In this episode, our podcast host, Matthew O’Neill, takes us on a deep dive, “Exploring DORA”, into Europe’s new Digital Operational Resilience Act, which, it is being suggested, will be as significant for Financial Services as GDPR has been to the rest of us.
Matthew discusses the key provisions of DORA and how it aims to ensure the robustness and resilience of the financial system in the digital age. We'll uncover Matthew’s take on the motivations behind the act, its implications for financial institutions, IT service provider partners, and even the regulators, all with the aim of providing protection for consumers.
From cyber threats to operational disruptions, DORA's framework addresses a wide range of risks and sets new standards for digital operational resilience. Matthew makes it clear that regulators from other jurisdictions are watching with interest.
In addition, we learn of Matthew’s unprecedented journey in the financial sector: from an office junior at a local bank in the UK to becoming the Head of Infrastructure and Operations in Asia and then the Global Head of Data centres and IT Service Management at one of the world’s largest banks, and then on to his landing here at VMware.
Matthew’s take on DORA gives you a true insider’s perspective. It’s a must-listen!
3 Takeaways:
- DORA emphasizes that operational resilience is not limited to financial services firms alone. The entire ecosystem supporting critical services must be considered. This means mapping out end-to-end processes, understanding who and what is involved, and ensuring full observability to keep things running optimally.
- DORA introduces a significant shift in regulatory testing. Supervisors will now conduct tests on production systems, especially where these are sharing cloud infrastructure with multiple firms. Stress testing operational resilience will become a priority, moving away from a mere tick-box exercise.
- To comply with DORA's requirements, both financial service providers and their partner firms should invest in regulatory risk professionals and banking risk specialists. The act will challenge existing assumptions and practices. It might reveal whether claims of regulatory constraints are genuine or merely used as an excuse for avoiding technological advancements. This suggests that firms will need to navigate a potentially uncomfortable period of reevaluation and adaptation.
Key Quotes:
- It's not just about the financial services firm. It's also about the whole ecosystem that supports you in the provision of what are deemed as critical or important services. So, if you have one of those types of service, you've really got to map out end to end, how that operates, who operates through, who's touching what part of it and making sure that you're not just monitoring it, but you've got like full observability as to what's going on, who's doing what, where, when, and why, and if anything goes wrong, how quickly you can bring that back.
- The big difference now, though, is that there will now be testing performed and you've got to perform tests, but it's also the supervisors are likely to be performing tests and they'll be performing tests on production systems that are potentially running on the same cloud infrastructures as many other [financial service] firms and many other firms. So, there's going to be much more stress testing of that operational resilience than it ever being a kind of a governance, tick box exercise. So I think that's one thing that's got folks concerned.
- What's going to happen here is there's going to be an increased level of transparency. I can kind of say maybe an implicit increase in levels of trust between FSI firms and their supplier partners, because the supplier partners are going to be held to account for what's running. And if they don't know what's running, that's a little bit of a hard positio
Information
- Show
- Frequency: Monthly
- Published: 06:00 UTC, 24 October 2023
- Length: 53 minutes
- Season: 3
- Episode: 7
- Rating: Clean