Case Studies

DORA Implementation for Global Insurance Company

SITUATION

A global insurance company was preparing for the imminent implementation of the EU Digital Operational Resilience Act (DORA) and UK Operational Resilience requirements, facing significant challenges to achieve compliance within tight deadlines. To meet these requirements, the insurer needed to:

  • Define and classify their Important Business Services (IBS),
  • Develop and implement Impact Tolerance Statements for each IBS,
  • Conduct rigorous testing against these tolerances, and
  • Produce comprehensive framework documentation and forward-looking plans to demonstrate their operational resilience capabilities.

This created a substantial, multi-disciplinary workload, requiring careful coordination and execution within a highly compressed timeframe.

OUR ROLE

FTI Consulting was retained to help the client define their enterprise Operational Resilience approach. This included working with executive and key business line leaders, cybersecurity teams, business continuity and disaster recovery teams, and other key stakeholders to define and implement a holistic, integrated approach to Operational Resilience. This approach was designed to consider the business itself, consumers of their services, and the broader financial markets and society.

OUR IMPACT

FTI Consulting defined a programme that brought together ICT risk management, third-party management, testing, incident response, and information sharing to both enhance the client’s resilience capabilities where required, and ensure that even during major outages, their IBS could continue to operate and service consumers. This included the definition of a full testing regime that covered offensive security, scenario testing and exercising, integration into market-wide and regulator-led exercises, and associated reporting and governance activities.  As a consequence of the FTI Consulting work, the client was able to satisfactorily demonstrate to multiple regulators within the UK and the EU that their programme met expectations and that they were evidencing strong resilience outcomes from their programme.