DORA: Moving Beyond the Basics of Compliance and Implementing a Cross-Functional Approach to Resilience

Posted on: June 15, 2023
Author: Mandy Leavell

A close up look at a courthouse or government building with lots of copy space to the rightWith the twenty-four-month implementation period already underway, entities impacted by the Digital Operational Resilience Act (DORA) are beginning to implement best practices to drive compliance and operational resilience. It is important to recognize, however, that DORA is not simply a “check-the-box” compliance activity. It is an opportunity for companies to find concrete and practical ways to be more resilient through disruption and improve their best practices. And while it may seem like certain aspects of the regulation belong to different parts of your organization, a cross-functional approach will best serve your business and your comprehensive operational resilience strategy in the long run.

Adopting a Cross-Functional Approach to Resilience

To be fully successful in not only complying with DORA, but also in creating an agile and integrated operational resilience program, organizations must break down departmental silos and work with teams across the business holistically. DORA does not reside in any one place in your organization; rather, all parties must assume responsibility for resilience. But don’t fret – this does not mean that your business continuity (BC) team must suddenly become IT experts! They simply must understand, as BC practitioners, that IT could be a source of disruption and, therefore, work to embrace their portion of the business as it contributes to operational resilience. Every department must be mindful of who they need to partner with to achieve compliance with the DORA regulation.

Implementing a cross-functional approach is one of the most common challenges that organizations face, and it often seems to be the biggest obstacle when it comes to carrying out a successful operational resilience strategy. In our recent webinar, participants reported that information and departmental silos as well as alignment across teams are the two biggest obstacles that they face (36% and 38% of those polled, respectively). Addressing DORA on a department-by-department basis will cause you to lose key stakeholders early on and will only cause problems down the line. Involving every stakeholder from the very beginning is one actionable way to mitigate these issues.

How to Strategically Approach DORA Implementation

If you’re just starting out with preparation for the regulation, you’re not alone: 73% of our webinar participants reported that they were still in the early phases of gathering information and planning for DORA. These early stages are crucial for setting your operational resilience program up for success with a holistic approach from the onset.

Implementing DORA is a multi-year investment, as there is a considerable amount of technical and tactical items involved. For this reason, it is important to understand its requirements as soon as possible. While each business is unique, those who have had a more successful approach to resilience and compliance tend to follow this similar methodology:

  1. Identify your critical business functions

Begin by identifying what your individual critical business services are. Map out their dependencies and make sure to understand what the impact would be for each should that service experience a disruption. Ask yourself: which are the most important in delivering our products/services to our customers? These assessments will help you develop response plans and better prepare your organization.

  1. Understand which underlying data sets impact your business services

Once you have a grasp on your most critical business services, you can begin to map the delivery processes to better understand interdependencies, timing, and the order of operations. In the case that one data set is compromised, you can quickly assess which applications and services are impacted.

  1. Define your impact tolerances

Determine what magnitude of impact your organization can survive. How long can an application be down before, say, your revenue loss is too great? Make sure to check that your understanding of tolerances matches the existing requirements of those you work with.

  1. Perform scenario testing

Stress test your recovery plans and resilience program against various scenarios. Understand what would happen within your organization in the face of different types of disruption. Practice carrying out your recovery processes, identify gaps, and solve any issues or bottlenecks that arise. Should a real-life incident occur, you’ll then be able to quickly mitigate the downstream negative impacts. By running scenario analyses, you will also be able to show regulators that you’re prepared.

  1. Monitor and mitigate risks

Based on the information that you’ve gathered in the previous steps and the findings from your scenario analyses, begin to review and improve your approach. Does your organizational model need to change to better position your organization to carry out its resilience plans? Perhaps you need to better train your teams to make decisions. Your approach to operational resilience should be a dynamic one that continues to improve and evolve as you better understand risks and improve planning for them.

What Does DORA Look Like in Practice?

To better understand the steps above as well as the importance of a cross-functional approach to resilience, it can be helpful to look at a real-life scenario in which these resilience practices would be used.

Note: For a more in-depth walkthrough, as well as a platform view of this approach, watch our latest webinar replay.

Let’s explore the scenario of a ransomware attack. Attackers are well aware of what is going to cause the most chaos in your organization and how to extort the highest ransom possible. Asking the right questions ahead of time and walking through the scenario will give you leverage against their demands and allow you to return to delivering your products/services as soon as possible. Let’s jump in:

  • Your organization is the victim of a ransomware attack. One of your data sets is encrypted.
  • The IT team determines where the data set is located and analyzes which operations and services are dependent on the data.
  • The crisis management team validates that your organization’s credit line is dependent on the affected data set, which impacts your Settlement Transactions service.
  • The crisis management team opens a ticket for the new issue and starts to activate the necessary teams to manage the attack.
  • Each team is prepared against a variety of contingencies. For example:
    • Your executive team decides ahead of time whether they are willing to pay a ransom, as well as how much they are prepared to pay.
    • The cyber team identifies what data has been encrypted, as well as who is responsible.
    • Your legal team determines whether you can even pay a ransom without violating any sanctions, ensures that you abide by any disclosure rules, and makes decisions based on who is carrying out the attack.
    • The communications department will know whether you are required to publicly disclose data loss and will carry out plans to mitigate any loss of reputation.

While there will no doubt be more players involved in recovery, these are just a few examples of how operational resilience, and, by extension, DORA, is an end-to-end approach that encompasses your entire organization.

Taking the Next Step with DORA

If you’re looking to bring together your entire operational resilience strategy in one place, Fusion can help! From relationship mapping, to scenario analyses, to managing your third-party risks and beyond, Fusion is the hub that unifies your DORA compliance efforts.

Contact your Account Manager or request a demo to learn more about how Fusion can support your DORA compliance and operational resilience strategies.