
Managing operational resilience at AXA IM in the DORA era
During the last IFACI conference, we hosted a session with AXA Investment Managers (IM) on their approach to addressing the new EU Digital Operational Resilience Act (DORA). Sophie Larnaud and Florine Jeannot – experts in operational resilience – shared their insights, alongside Cyril Amblard, our GRC product marketing manager.
AXA IM, affiliated with the AXA Group, is an asset management company founded in 1994. With over 2,700 employees across more than 20 locations, it manages a wide range of assets, including alternative investments. As an international financial institution, it is subject to strict regulations.
The discussion highlighted the growing importance of operational resilience in the hyper-digital financial industry, amid a surge in cyberattacks and stricter regulatory requirements, especially since the release of DORA.
DORA requires companies like AXA IM to clearly and comprehensively map their organization, from IT applications to strategic processes. You can’t protect what you don’t know, which is why having a 360° view of all the interdependencies between business processes and IT systems is essential to identify and manage potential risks.
AXA IM strengthens its cyber resilience with HOPEX to address DORA and NIS2 regulations.
AXA IM shared how those challenges are addressed using the HOPEX solution, allowing proactive risk management and business continuity amid cyber threats. The company chose HOPEX because it enables a complete mapping of the organization, from technology infrastructure to business processes.
This approach is especially recommended by DORA and NIS2. With one cyberattack occurring every 39 seconds and increasing in sophistication, cyber risk has become a top concern for risk managers, controllers, and internal auditors. As those threats continue to pose risks to the global financial system, regulators around the world are mandating that financial players strengthen their digital operational resilience, most notably through frameworks like DORA and NIS2.
As highlighted by the CESIN (the French Club of Information and Digital Security Experts), “Every cyber risk is now a business risk.” Against this backdrop, 2024 marks a pivotal year for cybersecurity regulation, and digital operational resilience is paramount: according to the European Union, it refers to an organization’s ability to withstand, respond to, and recover from a disruption involving Information and Communication Technologies (ICT). HOPEX addresses these requirements by providing a clear and comprehensive view of IT systems, processes, and risks.
AXA IM: A comprehensive approach to operational resilience
At AXA IM, operational resilience goes beyond the digital aspect: it aims to protect the company, its operations, and its clients against any major incident that could disrupt them. This also includes market preservation – a key concern for regulators looking to limit the overall impact of crises. Rather than simply restoring activity after an incident, the goal is to anticipate a crisis, adapt to it, and limit its effects through mitigation mechanisms put in place beforehand.
This approach relies on three core pillars:
- Business continuity to ensure the sustainability of critical processes.
- Incident and crisis management through a structured framework enabling rapid and coordinated response.
- Information system security that integrates cyber resilience and IT service continuity, in compliance with DORA.
An iterative approach for enhanced resilience
AXA IM has implemented an operational resilience program based on a continuous improvement cycle. Each year, the company re-evaluates and strengthens its framework through four key steps:
- Anticipate and assess risks: identify potential threats through in-depth risk and impact analysis. HOPEX plays a key role in structuring and centralizing this information.
- Define protection strategies: develop business continuity and recovery plans at both IT and operational levels, ensuring their relevance and implementation.
- Test and validate the resilience framework: regularly conduct exercises involving business, technical, and cyber teams to ensure the effectiveness of measures.
- Continuously improve: collect and analyze feedback to adjust and enhance the framework to meet new threats.
Under DORA, one of the major challenges is the identification of Critical or Important Functions (CIFs) and all their ICT and third-party dependencies. At AXA IM, this involves detailed mapping of processes, IT systems, and external providers.
Optimizing operational resilience and regulatory compliance with HOPEX
As part of their Business Impact Analysis (BIA), every component essential to AXA IM’s critical processes is identified:
- Information systems used
- Third-party providers and external dependencies
- Key personnel and sites
All this data is centralized in the HOPEX solution, providing a consolidated view and effective monitoring.
The tool also indicates the criticality of each process: AXA IM manages over 500 identified processes, which must be prioritized to ensure rapid recovery in case of an incident.
A collaborative tool for enhanced resilience
Digital operational resilience is no longer just an IT or cyber issue. It’s a shared responsibility across AXA IM. A user-oriented solution like HOPEX engages all stakeholders:
- The IT department, the primary data contributor for applications
- Business teams (third-party management, compliance, risk management, audit, internal control, cybersecurity, data), who use and enrich this data
The more collaborative the repository, the more reliable and relevant it becomes. This allows each actor to contribute while reducing errors and improving data quality.
A solution that evolves with needs
Originally, HOPEX was used as an IT tool by technical and functional architects to structure IT system data. Over time, its use expanded to meet the needs of other teams, particularly for regulatory compliance.
Previously, BIA and continuity plans were managed using Excel, Word, and PowerPoint files. The need to centralize this information in a structured tool became obvious, especially with new regulatory requirements.
Thanks to HOPEX’s continuous evolution and scalability, AXA IM manages its compliance with regulations like DORA by automating monitoring and generating reports required by regulators.
Tips for successful DORA compliance
For organizations looking to embark on a DORA or NIS2 compliance journey, here are four key recommendations from AXA IM’s operational resilience team:
- Build a solid repository and evolve the tool progressively according to needs and regulations.
- Choose a scalable, modular solution to avoid the challenges of a rigid, difficult-to-evolve system.
- Facilitate data access and extraction so each team can quickly and efficiently use it.
- Promote a collaborative approach to continually enrich the repository and improve the company’s overall resilience.
AXA IM has successfully transformed its operational resilience management into a structured, scalable, and collaborative process, ensuring better risk management and compliance with applicable regulations.
Key takeaways
- AXA IM’s main challenges are digitalization and the rise in cyberattacks. To address these issues and ensure DORA compliance, the company is strengthening its operational resilience with HOPEX through IT and business interdependency mapping, risk anticipation, and business continuity planning.
- AXA IM adopts an iterative approach based on identifying critical functions, defining protection strategies, testing systems, and continuously improving them.
- HOPEX enables centralized and collaborative resilience management, involving both IT and business teams to make better use of data. This demonstrates that a structured and evolving approach is key to managing risks and ensuring regulatory compliance.
