In the rapidly evolving landscape of financial regulations, the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, stands out as a groundbreaking development in EU financial regulation.
Designed to address operational risk management for financial institutions, DORA will undoubtedly impact all businesses and emphasise the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents.
Evolution of operational risk management
Before the advent of DORA, financial institutions predominantly managed operational risk through capital allocation. However, this approach lacked comprehensive coverage of all operational resilience components.
DORA introduces a paradigm shift by imposing rules for managing ICT risk, incident reporting, functional resilience testing, and third-party risk monitoring. Recognising that ICT incidents and a lack of operational resilience can threaten the stability of the entire financial system, DORA aims to usher in a more robust and holistic approach to risk management.
DORA’s impact on customer experience (CX)
DORA goes beyond traditional risk management and directly impacts the CX landscape for financial institutions. Compliance with DORA is not merely a regulatory obligation but a crucial step in enhancing overall customer experience and changing customer perception. For example, research from Age UK shows that the main reasons people feel uncomfortable using online banking include fear of fraud, a lack of trust in online banking services and a lack of IT skills.
Here are some practical tips for compliance tailored to bolstering CX.
Review and strengthen ICT risk management
Evaluate and enhance your current ICT risk management strategies to align with DORA requirements.
Financial institutions can build customer trust and satisfaction by actively managing ICT risks. Continuous risk assessments, cyber threat identification, and comprehensive frameworks are essential components.
Establish incident reporting procedures
Develop robust incident reporting procedures to ensure a quick response and resolution. This minimises potential disruptions to customer services, enhancing the overall customer experience.
As rules on incident classification and reporting timelines are pending, businesses should remain agile in adapting their procedures accordingly.
Conduct digital operational resilience testing
Regularly test digital operational resilience to identify and rectify vulnerabilities, ensuring a seamless and uninterrupted customer experience.
Basic tests, vulnerability assessments, and scenario-based testing should be conducted annually. Preparing for comprehensive testing validates systems’ resilience.
Monitor and manage ICT third-party risk
Vigilantly monitor and manage third-party ICT risks to safeguard customer data and maintain service integrity. Negotiate specific contractual arrangements and map dependencies, as DORA extends to ICT providers servicing the financial sector.
For critical third-party service providers, prepare for direct oversight from relevant European Supervisory Authorities (ESAs).
Stay informed and engage with ESAs
Keep abreast of regulatory updates and engage with relevant ESAs to align practices with the evolving regulatory landscape.
This contributes to a proactive and customer-centric approach, ensuring financial institutions stay ahead of emerging challenges and changes.
Understand the relationship with NIS 2 Directive
Comprehend the interplay between DORA and the Network and Information Systems Directive (NIS 2) to create a holistic strategy that enhances operational resilience and, by extension, customer experience.
Proactive understanding and navigating this relationship are crucial for compliance with both frameworks.
By implementing these practical tips, businesses can ensure compliance with DORA and elevate their operational resilience, directly benefiting overall CX. During this process, organisations should communicate clearly with their customers about the steps they are taking to deliver safe experiences and transactions.
As organisations navigate the complexities of DORA and work towards building a resilient and customer-centric operational framework, they must embrace DORA not just as a regulatory requirement but as an opportunity to enhance CX in the digital era.