DORA IMPLEMENTATION
Implementing a risk-targeted Digital Operational Resilience Act (DORA) compliance plan
With few available internal resources, tight budget constraints, and a sizeable gap in core controls such as Third-Party Risk Management (TPRM), the organisation found itself underprepared.
Recognising that achieving 100% compliance by the deadline was unrealistic, the insurer opted for a risk-based approach to prioritise high-impact requirements and defer lower-priority initiatives. They engaged BeyondFS to lead this phased implementation, aiming to meet immediate regulatory expectations while working within budgetary limits and available resources.
- Industry Segment: Global Insurer
- Function: Operational Resilience
- Core Capabilities: Risk-Based Prioritisation; Policy modification; Planning
Key outcomes delivered
- Delivered risk-targeted plan within a compressed timeframe
- Avoided need for 700 FTE, focusing on critical areas without overstretching resources
- Reduced project costs while covering essential requirements
Results
- Timeline: Project completed in 6 months
- Resource: Risk-based approach avoided need for 700 FTE
- Support: No big battalions - we did the job with 2 expert consultants.
Approach
BeyondFS established a structured DORA compliance programme with a Red-Amber-Green (RAG) framework for transparent tracking. We formed a small dedicated team to work alongside the insurer’s senior stakeholders. Key elements of our approach included:
- Prioritisation: We took a risk-based approach tackling essential requirements first. Non-urgent items were moved to phased implementation after the deadline, reducing the immediate workload.
- Minimum viable product approach: We prioritised practical outcomes that met minimum regulatory expectations. Instead of creating entirely new documents, we modified existing policies (e.g., the ICT Project Management Policy) to align with DORA principles.
- Biggest bang actions: We leveraged the time and resources available to strategically hit the highest impact items. This was done through a detailed planning phase to ensure the insurer achieved as much as possible within the time and budget allocated.
The successful outcome
Through this structured, risk-based implementation, the insurer gained a clear understanding of its current DORA compliance status, allowing them to address critical areas immediately while tracking deferred initiatives for later phases. This provided senior leadership with transparency on compliance progress and confidence in ongoing risk management efforts.
By the project’s end, the insurer was ‘design compliant’, with policies aligned to DORA and a clear understanding of required actions to reach full ‘operational compliance’, enabling them to embed these processes and manage ongoing compliance independently.