COLUMN – OLAF RANSOME | With the EU’s new DORA legislation to underpin (or force) good oversight of third-party ICT providers, it is made clear that firms have to manage their vendor and outsourcing relationships. Saying “our vendor takes care of it” will no longer be enough. Bite the bullet with operational veteran Olaf Ransome.
In a series of six column contributions with PostTrade 360° throughout 2024, banking operations veteran Olaf Ransome digs into the topic of operational resilience – to help us understand its meaning under changing rules, and get adequately prepared. Find his articles listed here.
Resilience does not come naturally: we assume that IT just works, in the same way we assume electricity when we flick the switch and water when we turn on the tap. That said, it is not a totally new thing. In an Operations Management course at Loughborough University in the ’80s our wonderful lecturer, Peter Lawrence, illustrated resilience by describing how German companies focused on their “zweites Bein”, or second leg, in their supply chain management.
Why the focus on resilience?
In my financial services (FS) career, back-ups and alternatives have been a constant theme. That said, we have not always thought things all the way through. After the 9/11 attacks in New York, many firms discovered that their back-up phone connectivity had a single point of failure (SPOF), because all the carriers went through one installation in lower Manhattan.
After the challenges of 2008, recovery and resolution planning (RRP) was added to the regulatory must-do catalogue. That was more legal-entity-level planning.
We often joke that banks are IT companies. For financial services firms, significant IT issues keep happening. NatWest and cash machines is a recurring theme in the UK, as are outages in CHAPS, the UK high-value payment system. The LDI crisis in the UK in late 2022 highlighted how many firms were just not able to react in volatile times. And summer 2024 saw significant global problems caused by the Microsoft / CrowdStrike mess on 19 July, when a faulty CrowdStrike content update crashed Windows machines around the world. Interestingly, in the aftermath, the lawsuits are flying: some shareholders have filed suit, saying CrowdStrike overstated its capabilities, and Delta Air Lines has estimated its losses at USD 500 million and is apparently considering legal action.
The European Union has also faced increased pressure from large-scale cybersecurity threats, many with a cross-border dimension and a very public impact. As far back as 2002, the EU took the first steps in improving the digital resilience of its Member States and industry stakeholders by improving information security. In 2013 it published the joint communication setting out an EU cybersecurity strategy, followed in 2016 by the first horizontal cybersecurity legislation, the first Network and Information Security Directive (NIS). In 2022 the EU adopted the Digital Operational Resilience Act (DORA); as a regulation rather than a directive, it applies directly in all Member States without national transposition. NIS2, the successor to the NIS Directive, was adopted in December 2022 and entered into force in January 2023. This is not the end of the efforts the European Union will have to make; evolving technologies will lead to evolving regulations, for example post-quantum cryptography, for which the Commission published a recommendation on a coordinated transition roadmap in April 2024.
So, none of us should be surprised that regulators are worried about both individual institutions and financial market infrastructures (FMIs): about financial stability, i.e. excessive volatility, and about systemic risk, i.e. the failure of one institution creating a snowball effect.
What’s new?
DORA sets out a detailed and comprehensive framework for the management of ICT (information and communication technology) risk at financial entities in the EU. It consists of five pillars, which lay out requirements and expectations for different aspects of operational resilience:
1. ICT risk management and governance
2. ICT-related incident reporting
3. Digital operational resilience testing
4. ICT third-party risk
5. Information sharing.
DORA is the first EU legislation to establish an oversight framework for critical ICT third-party providers, with the European supervisory authorities acting as lead overseers. In simple terms, firms have to manage their vendor and outsourcing relationships; “Oh, Acme IT take care of that, we rely on them,” is no longer a sufficient answer.
