Preparing for the New Digital Operational Resilience Rules
EXECUTIVE SUMMARY
Rapid digitization of the European financial services sector in the last two decades has
put technology at the center of all financial activities, exposing institutions to a broad
set of new and emerging risks. In response, institutions have built out controls aimed at
mitigating these risks and have developed back-up protocols to “keep the lights on” in the
event that critical digital infrastructure fails.
But maintaining robust defenses against information and communications technology (ICT)
risks has not come naturally to many financial institutions. Efforts to establish operational
resilience often have been haphazard and poorly coordinated, resulting in deficient control
environments or poor backup plans for critical activities. Making matters worse, board
members and senior managers are often unaware that the institution is running unacceptably
high levels of ICT risk because management information is poor or non-existent. A series of
high-profile outages and business disruptions at European banks over the last few years has
underscored the threat that the lack of operational resilience poses for the industry.
In response, the European Council has turned its attention to instilling more robust
operational resilience across the financial services sector, while consolidating and
harmonizing existing national regulation.
The Digital Operational Resilience Act (DORA) sets out a detailed and comprehensive
framework for the management of ICT risks for European financial institutions.
DORA consists of five pillars that lay out requirements and expectations for different
aspects of operational resilience: ICT risk management and governance, ICT-related incident
reporting, digital operational resilience testing, ICT third-party risk, and information sharing.
While DORA is still an evolving standard, the direction of travel from the regulator is clear
and requires a fundamental mindset shift across institutions.
Complying with DORA will not be easy: it requires a purposeful and deliberate business-led technology strategy, and an integrated risk management approach aligned to critical business services.
The size of the prize from better operational resilience is potentially enormous: reduced
financial losses from operational incidents, faster and more trouble-free implementation of
new systems, maintenance of good customer service levels, increased brand value, lower risk
management costs, as well as lower regulatory risk. Building digital operational resilience
is not optional and no longer a topic that is confined to specialists in IT and risk; it needs
widespread engagement from across the organization, including from individual business
lines, senior management, and boards.
© Oliver Wyman
THE CASE FOR OPERATIONAL RESILIENCE
In the last two decades financial institutions have grown rapidly, driven by large
investments in technology and increasing digitization of processes. With more than 80%
of payments in the European Union being processed electronically, according to a study
by industry group Payments Europe, and the volume of data stored in the cloud by banks
expected to double over the next three years according to another recent study, the
industry is seeing the level of digitization reach new peaks. Financial institutions have
become increasingly exposed to a wide spectrum of digital-related risks — everything
from fraud and malicious attacks to technical outages and data losses. In response to
these emerging risks, financial institutions have been on a journey to build controls that
establish operational resilience: the ability to prevent, respond to, recover from, and learn
from operational disruption.
Efforts to build operational resilience have been fragmented and inconsistent within
financial institutions. Typically, IT teams have looked after operational resilience in a silo,
putting in place controls and backup plans for new digital assets in order to maintain
operational continuity. Security teams under the chief information security officer may
put in place further controls aimed at managing cyber risk. Risk teams have focused on
ensuring there are appropriate second-line controls and oversight, yet often at a less
operational level. Business leaders often fail to give the control environment adequate
focus, assuming that the responsibility for implementing and operating controls sits
with the IT, security, and risk teams. Meanwhile, compliance is predominantly focused on
force-fitting these activities and controls to whatever the regulator has demanded.
With so much activity taking place in silos, there has been a fundamental lack of a joined-up, integrated approach.
Recent well-publicized incidents in Europe, such as failed bank IT migrations that led
to millions of customers being unable to access online services and trading stops
after serious technical failures impacted exchanges’ data management systems, have
demonstrated that the threat of operational incidents is real. With operational disruptions
and a rapidly evolving threat landscape becoming increasingly prevalent, the European
Council’s focus has turned to getting a tighter grip on operational resilience across the
financial services sector.
INTRODUCING ‘DORA’
Against this backdrop, the European Commission set out to bring stricter guidance
and oversight on how ICT risks are managed, acknowledging the proliferation of
both national and international regulatory initiatives and supervisory approaches. Given
the ever-increasing risk of cyberattacks and the importance of a resilient financial sector,
the Commission's aim is an approach that fosters technological development while
ensuring financial stability and consumer protection.
To this effect, it defined a detailed and comprehensive framework for the
management of ICT risks for EU financial entities, the Digital Operational Resilience Act
(DORA). DORA was adopted by the European Parliament and the Council in November 2022.
Because it is an EU regulation rather than a directive, it applies directly in every member
state without national transposition, after a 24-month implementation period from its entry
into force. The regulation applies to a wide array of financial entities, from traditional financial
services players such as credit institutions, payment institutions, investment firms, and
exchanges, to more recent entrants to the sector such as crypto-asset service providers and
fintechs, and it extends supervisory oversight to critical ICT third-party providers.
DORA goes beyond existing regulations by bringing together multiple aspects of operational
resilience into one framework, while also increasing the level of expectations on how
institutions go about managing ICT risks. It sets out a broad set of requirements across five
foundational pillars shown in Exhibit 1.
Exhibit 1: Five pillars of DORA
1. ICT risk management and governance
2. Incident reporting
3. Digital operational resilience testing
4. ICT third-party risk
5. Information sharing
The approach centers on identifying critical business services and building the resilience
framework around them. This reflects a mindset shift by the European regulator and an
evolution of the approaches already observed at the Federal Reserve and the Bank of England,
in which the strategy for building resilience is outcomes-based rather than control-based.
The level of detail in the regulation varies across different pillars. Some elements of the
regulation are highly prescriptive, for example listing exact elements the regulator thinks
should be included in an ICT third-party provider contract. Other parts are comparatively
high level, such as the guidance on what should be included in the governance and
control framework.
We expect DORA to be an evolving standard that will change as operational resilience
practices develop and standards are iterated between regulators and industry. What is clear,
however, is that operational resilience is set to become a prime focus of regulators
this decade.
THE CHALLENGE OF DORA COMPLIANCE
Complying with DORA won’t be easy. For many organizations the regulation fundamentally
changes how operational resilience is currently thought about, requiring institutions to
deconstruct and assess the complexity of their own IT systems and processes and answer
some tough questions on their management of ICT risk for critical business services.
Based on the emerging guidance across the five pillars, there are a number of key
requirements we observe that introduce challenges for institutions in building resilience,
while also posing a number of questions on the practicalities of implementation for
institutions (see table on following page).
Fundamentally, instilling operational resilience throughout the organization requires a deliberate approach driven top-down by senior management and the board, who will need to be involved in defining the operational resilience strategy and how it links to the business strategy.
Financial entities should start preparing for DORA now. The time required to enact the
required standards across the entire organization, including all underlying entities, should
not be underestimated: a diverse set of stakeholders must be engaged, sufficient investment
secured to implement the necessary capabilities, and the implementation balanced against
an already busy portfolio of technology work.
Exhibit 2: Challenges and questions raised by DORA
(For each pillar: summary requirements, challenges observed, and key questions for financial institutions.)

