Have you noticed that, sometimes, we get so caught up in our top of mind priorities at work that we lose sight of the fact that people outside our company or industry, people outside the world we live and work in… may very well live in a world totally devoid of… whatever it is we spend all our time thinking about? Have you?
Because, I often find, it is good to remember that.
It is sobering.
It gives perspective.
It helps us get better at explaining why things are important, without assuming everyone already knows, and getting frustrated if they don’t.
My partner is a graphic designer. He had no idea what T+2 was and why it mattered to me so much. And although I don’t think he will… ever… lose sleep over the lack of regulatory harmonisation timelines, he understands why it matters. Because I took the time to explain and he took the time to listen. I promise I kept it short and snappy… but the point is: It was my job to explain and his good grace to show an interest.
How much of your day-to-day work do you ‘sanity check’ with the world out there?
Out of interest.
How much of the stuff you live and breathe all day do you talk about with people who… don’t?
I am asking that because we all often assume, in life and at work, that what is important to us is important full stop. That could not be further from the truth, even with the best intentions in the world. First of all, with billions of people on the planet and an indefinite number of… things… that can be potentially deemed important, it is mad to assume you may be on the same page with anyone by default.
But even if the context suggests that maybe, actually, there should be alignment here… you should absolutely check.
I am saying this as someone who has spent a lot of time thinking about DORA and assuming that everyone else is too.
Why am I assuming that?
Well.
Because DORA, the Digital Operational Resilience Act, is a mammoth piece of regulation putting a huge amount of new demands on 22,000 organisations across three verticals:
Firstly, observability and reporting. You need to declare an incident or outage across your estate within 4 hours of it happening… are you even able to know that you had an incident let alone know enough to report? This is a thing.
Secondly, it puts operational resiliency front and centre in your relationship with the regulator. It’s not something you just do as good hygiene for your business anymore. It is now something you have to do well and, equally importantly, be seen to be doing consistently.
And thirdly, you are responsible for doing all of this and a lot more across your entire estate. That means all your relationships, all your suppliers, all the third party bits in your extended ecosystem and supply chain.
So, yes, I am assuming if you are one of the 22,000 organisations affected you will be thinking about DORA.
Even if it is just to work out if you can risk-accept it for now and see what gives.
You can imagine my surprise when a colleague casually mentioned that the search volume around OpRes on the internet is… Loooooooooow. People’s top of mind considerations aren’t exclusively linked to their internet search history but, let’s face it, it’s a pretty good indicator. If you look at my recent search history you can guess pretty accurately what TV show we are currently watching, what recipe we experimented with last week, where my next business trip is taking me, and what I am working on at the moment. It won’t tell you everything I am doing, but it will give you a pretty good sense of what my week has been like.
So it matters that people don’t seem to be searching the things I was assuming they would be losing sleep over.
Monthly searches for operational resilience are around the 1400 mark in the UK… down to a third of that in the US… Half of that for business resilience searches in the UK, a measly 320 searches per month.
And although the number looks a little better when you look at search numbers for DORA itself… 27,100 monthly hits in the UK… it turns out that’s a false positive because it’s not DORA itself that people are searching for, but Dora herself, the explorer of cartoonish cuteness and fame.
Do the search numbers tell the whole truth?
Of course not.
Most senior decision makers don’t do their own googling. They have analysts to do the googling for them and then read the highlights of the reports by the analysts and their expert advisors. But the search numbers are indicative of the fact that those of us who think that operational resilience is top of mind for everyone are wrong…
And, frankly, so are those people who are not worried about operational resilience in general and DORA in particular. They are wrong not to be thinking about it. Because it matters.
Meanwhile there seems to be a weird bidding war for attention in this space.
The cost per click for ads on the lowest searched items is high… and the search volume… measly. So, essentially, consultants are out-spending each other for fewer than 50 people per month searching.
Why do they do that? They are not stupid.
They do it because they know those of you not thinking about this are wrong and you will come round to thinking about it sooner or later. And the later you come round to thinking about it, the more frantic the searching.
They know that when the 22,000 affected organisations wake up and panic sets in, when they realise that this is important… it affects them… and it’s big… there will be a scramble, so the potential ROI of those clicks is potentially huge.
So… they are not stupid.
And neither are the people who haven’t yet clocked this matters to them. This is life. There is a lot happening, a lot clamouring for your attention.
So this is one of those moments when it is incumbent upon us to explain, and incumbent upon those not hitherto interested to give us the grace of listening. And hopefully we can convince you that this matters without waiting for your world to be on fire.
Are you ready?
This is not going to be long.
This matters for 3 reasons:
- The world is digital. System to system to person connectivity is ubiquitous and foundational to everything. Your ability to be online… or get back online after an incident, failure or malicious act… is absolutely vital and your awareness of that ability is key. Whether the regulator asks for it or not.
- The world is connected. Your third party risk is not removed because it’s third party. That’s a mindset change, so I will wait for you to re-read and digest. Again. This matters whether the regulator asks for it or not.
- The direction of travel for the world is interconnected and interdependent. The regulators are pointing that way. Business is charging ahead that way. This is the way. You got it: whether the regulator asks for it or not. But also: because the regulator is asking for it and will only be asking for it more insistently with every passing year.
Whether DORA affects you or not, the world that DORA is trying to prepare the economy for does.
And it’s scary, don’t get me wrong.
All the building blocks of the digital economy are ipso facto potential vulnerabilities. Everything we do comes with a potential risk footprint, not to mention governance and business viability implications.
Even if this doesn’t affect you right now, do you really think it doesn’t impact you?
Even if the regulator doesn’t demand that you know right now, don’t you think they may soon?
And either way… wouldn’t you want to know? Don’t you want to know where your vulnerabilities are in a world that is occasionally hostile, often turbulently dangerous and always connected?
I would.
With the support of The Disruption House, you can start preparing for DORA today. Simply reach out to our team.