S3E07: Exploring DORA

Episode Description

‍
In this episode, our podcast host, Matthew O’Neill takes us on a deep dive “Exploring DORA”, Europe’s new Digital Operational Resilience Act which is being suggested, will be as significant for Financial Services as GDPR has been to the rest of us.

Matthew discusses the key provisions of DORA and how it aims to ensure the robustness and resilience of the financial system in the digital age. We'll uncover Matthew’s take on the motivations behind the act, its implications for financial institutions, IT service provider partners, and even the regulators, all with the aim of providing protection for consumers.

From cyber threats to operational disruptions, DORA's framework addresses a wide range of risks and sets new standards for digital operational resilience. Matthew makes it clear that regulators from other jurisdictions are watching with interest.

In addition, we learn of Matthew’s unprecedented journey in the financial sector; from an office junior at a local bank in the UK to becoming the Head of Infrastructure and Operations in Asia and then the Global Head of Data centres and IT Service Management at one of the world’s largest banks, and then on to his landing here at VMware.

Matthew’s take on DORA gives you a true insider’s perspective. It’s a must-listen!

3 Takeaways:

1. DORA emphasizes that operational resilience is not limited to financial services firms alone. The entire ecosystem supporting critical services must be considered. This means mapping out end-to-end processes, understanding who and what is involved, and ensuring full observability to keep things running optimally.
2. DORA introduces a significant shift in regulatory testing. Supervisors will now conduct tests on production systems especially where these are sharing cloud infrastructure with multiple firms. Stress testing operational resilience will become a priority, moving away from a mere tick-box exercise.
3. To comply with DORA's requirements, both financial service providers and their partner firms should invest in regulatory risk professionals and banking risk specialists. The act will challenge existing assumptions and practices. It might reveal whether claims of regulatory constraints are genuine or merely used as an excuse for avoiding technological advancements. This suggests that firms will need to navigate a potentially uncomfortable period of reevaluation and adaptation.

Key Quotes:

• It's not just about the financial services firm.It's also about, the whole ecosystem that supports you in the provision of what are deemed as critical or important services. So, if you have one of those types of service, you've really got to map out end to end, how that operates, who operates through, who's touching what part of it and making sure that you're not just monitoring it, but you've got like full observability as to what's going on, who's doing what, where, when, and why, and if anything goes wrong, how quickly you can bring that back.
• The big differences now though, is that there will now be testing performed and you've got to perform tests, but it's also the supervisors are likely to be performing tests and they'll be performing tests on production systems that are potentially running on the same cloud infrastructures as many other [financial service] firms and many other firms. So, there's going to be much more stress testing of that operational resilience than it ever being a kind of a governance, tick box exercise. So I think that's one thing that's got folks concerned.
• What's going to happen here is there's going to be an increased level of transparency. I can kind of say maybe an implicit increase in levels of trust between FSI firms and their supplier partners, because the supplier partners are going to be held to account for what's running. And if they don't know what's running,that's a little bit of a hard position to be in. So, I think an unintended consequence of this is actually going to be a greater amount of visibility. for the firms that are uncomfortable with that, and there will be some, then their risk appetites might take them back to, ‘Oh, actually now we need to be doing more on prem or we now need to move some of that workload away from public clouds and into colo facilities or back into data centers.’ Or vice versa, ‘actually, we've got such a great relationship with this.Hyperscaler, we need to put more with them.’”
• The more critical service providers and partner firms that we work with need to seriously think about employing some banking risk managers and regulatory risk professionals to help them navigate the potential of where this could go. I think it's going to be a little bit uncomfortable for a little bit of the time. One of the objections that often comes up talking with a customer about implementation or the potential to, to consume more technology is, ‘Oh yeah, the regulator won't let me do that’.or, ‘that's against our regulatory stance’. Or ‘the regulator is used in that way.’ We and our supplier partners are about to experience, well, what does that, what does that really mean? Is that something you're literally hiding behind or is it something that there is, um, there's a lot of truth in?

About the Hosts

Matthew O'Neill is a husband, dad, geek, and Industry Managing Director, Advanced Technology Group in the Office of the CTO at VMware.

You can find Matthew on LinkedIn and Twitter.

Brian Hayes is an audiophile, dad, builder of sheds, maker of mirth, world traveler and EMEA Financial Services Industry Lead at VMware.

You can find Brian on LinkedIn.

BIO:

Matthew is a Financial Services Industry thought leader, helping VMware customers and partners get the most from their technology investments. He is one of the senior leaders in VMware's GTM Strategic Ecosystem & Industry Solutions team. He works with customers, partners, the media and industry analysts to differentiate VMware's capabilities.  

Matthew works closely with the Strategic Ecosystem of partners, ISVs, Hyperscalers and Global Systems Integrators to develop industry-specific solutions to fulfil Financial Services customers' requirements.

Within the Industry Solutions team, Matthew is at the forefront of the new ways of working, driving delivery of industry solutions from ideation through GTM to adoption and improving VMware's industry relevance.

Matthew is a former Managing Director from HSBC, where he was the Global Head of Data Centres & IT Service Management. he spent five years in Hong Kong running IT Infrastructure & Operations across the Asia Pacific region and, before that, was responsible for HSBC's EUC & Telecoms globally.

Matthew brings this extensive Financial Services Executive expertise to share lessons, insights and opportunities with customers, partners and colleagues on their Cloud Journeys, Employee Experience and Digitisation/Digitalisation Transformations. He is called upon to provide opinion and actionable insight on the breadth of Financial Services, from the role of Artificial intelligence to Operational Resilience and even emerging regulations.

‍