Digital Operational Resilience Act (DORA) in a graph and a spreadsheet

May 31, 2024 by Glen Stokes

 

  

In brief

  • The DORA regulation demands end-to-end visibility across people, processes and technology. It provides a detailed set of targets for financial organizations that must be addressed from January 17, 2025. Zoreza Global is partnering with companies like Asana to help structure and manage this work.
  • Zoreza Global is helping global financial organizations face two challenges: Intensify governance while increasing the speed of innovation. We begin by creating a real-time digital twin that includes people, processes and technology in a graph model. There’s no need to establish a complete enterprise model before you start — that’s the beauty of graph models  
  • An automatically maintained graph platform, delivering real-time visibility of people, processes and technology, must be a primary governance and AI investment for the enterprise. Being able to model potential risks dynamically and the blast radii of outages are potential benefits of having a digital twin in place, with possibly significant cost savings in resilience testing and “what-if” modeling 

  

Zoreza Global is helping financial companies simultaneously increase the speed of innovation and satisfy the demand for greater governance and compliance.  

The latest EU regulatory requirement, the Digital Operational Resilience Act (DORA), addresses issues of systemic and concentration risk in the global financial system.  

DORA comes into effect on January 17, 2025 and holds the management team directly responsible for ICT management. Detailed act stipulations affect the people, processes and technology of every large financial organization.  

Board members, executive leaders and other senior managers are expected to define appropriate risk management strategies, actively assist in executing them and stay current on their knowledge of the ICT risk landscape, including third-party providers.  

Leaders can be held personally accountable for an entity's failure to comply.

 

Article 8: Digital Operational Resilience Act

  

I spent a weekend copying and pasting the entire act line-by-line into a spreadsheet (from 79 pages to 234 line items).  

 

Screenshot shows a section of the DORA regulation copied line-by-line into a spreadsheet

Filter and sort DORA chapters and articles

 

A Zoreza Global colleague, Jorge Alberto Iduma Valdez, then loaded the spreadsheet into a Neo4j graph (available on a public GitHub repository).  

DORA in a spreadsheet 

DORA has implications for people, processes and technology, so I sorted each of the 234 items according to my personal category assessments: People (21), process (156) and technology (57). 

 

Chart shows the DORA implications for people, processes and technology; the 234 items sorted according to the author’s personal category assessments

People, process and technology in DORA

 

The count of items per article is no indication of the time, cost or impact of implementation and will differ for each organization, but it gives you an idea of the spread of thinking in the document. 

The table below shows the chapter and article headings and the number of items under each. You can filter and sort on each of these to focus on areas of key importance to you. 

Note to the regulator: Elements of the paragraph structure in the DORA document are not particularly data friendly. 

 

Screenshot shows DORA’s chapter and article headings and the number of items under each

Summary of DORA requirements by chapter and article heading

 

Even if only used for quick reference, this is much easier than scanning the DORA regulation. It provides a sound basis for tracking and running a DORA project in your organization, so feel free to use it or contact Zoreza Global; with our partner Asana, we can help create and run a program of work with your team. 

DORA in a graph 

The graph is extensive, but the model is not complicated.  

In the diagram below, the term “Domain” refers to the people/process/technology dimension. Additionally, there are interconnected relationships between items, where articles refer to each other.

The graph is available on this GitHub repository. 

 

DORA as a Neo4j graph
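The model described above, sketched in Python as an added example (it is not code from this article or from the GitHub repository): spreadsheet rows become item nodes tagged with a Domain, and article cross-references become edges that can be walked to see which other articles a piece of work pulls into scope. The column names, the `REFERS_TO` edge name and the sample rows are assumptions; the row text is constructed placeholder wording, not quoted from the regulation.

```python
import csv
import io
import re
from collections import Counter, defaultdict, deque

# Constructed sample rows, one per line item as in the spreadsheet described
# above. Text and cross-references are placeholders, not the regulation's own.
SAMPLE_CSV = """chapter,article,item,domain,text
II,5,5.1,People,Placeholder requirement; see Article 6.
II,5,5.2,Process,Placeholder requirement; see Article 28.
II,6,6.1,Process,Placeholder requirement; see Article 8.
II,8,8.1,Technology,Placeholder requirement; see Article 6.
V,28,28.1,Process,Placeholder requirement; see Article 6.
"""

ARTICLE_REF = re.compile(r"\bArticles?\s+(\d+)")

def build_graph(csv_text):
    """Return (items, refers_to): item rows plus article -> referenced articles."""
    items = list(csv.DictReader(io.StringIO(csv_text)))
    refers_to = defaultdict(set)            # assumed REFERS_TO edges
    for row in items:
        src = int(row["article"])
        for target in ARTICLE_REF.findall(row["text"]):
            if int(target) != src:          # ignore self-references
                refers_to[src].add(int(target))
    return items, refers_to

def domain_counts(items):
    """Count line items per Domain (People / Process / Technology)."""
    return Counter(row["domain"] for row in items)

def reachable_articles(refers_to, start):
    """Breadth-first walk of cross-references from `start`.
    The seen set keeps reference cycles (here 6 <-> 8) from looping."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in sorted(refers_to.get(queue.popleft(), ())):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)

if __name__ == "__main__":
    items, refs = build_graph(SAMPLE_CSV)
    print(dict(domain_counts(items)))
    print("Article 5 pulls in:", reachable_articles(refs, 5))
```

The same walk, pointed at systems and suppliers instead of articles, is what a blast-radius query over a digital twin amounts to.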

 

Why are we doing this?

 

Digital governance at speed. Global financial organizations face two challenges: Intensify governance while increasing the speed of innovation. 

Companies can do both and should begin by creating a real-time digital twin that includes people, processes and technology in a graph model.  

There’s no need to establish a complete enterprise model before you start — that’s the beauty of graph models. Just begin by modeling what you know, or use this DORA model.

1. Meet the regulatory demand for maturity in digital governance 

The DORA regulation demands end-to-end visibility across people, processes and technology.  

It provides a detailed set of targets for financial organizations that must be addressed from January 17, 2025. We’re partnering with companies like Asana to help structure and manage this work. 

Please get in touch if you’re unclear about your DORA position. 

Future iterations of DORA requirements are likely as the regulator digs deeper into the control and governance of complex cloud and on-premises deployments. In my opinion, addressing these digital requirements with existing reporting solutions will become less and less effective.  

An automatically maintained graph platform, delivering real-time visibility of people, processes and technology, must be a primary governance and AI investment for the enterprise.  

Being able to model potential risks dynamically and the blast radii of outages are potential benefits of having a digital twin in place, with possibly significant cost savings in resilience testing and what-if modeling. 

 


 

2. Faster innovation by creating a network of AI metadata 

Graphs provide context for AI. 

As Tony Seale has constantly pointed out, AI needs connected data. Although the accuracy of LLMs still needs to improve, Gartner and others have already recognized the centrality of knowledge graphs for GenAI. 

 

Source: Gartner 

  

My vision is for an executive to type in a question about value, risk or performance and get an immediate model response directly relevant to their organization.  

 

What’s the cost of answering a question?

 

I believe organizations must begin this initiative now. Companies like JPMC are hiring intensively in this space. The cost of asking a question will only increase and at some point, those with graph-enabled, enterprise-wide AI solutions will simply have too much of a competitive advantage.  

 

Find out more

 

Zoreza Global has teams at low-cost, global locations, linking LLMs into graphs and demonstrating the value and speed of this approach. 

If you’re as excited about the possibilities of graph-enabled, company-wide AI solutions as we are and you’d like to learn more about DORA’s implications for your organization, contact us. 

    

 

Glen Stokes, Solution Architect

Glen has worked in the technology consulting field for more than 30 years. With a strong focus on data and business intelligence (BI), he has substantial hands-on experience, having previously founded and run an open-source technology company. Glen is currently working on a graph technology solution to deliver real-time governance across people, processes and technology while enabling faster innovation for our global financial services customers.