About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

Operational Resilience Testing for DORA with Fusion Risk Management

Subscribe to our newsletter

The Digital Operational Resilience Act (DORA), an EU regulation aimed at strengthening the IT security of financial entities is now ‘live’ and fully applicable as of January 17. This legislation mandates that financial institutions, including banks, insurance companies, and investment firms, ensure they can withstand, respond to, and recover from all types of Information and Communication Technology (ICT) related disruptions and threats.

DORA introduces five key pillars: ICT risk management, incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. To dig deeper into operational resilience scenario testing, we caught up with Davis DeRodes, Lead Data Scientist at operational resilience specialists Fusion Risk Management.

“Regarding scenario testing, start with the basics,” says DeRodes. “Many organizations only test once or twice a year, but regulations demand more frequent testing. AI can help you test more often. It also acts as an unbiased party in proposing scenarios, especially for regulated clients who need scenarios that are severe yet plausible. AI can show plausibility by referencing historical examples, which is incredibly helpful,” he says.

Fusion’s Scenario Simulation and Intelligence suite allows organizations to run thousands of “severe but plausible” operational risk scenarios concurrently, unveiling hidden vulnerabilities in systems, processes, and resilience plans. By leveraging fusion’s proprietary AI combined with internal and external historical event data—for example vendor services outages like last year’s CrowdStrike incident or cyber security incidents—teams can prioritize the most impactful gaps, reduce human bias, and gain clarity on what to fix or plan for, ensuring optimal preparation for any disruption.

These capabilities also address incomplete or untrusted data by highlighting information gaps and prioritizing which issues to resolve first. Additionally, they improve engagement in tabletop exercises by identifying relevant scenarios and the right departments and specific roles in advance, helping organizations save time and resources. All of this is seamlessly managed within the same Fusion platform that teams will rely on to handle real incidents, creating a cohesive and efficient resilience framework.

Compliance with DORA requires firms to capture and report on data they previously did not need to collect—e.g. third-party supply chain dependencies—often necessitating a shift in data ownership and accountability within organizations. Initially perceived as a security issue managed by Chief Information Security Officers (CISOs), the responsibility for DORA compliance has increasingly moved to Chief Operating Officers (COOs), reflecting its broader operational impact.

Published regulatory frameworks, such as those from the Basel Committee on Banking Supervision (BCBS) follow a principles-based approach. In contrast, DORA stands out for its detailed prescriptive obligations. This specificity, whilst providing clarity on regulatory expectations actually risks encouraging firms to adopt a tactical box-checking approach, rather than a strategic evaluation of the firms digital supply chains.

Tom Henshaw, Fusion’s Head of Platform Go to Market for EMEA shared some perspectives on how the regulatory divergence between the EU and Post-Brexit UK’s more principles-based approach. “I guess ultimately, it would probably come down to the way in which the regulation is governed, because it [DORA] is so prescriptive about what needs to be done, how, when, and that sort of thing,” he says, suggesting “The ESA and the European regulators, may be slightly missing the mark by moving resilience to a compliance-driven activity, rather than a value creation or a competitive advantage activity.

“Resilience is a value creation activity because it enables firms to provide their services or products to the market over a longer duration because they’ll have more uptime and their customers will be stickier because ultimately, resilience is about protecting the customer and fulfilling the obligations made to the customers. So, I think the focus should always be on achieving those outcomes from a regulatory standpoint,” he says.

Subscribe to our newsletter

Related content

WEBINAR

Upcoming Webinar: Managing Non-Financial Misconduct Under SMCR

9 October 2025 11:00am ET | 3:00pm London | 4:00pm CET Duration: 50 Minutes Non-financial misconduct—encompassing behaviours such as bullying, sexual harassment, and discrimination is a key focus of the Senior Managers and Certification Regime (SMCR). The Financial Conduct Authority (FCA) has underscored that such misconduct is not only unethical but also poses significant risks...

BLOG

Navigating Divergent AI Regulation – Can Standards Bring Clarity?

Artificial intelligence is transforming financial services, from automating credit assessments to streamlining compliance processes. But while AI capabilities are developing at pace, regulatory frameworks are struggling to keep up. Nowhere is this more apparent than in the contrasting approaches taken by the European Union and the United Kingdom. The EU has opted for a rules-heavy,...

EVENT

ESG Data & Tech Briefing London

The ESG Data & Tech Briefing will explore challenges around assembling and evaluating ESG data for reporting and the impact of regulatory measures and industry collaboration on transparency and standardisation efforts. Expert speakers will address how the evolving market infrastructure is developing and the role of new technologies and alternative data in improving insight and filling data gaps.

GUIDE

AI in Capital Markets: Practical Insight for a Transforming Industry – Free Handbook

AI is no longer on the horizon – it’s embedded in the infrastructure of modern capital markets. But separating real impact from inflated promises requires a grounded, practical understanding. The AI in Capital Markets Handbook 2025 provides exactly that. Designed for data-driven professionals across the trade life-cycle, compliance, infrastructure, and strategy, this handbook goes beyond...