Part 5. Operational efficiency, unlocking budget for innovation

How striving for DORA compliance could be your efficiency game changer

Overview

As the Financial Services Industry transforms to Digital or Digital First, there is an ever more pressing need to safeguard system availability, security and data to preserve trust and confidence. Unlike the quest to be Digital, the safeguarding steps are no longer discretionary. Regulations now enforce this shift with considerable consequences for non-compliance. The new rules are in legislation like the EU Digital Operational and Resiliency Act (DORA) and, in this case, are intended to make network and information security a legal requirement across all EU member states.

From January 2025, Financial Services Institutions (FSIs) and ICT third-party providers (TPPs) must operate a resilience framework that can withstand, respond to, and recover from all types of disruption and threat. Unlike former directives and principle-based approaches, a paper-based exercise will no longer suffice. Instead, testing will be performed on production systems by both the FSI and the Competent Authority (Regulator) regularly.?

With the deadline looming, firms need to ask themselves how they will demonstrate they are operating within their risk tolerances for their Critical and Important services, that they have tested the effectiveness of their remediation plans, and their ICT third-party service provider exit strategies.

DORA has specific technical requirements across five main pillars:

• ICT risk management framework – establishing a set of principles and requirements
• ICT-related incident reporting – harmonised and streamlined reporting obligations to all financial entities
• Digital operational resilience testing – subjecting financial entities to real-world scenarios and not just tabletop exercises
• ICT third-party risk – rules for monitoring third-party risk, key contractual provisions and direct oversight for ICT TPPs that are deemed critical
• Information sharing – Voluntary exchange of information and intelligence on cyber threats

Multi-cloud thinking

With compliance an increasingly arduous undertaking, financial services firms have been looking at clouds, yes plural, as a more resilient and cost-effective ICT approach than concentrating everything on a single resource.

The future is often portrayed as a world of interconnected cloud-agnostic microservices, but today's reality is very different. Clouds are increasingly selected to host specific apps or for specialist purposes.

Very few businesses are at the stage where they have architected solutions to embrace the full potential of multi-cloud. There is no question that there is still an appetite for the advantages of multi-cloud, such as contingency in the face of cloud failure, autonomous elasticity for demand spikes such as the peak of peaks, proven protection or fail-over due to cyber events or other disasters requiring unparalleled levels of continuity.

What has happened on the ground is that most FSIs have increased complexity and cost by using multiple cloud providers. They have done this directly with IaaS and PaaS or indirectly when using SaaS applications for services like Salesforce, SAP, ServiceNow, etc.?

This complexity has recreated the multiple platform teams of past computing eras, this time for each cloud utilised. Being operationally efficient requires a high level of consolidation, including, you guessed it, people, process, and technology.

At this point, it is worth highlighting that VMware’s multi-cloud approach maintains a consistent architecture across private, public, sovereign, and edge environments to enable workload migration and provide disaster recovery capabilities. This approach to application and infrastructure platform layering helps customers to balance their needs for agility and resilience whilst enjoying reduced retraining, improved productivity and avoidance of increased staffing levels brought by cloud-specific tooling.

Gaining operational efficiency

I have mentioned many times in my blogs and podcasts, that the intent?is always to minimise the run-the-business (RTB) spending and redirect funding toward change-the-business (CTB) activity . Despite the move to the cloud, DevSecOps, and microservices, RTB still represents between 65% and 95% of the overall IT budget. Remember today's fresh code is tomorrow’s RTB/Legacy. We also need to remember that operational resilience done correctly will cost RTB money, but optimising and pursuing operational efficiency can contribute massively to shifting more budget toward CTB and innovation.

?I'm not talking about just sweating your suppliers – although that seems to be the easy path that many try to take – I’m talking about eliminating old and costly platforms, making more of existing tech, upskilling teams and revisiting processes, eliminating first, then automating what we can and optimising the rest.

As we do this, we must be mindful that demonstrating risk management by eliminating out-of-support systems or optimising reporting and observability to increase resilience will significantly improve your operational agility, DORA compliance and your systems availability scorecard.

While this is all useful, you don’t have to do all this in one step today. However, you do need to make a start, so determine where there are quick gains to reinvest in speeding up your efficiency programme.

I am also not advocating the introduction of expensive new systems or new software contracts (but please see me afterwards if this is something you are considering) instead consolidate what you already have and find ways to improve operations so more money can start to find its way over to CTB.

Critically, this isn’t a one-time thing; completion of an efficiency program is only the beginning. To continuously improve, you must continually (re)design processes, manage change, monitor, analyse your metrics, identify further opportunities, and then start again.?

Operational efficiency is about doing things right first time without duplication of effort and completing the task immediately, with no hanging around in workflow queues, and no waiting until tomorrow when it can be completed today. My former boss called this "Today's Work Today". It’s making what you have work better. As?On The Mark makes clear , it’s ensuring workflows are error-free; it’s about preventing delays and cost increases from rework; it’s preventing below-spec services and/or products from reaching the customer.

Yet, efficiency can sometimes be seen as a cost-cutting exercise and I know I’ve talked repeatedly about how, ultimately, efficiency can help you to run the business more cost-effectively freeing up the budget for investment in innovation and change. However, saving money isn’t the goal, it’s the consequence. Operational efficiency should always be about?how?work gets done. It’s about productivity, process, economic stability, and volume growth.

Let me try a sporting analogy; football (the soccer kind) embodies the need for continuous improvement and operational efficiency. Teams need practice just as ICT systems need to be tuned up. In ICT, we do this through improving people, processes, and technology. Likewise, football isn't static; new tactics emerge, the competition gets more challenging, and teams adapt.

Similarly, running, and optimising IT services against increased demand and fresh strategies might align with the existing team's strengths, requiring minimal adjustments, but, at other times, these tactics may demand extensive coaching or even a reshuffling of roles, much like a football coach might need to reposition players or bring in new talent to fit a novel game plan.

In both fields, success hinges on belief in the mission and a blend of innovation, adaptation, and seamless teamwork.

?

Conclusion - Aiming for Operational Excellence

In the end, operational efficiency is just ensuring customers and colleagues get what they need in the most timely and orderly way. It can mean operating applications across multiple cloud providers – and even on-premises – to ensure the delivery of agile, scalable, and seamless experiences. It demands a focus on removing complexity wherever possible and concentrating on getting the basics right – the right people, processes, and fit-for?purpose solutions.

When combined with Operational Resilience (the basic underpinning of running IT services), Operational Efficiency can fuel Operational Effectiveness. The three elements running optimally together put you on the path to Operational Excellence and the stuff case studies and white papers are made of.

For those who have been following my updates on the impact of DORA on financial services, third-party ICT providers, and even regulators, you’ll probably know about my?blog series ?looking at the various impacts and opportunities around the legislation. For those of you coming in fresh, you can find them?here .

If are you a financial entity, a service provider, or part of the VMware ecosystem with concerns about DORA’s impacts, I’d love to hear from you. I’m always happy to talk through your priorities, share ideas, and even get into the details. Let’s talk!

??