Intended audience: CROs, COOs, CISOs, Heads of operational resilience, Compliance teams, ICT risk teams, TPRM teams in financial services firms with EU operations.
DORA[1] is the EU-wide Digital Operational Resilience Act. Operational resilience is defined by the supervisory authorities as ‘the ability of firms and Financial Market Infrastructures and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.’ Disruption could be caused by a variety of different factors including, for example, a cyber-attack or a third-party failure to perform a service.
Resolution is the restructuring of a bank by a resolution authority through the use of resolution tools in order to safeguard public interests, including the continuity of the bank’s critical functions, financial stability and minimal costs to taxpayers.
In view of the critical intermediary role that banks play in our economies, financial difficulties in banks need to be resolved in an orderly, quick and efficient manner, avoiding undue disruption to the bank's activities and to the rest of the financial system.
The BRRD and the SRMR set the following resolution objectives[2]:
Since the adoption of the BRRD in 2015, resolution authorities have made significant progress on resolution planning and are progressively increasing their focus on testing resolvability[3]. The EBA has prepared draft guidelines which introduce a Master Playbook, and has also prepared resolvability testing guidelines.
OCIR is considered one of the critical components of the Master Playbook, as its primary objective is the continuity of critical functions through measures that ensure financial resilience and retain staff and roles.
Operational continuity in resolution (OCIR) refers to the ability to effectively implement, from an operational point of view, the resolution strategy and, consequently, to stabilize and restructure the bank[4].
DORA is designed to ensure the 'normal' operation (BAU mode) of a set of critical or important services at all times, including those delivered by third-party providers. OCIR is one of the seven dimensions of resolvability and was originally designed to ensure the continuity of a set of activities that are critical, as well as core to the economy, once the firm has moved into recovery and resolution. There will be significant overlap (from a preparation point of view) between the activities deemed important for operational resilience and those deemed critical for OCIR.
Based upon our analysis, here is the high-level linkage between DORA and OCIR requirements:
Note:
As we mentioned, the EBA’s guidelines (EBA/GL/2022/01 on improving resolvability for institutions and resolution authorities) have a clear link with DORA’s requirements. They also clarify that there is a clear relationship between a firm’s critical and essential services under the OCIR regime and its critical (or important) functions under the Operational Resilience regime. However, based upon our observations, there are a few areas where opportunities for alignment between OCIR and DORA exist:
Glossary with aligned terminology and taxonomies: OCIR and DORA share a number of similar terms. A common set of definitions would go a long way towards giving the firm clear and consistent terminology. This creates alignment among different services and enables consistency between both regulatory initiatives, which in turn supports consistent communication to internal as well as external parties.
Reconciled operational mapping: ICT asset management mapping, functions, inventories, service lists, vendor lists, technology etc., which are already available either as part of existing OCIR projects or as part of the existing BCP, can be leveraged to satisfy both DORA and OCIR by creating an operational mapping between the two regulatory initiatives.
Leveraging the resolvability testing framework for DORA compliance: the EBA’s recently published detailed framework for resolvability testing can be customized and used as an indicative framework for firms to assess their compliance against the DORA regulations on a regular basis.
Harmonization of the key contractual elements of the service and relationship with ICT third-party providers:
Both the OCIR guidelines and DORA, as a single regulatory and supervisory rulebook for ICT operational resilience in the financial sector, make clear that firms need to begin planning seriously for the task of implementing these regulatory initiatives using an integrated and aligned approach, so that the implementation programmes are complementary and mutually beneficial.
As we have said earlier in this analysis, we believe DORA to be a game changer for how FS firms approach operational resilience, as it will push them to take a broader view of resilience and develop sophisticated new capabilities in areas such as CIF identification, reporting, impact measurement and testing. The OCIR guidelines focus on similar areas and establish the ability to effectively implement, from an operational point of view, the resolution strategy and, consequently, to stabilize and restructure the bank.
The focus of OCIR and DORA is the same; the only difference is the phase in which each helps the firm.
DORA should be seen as a catalyst for firms to accelerate strategic change in how they manage digital risks, and in how effectively senior management and boards are able to evaluate the business impact of operational disruptions and understand the mitigants at their disposal. OCIR should be seen as a strong backbone of the firm, especially its ICT capabilities, in how it manages operational continuity and third-party providers when things go wrong from a financial perspective.
There are clear benefits to firms in investing time and effort early to align DORA and OCIR:
BAU - Business As Usual (normal condition)
BRRD - Bank Recovery and Resolution Directive
CIF - Critical and Important Functions
DORA - Digital Operational Resilience Act
EBA - European Banking Authority
EU - European Union
FS - Financial Services
MIS - Management Information System
NRA - National Resolution Authority
OCIR - Operational Continuity in Resolution
SRB - Single Resolution Board
SRMR - Single Resolution Mechanism Regulation
[1] Provisional agreement resulting from interinstitutional negotiations (published on 24th June 2022). Subject: Proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (COM2020(0595) – C9-0304/2020 – 2020/0266(COD))
[2] https://www.srb.europa.eu/system/files/media/document/intro_resplanning.pdf
[3] Guidelines amending Guidelines EBA/GL/2022/01 on improving resolvability for institutions and resolution authorities under articles 15 and 16 of Directive 2014/59/EU (Resolvability Guidelines) to introduce a new section on resolvability testing
[4] https://www.srb.europa.eu/system/files/media/document/2021-11-29_SRB-Operational-Guidance-for-Operational-Continuity-in-Resolution.pdf
[5] https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/100556
[6] https://www.esma.europa.eu/press-news/esma-news/esma-publishes-guidelines-resolvability-and-cooperation-arrangements-central
[7] https://finance.ec.europa.eu/insurance-and-pension-funds/insurance/insurance-recovery-and-resolution_en