December 4, 2023 By Anne Leslie
Dr. Saritha Arunkumar

The Digital Operational Resilience Act (DORA) is a landmark piece of legislation in the European Union (EU) that is designed to help fortify the operational resilience of the financial sector, making it fit for purpose in the digital age.

DORA has several objectives, including comprehensively addressing information and communications technology (ICT) risk management in the financial services sector and harmonizing the ICT risk management regulations that already exist in individual EU member states.

Building the requisite level of digital operational resilience under DORA is mandatory for all financial institutions that fall within the scope of the regulation. With that said, there isn’t a one-size-fits-all route to addressing DORA.

On the surface, this might seem to complicate matters. However, the flip side is that each organization has the option to map out its specific DORA journey, acknowledging its starting point and making business and risk-informed prioritizations along the way to generate maximum value from its investment.

Knowing what we know about digital investments that deliver transformational value, we suggest that firms focus on increasing their digital operational resilience by accentuating their mastery of foundational capabilities in 4 key domains:

  • Data
  • Operations
  • Risk management
  • Automation & AI

By reimagining how smart combinations of technology can enhance the orchestration of their data, operations, risk and automation capabilities (and backing them with the right talent and processes to bring digital will and digital skill to their implementation), financial institutions can seek to address DORA sustainably and enable their business ambitions. We recommend financial services organizations focus on:

  • Embedding security and stability across the ICT estate
  • Driving proactive and prioritized risk mitigation
  • Allowing for continuous monitoring and rapid response to threats
  • Enabling adaptive business continuity and data recovery
  • Fostering interoperability and technical optionality
  • Creating reinforced, streamlined governance
  • Prioritizing resource allocation according to business service criticality

To achieve the above, organizations should focus on their ability to adapt to and recover from shocks and disruptions. These scenarios of disruption can include man-made threats (such as physical attacks, cyberattacks, IT system outages, and third- and fourth-party risk) and natural hazards (such as fire, flood, severe weather and pandemics).

We believe building digital operational resilience in alignment with the requirements and objectives of DORA is far from a “one-and-done” compliance task. The journey to strategically build digital operational resilience should begin with prioritizing critical functions. Then organizations should dive deeper into the processes, technological interconnections and interdependencies across the enterprise.

We understand macroeconomic conditions can be challenging. Competition is tough, and margins are tight for financial institutions, which would make it easy to frame DORA as yet another costly compliance obligation on an already fraught business horizon.

However, we believe DORA is an opportunity to turn compliance expenses into a set of strategic investments aimed at delivering higher business performance. Embracing this mindset, financial institutions can seek both compliance and long-term digital business value from their investments in digital operational resilience. IBM® has the skills and technology to help you on your DORA journey and assist you in realizing the strategic benefits of your investment.

Let’s create something that changes everything.

Learn how IBM can help you navigate your DORA journey