The Digital Operational Resilience Act (DORA) may have begun as a regulatory requirement, but for many resilience professionals, it has become a timely catalyst for transformation.
In a recent discussion with Colm Gayton, Operational Resilience Manager at AXA, we explored how organizations are navigating the evolving demands of DORA – shifting from compliance-focused activity towards building more strategic, adaptive resilience. Colm’s contributions throughout this piece offer valuable insight into the real-world challenges and opportunities involved in operationalizing DORA, drawn from his experience leading operational resilience initiatives within the financial services and technology sectors.
Rather than treating DORA as a box-ticking exercise, forward-thinking organizations are using it to reframe how they prepare for disruption both operationally and strategically.
DORA: A Catalyst for Connection
For organizations with robust disaster recovery, business continuity, and third-party risk practices, DORA may feel like a refinement. But for others, it has revealed long-standing blind spots, particularly in integrating technology, operational processes, and business priorities.
As Colm Gayton noted:
“DORA is just connecting the technology side of the house with other areas that are critical, to understand where you might have gaps, where you might have vulnerabilities, and shine a light on the information you don’t yet have.”
That visibility is encouraging teams to align their business services with critical functions and take a more integrated approach to resilience.
DORA means knowing the mechanics of your organization well enough to anticipate where cracks will form.
From Testing to Capability-Building
Testing is one of the most complex and resource-intensive elements of DORA.
The regulation calls for rigorous end-to-end testing across IT, disaster recovery, business continuity, and crisis management.
Some organizations have found that a single DORA-aligned test can take weeks to plan and execute, requiring cross-functional coordination and the management of significant volumes of data.
As Gayton observed:
“The end-to-end test is almost death by a thousand cuts. There’s so much information to be managed and so many moving parts.”
The real opportunity lies in using testing to build organizational muscle memory: creating scenarios that are complex, realistic, and challenging enough to expose both strengths and vulnerabilities.
Three Sample Scenarios for DORA Testing
To assist organizations in operationalizing DORA’s testing requirements, here are three sample scenarios that reflect common pain points in financial services and beyond – shaped by Gayton’s practical insight.
Scenario 1: The Vendor You Forgot
Audience:
Third-party risk, operations, IT, business unit leads, regulatory/compliance teams
Learning Objectives:
- Uncover hidden dependencies in critical services
- Explore ambiguity in vendor classification and ownership
- Stress-test third-party response protocols under unclear accountability
- Clarify what “critical” truly means in context
Scenario:
On a routine Thursday morning, a productivity platform used across multiple departments goes offline. It does not appear on the critical third-party list. Yet, within an hour, customer SLAs are affected, and internal teams escalate to senior leadership.
Tasks:
- Reconstruct the hidden dependencies of the platform
- Identify who owns the relationship – and the associated risk
- Simulate a regulatory decision: is this incident DORA-reportable?
- Activate appropriate continuity or workaround plans
- Initiate internal and external communications
- Explore potential legal or reputational ramifications retrospectively
Learning Loop Questions:
- Why was this vendor not classified as critical?
- How did the organization respond in the absence of system prompts?
- If this wasn’t on the register, what else might be missing?
- Did roles and responsibilities become clearer or more confused under pressure?
Scenario 2: The Clock Is Ticking (But on What?)
Audience:
IT security, crisis management, legal, executive leadership, compliance, customer success
Learning Objectives:
- Operate effectively under uncertainty and contradictory information
- Navigate the tension between internal and regulatory clocks
- Explore trade-offs between transparency and precision
- Develop comfort in acting early despite incomplete data
Scenario:
A cyber alert is raised at 5:07am. Malicious activity is detected across internal systems, but diagnostics are conflicting. No data is confirmed as compromised. No services have failed. Nevertheless, by 7:15am, leaders are asking, “Should this be reported?”
Tasks:
- Clarify what is known versus what is assumed
- Decide when and how to classify the incident
- Draft a preliminary regulatory statement
- Simulate the tension between legal caution and operational urgency
- Navigate board expectations concurrently
Learning Loop Questions:
- When did we truly recognise that action was required?
- Did we delay in pursuit of certainty, or act to fulfil compliance?
- Who felt empowered to make a decision and who hesitated?
- Would a quicker response have improved the outcome, or made it worse?
Scenario 3: The Strategic Trade-Off No One Wants to Make
Audience:
Executive leadership, finance, operations, regulatory affairs, strategic planning, business continuity
Learning Objectives:
- Examine how financial pressures affect cross-functional decisions
- Balance regulatory obligations with commercial realities
- Understand how small risks can cascade into significant disruptions
- Evaluate long-term implications of short-term cost-saving measures
Scenario:
Amid an economic downturn, currency instability, and global unrest, a strategic decision is taken to pause investment in a regional technology upgrade – including disaster recovery enhancements. The move preserves cashflow but introduces known risk. One month later, a failure occurs.
Tasks:
- Walk through the original decision and reassess its validity
- Simulate a regulatory inquiry into the event
- Trace downstream effects on customer service and data access
- Revisit whether the risk was reflected in the BIA
- Coordinate a comprehensive communications response
Learning Loop Questions:
- How clearly were the trade-offs communicated and to whom?
- Could we publicly defend this decision, if necessary?
- What have we learned about our actual versus stated risk appetite?
Each of these scenarios may be run as a full end-to-end test or scaled into shorter Microsimulations to reinforce team readiness over time.
iluminr Vendor Outage – System Down Microsimulation Scenario Video
How iluminr Supports DORA and Strategic Resilience
This is where platforms like iluminr are redefining modern resilience. Rather than acting as a static document repository, iluminr serves as an interactive environment where teams can simulate, rehearse, and adapt in real time.
With capabilities such as crisis event rooms, Microsimulations, and digital playbooks, iluminr enables teams to:
- Execute DORA-aligned end-to-end testing across technical and business functions
- Comply with strict regulatory timeframes for incident reporting
- Track decisions and their rationale in a central, auditable space
- Develop and embed preparedness as a routine practice rather than a one-off
As Gayton described:
“The ability to stand up multiple event rooms – for IT response, business response, and even spin-off tiger teams – is a gamechanger. And having everything captured, time-stamped, and accessible from any device is invaluable for fast-moving incidents.”
The Future of Resilience Platforms
Colm notes, “Risk does not sit neatly on a register. It evolves. It has legs. It travels throughout the organization.”
The future belongs to tools that help leaders make sense of that movement – systems that are intuitive, immersive, and intelligent. Platforms like iluminr bring resilience to life through scenario-based thinking, habit-forming training, and dynamic decision support.
Because in today’s world, the goal is not merely to survive disruption.
It is to anticipate it. And lead through it.
Want to discover how iluminr can support your DORA journey?
iluminr provides a purpose-built platform to help you move from compliance to confidence.
Discover how iluminr can help you operationalize resilience, empower your teams, and stay ahead of disruption.
Get in touch to learn more.