I am currently involved in a DORA project where, on one hand, I am there for my risk management expertise, but on the other I also act as the lead for the governance and strategy workstreams.
I joined this project because I wanted to learn a bit more about this concept, digital resilience, and after the CrowdStrike / Microsoft incident of 19 July, I must admit it was a good decision. Where are the days when being a generalist internal auditor / ERM expert was just fine?
Sometimes, when I need to write yet another procedure on the assessment of end-of-life systems, I just want to cry. 🙂
HIGH-LEVEL CONCLUSIONS
Here are a few conclusions:
· WE NEEDED THIS. We / the world needed it. The regulators can’t really let big players, and banks are big players, make mistakes that could collapse the financial system and possibly the world.
· PROPORTIONALITY. The regulation might feel like an admin burden, and it is, if you do not analyse and recognise the “proportionality” principle it includes. To be very clear, the regulator is not after small non-banking financial services. They want High Street Banks and insurance companies to … well, behave.
· MONSTER (PROJECT). Very much related to the above, the project you undertake to become compliant with DORA can be a monster that takes ages and costs you maybe more than achieving a trade license. If that is the case, the approach is probably ineffective. I will write about how I would approach DORA now in a later post.
· LOSING TIME TO BE PERFECT. I must admit it, it frustrates me tremendously that we try to be perfect. The regulator has not yet issued all technical standards, the application norms, but we try to have, for example, the perfect digital operational resilience strategy. WRONG. Just do it, have something to start with and adjust it in time, with feedback from the regulator, learnings from fines and measures against others, etc. I will write about how a regulator thinks in another post.
· CONCENTRATION RISK. I must admit something else. When I started getting involved in DORA at the beginning of this year, I completely ignored the concentration risk. After the Microsoft issue, I realised this is the main focus for the regulators. I now think that whoever coordinated the DORA regulation was either a visionary or simply a very good risk professional. 😊
DORA SERIES
This DORA series will include:
· DORA Part 1 – High-level conclusions after working on a DORA project
· DORA Part 2 – How I would approach DORA implementation now
· DORA Part 3 – My thoughts on how the project team should look
· DORA Part 4 – Digital Operational Resilience Strategy
· DORA Part 5 – Think like a regulator – why is it important?
· DORA Part 6 – Concentration risk – the strategic aspect
You can find the DORA text HERE.
Posted initially on LinkedIn: Claudia Craia