At a glance:

  • The UK and EU operational resilience frameworks are developing in similar directions, but in parallel and at slightly different paces. Even at this early stage in the rules’ development, understanding their similarities and differences will help firms embed them more effectively and at reduced cost.
  • The UK framework puts more emphasis on firms designing ways to deliver important business services even when redundancies have failed, while the EU’s framework focuses more on prevention and the recovery of critical functions. In practice, firms should aim to achieve both objectives.
  • The exercise of mapping assets underpinning important business services (UK) is similar to the one for critical functions (EU), meaning firms could do the mapping at the group level, rather than locally, potentially reducing overall costs.
  • Firms that have already started this exercise can leverage mapping done in the context of operational continuity in resolution (OCIR), and should consider combining mapping exercises with any planned large IT change programmes to reduce duplicative work and save resources.
  • The increasing role of boards in managing firms’ operational resilience strategies should prompt them to look further at how their firm’s operational resilience affects its financial resilience. Firms that align their operational contingency planning with their liquidity and capital planning, while keeping in mind their stakeholders’ and customers’ needs, are likely to cope better with adverse and unexpected events.

Reading time: 6 minutes

What does the EU’s digital operational resilience act (DORA) mean for firms which have activities both in the UK and the EU, and have been preparing for the UK’s operational resilience framework requirements coming into force? The DORA’s text is far from final, but in this blog we provide some preliminary considerations for cross-border firms that are designing or starting to implement their response to the UK’s framework, and must now also think about how to factor the likely requirements in the EU’s DORA into their operational resilience work. What emerges is that firms should be able to develop a joined-up approach, provided they can reconcile the likely differences in the eventual requirements of each framework.

First, that most of the requirements in the DORA are found in the UK framework, although sometimes indirectly so…

Most of the features of the UK framework are present in the DORA, albeit sometimes in an indirect way. However, the DORA goes into more detail on specific Information and Communications Technology (ICT) risk management requirements than the UK framework does. This may well level off when the finalised DORA is put into practice by financial supervisors, but not necessarily. What this could mean is that firms that have activities both in the UK and the EU may need to tailor their approach:

  • UK supervisors will expect firms to show they are focusing on important business services, and set out the impact tolerance levels should a severe but plausible disruption occur.
  • EU supervisors will expect them to provide more detail of some of the processes, controls, and procedures they have in place to maintain their critical functions through a disruption, or the specific Recovery Time Objectives and Recovery Point Objectives they have set for ICT processes.

This is because the emphasis of UK regulators is on ‘what if’ a severe but plausible disruption occurs – what operational resilience capabilities does a firm have to ensure it can provide important services within its impact tolerance threshold? While for EU regulators, the emphasis is on prevention of disruptions and recovery of the critical function if a disruption occurs.

In practice, firms can take a ‘twin-track’ approach, and it is not the intent of UK regulators to reduce the emphasis on prevention and recovery as a primary mitigant. But it is their intent to ask firms to consider what else can be done if these fail, using for example a combination of substitution, workarounds, and/or communications.

This does not therefore mean that firms will have to duplicate their efforts, as most of what firms have planned for their UK entities will translate to their EU entities. The definition of critical functions included in the DORA is close to that of important business services being adopted by the UK authorities, so firms can avoid having to go through the process of setting up two entirely different sets of criteria to identify the relevant functions and business services.

Second, that for both the UK and the EU, a potentially large mapping exercise will be due…

A mapping exercise to identify what underpins important business services and critical functions will be due in time for most FS firms, as a necessary step once important business services (or critical functions in the EU) have been identified. Firms are likely to start work on this as a result of UK requirements being finalised, in the first half of 2021. With regards to mapping, two challenges stand out for firms:

  • mapping will take time and resources; and
  • designing efficient processes to keep the mapping up to date may require more time and resources, but could ultimately prove useful in reducing the effort needed to update the mapping in the long run.

Firms should start thinking now about how they map their services and underlying processes, including across jurisdictions. For firms that have already developed OCIR frameworks, some of the mapping done in that context could be leveraged when identifying their critical functions or important business services in the context of operational resilience. And for those that are currently planning large IT change projects, including that mapping into the change programme may reduce duplication efforts in future.

Finally, firms should aim to do their mapping exercise at the group level. This could further reduce duplication efforts, as local entities are likely to rely at least in part on common shared services. Furthermore, supervisors are likely to take a cross-jurisdictional view of operational resilience, as many firms’ value chains span multiple countries and continents. Presenting a single holistic view should facilitate firms’ interactions with their different supervisory authorities.

Third, that redundancy may mean more than duplicating systems and processes that underpin your business services…

The DORA focuses more on the redundancy of ICT systems that underpin critical functions. This is different from the UK framework’s focus on maintaining business services, albeit at a potentially reduced level of service, so long as it is within impact tolerance. Redundancy or duplication of systems may be an important part of a firm’s operational resilience, but maintaining critical functions through disruptions is the objective firms should really have in mind. This isn’t always achieved through duplicating systems. There may be other ways of achieving acceptable levels of service while the main critical function delivery system is brought back up securely. For example, if one of the ICT systems that underpins the claims function of an insurer is down - meaning policyholders cannot give their first notice of loss through their phone app or the insurer’s website - firms may decide that for the most time-sensitive claims (such as people claiming on their travel insurance when injured abroad), an alternative, phone-based system should be put in place (or its capacity increased) while the main system is brought back up. Firms can also use communications to encourage customers to alter their behaviour, either by using alternative methods or choosing to defer non-urgent transactions.

Finally, that a firm’s operational resilience framework should fit into its wider resilience strategy.

 We believe firms should not approach the DORA, or the UK framework, in a silo. They will need to think of their operational resilience frameworks as being part of their overall resilience strategies (financial, operational, and reputational), as authorities see a clear link between operational resilience and financial stability. A severe but plausible operational scenario is likely to affect more than a firm’s ability to deliver important business services, and may require management actions that help the firm maintain a viable financial position. Firms that align their operational contingency planning with their liquidity and capital planning, while keeping in mind their stakeholders’ and customers’ needs are thus likely to cope better with adverse and unexpected events.