Richard Rivett
Guest Author
Richard Rivett is a seasoned software and technology professional with over 26 years of experience spanning vendors, client-side roles, and consultancy across multiple domains and geographies. Specialising in the Governance, Risk, and Compliance (GRC) sector for the last 15 years, Richard has performed a multitude of roles, including a Market Development role at MetricStream, where he leverages his diverse expertise in product, sales, delivery, and customer success to drive impactful business outcomes. His views are his own.
With the holiday season just around the corner, it’s not only Christmas presents and New Year celebrations grabbing the attention of those in the Banking, Financial Services and Insurance industry. On 17 January 2025, the Digital Operational Resilience Act (DORA) comes into effect. For the uninitiated, DORA has been introduced by EU legislators to strengthen the resilience of financial institutions against IT failures, cyber threats, and related risks.
Covering a broad range of financial institutions and ICT providers in the EU, the goal of DORA is to unify resilience standards, creating a more secure and stable financial ecosystem while building trust among consumers and markets.
While the focus often falls on maintaining compliance and satisfying regulators, operational resilience in today’s interconnected world is more than just a regulatory requirement—it’s a positive and necessary development. It benefits not only the financial services industry but also consumers, shareholders, and investors.
An additional goal of DORA is to encourage collaboration between traditionally siloed functions within organisations. It seeks to unite risk management, third-party risk management, operations, and security teams. However, this approach introduces its own challenges. More stakeholders mean greater complexity, often making coordination feel like herding cats. We’ve seen similar situations before, such as when GDPR was introduced in 2018, which also spanned risk, compliance, operations, and more.
Much like with GDPR, many organisations are still experiencing "ostrich syndrome": unsure of how or where DORA will affect them, they procrastinate on the steps needed to ensure compliance. Confirmation bias often follows, with people disregarding risks until they become unavoidable.
This presents a significant opportunity for technology and data providers, who offer solutions claiming to address all these challenges. However, DORA’s unique nature—due to the many touchpoints across an organisation—makes it difficult to rely on a single platform to meet all requirements.
It’s crucial for organisations to review the tools, platforms, and solutions they already have in place to manage DORA. Ensuring preparedness for regulatory requirements is key. There’s often a tendency to focus primarily on cybersecurity, driven by the tech community. Ask any Chief Risk Officer or CEO what their number one business risk is, and the answer will overwhelmingly be cyber risk. For years, cybersecurity has been regarded as the premier risk. While there was a brief period when sustainability risk took precedence, cybersecurity has since regained its position as the top concern. It’s no surprise that, when digital resilience is discussed, the focus often shifts to cyber threats such as attacks from rogue sovereign nations and criminal gangs.
However, this focus is incomplete. Cybersecurity is a critical part of DORA compliance, but it is not the full picture. Resilience isn’t just about defending against phishing, intrusions, or denial-of-service attacks. It also depends on the robustness of the infrastructure and the software supporting it. For instance, the massive outage in July this year, billed as the largest IT outage in history, wasn’t caused by a nation-state or criminal group, but by a defect in a CrowdStrike software update that crashed Windows hosts worldwide. While software bugs and defects may not grab headlines, they pose a significant threat and shouldn’t be ignored. Often, these more mundane issues lead to the largest business disruptions.
The impact of service outages is real. I recently spoke with the Head of Operational Resilience at a leading UK financial services organisation, who highlighted the risk of service unavailability. They had conducted a study measuring customer sentiment and found that when an outage occurs, platforms like DownDetector report the issue in near real time, often faster than the company’s own operations team. This triggers a flurry of negative social media posts, which harms the company’s reputation, invites increased regulatory scrutiny, and leads to customer dissatisfaction.
The reality is that while we should never underestimate cybersecurity, it’s only one part of the bigger picture. You can secure your house with deadlocks, infrared sensors, locking bolts, CCTV, and even barbed wire, but if you forget to lock the back door, you’ve left an entry point for disruption, making all other security measures irrelevant.
In conclusion, effective risk management goes beyond addressing the visible challenges: it is about identifying and mitigating the hidden threats that can disrupt an organisation’s operations. Vendor software bugs and operational defects, often overlooked or poorly tracked, fall into this category of unseen risks and can be as critical to resilience as cyberattacks. Bringing structure and clarity to these issues is essential for ensuring operational stability and maintaining trust among customers, employees, boards, and investors, all while meeting the expectations of regulators who are quick to act when resilience is compromised.
The stakes are high, and the cost of inaction will far exceed the price of preparedness.
Understand the cost to your business and how BugZero can help you reduce those costs.