With the summer now seemingly a lifetime ago and the implementation deadline getting ever closer, we are starting to see Financial Services firms switching their focus to the EU’s Digital Operational Resilience Act (DORA) readiness and how to practically go about implementing it.
The challenge is that this cross-cutting regulation requires not only to change policy and procedure but also change that goes to the very heart of an organisation’s operating model: delivering on technological change, working with third parties, understanding how they interface within your organisation’s IT estate and potentially rationalising processes through outsourcing to a trusted third-party.
This means you need more from your partners. Especially from those well-placed to help you through this complex transition. While this may seem a little self-serving, this is where consultancies that can cover the full end-to-end service, from consulting to IT services, can make all the difference.
First, you need a strong advisory capability
A large regulatory change requires support from advisory firms to help interpret the changes, align expectations across the industry and help firms make sure they are ‘in the pack’ rather than outliers in their approach. Especially for international firms, who have to contend not just with DORA, but also the other global versions of Operational Resilience, as well as the Basel Committee on Banking Supervision (BCBS) Principles for Operational Resilience. Furthermore, technology is never static, and the regulatory approach will need to evolve to keep up. Meeting these evolving requirements across potentially multiple jurisdictions yet avoiding duplication and doing it cost-effectively is a major challenge for the industry.
A wealth of capable advisory firms exist, from the Big 4 down to smaller consultancies, that can all capably help here.
Secondly, you need a delivery capability
Here things get a bit more complicated. Significant parts of DORA detail the enhanced governance, risk and control framework requirements together with new supporting processes and policies, many being cyber security related. These need to be in place to bring to fore and strengthen activities that are critical to the provision of services to clients and markets that could exist both on-premise and in the cloud. While some management consultants can do this, they do not always have extensive hands-on experience and are unlikely to be cost-effective for extended periods.
Hence a partner with a proven record of delivery excellence that can also support you with these elements of DORA is needed. Especially if, like most firms I work with, rapidly scaling in-house teams with the necessary capabilities can be a major challenge.
Thirdly, you need a partner who works with, and knows, the various third-party solutions and platforms you use
Now things get even trickier. Inevitably, a closer relationship with your third-party providers will need to be established, especially where they form part of your critical services. We’ve seen most third parties set up a dedicated compliance function as a result. But this interaction can be difficult – especially as these compliance functions are often brand new and facing demands from many clients at once.
Thus, you want to work with a partner who already knows these third parties, talks to them frequently, knows how the platform/solution works, who the key people are, and can reach out to them directly.
This is where leading consulting and IT services firms will come into their own – they will have many of these third parties as high-tier level partners, especially the major IT services providers such as Amazon, Microsoft, Google and ServiceNow. They will have a view across all their clients on how to handle the changes and will probably have been engaging with those third parties on the topic for a while already.
Finally, you need a partner with a business process outsourcing capability
Inevitably, the various DORA and related global operational resilience changes will mean significant elements of operations will move to the cloud, a hybrid setup, or at least a significantly strengthened on-premise managed service. This is where services such as Security Operations Centre (SOC) and Incident Event Management (SIEM) and platform run capabilities come in.
And this is the domain of the large global IT services providers. Their scale and capability to handle these kinds of changes with ease is what sets them apart as a logical and cost-effective partner.
In conclusion, I believe addressing DORA is one that requires a mix of capabilities – one that a truly global consulting and IT Services firm is well placed to provide. It is of course possible to partner with dedicated specialists for each of the capabilities above – but in my experience that inevitably leads to duplication of work as the handoff points are never really trusted when teams work in isolation - for instance where advisory may develop an operating model and handing this over to delivery without full consideration of the engineering challenges.
That’s why a global combined consulting and IT services firm is, in my mind, the logical partner to help you address a change like DORA. Cognizant can help you with setting a comprehensive DORA compliance programme or support your various technology changes already underway to ensure they are DORA compliant from the outset.
To learn more, visit the Consulting section of our website.