Overall, DORA empowers the three European supervisory authorities (EBA, EIOPA and ESMA) to request information, conduct investigations and inspections, make recommendations and impose fines. The act makes the management body of each financial entity responsible for defining, approving, overseeing and implementing the ICT risk management framework, and requires its members to keep their knowledge and skills up to date. Member States must provide for administrative fines and remedial measures for non-compliance, and may additionally provide for criminal penalties. DORA streamlines existing EU financial incident reporting obligations and creates a single process for reporting major ICT-related incidents to the competent authority, reducing administrative burden and duplicate reporting requirements.
While parts of DORA’s detailed technical standards are still being finalised, the direction of travel from the regulator is clear and requires a fundamental mindset shift across institutions. All financial entities operating within the EU, including banks, payment providers and even crypto-asset service providers, must comply with DORA’s requirements from 17 January 2025. For more detail on the scope see this article from McKinsey.
DORA is a specific focus area and a subset of the wider expectations on resilience. The wider focus comes from the Basel Committee on Banking Supervision, the BCBS, which has laid out some Principles for Operational Resilience (POR) and the Revised Principles for the Sound Management of Operational Risk (PSMOR). Their latest report on progress in those areas is worth a read.
What do we have to do?
When the FS industry is confronted by regulatory change, the response typically follows a known pattern. First, we look at the date and tell ourselves it will be delayed, so we can kick the can down the road a little and juggle priorities in the book of work. Then, when dates are firmed up or time moves on enough that we must assume the deadline, we tend to manage the scope: “what is the minimum we have to deliver in version 1.0 to get a tick in the box?” That is done with the promise of a version 2.0 which will fix all the shortcomings of version 1.0. In the all-time list of empty promises, that one comes in third behind “the cheque is in the post”.
So, we come to the perennial battle between “compliance” aka getting a tick in the box versus making a virtue of change. Marsh McLennan offer some useful arguments for the latter.
One of my oldest friends in this business has been looking into things DORA. David Mote is an industry veteran for whom “reporting” has been a consistent theme throughout his career. Sometimes firms must do things because regulations change and deadlines are imposed; at other times change and progress are discretionary, with firms investing to improve their product or service offering. Currently David is responsible for business development at PUA Group, the company behind a platform to support DORA compliance at financial institutions. Talking with David, some themes emerged which help us understand what is expected and needed here, as well as why standards are a good thing:
1. DORA sets a clear, common standard level. In Financial Services, having common services and financial market infrastructure (FMI) will often lead to a consistently higher standard of performance across the market. The use of CLS Bank for FX Settlement is a great example; trillions of dollars per day, over a million transactions, some very precise requirements for so-called timed payments. It all works; all the participants have raised their game. Now, I am Swiss and British, so as a rule you will find me chiding the EU for bureaucratic overreach. Rules like DORA are an exception to that rule.
2. DORA is about ongoing compliance. It is less about periodic reporting than about continuous compliance. One dimension is that firms must have the procedures in place to identify issues when they happen, classify them and report them; major ICT-related incidents go to the competent authority in stages, with an initial notification followed by an intermediate and a final report. Now, I will offer that the best approach to resilience is to make sure things do not go wrong in the first place. That said, things will go wrong. That means regulators will quickly get a sense of what is normal in terms of frequency and severity. If your firm is not reporting, or is reporting very differently from its peers, this will likely prompt questions and some form of audit.
In summary
My own simple view, as the Bankers’ Plumber, is that it is always a good thing to invest in stopping things going wrong in the first place. That adds control in a more holistic way, which leads to more capacity and from there to lower cost. The argument is that you can then do more for the same, ensure compliance with the regulations and make sure the security of your technology is optimised.
So, if you are subject to things DORA, then it is worth zooming out to zoom in: are you just ticking the box, and where is the value add? If you are not subject to DORA, you might give resiliency some focus in your next management forum: “what if CrowdStrike happened to us as a supplier or customer?” McKinsey offer a great starting point to spur your thinking: “What should you be asking your team after the CrowdStrike outage?”
Referring to himself as The Bankers’ Plumber, Olaf Ransome is founder of 3C Advisory LLC – drawing on decades of senior operational experience from large banks. To connect, find his LinkedIn page here.