Program steering is a vital cog in the implementation machine, but our research gives little indication that the industry has arrived at a standardized approach. At about 50 percent of surveyed institutions, the IT organization drives DORA implementation, whereas among the remaining group, a mix of business and oversight functions more commonly take control (Exhibit 3). The prevalent ownership distribution suggests many organizations still see digital resilience as an “IT problem” rather than a groupwide concern.
Regulatory compliance is rarely inexpensive, and most survey respondents feel that maintaining DORA compliance will incur ongoing costs. Among our survey respondents, 70 percent say continuing to meet DORA requirements will result in permanently higher run costs for technology and technology control.
Challenges facing industry participants and ICT service providers
Of the many challenges facing institutions, one that stands out in our survey responses is ICT third-party risk management (Exhibit 4). To manage third-party risk effectively, financial institutions must make significant efforts on two fronts: ensuring comprehensive oversight of all ICT service providers and their associated risk, and proactively managing the digital risk associated with critical ICT third-party service providers. To achieve these goals in a cost-effective, end-to-end manner, leading FIs take a risk-based and holistic approach, which in turn requires dedicated processes and technologies.
Once more, a key variable is scoping, and our discussions with major FIs show wide variation in understanding of the legislation’s scope—even among companies working with similar numbers of ICT vendors. For example, in contract remediation, some organizations are focusing on as few as 20 remediations, whereas others plan to remediate as many as 3,000 contracts (see sidebar “Key scoping items for DORA remediation activities”).
An important factor in making remediation decisions is how to define a “critical” ICT third-party service provider. Under Article 31 of DORA, criteria for consideration include systemic impact on stability, continuity and quality of provision of financial services, the number of institutions relying on the provider, and interdependencies among institutions. Organizations must work closely with legal counsel to determine which interpretation of that definition optimally fulfills DORA requirements and boosts digital resilience.
In terms of engagement with third parties, many FIs report challenges when negotiating with smaller entities. One difficulty is that smaller third parties often lack sufficient talent or resources to achieve full DORA compliance and, thus, may struggle to meet requirements on time. Such variations in capabilities among organizations are likely to lengthen the time frame for some implementation programs.
A common structural challenge for a financial institution is in its dual role of engaging with providers and being a provider for others. For instance, a financial institution may offer payments services on behalf of another financial institution, while also using third parties to support its own business services. These twin dynamics can expose the institution to regulatory scrutiny from two angles: it may need to both initiate and respond to contract remediation exercises.
Across the industry, timing is likely to be a significant concern in the months ahead. In our survey, just about a third of financial institutions express confidence that they can fulfill all DORA regulatory expectations by January 2025. Moreover, all expect at least some DORA efforts to continue beyond then (Exhibit 5). Even those that believe they can achieve compliance by January 2025 say that implementation and rollout into “business as usual” across geographies will continue beyond the legal enforcement date.
Taking action: Four strategic imperatives
Preparations for DORA will continue to accelerate in the coming months. As decision makers navigate the process, best practice will be not only to focus on complying with the regulation, but also to reflect broader business goals. We have seen some leading organizations anchor their efforts on four strategic principles.
See the regulation as a resilience opportunity rather than a tick-box exercise
As many as 80 percent of remediation programs fail because they lack a strategic foundation. To prevent DORA programs from succumbing to the same fate, decision makers need to see the program for what it can be: a transformational opportunity to reorganize and enhance processes, tools, and technologies, while boosting resilience. But if institutions simply update policy documents and define system mappings to do the bare minimum, they risk turning their DORA programs into paper tigers—inflating costs with limited impact beyond paper. If, conversely, institutions implement DORA with digital resilience as an objective—by using their DORA program to identify and eradicate ICT risk at scale—they will create a fundamentally stronger financial ecosystem and improve customer trust.
Make resilience business-led
As in many transformative projects, leadership is a critical enabler. We see two vital building blocks:
Drive the transformation from the top. For an effective transformation, senior managers need to formulate a clear strategy, enhanced by programmatic support structured around the business and its priorities. Regulators’ expectations will be relevant in this context. In one recent examination, the regulator requested evidence that IT risk-management efforts were business-led and involved leaders from the business. Our experience suggests that linking regulatory remediation deliverables to business objectives is key to measuring resilience success, which is possible only when business colleagues are at the helm in driving implementation.
Appoint a single accountable program owner. While DORA affects multiple functions, a single accountable owner provides a point of coordination and steering. This approach will sharpen strategic oversight and lead to better prioritization and communication throughout the program.
Scope astutely: Take a risk-based approach; define ‘done’ clearly
From our survey, scoping is a significant challenge—and opportunity—as DORA preparations reach their final stages. Our surveyed FIs commonly report struggling with seemingly unending regulatory programs that “boil the ocean” in interpreting and meeting regulatory expectations, with consequently ever-growing scope and costs.
Organizations that precisely define the regulation’s risk-based aims are most likely to execute effectively. They engage in two best practices:
Implementing requirements based on risk. Leading companies take a risk-based approach to resilience, identifying their most critical processes and prioritizing capability requirements according to risk. This means not creating “one control requirement set to rule them all” but defining risk-differentiated policies and controls based on the business value of different processes. Such an approach yields a more streamlined, efficient application of DORA requirements, optimizing both DORA spend and time to compliance.
Explicitly defining “done”: when DORA requirements are met and risk is mitigated. Often in the course of regulatory and remediation programs, organizations run into the challenge of proliferating requirements and ever-lengthening timelines. That may occur when internal stakeholders seek to add their own priorities to the list, increasing the effort required. By agreeing from the outset on how to define “done,” a company can save months of program extension, spend, and iteration.
Collectively collaborate to ensure systemic resilience
Business leaders may feel it is counterintuitive to collaborate with competitors on regulatory alignment, but information sharing can actually streamline the implementation process and build trusted networks. We have seen, time and again, the power and impact of cross-industry collaboration on security and regulatory topics. Consider these approaches:
Invest in information sharing and exchange; candidly communicate how you view scope requirements and challenges. Given that DORA expressly aims to strengthen the resilience of the entire financial ecosystem, it should catalyze collaboration across the European financial industry. Lean into the fact that it makes sense for FIs to work together.
Use DORA to build digital trust. ICT service providers and FIs can use DORA to boost transparency and build trust in their digital products and services. As quality, resilience, and security improve, so will uptime, access, and fraud-mitigation outcomes. Digital trust can become a value differentiator for customers.
As the deadline for DORA implementation approaches, financial institutions and ICT service providers have their work cut out to achieve the expected level of digital resilience. Scoping exercises and closure of gaps against the final text and RTS batches will demand significant attention in the months ahead.
That said, DORA also presents a valuable opportunity. Institutions have a chance to revisit critical challenges around digital resilience, bring diverse parts of the organization together, and transform fundamental capabilities that will maintain the resilience of the financial ecosystem. Given the systemic reach of digital technologies, financial institutions and ICT providers can work together to increase trust in the industry and create value for the long term.
Source link : https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/europes-new-resilience-regime-the-race-to-get-ready-for-dora
Publish date : 2024-06-28 07:00:00