The case: insurer with 6 labels and a DORA deadline
A mid-sized insurer has grown through acquisitions into a group with 6 labels. Different brands, different systems, different maturity levels. Due to its scale, the organisation is reaching the point where the AFM will impose DORA compliance requirements. An Internal Audit Function (IAF) is needed.
Management is willing — but recognises that the organisation is not yet mature enough to fully embrace the three-lines model. The first line is still being built. Risk management is fragmented across the labels. Compliance is reactive and sometimes absent. And now a third line is needed that independently reviews. That will only create "friction", thinks management. A legitimate concern.
The dilemma
- A full-time CAE is disproportionate — there is insufficient work for a permanent function, and the organisation is not yet culturally ready
- A junior auditor (because they "can do it") lacks the C-level credibility to conduct conversations with the board, supervisory board and regulator
- An external advisory engagement delivers an assessment with PowerPoint presentations and lengthy documents but no working function. And costs a multiple more
- Doing nothing is not an option — the AFM expects substance
The pragmatic approach
Audirium is engaged as a fractional Internal Audit Function. Not with a theoretical implementation plan, but with a pragmatic approach that takes into account where the organisation stands now. The core: 20 days of engagement to see what comes out. Not a large open-ended project but a defined first phase that delivers immediate value.
Three tracks, one approach
| Track | What | Why pragmatic |
|---|---|---|
| 1. Road to Compliance | Map the DORA compliance path for the AFM: what needs to be in place, when, and who is the owner? | Not everything at once. Focus on what the AFM expects — not an ideal picture the organisation cannot deliver. Growth phases and ambition must lead. |
| 2. 6 labels, different risk profiles | Determine per label: how material is it? What risk profiles apply? Where is the greatest exposure and need? Where can we achieve quick wins? | Not every label requires the same audit intensity. Proportionality: the biggest risks get the most attention. Start where there is willingness — create pockets of success. |
| 3. Align the audit approach | Baseline, gap analysis and quality assurance aligned to the Road to Compliance. An audit plan that grows with the organisation, focused on continuous improvement rather than declaring what is wrong. 'Done' is a concept the business will not reach for some time. | The audit plan is not a static document but a living instrument that moves with the DORA roadmap. Agile concepts introduce a rhythm that moves with the business rather than creating an alternative reality. |
How it worked: 20 days
Weeks 1–2: Orientation and baseline
- Stakeholder conversations with board, compliance, IT and operations per label
- DORA baseline: where does the organisation stand on the five DORA pillars (ICT risk management, incident reporting, digital resilience testing, third-party risk, information sharing)? Per entity and across the group.
- Materiality assessment per label: which 6 entities are most relevant for the AFM? And where does management itself have needs? How does this fit within the acquisition and limited integration strategy?
Deliverables after 20 days
| Deliverable | Status |
|---|---|
| DORA baseline (per pillar, per label) | Completed and discussed with board |
| Materiality assessment labels | Validated — 3 labels high, 1 medium, 2 low |
| Road to Compliance (DORA/AFM) | Delivered with timeline and owners |
| Gap analysis | Per label and at group level. Per DORA pillar, including prioritisation |
| Risk-based audit plan year 1 | Endorsed by board |
| IAF charter (proportionate) | Established — appropriate to current maturity |
| QA framework | Base version operational |
Why this works
After 20 days the organisation does not have a report about how things should be. It has a working starting point: an IAF that fits the current maturity, a road to compliance that is realistic, and an audit plan that grows as the organisation matures. No focus on reports that say things are not yet right, but action-driven communication aimed at growth and improvement.
No over-engineered three-lines model that nobody understands. No 200-page DORA assessment that ends up in a drawer. But a pragmatic foundation that passes the AFM test and on which the organisation can build.
The director: "We did not need to be perfect. We needed to show that we understand where we stand and where we need to go. That is now in place."
The difference
| Audirium (20 days) | Traditional advisory engagement | |
|---|---|---|
| Duration | 4 weeks | 12–16 weeks |
| Output | Working IAF + road to compliance | Assessment report + recommendations |
| Implementation | Immediately usable | Separate follow-up engagement |
| Proportionality | Aligned to current maturity | Based on best practice (ideal picture) |
| Costs | Fixed upfront | Open-ended, scope creep common |
| Follow-up | Flexibly scalable up and down | New project per phase |
We did not need a perfect model. We needed something that worked now and could grow. That is exactly what Audirium delivered.
— CEO, Insurance Group