Case study

Implementing a risk-targeted Digital Operational Resilience Act (DORA) compliance plan

Lead partner: Matt Neill

A global insurer faced a substantial compliance challenge, with just six months to prepare for the Digital Operational Resilience Act (DORA) coming into force in January 2025. 

With few available internal resources, tight budget constraints, and a sizeable gap in core controls such as Third-Party Risk Management (TPRM), the organisation found itself underprepared. 

Recognising that achieving 100% compliance by the deadline was unrealistic, the insurer opted for a risk-based approach to prioritise high-impact requirements and defer lower-priority initiatives. They engaged BeyondFS to lead this phased implementation, aiming to meet immediate regulatory expectations while working within budgetary limits and available resources.

  • Industry segment

    Global Insurer

  • Function

    Operational Resilience

  • Core capabilities

    Operational Resilience, DORA

Key outcomes delivered

  • Delivered risk-targeted plan within a compressed timeframe

  • Avoided need for 700 FTE, focusing on critical areas without overstretching resources

  • Reduced project costs while covering essential requirements

Results

  • Timeline: Project completed in 6 months

  • Resource: Risk-based approach avoided need for 700 FTE

  • Support: No big battalions - we did the job with 2 expert consultants.

Approach

BeyondFS established a structured DORA compliance programme with a Red-Amber-Green (RAG) framework for transparent tracking. We formed a small dedicated team to work alongside the insurer’s senior stakeholders. Key elements of our approach included:

  • Prioritisation: We took a risk-based approach, tackling essential requirements first. Non-urgent items were moved to a phased implementation after the deadline, reducing the immediate workload.

  • Minimum viable product approach: We prioritised practical outcomes that met minimum regulatory expectations. Instead of creating entirely new documents, we modified existing policies (e.g., the ICT Project Management Policy) to align with DORA principles.

  • Biggest bang actions: We leveraged the time and resources available to strategically hit the highest impact items. This was done through a detailed planning phase to ensure the insurer achieved as much as possible within the time and budget allocated.
Outcome

Through this structured, risk-based implementation, the insurer gained a clear understanding of its current DORA compliance status, allowing them to address critical areas immediately while tracking deferred initiatives for later phases. This provided senior leadership with transparency on compliance progress and confidence in ongoing risk management efforts.

By the project’s end, the insurer was ‘design compliant’, with policies aligned to DORA and a clear understanding of required actions to reach full ‘operational compliance’, enabling them to embed these processes and manage ongoing compliance independently.