Pillar 1: ICT risk management and governance
Summary requirements: The management body of a financial entity is required to define, approve, oversee, and be accountable for the implementation of all arrangements related to the ICT risk management framework.
Challenges observed:
• Senior management and board-level accountability is expected, which should link the business strategy to the resilience strategy.
• An integrated risk management approach is required that designates and agrees across the enterprise what the critical business services are and which assets are instrumental in delivering them.
Key questions for financial institutions:
• What is the exact role of senior management and the board in steering the digital resilience strategy?
• How can business benefits be achieved from end-to-end management of critical business services?
• What are the organizational implications of this framework?
• Where do we start?

Pillar 2: ICT-related incident reporting
Summary requirements: Financial entities are required to establish and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents, and shall put in place early warning indicators as alerts.
Challenges observed:
• Integration of predictive analytics into incident management through early warning indicators is necessary to drive proactivity in the organization.
• A classification framework for incident handling should guide proportionality and consistency in the response.
Key questions for financial institutions:
• What set of early warning indicators should be monitored?
• How can incident management and reporting be made consistent despite differing national reporting requirements?
• How should severity thresholds be set for classifying ICT-related incidents?

Pillar 3: Digital operational resilience testing
Summary requirements: Financial entities are required to establish, maintain, and review a sound and comprehensive digital operational resilience testing programme as an integral part of their ICT risk management framework.
Challenges observed:
• A comprehensive testing program should be in place that considers a wide variety of tests, not limited to IT systems but extending to processes and people.
• The overarching testing regimen should be governed through a risk-based approach, taking into account service criticality.
Key questions for financial institutions:
• How can existing testing programs be adapted to meet these requirements?
• Which kinds of tests should be used for which systems and applications?
• Which tests can be performed internally and which require independent external testers?

