Navigating Technical Debt to Meet DORA Compliance
- Rupert Colbourne, CTO at Orbus Software
- 04.11.2024 01:15 pm #TechnicalDebt #DORACompliance
The financial services and banking (FS&B) sector is home to many convoluted IT estates following years of extensive industry digital transformation – from cloud migration to data analytics and the integration of new AI and machine learning applications.
Managing these IT estates has subsequently become more difficult. This often leads to FS&B IT teams taking shortcuts in technology deployment, service delivery and feature rollout – accumulating “technical debt.” Additionally, many FS&B firms continue to run legacy IT solutions which aren’t compatible with modern data privacy or resilience standards, acting as further sources of tech debt given the increased likelihood of these solutions breaking and requiring fixes that take up the time of IT teams.
Tech debt is amassed slowly by nature, which makes it easy to deprioritise or ignore outright. Incoming regulation impacting FS&B institutions, however, removes that luxury. The EU’s Digital Operational Resilience Act (DORA) legislation puts all-new requirements on such firms with EU operations to demonstrably strengthen resilience to IT-related incidents. Tech debt is likely to cause many in-scope firms to struggle to comply with DORA because it hinders the pace of IT operational change and limits the scope for establishing visibility of the risk profile of IT assets.
Faced with this challenge, FS&B firms are badly in need of a holistic view of their IT estate – should they not already possess this – to map and understand tech debt and its underlying causes. This is going to help firms manage tech debt optimally. Before considering how such a view can be established, it’s worth exploring the unique problem of tech debt in FS&B further.
Breaking down technical debt
Legacy systems are a significant drain on FS&B, and the problem is widespread. Illustrating this, the FCA has previously found that 92% of the UK’s financial services firms still relied on legacy technology.
Legacy systems store and process important historical data and are used to serve core functions on the basis that they remain functional. However, as technology advances, these systems are becoming increasingly obsolete and are significant drivers of risk.
The build-up of legacy systems has been particularly severe in banks, where workflows tend to run in siloes across isolated business domains. For example, a legacy system that performs batch data uploads is now being incorporated into modern data workflows which weren’t designed for such interoperability.
With these systems in place, stretched IT teams often opt for short-term fixes when strains inevitably show and things break, rather than address the heart of the tech debt at hand and modernise. This status quo can’t hold given the requirements of new regulations for hyper-resilient IT systems – like DORA.
Taking a step back
Tackling technical debt will clearly be central to DORA compliance, but where FS&B firms deploy typical approaches to solving tech debt, their efforts risk falling flat. That’s because these typical, but flawed, approaches are reactive, focusing on short-term implications like the basic cost of fixing or not fixing tech debt.
This simplistic view risks overlooking tech debt’s implications for resilience as well as its drag on modernisation and capability. Tech debt must therefore be assessed more proactively, rather than waiting to remedy issues only when problems arise, as could be the case where a purely “cost basis” lens is applied.
Modern enterprise architecture platforms provide a unique ability to map both IT assets and processes to help guide IT strategy towards this longer-term, strategic approach to managing tech debt. By establishing a ‘digital blueprint’ of their organisation through such platforms, FS&B firms can measure beyond conventional financial metrics and establish a comprehensive view of the enterprise, helping to map tech debt, but also process debt. In practice, this means identifying with confidence where legacy technology is causing problems and taking steps to retire old solutions in favour of modern, compliant technologies and processes that are more strategically aligned with business goals.
By mapping their organisation this way, firms can transform attempts to tackle tech debt from a reactive effort to a proactive, more balanced and sustainable approach. This can translate directly to enhanced transformation initiatives, reduced IT budget spend and support for FS&B firms to meet DORA requirements.
Building resilient foundations
Today, innovation must be balanced with regulatory compliance and FS&B firms should use DORA as an opportunity to assess their IT estate and address tech debt to drive operational improvements that will ensure their compliance. Instilling best practice IT processes and data governance is not easy by any means, but a ‘digital blueprint’ can guide the way. DORA is a crossroads, and FS&B firms would be wise to go down the path of treating preparation for compliance as a golden opportunity to get a grip on tech debt to run a more nimble and resilient operation.