Mitigating people risk for DORA compliance

DORA is about Digital Operational Resilience. But what happens when people undermine digital resilience?

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

You may have the most robust digital systems, but you still need people to manage, maintain, support, and access them. People go on holiday, get sick, leave, or are compromised; they are unpredictable and hard to control.

So, what happens when your SME disappears? What if their knowledge is lost? The system still functions in principle, but in reality, you have no way of using the capabilities or outputs due to the loss of an individual.

People possess critical knowledge of the digital infrastructure and processes. Their absence means a service or system becomes inoperable or inefficient, undermining DORA compliance.

Mitigation

The human risk to DORA compliance can be mitigated with process mapping and automation.

Process mapping

By clearly defining and mapping your processes, you ensure consistent, consolidated knowledge of key processes and of the systems, tasks, and stakeholders required to complete each function successfully.

In the event of staff loss, you can refer to the process map and its requirements to understand how the process works and which controls and outcomes it is meant to deliver. This includes documenting the data required to progress the process, and the rules for how and where that data should be stored and used.

For some processes, this may be the first time they are documented beyond word of mouth. This is a very valuable task, even prior to automating. These documents remove dependence on an individual for their knowledge.

We recommend automating once you have clearly defined your process requirements and scope.

Process automation

With your processes clearly mapped, and scope defined, you can start to automate.

Options include full or partial automation. Partial, or guided, processes provide clear steps and checklists for ‘gifted amateurs’ to follow whilst maintaining control of the process and ensuring all tasks are complete before moving on. Knowledge is maintained within the process.

This method also helps capture the process and provides a foundation for iterative or agile refinement.

Fully automated processes may still require human intervention, but on the whole will complete tasks automatically. These processes are controlled by the system, ensuring tasks are completed as and when expected with the right systems and resources.

They can create reports, access portals, share data, raise alerts, and escalate tasks if there is an issue or delay, and so much more.

Security

Privileged users account for the top three most frequent and/or costly data breach attack vectors. This risk is inherent in people, even those you ‘trust’.

Process automation can mitigate this human risk by limiting human interaction and direct access to data and systems. People no longer require access to passwords or credentials, meaning they cannot be compromised or hacked for this information. Bonus: bots cannot respond to phishing attacks.

Automation can also improve the consistency of access management, by automating how and when users are granted rights to different data and systems. This also means streamlining the removal of permissions in line with policy.

Find Out More

We believe that addressing operational human vulnerability is a critical dimension to ensuring DORA compliance. Join Responsiv and UK Finance to explore the human aspect of DORA.

Click here to register for our webinar.

Alternatively, click here to read more about DORA.