Navigating DORA: key challenges and strategies for long-term resilience

Insight, September 18, 2024

Moira Cronin, Partner, PwC Ireland (Republic of)

As the Digital Operational Resilience Act (DORA) deadline of January 2025 approaches, financial institutions across Europe are grappling with the complexities of compliance. Through our work with clients, we’ve identified several key challenges and strategies to help businesses meet their regulatory requirements and build lasting digital resilience.

Understanding end-to-end processes: a critical challenge

One of the primary hurdles organisations face is developing a comprehensive view of their end-to-end business processes and supporting ICT infrastructure. This challenge is particularly acute for firms that have extensively outsourced activities over the years. DORA now requires these companies to unravel the ‘black box’ of outsourcing and gain a clear understanding of the risks facing their businesses.

This process involves mapping critical business functions to the ICT systems that support them, both within the organisation and across its third and fourth parties, and potentially beyond. While complex, this exercise is crucial for managing risks effectively and ensuring operational resilience, and it gives organisations an end-to-end view that will also help them comply with other regulations on the horizon.

Completing the DORA Register of Information

All financial institutions under the scope of DORA will need to complete a Register of Information listing their ICT third parties. This register will be required for the European Supervisory Authorities to determine who they will designate as critical third-party providers (CTPPs). It is likely that the authorities will require this information after the DORA go-live date of 17 January 2025.

While many institutions already have various outsourcing registers in place, the DORA register will require additional effort. Some of the information needed will not have been captured previously and will require outreach to third-party providers. Although the register has more than 90 data points, it is not simply a data entry exercise: classifying providers is proving time-consuming and requires an understanding of your end-to-end business processes to determine which providers belong in which category.

It’s a complex and tedious exercise, but one that will improve organisations’ understanding of who they rely upon and which subcontractors support those providers.

Repapering contracts: a race against time

DORA requires changes to third-party contracts, both for those supporting critical or important functions (CIFs) and for those that don’t. Financial services organisations must update their existing third-party contracts, and given the volume involved, this presents a huge challenge: not only updating the contracts, but also conducting negotiations and ensuring each provider is willing to support the organisation’s DORA programme.

It is simply not sufficient to wait until the contract renewal date. If an incident occurs after the 17 January deadline that could have been prevented or managed differently had DORA’s requirements been applied to the relevant third-party contract, the organisation may be penalised under the Act.

Instead, organisations should focus on those contracts that support CIFs and those that have a greater level of risk to the resilience of the organisation in the first instance. They should then manage the residual risk through mitigating controls on the company risk register where a contract may not be fully updated and/or agreed.

By taking a risk-based approach, organisations can manage this risk effectively. Using technology, they can accelerate compliance while ensuring they are managing the resilience of the organisation and protecting the business.

Beyond compliance: building a culture of resilience

It’s important to view DORA not as a one-time compliance exercise, but as a catalyst for organisational transformation. The regulation demands a cross-functional approach to resilience, often requiring a cultural shift across the entire business.

To ensure long-term compliance and resilience, organisations should:

  • embed resilience thinking into all aspects of the business;
  • foster collaboration between IT, risk management and business units;
  • regularly review and update risk assessments and mitigation strategies; and
  • invest in ongoing employee training and awareness programmes.

By taking this holistic approach, businesses can meet regulatory requirements, protect the value they’ve created, and prepare for future regulatory changes.

Leveraging technology for DORA transformation

Technology plays a crucial role in achieving and maintaining DORA compliance. Some key areas where technology can support the transformation include:

  • Structured data management: tools for creating and maintaining the register of information, ensuring data quality and completeness.
  • Process mapping: solutions that support the mapping of critical business functions to ICT systems, providing real-time insights and facilitating ongoing maintenance.
  • Workflow automation: tools to streamline the compliance process and ensure consistent application of controls.
  • AI-powered contract analysis: accelerating the review and updating of contracts with third-party providers.

A real-world example: streamlining third-party risk management

In a recent client engagement, we leveraged a tech-powered solution to assist with outreach to third-party suppliers for completing the register of information. This approach allowed us to:

  • identify specific data fields required from each supplier;
  • conduct systematic outreach;
  • collect structured, usable data;
  • create an audit trail; and
  • significantly reduce processing time and improve data quality.

This tech-powered approach accelerated the compliance process and provided our client with a robust foundation for ongoing third-party risk management.

The PwC advantage: global expertise, local delivery

At PwC, we bring together a global network of over 400 DORA specialists, providing our clients with access to extensive resources, best practices and innovative solutions. Our collaborative approach ensures we can tackle even the most complex challenges, drawing on diverse experiences and insights from our global DORA team.

As the DORA deadline approaches, financial institutions have a unique opportunity to transform their approach to operational resilience. By addressing key challenges, fostering a culture of resilience and leveraging technology, organisations can achieve compliance and build a stronger, more resilient foundation for the future.


Contact us

Moira Cronin, Partner, PwC Ireland (Republic of). Tel: +353 86 377 1587

Diane Smith, Director, PwC Ireland (Republic of). Tel: +353 87 711 1480

Neil Redmond, Director, PwC Ireland (Republic of). Tel: +353 87 970 7107

David O'Sullivan, Senior Manager, PwC Ireland (Republic of). Tel: +353 87 338 9753