Business Drives the Need: Understanding DORA's Importance

A recent survey by McKinsey found that 94% of financial institutions are engaged in meeting DORA’s requirements. However, only a third of these institutions expressed confidence in meeting the January 2025 deadline. Financial institutions face fines of up to 1% of their average daily worldwide turnover for severe breaches of DORA. For large global banks with $50 billion in annual revenue, this could translate to a $500 million penalty.

The objective of DORA, as "is to reduce the risks associated with digital transformation by implementing uniform rules on operational resilience throughout the EU. This has been initiated to mitigate risk posed by growing vulnerabilities due to the increasing interconnectivity of the financial sector."

Deloitte emphasizes the broader impact of DORA: "The DORA represents the EU’s most important regulatory initiative on operational resilience and cyber security in the financial services sector. It requires firms to adopt a broader business view of resilience, with accountability clearly established at the senior management level."

It has been stated that organizations that have implemented DORA's guidelines have seen increases in their operational resilience within the first year. This isn't just about compliance; it's about building a foundation for long-term success.

Operational Resilience Explained

Operational resilience refers to an organization's ability to anticipate, prepare for, respond to, and recover from unexpected disruptions while continuing to deliver its core products and services. It's about building the capacity to absorb shocks and adapt swiftly to evolving circumstances, ensuring that the organization remains functional even during crises. What can’t be overlooked is data resiliency management.

Example of Operational Resilience Improvement: Article 12

Article 12 of DORA focuses on backup policies and procedures, restoration, and recovery methods. By implementing these measures, organizations can significantly enhance their operational resilience:

·       Backup Policies and Procedures: Financial entities must develop and document backup policies specifying the scope of data to be backed up and the minimum frequency of backups, based on the criticality and confidentiality of the data.

·       Restoration and Recovery Procedures: Entities must establish restoration and recovery procedures to ensure that ICT systems and data can be restored with minimal downtime, disruption, and loss. These procedures must be tested periodically.

·       Segregated ICT Systems: When restoring backup data, financial entities must use ICT systems that are physically and logically segregated from the source systems. These systems must be protected from unauthorized access and corruption, ensuring timely restoration of services.

·       Redundant ICT Capacities: Financial entities, except microenterprises, must maintain redundant ICT capacities to ensure business continuity. Microenterprises should assess their need for such capacities based on their risk profile.

·       Secondary Processing Sites: Central securities depositories must maintain at least one secondary processing site, geographically distant from the primary site, to ensure continuity of critical functions in case of disruptions.

By adhering to these requirements, organizations can ensure they are better prepared to recover from ICT-related incidents, thereby enhancing their overall operational resilience.

Challenges in Implementing Article 12

·       Resource Allocation: Developing and maintaining comprehensive backup policies and procedures require significant resources. Smaller organizations may struggle with the financial and human resources needed to implement these measures effectively.

·       Technical Complexity: Ensuring that backup systems are physically and logically segregated from source systems can be technically challenging. This requires advanced IT infrastructure and expertise, which may not be readily available in all organizations.

·       Testing and Validation: Regularly testing restoration and recovery procedures to ensure minimal downtime and data loss is crucial. However, this can be disruptive to normal operations and requires meticulous planning and execution.

·       Redundant ICT Capacities: Maintaining redundant ICT capacities to ensure business continuity involves additional costs and complexity. Organizations need to assess their risk profiles and determine the appropriate level of redundancy, which can be a complex decision-making process.

·       Regulatory Compliance: Keeping up with regulatory changes and ensuring ongoing compliance with DORA can be burdensome, especially for organizations operating in multiple jurisdictions.

Enhancing Business Recovery through Data Resiliency Management

Data resiliency management is crucial for ensuring that mainframe data remains available, secure, and recoverable. It not only requires thorough testing but also significantly improves a business's ability to recover from disruptions. This improvement must be practiced regularly to ensure effectiveness. Key aspects include:

·       Understanding Application Resiliency: Assessing the resilience of applications and their ability to recover from disruptions.

·       Analyzing Data Usage: Monitoring how data is used across the infrastructure to identify critical data, its dependencies, and prioritize its protection.

·       Managing Backups: Keeping track of where backups are stored and ensuring they are up-to-date and secure.

·       Simplifying Resilience: Implementing automated processes to streamline backup, recovery, and data protection efforts, making resilience easier to achieve and maintain.

Timely Insights and Practice

To ensure that data resiliency management is effective, organizations must practice recovery regularly. This involves:

·       Anomaly Detection: Using automated tools to detect and respond to anomalies quickly.

·       Real-Time Analytics: Leveraging real-time analytics to improve the speed and accuracy of recovery decisions.

·       Automated Processes: Implementing automated processes to streamline backup, recovery, and data protection efforts.

·       Regular Testing: Conducting tests to simulate various disruption scenarios, such as data corruption, deletions, and system upgrades gone awry.

·       Comprehensive Recovery Plans: Ensuring that recovery plans are detailed and account for all potential disruptions.

By leveraging tools like IZBR which provides data resiliency management for z/OS, organizations can enhance their operational resilience through:

·       Automated Backup and Recovery: Automating the analysis, backup, and restoration of batch application data.

·       Data Visibility and Recovery: Providing real-time visibility into jobs and open data sets for faster recovery.

·       Workload Interdependency Insight: Offering insights into application interdependencies and recovery points through detailed analytic reporting.

·       Ease of Recovery: Simplifying recovery processes without requiring extensive application expertise.

Simply put, IZBR is a must for any business that operates on the mainframe. The software minimizes the impact of data corruption with fast and automated data recoverability features while providing audit reporting necessary to meet DORA requirements.

Conclusion

DORA requires robust operational, cyber, and data resiliency management. By integrating people, processes, and technology, DORA helps organizations mitigate risks associated with digital transformation and interconnectivity within the financial sector.

Implementing DORA's guidelines, such as those in Article 12, enhances an organization's ability to recover from ICT-related incidents. This requires resource allocation, technical expertise, and ongoing testing.

Implementing DORA guidelines, such as Article 12, enhance an organization’s ability to recovery from ICT related incidents. As such, data resiliency management is key. By understanding application resiliency, analyzing data usage, managing backups, and leveraging automated processes, organizations can ensure data security and recoverability. Regular practice and timely insights, including anomaly detection and real-time analytics, are essential. Embracing DORA and implementing robust data resiliency management as part of day practice, builds a foundation for long-term success, and meets the needs of compliance and regulations.

References

1.     McKinsey Survey on Financial Institutions and DORA

2.     Deloitte on DORA's Impact on Operational Resilience and Cyber Security