About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

Operational Resilience Testing for DORA with Fusion Risk Management

Subscribe to our newsletter

The Digital Operational Resilience Act (DORA), an EU regulation aimed at strengthening the IT security of financial entities is now ‘live’ and fully applicable as of January 17. This legislation mandates that financial institutions, including banks, insurance companies, and investment firms, ensure they can withstand, respond to, and recover from all types of Information and Communication Technology (ICT) related disruptions and threats.

DORA introduces five key pillars: ICT risk management, incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. To dig deeper into operational resilience scenario testing, we caught up with Davis DeRodes, Lead Data Scientist at operational resilience specialists Fusion Risk Management.

“Regarding scenario testing, start with the basics,” says DeRodes. “Many organizations only test once or twice a year, but regulations demand more frequent testing. AI can help you test more often. It also acts as an unbiased party in proposing scenarios, especially for regulated clients who need scenarios that are severe yet plausible. AI can show plausibility by referencing historical examples, which is incredibly helpful,” he says.

Fusion’s Scenario Simulation and Intelligence suite allows organizations to run thousands of “severe but plausible” operational risk scenarios concurrently, unveiling hidden vulnerabilities in systems, processes, and resilience plans. By leveraging fusion’s proprietary AI combined with internal and external historical event data—for example vendor services outages like last year’s CrowdStrike incident or cyber security incidents—teams can prioritize the most impactful gaps, reduce human bias, and gain clarity on what to fix or plan for, ensuring optimal preparation for any disruption.

These capabilities also address incomplete or untrusted data by highlighting information gaps and prioritizing which issues to resolve first. Additionally, they improve engagement in tabletop exercises by identifying relevant scenarios and the right departments and specific roles in advance, helping organizations save time and resources. All of this is seamlessly managed within the same Fusion platform that teams will rely on to handle real incidents, creating a cohesive and efficient resilience framework.

Compliance with DORA requires firms to capture and report on data they previously did not need to collect—e.g. third-party supply chain dependencies—often necessitating a shift in data ownership and accountability within organizations. Initially perceived as a security issue managed by Chief Information Security Officers (CISOs), the responsibility for DORA compliance has increasingly moved to Chief Operating Officers (COOs), reflecting its broader operational impact.

Published regulatory frameworks, such as those from the Basel Committee on Banking Supervision (BCBS) follow a principles-based approach. In contrast, DORA stands out for its detailed prescriptive obligations. This specificity, whilst providing clarity on regulatory expectations actually risks encouraging firms to adopt a tactical box-checking approach, rather than a strategic evaluation of the firms digital supply chains.

Tom Henshaw, Fusion’s Head of Platform Go to Market for EMEA shared some perspectives on how the regulatory divergence between the EU and Post-Brexit UK’s more principles-based approach. “I guess ultimately, it would probably come down to the way in which the regulation is governed, because it [DORA] is so prescriptive about what needs to be done, how, when, and that sort of thing,” he says, suggesting “The ESA and the European regulators, may be slightly missing the mark by moving resilience to a compliance-driven activity, rather than a value creation or a competitive advantage activity.

“Resilience is a value creation activity because it enables firms to provide their services or products to the market over a longer duration because they’ll have more uptime and their customers will be stickier because ultimately, resilience is about protecting the customer and fulfilling the obligations made to the customers. So, I think the focus should always be on achieving those outcomes from a regulatory standpoint,” he says.

Subscribe to our newsletter

Related content

WEBINAR

Upcoming Webinar: Managing Non-Financial Misconduct Under SMCR

9 October 2025 11:00am ET | 3:00pm London | 4:00pm CET Duration: 50 Minutes Non-financial misconduct—encompassing behaviours such as bullying, sexual harassment, and discrimination is a key focus of the Senior Managers and Certification Regime (SMCR). The Financial Conduct Authority (FCA) has underscored that such misconduct is not only unethical but also poses significant risks...

BLOG

FCA AI Innovation Lab – Corlytics Joins AI Spotlight

In October 2024, the UK’s Financial Conduct Authority (FCA) launched its Artificial Intelligence (AI) Lab, marking a significant regulatory initiative for integrating AI within financial services. The initiative underscores the FCA’s commitment to fostering responsible AI innovation while ensuring consumer protection and market integrity. The AI Lab serves as a collaborative platform, bringing together regulators,...

EVENT

TradingTech Briefing New York

Our TradingTech Briefing in New York is aimed at senior-level decision makers in trading technology, electronic execution, trading architecture and offers a day packed with insight from practitioners and from innovative suppliers happy to share their experiences in dealing with the enterprise challenges facing our marketplace.

GUIDE

The DORA Implementation Playbook: A Practitioner’s Guide to Demonstrating Resilience Beyond the Deadline

The Digital Operational Resilience Act (DORA) has fundamentally reshaped the European Union’s financial regulatory landscape, with its full application beginning on January 17, 2025. This regulation goes beyond traditional risk management, explicitly acknowledging that digital incidents can threaten the stability of the entire financial system. As the deadline has passed, the focus is now shifting...