ICT Risk Management Framework | International Marine Insurer

The Challenge

An international insurer operating across multiple jurisdictions lacked a centralised and comprehensive ICT Risk Management Framework. As a result:

ICT risks were not identified, assessed, or managed consistently across functions
Risk ownership and control alignment varied in maturity across teams
Leadership reporting lacked clear linkage between ICT risk exposure and strategic decision-making at an Exec / Board level

Regulatory pressure intensified following DORA requirements, which mandated that ICT risk management and resilience be evidenced in measurable terms. This left the organisation exposed to operational disruption, regulatory scrutiny, and insufficient risk visibility at Board level.

Our Approach

Working closely with the CIO and leveraging insights from prior Enterprise Resilience mapping (prioritising critical services and “crown jewel” assets), we designed and operationalised a proportionate, integrated ICT Risk Management capability.

Key elements included:

Design and implementation of a comprehensive ICT Risk Management Framework
Development of aligned ICT policies underpinning the framework
Refresh of ICT (Cyber and IT) risk controls library
Explicit linkage between:
- Critical business services (IBS / CIF / CO)
- Critical ICT and data assets
- Risk controls
- Recovery and resilience protocols

To support effective governance and strategic oversight, we also developed a Board level thought paper (at COO request) on Risk Acceptance practices. Throughout and in keeping with management steer, the work was delivered proportionately to the organisation’s size and risk profile, leveraging existing artefacts wherever possible to ensure sustainability and adoption.

The Outcome

Fully operational ICT Risk Management Framework
Structured ICT (Cyber & IT) Controls Library aligned to critical services
Clear linkage between ICT risk exposure, resilience posture, and recovery capability
Formalised Board-level risk acceptance and reporting practices
Enhanced regulatory readiness and measurable DORA alignment
Improved executive visibility of ICT risk to inform strategic investment

The organisation now operates with a cohesive, regulator-ready ICT risk capability that strengthens resilience, improves governance maturity, and enables informed, risk-based decision-making at leadership level.

Testimonials

A collaborative and valuable engagement. Stratiformis helped break down a complex regulatory subject matter into clear, actionable plans and business outcomes, and supported the end-to-end shaping and implementation of the program over 18 months. Having a trusted advisor and SME alongside our team meant a more efficient and focused delivery overall.

Global Marine Insurer

DORA Implementation

Stratiformis engaged in a focussed and accelerated manner to develop a comprehensive operating model capability breakdown, along with identification of the firm’s critical business processes Given the breadth of stakeholders and the inherent complexity of the processes, this work required both rigor and strong business insight — all of which Stratiformis delivered with diligence and professionalism.

Global Asset Management Company

ToM & Capability Breakdown

ICT Risk Management Framework | International Marine Insurer

Testimonials

About Stratiformis Consulting

Contact Us