Risk-based testing and the new DORA law 

How firms can meet the challenges of compliance and complexity

QA Financial invited senior quality engineering and DevOps leaders to a lunchtime seminar in central London on the impact of the EU’s new Digital Operational Resilience Act. The focus of the discussion was on how DORA is changing software risk management and – in particular – the service level agreements that financial firms have with their technology vendors. Critically, DORA requires firms to be accountable not only for their in-house technology, but their third-party vendor technology.
While DORA became law in January, we heard how most financial firms have so far only “ticked the boxes” on key requirements. The next wave of compliance (DORA 2.0, if you like!) will be focused on audits of critical vendors and their service level agreements, and on internal processes.

Some key takeaways from the presentations at the seminar:

Dhritiman Mukherjee of DXC Technology provided an overview of the impact of DORA on the management of IT and software resilience at financial firms. DORA has been law since January this year. “The requirement for pure business readiness assessments is reducing,” he said. “However, we are seeing increasing demand for more in-depth, technical assessments, especially around security.”

Questions and comments from our seminar delegates highlighted the inconsistent approach financial firms take to reporting ICT problems and security breaches: this is clearly going to be a focus topic for large firms and regulators alike over the coming months.
Sally Samadi, a partner at leading City law firm Stephenson Harwood LLP, explained why compliance with DORA will not automatically mean compliance with FCA and PRA resilience tests, or, for that matter, with US or Singapore compliance standards. The workload will only increase!

Ronald Tetteroo of Tricentis demonstrated a risk-based approach to testing as a keystone of compliance, with a special focus on the importance of testing for contingent risks in a firm’s software ecosystem. How does an SAP upgrade affect the resilience of other services, for example? The challenge firms face is maintaining the speed of their testing in the face of growing complexity.