Operational resilience: Changing practices and familiar themes as DORA looms

TechBeat looks for experiences of IT pros balancing technology, internal policies and legal obligations
2 October 2023

Many organisations are preparing for the introduction of the Digital Operational Resilience Act (DORA), which comes into effect on 17 January 2025. Ask any IT professional exactly what ‘operational resilience’ means and you may get differing answers depending on the industry. Still, there is a standard set of themes: incident management, data protection, privacy and operational risks, cyber threats, vulnerability management, digital transformation, business continuity, and so on.

DORA isn’t the first regulation of its kind. Over the years, industry practices and common sense have also helped the IT operating environment evolve. So, how far have we come on our operational resilience journey?

A recent blog by NTT DATA’s Matt Leach, VP for digital transformation, said: “Organisations must become perpetually resilient to quickly pivot and thrive in the face of constant change; brought on by continued global, competitive, and macroeconomic challenges.” This position is supported by NTT Data’s annual Innovation Index research, which shows a significant shift in organisations’ ability to deal with uncertainty: the reported negative impact of natural disasters and health crises dropped from 61% to 23%.

In the face of the pandemic, organisations accelerated their digital transformation and strengthened their operational resilience. Through necessity, they had to act quickly to build flexibility into their critical business services, processes and IT systems to adapt to the ever-changing environment the pandemic presented. Instead of being a twice-a-year testing activity, business continuity planning (BCP) became an ongoing exercise, reshaping the operating model and adapting systems for secure remote access. Organisations leaned on technology to enhance the way people collaborate and communicate with each other. They had to rewrite the policies and procedures governing the course of work and fortify their supply chains. As a result, organisations have emerged from the pandemic with greater confidence in their operational resilience and ready to face the imminent DORA regulation.

So, how do you determine the impact DORA will have and test your organisation for operational resilience? DORA is multi-faceted and considers many dimensions of your operating environment. However, its core principle is relatively straightforward: a set of rules covering the protection, detection, containment, recovery and repair capabilities an organisation needs against ICT-related incidents.

Above the line, DORA wants organisations to map and understand their critical business services, processes and IT systems, recognising the impact that incidents, risks and technical debt have on this environment. Incidents and risks have a multiplying effect on each other, and that impact can be greater still where there is significant technical debt.

Below the line are the actions DORA mandates to better control the impact above the line: strengthening operational governance, risk management, cyber security posture, incident reporting and BCP. The more proactive actions you take below the line, the greater the effect above the line. In addition, the more testing, training and digital transformation you do, the more those actions multiply and reduce the overall exposure above the line.

The actions taken during the pandemic and the industry best practices adopted over many years should set a sound foundation for DORA adoption. To better understand your level of readiness, now is the time to measure your organisation against the draft regulation.

TechBeat, in association with NTT Data, is looking for your opinions on operational resilience. Respondents are entered into a draw to win a €250 Good Food Ireland voucher.
