PagerDuty Blog

DORA vs. DORA!

There was recently some confusion in the office that I thought was worth researching and addressing. Depending on who you are talking to, you may hear the acronym DORA in one of two contexts. (OK, three if you’re talking to a preschooler!)

It might be in relation to DORA metrics–that is, a set of metrics associated with DevOps Research and Assessment. Alternatively, and particularly in a Financial Services (FS) scenario, you’ll hear about DORA–the Digital Operational Resilience Act–which is a part of the European Union (EU) Digital Finance Package. This aims to help and support the digital transformation and innovation of firms and organizations in the FS sector. 

For sure, DORA and DORA(!) cover very different topics and yet, PagerDuty has a role to play in both… Let me explain.

DORA metrics–those metrics associated with DevOps Research and Assessment–are gathered for your department or organization and will help you assess your DevOps maturity and efficiency in terms of:

  • Your ability to deploy frequently
  • How long it takes for a feature to go from creation to deployment in production
  • The Mean Time to Restore (MTTR)
  • Time taken to recover from a failure
  • And lastly, how frequently deployments fail

Metrics such as these are important as, once you understand your baseline, you have something to measure and improve against.

A DORA report is produced annually that delves into these metrics and associated research and, on reading this year’s report, it’s evident to me that PagerDuty can play an active part in helping firms improve their position and digital maturity. For example, employee well-being and a healthy culture feature heavily, as does balancing delivery speed with operational performance. 

The report dives into employee burnout and how people who take on frequent, repetitive work are most likely to experience this. PagerDuty’s Incident Management, AIOps and Automation capabilities are specifically intended to improve your MTTR, reduce toil, help you find the critical incident amidst the noise, focus on-call response to the most appropriate individuals (to avoid ‘swarming’) and, wherever possible, automate, automate, automate – your incident response, incident remediation and repetitive tasks.

When you distribute work fairly and return time (one of the most valuable commodities you can give) to your engineering teams, morale and culture will invariably improve, as will focus on delivery and operational performance and resilience. These are all critical competitive differentiators in today’s market and the PagerDuty Operations Cloud is there to support you.

So that’s DORA, now let’s cover, err, DORA…

If you work in the financial sector or are a supplier to this sector, you cannot have failed to hear about the Digital Operational Resilience Act (or, if you are in the UK, the regulators’ requirements covered in the Financial Conduct Authority (FCA) policy statement PS21/3 and the Prudential Regulation Authority (PRA) policy statement PS6/21). The former came into force in 2023, the latter in 2022. 

The details of these Acts are far too complex to unpack in a brief blog like this but they have caused FS firms to examine the risks posed by their digital transformation. In essence, the regulators require FS firms to increase their Operational Resilience (OR) which will improve the resilience of the financial sector as a whole and hence protect consumers and preserve market integrity. The FCA defines OR as “the ability of firms, financial market intermediaries (FMIs), and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.”

Of course, FS firms were already on this path–OR helps them deliver their business in a consistent way, gives them competitive advantage and maintains their reputation. Resiliency, availability and reputation directly impact the bottom line.

FS firms are required to identify their most important business services–services which, if disrupted, could potentially cause ‘intolerable harm’ to consumers of those services. For example, the ability of a banking customer to access their bank balance immediately via a mobile app or for clients of a brokerage firm to be able to make trades against the market. The FS firm must reassess these important services regularly and also whenever there is a significant change to their business or the market in which they operate.

The next step is for firms to set impact tolerances for these business services–what level of disruption can be tolerated and what is a reasonable time in which to restore the service? These impact tolerances must be demonstrated and tested, at least annually. 

Finally, FS firms must show they have an Incident Management process capable of restoring service as quickly as possible, and able to report the nature, extent, duration and criticality of the issue.

So… a Financial Service firm must anticipate digital risks and disruptions to their business and, through the creation of risk management frameworks, show how they would respond and restore services within the specified and agreed timescales (tolerances).

DORA will apply directly to all EU member states from 17th January, 2025–the UK regulations come fully into force a little later on 31st March 2025.

PagerDuty can play a critical role in any FS firm’s OR framework and response strategy. The PagerDuty Operations Cloud is built with operational resiliency at its core and would be an invaluable weapon in the arsenal of any FS firm when considering how they will acknowledge, respond to and restore a critical business service within the agreed tolerance for that service. The PagerDuty Service Graph is tailor-made for this application, the Analytics and Reporting capabilities are ideal to help FS firms report the chronology of actions taken during the response, and, crucially (and in common with DevOps DORA), the AIOps and Automation capabilities are essential in reducing or avoiding the impact of an outage and accelerating the time to restore normal service.

Firms in the EU now have less than a year to finish their preparations and to conform to the requirements laid out under DORA–firms in the UK have slightly longer. But it’s clear that the time to act is NOW. The PagerDuty team and offerings can help and we’d love to engage with you and show you how.
