How pioneering integrated tools are helping companies to manage unforeseen operational risks

Operational risk is a significant challenge for businesses, but with the right tools it can be tackled robustly


A war on the European Union’s borders, a cost of living crisis, global energy security challenges and bottlenecks in supply chains are just some of the hurdles that the world’s leading financial institutions must negotiate in a post-pandemic world. But there are also other hidden threats that must be identified, assessed and mitigated. 

Take cyberattacks, for example. According to Check Point, a provider of cybersecurity solutions to corporate enterprises and governments, weekly global cyberattacks rose by 7% in the first three months of this year compared to the first quarter of 2022.

According to the European Union (EU) Agency for Cybersecurity (ENISA), third-party risk – the risk posed by suppliers operating in an organisation’s supply chain ecosystem – is a major source of cyberattacks.

ENISA says that third-party incidents accounted for 17% of breaches in 2021, compared to less than 1% in 2020. ENISA also notes that 62% of attacks on customers took advantage of their trust in suppliers. Of those attacks, nearly 60% were aimed at gaining access to data, while 16% targeted people.

Findings such as AAG IT’s, which put the cost of data breaches at “an average of USD 4.35 million” per business last year, underline why the EU has acted to ensure that those operating in its complex financial system have the tools to reduce the impact of such attacks.

The Digital Operational Resilience Act (DORA) will apply from 17 January 2025. Its aim is to ensure that the European financial sector “is able to stay resilient through a severe operational disruption”.

Robust regulatory framework

The enormous challenge faced by financial service firms operating in the EU is to ensure that their information and communications technologies (ICT) risk management policies, procedures and regulatory frameworks meet the DORA requirements.

This won’t be an easy hurdle to negotiate, says Patrick Potter, who works as a risk strategist for Archer, a provider of integrated risk management (IRM) solutions. This, he says, is because, in addition to setting requirements for managing ICT third-party risk, the DORA contains four more pillars, “which set a robust regulatory framework for information and intelligence sharing, digital operational resilience testing, incident reporting and risk management”. 

Luciano Veronese, Archer’s principal sales engineer, who in his role is responsible for positioning Archer’s IRM portfolio in Europe, says that “the DORA is creating an enormous sea change in ICT management”.

He explains, “The DORA has put a much greater emphasis on the work that cyber risk teams do. The spotlight is now firmly on them. Under the DORA rules, cyber teams will now be expected to report to the board of directors and will no longer be part of the operational risk team, but an organisation in its own right. That means that financial service companies that haven’t already done so will have to build this new cyber function from scratch – and a reporting structure to match.”

Potter, who has over 30 years’ experience in risk management, says that the DORA “requires companies to look much further than their individual internal reporting structures”. 

He says, “Financial service organisations operating in the EU will also need to think in coherent terms about how to empower third-party teams and internal management to work effectively in addressing all of the DORA requirements.”

But how do these companies navigate the complex and nuanced maze of the DORA regulations, which are both specific and prescriptive? On one hand, says Patrick Potter, international banks that have the time, the people and the resources “may already have instilled a mature risk management culture and capabilities within their organisations”. 

On the other hand, he says, smaller entities such as credit rating agencies or third-party service providers, “may not have the capability to do so”.

Risk registers reveal impact tolerances

However, by using Archer’s IRM solution, which includes Operational Resilience, Third Party Risk Management, and IT & Security Risk Management tools – all built into one single platform – organisations can implement consistent, sustainable processes across their entire business ecosystem.

Says Potter, “Our platform enables organisations across the world to set up threat and risk registers, to determine their impact tolerances and to forensically document their supply chain dependencies. Using the knowledge they glean from Archer, they can review and re-evaluate their business processes and document resilience measures and controls, while at the same time building recovery and continuity plans.”

Perhaps the greatest benefit of Archer’s integrated platform, says Luciano Veronese, is that it provides its clients with the building blocks to support the DORA’s five pillars and, for financial service companies operating in the UK, the requirements set out by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA).

Veronese explains, “Companies who use our software don’t have to spend time and resources picking apart the DORA, the FCA or PRA regulations, as their requirements are built into Archer’s workflows. However, Archer’s solution recognises that every company is different and provides organisations with the option to customise the solution to their needs.”

To properly comply with the DORA, Veronese says that financial service companies “must develop a robust Information Security Management System”. This, he says, requires organisations to not only “be able to identify threats, but to monitor those risk indicators in real-time”. 

He adds, “In short, this means, identifying vulnerabilities across the supply chain, developing preparedness plans and then fixing them when they surface.”

By harnessing Archer’s ability “to powerfully and seamlessly integrate with a raft of different systems across the vast supply chains”, financial service companies “can comply with this aspect of DORA”, says Potter.

He explains, “A lot of control and testing infrastructure – such as source code reviews, network security assessments and open-source analysis – happens outside of Archer. But Archer has very strong integration capabilities. Information from different sources can be easily brought into the Archer platform, enabling companies to see elements such as the asset, the risk, the test results, and any gaps. The result? Archer becomes that single pane of glass giving organisations a holistic picture of their entire value chain…”

But to comply with the DORA, companies must not only have full visibility across their supply chain, but demonstrate full transparency, governance, and accountability as to how information is shared throughout their supply chain ecosystem.

At the very heart of the DORA, says Luciano Veronese, is a requirement to eliminate silos and to share knowledge and experience with the entire cyber risk team across the supply chain. However, Veronese says that it is a pillar, “which is not well formalised”.

He notes, “Cyber cultures within organisations are often well organised and efficient, but when the information and intelligence sharing pillar comes into force in early 2025, it will greatly increase the standard for the organisations and their third-party suppliers to mitigate cyber threats. This will make the ecosystem much safer.”

But, with the information and intelligence sharing pillar not yet properly defined, Veronese says that Archer’s platform, which offers clients “real-time flexibility”, “really comes into its own”.

Inspections made easier

He explains, “The platform works very well in situations where the individual specifics of regulation are not clear because it enables clients to experiment by building prototypes.”

Helping clients to navigate both the ‘known knowns’ and the ‘known unknowns’ gives companies the peace of mind and confidence to negotiate complex regulation. But it is not enough for financial service organisations to be satisfied that they are complying with regulation. At some point, they must satisfy an auditing team, independent of their organisation, that they are meeting the stringent requirements set by the DORA, as well as by the PRA and FCA.

Archer gives its clients’ auditors and regulators the ability to carry out audits, inspections and reviews, which Potter says “makes inspections so much easier”.

He explains, “We understand that companies need to be able to prove they are compliant to the regulator or an auditor. Pillar by pillar, Archer provides organisations with all the data to justify the historical processes that they have put in place – in one single repository. 

“This means that at a touch of a button, an auditor can see every step a company has taken on its compliance journey. That is a game-changer for financial service companies.”