By Max Kanaskar and Geraint John
Upcoming regulatory compliance requirements under the European Union’s Digital Operational Resilience Act (DORA) will require financial institutions to transform the way they conduct supply chain risk management (SCRM), and thus the way they build digital operational resilience.
However, financial services companies typically do not have visibility of their digital supply chains beyond third parties. Many lack comprehensive operational risk intelligence on their core ICT (information and communication technologies) suppliers, and more still struggle to scale SCRM processes, especially continuous monitoring.
Successful firms will begin by focusing on SCRM resource efficiency and risk mitigation, and then transition to using SCRM to build true operational resilience.
DORA: Beyond compliance to transformation
DORA, an EU-wide rule book governing cyber resilience management for financial institutions and their critical ICT suppliers, is expected to become law sometime later this year. It underscores the strategic significance of operational resilience: the “double dividend” of operational loss avoidance and higher levels of business effectiveness in terms of financial stability, risk-taking and stakeholder engagement.
Leading institutions are approaching DORA not as a compliance requirement, but as a transformational opportunity. Central to this transformation is the maturity of SCRM programs.
While we await detailed supervisory guidance around DORA, European financial services firms are examining their third-party relationships, uncovering hidden risks, and driving maturity of their SCRM processes. In parallel, they are setting up enterprise resilience programs, with a top-down, cross-functional organizational mandate to institute operational resilience.
SCRM can help to enable several resilience-related capabilities, including:
- Enhanced scenario identification through nuanced illumination of third parties and their connection to critical economic assets and business services.
- Improved response and recovery speed through timely and targeted event monitoring and third-party engagement.
Building up to this strategic resilience vision requires 360-degree situational awareness of digital supply chain risk – a challenge that many financial institutions still face today.
The importance of multi-tier supplier visibility
Data analysis by Interos using its global relationship mapping platform on 12 systemically important European banks reveals the extent of this challenge:
- On average, a single such institution has 75 direct, tier-1 (third-party) relationships with ICT suppliers.
- This quickly explodes to 3,500 relationships when tier-2 suppliers (fourth parties) are included, and to 15,000+ at the tier-3 (fifth-party) level.
Very few institutions have good visibility into this extended ICT supply chain, and fewer still can ascertain where vulnerabilities may arise.
To underline the importance of this multi-tier visibility, Interos’ 2022 global supply chain survey found that while 18% of financial services executives said they experienced disruptions among third-party suppliers in the previous 12 months, the corresponding figures for fourth and fifth parties were 31% and 43% respectively.
If financial institutions do not have visibility of their extended digital supply chains, then they are not prepared to prevent, respond to and recover from incidents that occur there.
At the same time, there is a more insidious effect that companies need to be cognizant of when dealing with ICT suppliers and their extended supply chains: complacency.
Interos’ analysis of the cyber risk scores of the most common ICT suppliers to major European banks reveals that they are generally well positioned to handle cyber threats. However, as recent incidents affecting vendors such as F5 Networks and VMware show, even the best firms are vulnerable.
Invest in resilience-building capabilities to meet DORA requirements
The impact of this is wide-ranging, especially from a resilience standpoint:
- If financial institutions do not have the required visibility into their extended supply chains, how can they develop sound threat-led penetration tests to test their resilience strategies?
- How can they engage with suppliers on joint resilience planning if they do not understand their suppliers’ detailed risk profiles?
- How can they continuously monitor their vast digital supplier relationships and notify the relevant authorities under strict SLAs with limited resources?
This challenge is acute for financial services and projected to become even more so, given the exploding number of supplier relationships for a typical company.
Studies highlight the importance of investing in building these capabilities: by one measure, a dollar invested in resilience-building early on helps avoid downstream losses to the tune of five dollars. Other similar studies have highlighted the impact of resilience on total return to shareholders (TRS).
These financial measures are useful, but only one-dimensional; the returns in terms of preserving trust and reputation with key stakeholders are immeasurably greater – perhaps by several orders of magnitude.
Get started with ‘no regret’ actions
Once DORA becomes law later this year, financial institutions will have two years to comply with the requirements. The EU supervisory bodies that are currently working on the detailed Regulatory Technical Standards for DORA have until six months before the compliance deadline to release those requirements.
Companies have already been complying with various regional, cybersecurity-specific and resilience-related requirements and guidelines that predate DORA. So, from a compliance standpoint, many will not be starting from a greenfield position.
The challenge will be to pursue organizational transformation in the quest for true enterprise-wide operational resilience, for which institutions can start with “no-regret” actions today. These include:
- Understanding risk exposures of the extended digital supply chain – companies can begin by enabling this visibility and creating the supporting process and organizational infrastructure.
- Leveraging these insights to begin planning for collaborative resilience with their key ICT suppliers.
- Enhancing their existing resilience operating models to better leverage such risk insights by bringing in SCRM experts earlier in the planning process.
Such actions will not only help financial institutions comply with DORA requirements when they are released, but will also pay off from an enterprise resilience standpoint.
The EU’s DORA framework may well serve as the template for global resilience efforts. Either way, resilience requirements are coming from a regulatory standpoint.
Financial institutions are advised to take action today to prepare for this eventuality and ensure that they don’t fall behind nimbler peers.
To learn more about supply chain issues affecting major financial services institutions and banks, read the FSI cut of our annual industry survey.