By Alistair Mackenzie, Founder & CEO at Predatar
In the financial services industry, operational resilience is indispensable in keeping our economies moving around the clock.
With the introduction of DORA (the Digital Operational Resilience Act) in 2025, the EU is recognising that it's no longer sufficient for organisations to simply have secure data backups; instead, they must demonstrate the ability to recover from potential disasters seamlessly.
Overcoming the challenge has become even more critical in recent years due to evolving risks, particularly those related to cybercrime.
It's also worth noting that similar stipulations are being introduced in the UK as part of the Bank of England PRA (Prudential Regulation Authority) operational resilience framework.
The Shifting Landscape of Operational Resilience
Operational resilience is a term that has gained prominence in both the UK and the EU, and more widely in the US too, as financial institutions, along with regulatory bodies, rightly recognise the need to enhance the strength of the financial system, given its heavy reliance on technology.
But why the big focus now?
The primary reason is the increased impact of disruptions in today’s interconnected world. With globalised systems and instant data transfers, any downtime in banking infrastructure affects not just a few, but virtually everyone.
Financial institutions are the lifeblood of economies, and even a brief interruption can result in substantial financial losses for businesses and individuals alike, as the crisis ripples outwards from the point of impact.
There is also the emergence of bad actors, including nation-states and cybercriminal gangs, which have further escalated the risk landscape.
Unlike the probability of a natural disaster, the probability of a cyber-attack is increasing and is challenging to predict; even insurers and actuaries find it harder to quantify those risks, leading to greater uncertainty.
Moving forward, the new DORA regulatory framework for operational resilience marks a significant departure from traditional disaster recovery and business continuity practices, leaving nothing to chance and requiring organisations to take precautions now.
Instead of focusing solely on risk avoidance, it emphasises a proactive approach to mitigating the consequences of an incident, which entails two fundamental principles:
1. Identifying Critical Infrastructure
Organisations must identify their “minimum viable business” components, that is, the systems and processes that are essential to their operations. By doing so, they can prioritise the recovery of these elements in the event of a disruption.
2. Proving Recovery Capabilities
The regulatory authorities no longer want businesses to merely measure the likelihood of an incident; they demand proof of recovery capabilities.
Organisations must demonstrate that they can restore critical infrastructure within a specified timeframe, which is particularly crucial in the financial sector, where even a short downtime can have severe repercussions.
While the shift towards operational resilience is crucial for maintaining business stability, it poses significant challenges for organisations. One of the most substantial challenges is the need for continuous testing of recovery capabilities.
The business environment is in a state of constant flux, with updates and changes occurring daily, and as a result, the frequency of recovery testing must increase to ensure that the system can be restored in any situation.
Continuous testing is resource-intensive, demanding time, manpower, and financial commitments, making it impractical for many organisations to perform manually.
This is where automation becomes invaluable.
Automation as the Solution
The solution to the resource-intensive nature of continuous testing lies in automation.
Solutions exist to streamline the process using tools that can intelligently and proactively test stored data, run recovery scenarios, and conduct virus scanning seamlessly in the background.
By employing automation, businesses can ensure the ongoing integrity of their data and recovery processes without incurring excessive costs or burdening their teams.
It’s a practical and efficient approach to meet the demands of the impending DORA regulations.
By embracing automation and proactively testing their recovery capabilities, organisations can navigate the challenges of operational resilience and emerge stronger, more resilient, and better prepared for whatever the future may hold.