Pillar 4: ICT third-party risk
Summary requirements: Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in accordance with key principles for ICT third-party risk management issued by the regulatory authority.
Challenges observed:
• A purposeful and deliberate business-led strategy for the use and management of third-party providers is required.
• Adequate due diligence of third-party providers is needed, with contractual agreements that clearly set out rights and obligations.
Key questions for financial institutions:
• Is the overarching ICT third-party risk strategy clearly purposeful and deliberate?
• Is the cost of risk management for smaller, less sophisticated third-party vendors worth it?

Pillar 5: Information sharing
Summary requirements: Financial entities may exchange among themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts, and configuration tools.
Challenges observed:
• Organizations should be on the front foot in exchanging cyber threat information and intelligence; it is better to have something already in place than to wait for the regulator to introduce clear standards and templates.
Key questions for financial institutions:
• Which entities should be in charge of setting up and running the information exchange alliances?
• How should sensitive technical information be shared to the benefit of all?
• What tooling is required to facilitate information sharing?

Note: Detailed requirements for each pillar can be found in the Appendix.
BENEFITS OF A MORE RESILIENT INSTITUTION
The long-term competitive benefits of better operational resilience are undeniable: complying
with the spirit of DORA, rather than approaching it as a 'box-ticking exercise', will yield
significant upside. Fundamentally, DORA presents organizations with a pivotal opportunity to
strategically redesign their framework for the management of technology-related risks and build
end-to-end resilience throughout the enterprise. Improving operational resilience will have
broad repercussions, from improving the client experience and allowing employees to perform
their roles more effectively, to reducing the financial losses associated with operational incidents.
Exhibit 3: Benefits of operational resilience
• Reduced financial losses: lower direct costs associated with critical incidents, such as client compensation or regulatory fines.
• Efficient implementation: seamless implementation of new systems with an integrated risk strategy.
• Improved client experience: streamlined customer experience and improved customer service levels with less disruption.
• Increased brand value: strengthened brand reputation and value.
• Lower risk management costs: fewer high-risk events and a more streamlined risk management process result in lower costs.
• Lower regulatory risk: reduced risk of regulatory non-compliance with international or regional legislation.
In light of these benefits, senior management and boards should be driving operational
resilience as a key agenda item, with active involvement from key stakeholders across the
organization. Building operational resilience for financial institutions is not optional and no
longer a topic that is confined to specialists in risk and IT.
APPENDIX: DORA REQUIREMENTS BY PILLAR
Summary requirements
1 ICT risk
management
and
governance
• Financial entities shall have in place internal governance and control
frameworks that ensure an effective and prudent management of all
ICT risks.
• Financial entities shall have a sound, comprehensive, and well-documented
ICT risk management framework, which enables them to address ICT
risk quickly, efficiently, and comprehensively and to ensure a high level
of digital operational resilience that matches their business needs, size,
and complexity.
• Financial entities shall use and maintain updated ICT systems, protocols,
and tools.
• Financial entities shall identify, classify, and adequately document all
ICT-related business functions, the information assets supporting these
functions, and the ICT system configurations and interconnections with
internal and external ICT systems. Financial entities shall review as needed,
and at least yearly, the adequacy of the classification of the information
assets and of any relevant documentation.
• For the purposes of adequately protecting the ICT systems and with a
view to organizing response measures, financial entities shall continuously
monitor and control the functioning of the ICT systems and tools and shall
minimize the impact of such risks through the deployment of appropriate
ICT security tools, policies, and procedures.
• Financial entities shall have in place mechanisms to promptly detect
anomalous activities, including ICT network performance issues and
ICT-related incidents, and to identify all potential material single points
of failure.
• Financial entities shall put in place a dedicated and comprehensive ICT
business continuity policy as an integral part of the operational business
continuity policy of the financial entity.
• For the purpose of ensuring the restoration of ICT systems with minimum
downtime and limited disruption, as part of their ICT risk management
framework, financial entities shall develop a backup policy and
recovery methods.
• Financial entities shall have in place capabilities and staff, suited to their
size, business, and risk profiles, to gather information on vulnerabilities and
cyber threats, ICT-related incidents, in particular cyberattacks, and analyze
their likely impacts on their digital operational resilience.
2 ICT-related
incident
reporting
• Financial entities shall establish and implement an ICT-related incident
management process to detect, manage, and notify ICT-related incidents
and shall put in place early warning indicators as alerts.
• Financial entities shall establish appropriate processes to ensure a
consistent and integrated monitoring, handling, and follow-up of ICT-
related incidents, to make sure that root causes are identified and
eradicated to prevent the occurrence of such incidents.
• Financial entities shall classify ICT-related incidents and shall determine
their impact based on the following criteria:
  – the number of users or financial counterparts affected by the disruption;
  – the duration of the ICT-related incident;
  – the geographical spread