industry discussions, automating key compliance areas allows firms to “chart a safer course” through regulatory waters, reducing human error and cutting costs.

    Industry Collaboration: Sailing Together for Safer Seas

    Collaboration across the financial industry is another key aspect of building operational resilience. By working together, financial institutions can develop common standards, share best practices, and even create shared utility services to handle critical functions. This industry-wide approach will allow the whole fleet to become more “seaworthy,” as firms will be better equipped to manage systemic risks that affect the entire financial ecosystem.

    As JWG highlighted in our Winning the OpRes Marathon research, regulatory initiatives such as DORA provide an opportunity for collaboration between banks, industry associations, and regulators.

    However, there is an undercurrent of digital sovereignty: European regulators have introduced measures intended to regain control over critical infrastructure dominated by non-EU vendors such as AWS and Microsoft. The industry will need to navigate these currents carefully to create shared solutions that reduce vendor concentration risk and meet EU resilience objectives.

    Adaptability in a Changing Landscape: Staying the Course

    One thing is certain: regulatory frameworks like DORA will continue to evolve. To stay compliant, financial institutions must remain agile and adaptable, continuously updating their compliance programs to meet new requirements. Just as a ship adjusts its course to navigate changing weather, banks must constantly revise their strategies to keep up with new regulatory guidance.

    DORA’s requirements for real-time monitoring, detailed incident reporting, and continuous testing will place additional pressure on firms, particularly those that lag in their adoption of advanced technological solutions.

    As one executive noted during the dinner, while many firms are 85% compliant, the “quirky little things” often pose the greatest challenges. These seemingly small details can cause significant compliance risks, making continuous improvement and adaptation crucial for long-term success.

    As financial entities know well, the safest ship is the one that never leaves the harbour, but to achieve meaningful rewards, some level of risk must be embraced.

    To survive and thrive amid the waves of OpRes, Cyber, AI, Quantum, and other regulatory change, banks must remain on the water while becoming “seaworthy” against a set of evolving maritime standards. This means leveraging technology, collaborating with industry peers, and maintaining the flexibility to adapt to evolving regulations. By doing so, banks can navigate the storm of DORA and OpRes, ensuring compliance, resilience, and long-term success.

    As the 2025 deadlines approach, the financial industry must focus on becoming proactive rather than reactive. Those that fail to reshape their plans may find themselves engulfed by the regulatory storm, while those that invest in resilience, technology, and collaboration will emerge as industry leaders, capable of weathering any future challenges.

    DORA is just the beginning when it comes to building a strong IT risk posture. Our team of experts can leverage AI to prepare for the races ahead including Cyber, AI, and Quantum.
