DORA Hibernation: 12 Months in a Sleep-Like State

How IT Leadership With Governance Responsibility Drifted Into Regulatory Complacency

For many financial institutions, the first year of DORA applicability did not trigger urgency, transformation or decisive governance action.
Instead, it produced something far more dangerous: hibernation.

Policies were written, programme decks were presented, responsibilities were nominally assigned — and then the organisation went to sleep.

For IT leaders with governance responsibility, this hibernation phase is not a neutral pause.
It is a recorded period of inaction that will be reconstructed in detail once auditors and supervisors begin asking a simple question:

What exactly did you do during the first 12 months of DORA?


The Illusion of Motion: Activity Without Direction

From the outside, many institutions appeared active:

  • DORA programmes were launched
  • frameworks were “aligned”
  • inventories were initiated
  • policies were approved

From a governance perspective, however, little actually moved.

Key decisions were postponed:

  • What is truly critical?
  • Where do we accept risk?
  • Which dependencies are non-negotiable?
  • What would we shut down first in a crisis?

For IT leadership, this is the most dangerous state: operational busyness combined with strategic silence.


Why IT Leadership Slipped Into Hibernation

Delegation Without Oversight

DORA was widely treated as a programme problem, not a governance obligation.

Responsibility drifted downward:

  • to project teams,
  • to risk functions,
  • to external advisers.

Yet under DORA, accountability remains firmly at management level.
Delegation does not dilute responsibility — it concentrates it.

The Comfort of Familiar Frameworks

Many institutions recycled:

  • BAIT,
  • ISO controls,
  • existing BCM artefacts.

This created comfort, not compliance.

DORA is not a checklist upgrade.
It is a decision-forcing regulation that requires IT leadership to define priorities, tolerances and failure points explicitly.

Re-labelling old artefacts delayed those decisions.

Fear of Irreversible Decisions

Declaring something critical under DORA is uncomfortable:

  • it creates obligations,
  • it exposes weaknesses,
  • it limits flexibility.

As a result, many institutions chose ambiguity — and entered hibernation.


What Auditors Will Reconstruct From the Hibernation Phase

Auditors do not ask whether workstreams existed.
They ask whether governance decisions were taken.

They will reconstruct:

  • board reporting content,
  • management minutes,
  • risk acceptance records,
  • prioritisation logic.

And they will notice long periods where:

  • nothing was escalated,
  • nothing was decided,
  • nothing materially changed.

In audit language, this is not “phasing”.
It is a lack of active governance.


The Governance Failure Hidden in Plain Sight

The core failure of the hibernation phase is not technical.
It is organisational.

IT leadership often believed:

“We are waiting for clarity.”

Supervisors will respond:

“You were expected to create it.”

DORA assumes uncertainty.
It expects leadership to act despite incomplete information — not to wait for it.


Why This Matters Now (And Not Later)

The first audit cycle will not judge you against perfection.
It will judge you against credible effort and traceable decision-making.

Institutions that hibernated will struggle to demonstrate:

  • learning,
  • iteration,
  • prioritisation,
  • improvement.

Institutions that acted — even imperfectly — can show evolution.


How IT Leadership Can Exit Hibernation — Fast

This is not about launching another programme.

It is about re-asserting governance.

Force Criticality Decisions

Every major ICT service must be forced into one of three states:

  • critical,
  • important,
  • tolerable failure.

Ambiguity is no longer defensible.

Make Risk Acceptance Explicit

Unaddressed weaknesses are not neutral.
They are implicit risk acceptances.

Under DORA, implicit acceptance is indefensible.

Re-centre Board-Level Dialogue

If DORA is not discussed at board level in concrete terms — scenarios, impacts, trade-offs — governance has not occurred.


The Personal Dimension for IT Leaders

When audits begin, IT leaders will not be asked:

  • how busy their teams were,
  • how many controls were mapped.

They will be asked:

  • what they decided,
  • what they escalated,
  • what they accepted,
  • and what they delayed — knowingly.

Hibernation feels safe.
In hindsight, it is the most exposed position of all.


Final Thought

DORA does not punish honest imperfection.
It punishes sleepwalking.

The institutions now waking up will not be judged for moving slowly.
They will be judged for not having been awake at all.
