The future of compliance: How financial institutions can build a DORA-ready culture

11/26/2024

The Digital Operations Resilience Act (DORA) comes into force for financial institutions and information and communications technology (ICT) service providers on 17 January 2025. It is a looming deadline, and companies impacted by it must act to ensure compliance. There are practical steps to take, not least on existing and new contracts, which Conga’s guide to DORA can help with. However, complying with DORA—in fact with any regulation—is about more than a ‘to do’ list: it requires a cultural and organisational shift.

What is DORA?

DORA is EU regulation that aims to improve cybersecurity and operational resilience in financial services. UK organisations providing financial services to EU-based entities, or operating within EU financial markets, must also comply with DORA.

DORA was passed to reduce the risks that arise from using digital services, such as cyberattacks, data leaks and technology outages. It covers areas such as ICT risk management, incident reporting and operational resilience testing. The requirements are binding for banks, payment service providers, credit institutions, investment companies, insurance companies, crypto providers and others.

How does DORA affect corporate culture and organisation?

DORA aims to help financial companies resist, respond to, and recover from operational disruption related to ICT. Companies should embrace its impact on culture and organisation, because employees must think proactively about risk and about how they can help protect the company, its data and its customers.

The ethos of DORA can bring about positive cultural change, shifting individual mindsets that may have focused on siloed, independent activities, to ones that are:

  1. Proactive on risk

DORA shines a spotlight on the risks of what could happen whilst ICT and digital supplier relationships are in the earliest stages of being formed. Employees should—indeed must—strive to understand risks, manage them and establish mitigation strategies. It is everybody’s job to be responsible for and proactive about risk, so employees should adopt a mindset that queries:

  • What IT security and data protection a third-party provider has
  • Where customer data is stored
  • How that data would be returned in the event of insolvency or company closure
  • If the third-party’s own providers comply with DORA and if they’re covered in the agreement
  • To what extent services can be audited.

  2. Cyber aware

There might once have been a time when only IT workers concerned themselves with cybersecurity, but if there was, it is long gone. All employees must be cyber savvy, at least enough to understand cyber risks and the importance of tackling them head-on.

Regulatory compliance is a ‘must do’ but organisations should also grasp the opportunity that DORA, and other mandates, represent to shape their organisations according to ‘what good looks like’. ‘Good’, as far as DORA is concerned, looks like employees being alive to the risks, as well as the benefits, of digital technologies and acting accordingly.  

  3. Focused on business continuity

Resilience is in DORA’s name; the Act is all about improving cybersecurity and operational resilience. Employees need to understand and mitigate risks, but they must also plan for business continuity and disaster recovery in the event of a risk becoming reality. This makes organisations more resilient. 

Not so long ago, financial services were among the many industries affected by the CrowdStrike outage. This demonstrates that unforeseen issues will continue to cause disruption despite the best risk management; the question is how well organisations can reduce the impact, maintain services during a crisis and restore normal operations.

  4. Collaborative

DORA compliance is a collaborative effort across organisations’ functions including IT, legal, procurement, risk management and compliance. Financial institutions must foster collaboration across departments to ensure a holistic approach to resilience. 

Collaboration shares knowledge across the organisation to maximise opportunities and minimise risks. Independent, siloed working increases the possibility of risk factors becoming reality, because skilled professionals in different disciplines will identify different risks. Equally, they will also spot different opportunities for cost savings or revenue generation.

DORA and contract lifecycle management

DORA covers five distinct areas of ICT risk management. Financial organisations must risk-assess new contracts, review existing ones and negotiate amendments if required, update templates and contracting standards, and report new ICT service provider agreements.

Compliance can be challenging, given the sheer volume of data and contracts financial entities must manage. To meet the challenge, organisations should consider automated contract lifecycle management (CLM) solutions and contract intelligence solutions. These support a cross-functional effort by financial institutions to bring transparency and efficiency to lifecycle management.

How Conga can help

Conga CLM maps the entire contract lifecycle from negotiation and signature through execution and fulfillment, to renewal or termination, and shows changes over time to contracts, clauses and related documents.

Conga Contract Intelligence, supported by artificial intelligence (AI) and machine learning and used in combination with Conga CLM, provides a way to accurately uncover contract insights to meet obligations, manage risk and optimise revenue. Contract intelligence can digitise contracts, and automatically extract and transform legal language into actionable data. Once tagged in the CLM system, the data can be used efficiently in searches, reporting, risk analysis and alerts. A risk score can indicate where, and by how much, a contract deviates from requirements so that legal experts can revise it.

Together, Conga Contract Intelligence and Conga CLM can help financial services companies manage contracts, extract key data points, gain insights into contractual obligations and identify and mitigate risk for regulatory compliance.

For more information

Conga’s guide Digital Operations Resilience Act (DORA) contract review: minimising risks with CLM and AI-led contract intelligence explores what DORA is, how it applies in the UK and how CLM and AI-led contract intelligence solutions can help. 

You can also read Conga’s blog on Strengthening Digital Resilience with CLM and Contract Intelligence in the Era of DORA.
