Discovering DORA change management through Dora the explorer.

I’ve always wanted to write about Dora and DORA as I have found the resilience acronyms fascinating; don’t get me started on IBSs. As organisations gear up to comply with the Digital Operational Resilience Act (DORA), Dora the Explorer, a beloved children’s character, offers surprising yet valuable lessons in tackling regulatory compliance and enhancing digital resilience.

What is DORA in simple terms?

DORA, which stands for the Digital Operational Resilience Act, is a new regulation from the European Union aimed at making financial institutions more resilient to digital risks and cyber threats. It sets out rules and standards to ensure these organisations can withstand and recover from ICT (Information and Communication Technology) disruptions and cyber incidents. It aims to create a safer and more secure European financial sector by making sure that all financial institutions and their ICT providers (even if based outside of the EU) adhere to these standards. Organisations need to:

1. Have robust measures in place to protect their IT systems from cyber and other digital threats.
2. Manage risks associated with their IT systems, including robust business continuity plans
3. Ensure any of their external IT service providers are secure and resilient.
4. Regularly test their systems to ensure they can handle disruptions and recover quickly.
5. Report any major cyber incident to the regulators promptly.

What are the key timelines?

DORA came into force in January 2023 with a full application of DORA requirements expected by January 2025. This includes defining and implementing necessary ICT risk management frameworks, policies, procedures and reporting.

Seven lessons from Dora on DORA and Change

1. Dora always plans: You need to have a strategic plan and roadmap

Dora never embarks on an adventure without consulting her map. Similarly, DORA mandates that financial institutions develop comprehensive ICT business continuity policies as part of their ICT Risk Management framework. These policies should include procedures for ICT project and change management to ensure system continuity and resilience.

Change Management Implications:

• Strategic planning helps organisations stay on course and achieve compliance efficiently.
• A well-defined roadmap is crucial for navigating the complexities of ICT risks and ensuring all potential vulnerabilities are identified and addressed.
• Implementing a new risk management framework requires significant organisational change.
• Clear communication of the new strategic plan, training sessions for employees to understand their roles within this plan, and regular updates to keep everyone informed of progress and adjustments are essential.

2. Dora leads the way: the Board and Executive need to lead with clarity

DORA places significant emphasis on the roles of executives and board members. The Board of Directors, referred to as the “Management Body,” is responsible for overseeing the entity’s adherence to digital operational resilience standards. This includes ensuring robust oversight, control, and input on policies and procedures, even within complex group structures. Board members must maintain and update their knowledge on ICT risks, necessitating regular, specific training to ensure they understand ICT security, the entity’s specific ICT risks, and the strategies in place to mitigate these risks.

3. Dora uses her map for navigation: Use the standards as a guide

Just as Dora uses her map to navigate through various challenges, financial institutions must integrate the following regulatory standards as a guide, to ensure smooth and secure operations.

• Comprehensive ICT Risk Management Framework: DORA requires a robust framework for managing ICT risks, covering the full project lifecycle and including a change management procedure to maintain resilience and prevent vulnerabilities.
• ICT Third-Party Risk Management: Institutions must review third-party service changes to ensure they don’t compromise operational resilience, updating contracts to align with DORA’s change management requirements.
• Digital Operational Resilience Testing: Financial entities must perform regular testing to evaluate change impacts and ensure rapid recovery from ICT disruptions, including thorough impact assessments prior to changes.

Change Management Implications:

• Integrating these standards is akin to Dora’s meticulous planning and problem-solving.
• Financial institutions must adopt a similar approach by thoroughly assessing risks, engaging all stakeholders, and ensuring all systems and processes are resilient and compliant with regulatory standards.

4. Dora protects herself from swipers: Establish a robust and proactive defence framework: Swiper, No Swiping

In Dora’s world, Swiper the Fox represents unforeseen challenges. For us, cyber threats are the “Swipers” we must guard against. DORA’s stringent security measures emphasise the importance of proactive defences. By implementing robust cybersecurity protocols, organisations can prevent malicious actors from compromising their systems, ensuring data integrity and operational continuity.

Change Management Implications:

• Enhancing cybersecurity protocols involves changes in daily operations and behaviour.
• Employees need to be trained on new security measures, and there must be a cultural shift towards vigilance and responsibility.
• Regular testing and simulations can help embed these practices into the organisational fabric.

5. Dora collaborates: Identify and engage internal and external stakeholders

Dora’s adventures are successful because of her collaboration with Boots, her trusted companion. Similarly, DORA compliance necessitates active engagement with stakeholders, including internal teams, partners, and regulators. Effective communication and collaboration ensure that all parties are aligned and committed to enhancing digital resilience, fostering a unified approach to compliance.

Change Management Implication:

• Stakeholder engagement is key to successful change management.
• Identifying all relevant stakeholders, understanding their concerns and expectations, and keeping them informed and involved throughout the compliance process is vital.
• Regular meetings, feedback sessions, and transparent reporting can facilitate this engagement.

6. Dora is always ready: What’s in Your Backpack?

Dora’s backpack is always equipped with essential tools for her journey. For financial institutions, DORA requires an array of tools and policies to ensure digital resilience. This includes updated ICT systems, robust incident response plans, and continuous monitoring mechanisms. Being well-equipped ensures organisations can meet regulatory requirements and swiftly address any disruptions.

Change Management Implications:

• Introducing new tools and systems can be disruptive.
• Effective change management involves planning the deployment of these tools, providing thorough training to all users, and offering ongoing support.
• Additionally, feedback mechanisms should be in place to address any issues or improvements needed post-implementation.

7. Dora Achieves and Celebrates Milestones: We Did It!

Each of Dora’s adventures concludes with a celebration of success. Achieving DORA compliance is a significant milestone that reflects a cultural shift towards prioritising digital resilience. Celebrating these milestones acknowledges the hard work and dedication of all involved, reinforcing the importance of continuous improvement and adherence to best practices.

Change Management Implications:

• Recognising and celebrating achievements boosts morale and reinforces positive behaviour.
• Regularly acknowledging milestones in the DORA compliance journey through team meetings, newsletters, and awards can motivate employees and sustain momentum towards continuous improvement.

Conclusion

The objectives of DORA are not isolated but form an integral part of the broader operational framework of the financial sector. It is as much about regulatory compliance, as it is about people, their conduct and behaviours. To align with DORA’s change management requirements, financial institutions should:

1. Understand and plan for people impacts; adopting creative methods to embed the requisite cultural and behavioural change across the organisation.
2. Create a change management process with risk assessment, testing, approval, and documentation.
3. Continuously monitor your ICT environment for changes that may result in new risks
4. Perform thorough impact assessments before making changes to the ICT environment
5. Update third-party contracts for DORA compliance and clauses that address change management

By adopting a holistic approach to change management, senior members of the financial sector can ensure not only compliance with DORA but also enhance their institution’s overall resilience and agility.