
Change impacts all IT divisions in banks and financial technology companies

Understanding BCM is essential now with the arrival of the DORA regulation, as it will take center stage for banks, financial tech companies, and payment service providers in their business continuity planning. Listen to our podcast to learn why this is significant and what steps are required...


In the ever-evolving world of finance, Business Continuity Management (BCM) has taken centre stage, particularly under the Digital Operational Resilience Act (DORA). According to Josefine Spengler, BCM is no longer just a plan gathering dust in a drawer, but a crucial aspect of operational resilience that financial institutions must embrace.

One such expert championing this cause is Dana Wondra, a seasoned professional in the field. With a degree in business administration from the University of Greifswald, Wondra has built an impressive career spanning various Olympic campaigns and public relations for the Olympic training centre Berlin e.V. She has also served as a marketing director at TOP Sportmarketing Berlin GmbH for nearly two decades.

Since June 2022, Wondra has been a consultant and project manager at GOLT Coaching, and since August 2023, she has been the Senior Manager Marketing at Payment & Banking. Her expertise is being utilised in these roles to advise banks on how to effectively set up and sustainably implement their BCM.

DORA does not use the term BCM. What it does require (Article 11, "Response and recovery") is an ICT business continuity policy with ICT response and recovery plans, embedded in the ICT risk management framework rather than set out as a standalone BCM chapter. The focus is on operational resilience, a concept that encompasses BCM. The key requirements that shape BCM under DORA are ICT risk management, digital operational resilience testing (DORT), incident reporting, third-party risk management, and information sharing.

1. **ICT Risk Management**: Financial institutions must have a structured framework to manage ICT risks, which involves identifying, assessing, mitigating, and continuously monitoring risks. This framework supports ongoing business operations and resilience.

2. **Digital Operational Resilience Testing (DORT)**: Regular testing is mandated to show that financial institutions can withstand operational disruptions. This ranges from scenario-based tests of the continuity and recovery plans to advanced threat-led penetration testing (TLPT), which entities designated by their authority must run at least every three years. Testing the procedures rather than only documenting them is a core BCM principle.

3. **Incident Reporting**: Financial entities must report major ICT-related incidents to their competent authority. The initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, followed by intermediate and final reports. Meeting these deadlines requires an incident management process that classifies incidents quickly and is tied to the BCM recovery procedures.

4. **Third-Party Risk Management**: ICT service providers must be managed through formal contracts with defined service levels, performance monitoring, a maintained register of information on all contractual arrangements, and exit strategies for critical services, so that a provider's failure does not compromise operational continuity.

5. **Information Sharing**: DORA encourages financial entities to exchange cyber threat information among themselves and with their authorities. This supports BCM indirectly: threat intelligence and lessons learned from other firms feed into the scenarios that continuity plans are built and tested against.

Although DORA frames these obligations as operational resilience and ICT risk management rather than under the BCM label, they cover what a BCM programme does: identify critical services, prepare and test recovery, manage dependencies, and learn from incidents. The regulation thus pushes financial institutions towards a holistic approach in which critical services keep running during disruptions.

Cross-industry guidance on operational resilience suggests that firms should adopt a holistic approach to BCM, mapping critical services and developing recovery plans aligned with impact tolerances, which complements the operational resilience goals of DORA. As we navigate the dynamic landscape of finance, experts like Dana Wondra will continue to play a pivotal role in shaping the future of BCM under DORA.


  1. Dana Wondra, a seasoned professional, is currently advising banks on how to set up and sustainably implement their Business Continuity Management (BCM) plans.
  2. DORA requires an ICT business continuity policy as part of ICT risk management rather than as a standalone BCM requirement. Its key areas, ICT risk management, Digital Operational Resilience Testing (DORT), incident reporting, third-party risk management, and information sharing, all align with BCM principles and strengthen operational resilience in the financial sector.
