Lessons in Resilience for Financial Institutions: Navigating the Convergence of ESG and DORA

In October 2020, torrential rains in Hyderabad, India, triggered catastrophic flooding, displacing over 37,000 families and bringing business operations in the region to a standstill. For many, it was a humanitarian crisis; for others, it exposed an uncomfortable truth about global supply chains. Hyderabad, a bustling tech hub, hosts numerous IT service providers critical to the financial sector. Banks around the world faced ripple effects as their operations, reliant on vendors and data centres located in the flooded region, came under strain.

The episode brought to light the need for financial institutions to rethink how they manage and monitor supply chain risk. It also highlights an important relationship between ESG (Environmental, Social, and Governance) considerations and the operational resilience mandates set out in DORA (the EU's Digital Operational Resilience Act). Even financial institutions that are not subject to European regulation are watching this closely.

Climate-related events, from floods to wildfires, are a key component of ESG strategies, and they’re becoming impossible to ignore. But these events are more than an environmental issue; they’re a digital one. Financial institutions increasingly rely on third-party IT providers located in high-risk regions.

Under DORA, firms are required to map out these relationships and understand their vulnerabilities. A vendor with servers in a flood-prone area represents not just a business continuity risk but also an ESG consideration—are institutions relying on suppliers that lack proper disaster preparedness or sustainable practices?

At their core, both ESG and DORA are about resilience—ensuring businesses can withstand disruptions, whether they’re triggered by natural disasters, social unrest, or governance failures. But while ESG takes a broader, values-driven approach to sustainability, DORA focuses on the financial sector’s ability to maintain stability in a digitized and interconnected world.

So, how can financial institutions address the convergence of these two frameworks? And, more importantly, how can CTOs and Operational Resilience Managers ensure that their services remain secure and functional, even when the nth party in their supply chain is underwater—literally or figuratively?

Understanding ESG and DORA Through a Resilience Lens

ESG and DORA may seem distinct at first glance, but they share overlapping priorities that make them complementary in practice. Let’s break it down:

1. Environmental Risks and Digital Stability

Climate-related events are the environmental risk that ESG programmes already track, and they land directly on the financial sector's digital estate. An IT provider whose data centre sits on a flood plain or in a wildfire corridor is a single point of failure for every service that runs on it, however robust the bank's own infrastructure may be, and that exposure grows as more services are outsourced to providers in high-risk regions.

Operational resilience tools such as ServiceNow (www.servicenow.com), Fusion Risk Management (www.fusionrm.com), and Archer (RSA) Integrated Risk Management (www.Archerirm.com) can assist in monitoring and responding to these risks by centralizing supplier risk data and automating workflows for issue remediation.

2. Social and Governance Intersections

Social and governance failures can cascade into operational disasters. For example, a supplier that underpays its workforce or fails to adhere to cybersecurity best practices can introduce systemic risks into the supply chain. Both ESG and DORA frameworks encourage institutions to evaluate the broader practices of their vendors, looking beyond contracts to assess their resilience and responsibility.

For ESG compliance and monitoring, tools like EcoVadis (www.ecovadis.com), Sustainalytics (www.Sustainalytics.com), and GRESB (www.GRESB.com) provide actionable insights into a vendor's sustainability practices and help assess the alignment of suppliers with ESG goals. These tools are instrumental in understanding social impacts and governance quality across supply chains.

3. The Data Imperative

Both ESG and DORA demand robust data collection and monitoring. ESG requires institutions to track sustainability metrics, while DORA mandates detailed mapping of third-party dependencies and incident reporting. The two frameworks push financial institutions toward a future where data-driven insights play a central role in decision-making.

Hyderabad and the Need for End-to-End Visibility

The Hyderabad floods serve as a vivid example of what happens when institutions lack visibility into their extended supply chains. A bank might know its third-party vendor, but what about the fourth party—the vendor’s vendor? Or the fifth party? These nth-party relationships often exist in the shadows, unmonitored until a crisis exposes them.

For instance, a bank relying on a cloud-based provider in Hyderabad might discover, too late, that the provider’s critical infrastructure is underwater. The bank’s customers, meanwhile, experience disruptions that tarnish trust and loyalty.

End-to-end visibility is the answer. Financial institutions need tools that let them map their supply chains in detail, identify risk hotspots, and proactively mitigate vulnerabilities. This is why many are turning to TechPassport's Supply Chain Network Mapping module.

What CTOs and Operational Resilience Managers Must Do

To build resilience into their operations, CTOs and Operational Resilience Managers must tackle two critical challenges: understanding their supply chain dependencies and integrating ESG and DORA considerations into their risk management frameworks.

1. Map the Ecosystem Beyond the Obvious

It’s not enough to know your third-party providers; you need to map the entire chain. Tools like TechPassport, which allow institutions to visualize their third, fourth, and fifth parties, are becoming indispensable. By identifying vulnerabilities deep in the supply chain, institutions can mitigate risks before they escalate.
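To make the nth-party mapping described here and in the Hyderabad section concrete, the following Python sketch is an added example; it is not code from this article, from TechPassport, or from any tool named above. It treats the supplier register as a directed graph (service -> third party -> fourth party -> ...), walks it breadth-first so each provider is reported at its shortest tier, and then inverts the result to show which providers in a given region many services silently share. The service names, provider names, regions and the dependency edges are all constructed for illustration; in practice the edges come from the register of ICT third-party arrangements that DORA requires and from vendors' subcontracting disclosures.

```python
from collections import defaultdict, deque

# Constructed sample register (hypothetical names). Each node maps to the
# providers it depends on. Bank services sit at the top; their direct
# suppliers are third parties, the suppliers' suppliers fourth parties, etc.
DEPENDENCIES = {
    "payments":       ["CloudCo", "CardProc"],
    "mobile-banking": ["CloudCo", "AppDev"],
    "treasury":       ["TradingSaaS"],
    "CloudCo":        ["DC-Hyderabad", "DC-Frankfurt"],
    "CardProc":       ["ManagedNetCo"],
    "AppDev":         ["DevShop-HYD"],
    "TradingSaaS":    ["CloudCo"],
    "ManagedNetCo":   ["DC-Hyderabad"],
    "DevShop-HYD":    [],
    "DC-Hyderabad":   [],
    "DC-Frankfurt":   [],
}

# Constructed: region in which each provider's critical infrastructure sits.
LOCATIONS = {
    "CloudCo": "IE", "CardProc": "GB", "AppDev": "GB", "TradingSaaS": "US",
    "ManagedNetCo": "NL", "DevShop-HYD": "IN-Hyderabad",
    "DC-Hyderabad": "IN-Hyderabad", "DC-Frankfurt": "DE",
}

SERVICES = ["payments", "mobile-banking", "treasury"]


def party_label(tier):
    """tier 1 = third party, 2 = fourth party, 3 = fifth party, ..."""
    names = {1: "third party", 2: "fourth party", 3: "fifth party"}
    return names.get(tier, f"{tier + 2}th party")


def nth_party_exposure(deps, locations, service, region):
    """Return {provider: (tier, path)} for every provider located in `region`
    that `service` depends on, directly or transitively.

    Breadth-first traversal, so the tier recorded for a provider is the
    shortest dependency chain that reaches it. The `seen` set stops cycles
    (mutual subcontracting) and avoids re-walking shared providers."""
    found = {}
    seen = {service}
    queue = deque([(service, 0, [service])])
    while queue:
        node, tier, path = queue.popleft()
        for dep in deps.get(node, []):
            if dep in seen:
                continue
            seen.add(dep)
            dep_path = path + [dep]
            if locations.get(dep) == region:
                found[dep] = (tier + 1, dep_path)
            queue.append((dep, tier + 1, dep_path))
    return found


def concentration(deps, locations, services, region):
    """Invert the exposure: provider in `region` -> set of services that
    would be disrupted if that provider went offline. A provider serving
    many services is a concentration risk even when each service only
    sees it as a fourth or fifth party."""
    impact = defaultdict(set)
    for service in services:
        for provider in nth_party_exposure(deps, locations, service, region):
            impact[provider].add(service)
    return dict(impact)


if __name__ == "__main__":
    region = "IN-Hyderabad"
    for service in SERVICES:
        for provider, (tier, path) in nth_party_exposure(
                DEPENDENCIES, LOCATIONS, service, region).items():
            print(f"{service}: {provider} is a {party_label(tier)} "
                  f"via {' -> '.join(path)}")
    print("If", region, "goes offline:")
    for provider, hit in concentration(
            DEPENDENCIES, LOCATIONS, SERVICES, region).items():
        print(f"  {provider} takes down {sorted(hit)}")
```

Run as written, the report shows that "treasury" only ever contracted with a trading SaaS vendor, yet a Hyderabad data centre sits three hops away as a fifth party, and that the same data centre underpins all three services. That shared node is the kind of hotspot a third-party-only view never surfaces.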

2. Plan for Environmental and Social Disruptions

Operational resilience isn’t just about technology; it’s about people and places. Evaluate vendors’ disaster recovery plans, ESG practices, and governance frameworks. Ensure they have the resources to weather disruptions, from natural disasters to social unrest.

3. Bridge ESG and DORA Mandates

By integrating ESG assessments with DORA compliance processes, financial institutions can create a unified risk management framework. For example, a supplier’s ESG scorecard can include factors like disaster preparedness and governance quality—metrics that align closely with DORA’s focus on operational resilience.

4. Connect the Dots and Manage Your Risks Better Than Ever with Best-in-Breed Technology Providers

A platform like TechPassport enables ESG and operational resilience technology and data providers to be aligned across the entire supply chain, so that a supplier's ESG assessment and its operational dependencies are viewed together rather than in separate silos.

Building Resilience for a Complex Future

The convergence of ESG and DORA is not just a regulatory burden—it’s an opportunity. Financial institutions that embrace both frameworks can future-proof their operations while aligning with global calls for sustainability and responsibility.

The Hyderabad floods were a wake-up call, but they don’t have to be a recurring nightmare. By adopting an end-to-end view of supply chains and integrating ESG and DORA principles, financial institutions can ensure their services remain stable, secure, and sustainable—even when the unexpected strikes.

For CTOs and Operational Resilience Managers, the path forward is clear: resilience starts with visibility, and responsibility must extend across the entire supply chain. In a world where the next crisis is always just around the corner, those who prepare today will lead tomorrow.