Prepared for the Unexpected: How a Pension Fund is Building Resilience
Introduction
The world around us is changing, and that means what once seemed unlikely can suddenly become very real. For pension funds, cybersecurity, supply-chain complexity and increasing regulation all demand alertness, decisiveness and, above all, preparation. With the introduction of DORA (the Digital Operational Resilience Act), this preparation has also become a formal board-level responsibility. Organisations are required to demonstrate resilience - not only on paper, but in practice.
Together with Avida, the board and executive team of a small pension fund engaged in a realistic crisis simulation based on several hypothetical hacking incidents: one involving a fiduciary asset manager and one involving the pension administrator. The aim was not only to test existing plans, but also to experience how the team makes decisions, communicates, and collaborates under pressure - precisely the elements that DORA explicitly requires.
According to one of the board members, such an exercise was far from a luxury. “We deliberately choose a down-to-earth, pragmatic approach that fits our way of working: common sense and a shared focus on what is best for our members,” he said during the debrief.
A Day of Realism and Reflection
Morning: A Hacking Scenario That Unfolds Step by Step
The morning was entirely dedicated to a cyber crisis scenario. Participants were confronted with a realistic simulation of a hack at the fiduciary asset manager. The scenario unfolded in phases, with increasing uncertainty and urgency - exactly as happens in real life when information arrives in fragments.
The first question was: When does something qualify as an incident, and when does it become a crisis?
This immediately led to a rich discussion about responsibility, the impact on members and the role of the board. The group experienced how important it is to escalate early, precisely when the facts are still incomplete. Under DORA, this is no longer a discretionary judgement call, but a core component of operational resilience: knowing when to act, who is authorised to decide, and on what basis.
The second key element of the morning was collaboration with supply-chain partners. The scenario immediately highlighted how dependent a fund is on external parties, such as the fiduciary manager and IT providers. Participants explored which questions to ask, what information is needed, and how to act jointly when multiple clients might be affected.
This led to a central insight: a crisis is never ‘just the fund’s problem’. It is always a chain crisis - and this is exactly one of DORA’s core principles. Operational resilience does not stop at organisational boundaries: it requires clear roles, strong relationships and mutual expectations that are defined before a crisis occurs.
Afternoon: Communication, Trust and Unexpected Elements
In the afternoon, the focus shifted to communication, which is often the most delicate aspect of crisis management. This scenario involved a hack at the pension administrator. What do you say when the facts are still unclear? How do you safeguard the trust of members, employers and regulators?
This is precisely why the unannounced phone call from a retired journalist had such an impact. No one knew this element was part of the exercise - it was designed to be a complete surprise. And it worked.
According to a board member, the moment felt “so recognisable as in a real crisis, a journalist always calls just when you think you can finally catch your breath”. A single unexpected question was enough to change the dynamic, and it tested whether the core messaging was clear, whether the spokesperson felt empowered, and whether the team truly supported one another.
Moments like these make tangible what DORA is really about: not whether you have a plan, but whether it works when it truly matters.
Reflection on the Collaboration: “Avida Asks the Right Questions”
During the debrief, the fund emphasised that Avida’s guidance had been a crucial part of the learning process.
“Avida asks the right questions,” he said. “You pinpoint exactly where things can go wrong in a way that invites openness and self-reflection.”
This combination of substantive expertise and an accessible format created a safe and productive learning environment - essential when observing a team under pressure. These kinds of learning processes are indispensable if DORA is not to become a mere compliance exercise, but instead a catalyst for genuine resilience.
What Did It Deliver and What Are the Next Steps?
The exercise provided the pension fund with several concrete insights:
Sharper, shared understanding of what constitutes a crisis and when escalation is required.
Clearer agreements on who communicates when, with whom and with what core message.
Greater awareness of group dynamics: listening, role clarity and decision-making under pressure.
But just as important were the agreements on the next steps, which emerged directly from the debrief:
1. The crisis plan will be further refined
Not completely rewritten, but made more concrete in areas where ambiguity surfaced, such as the escalation lines and the initial communication framework.
2. Roles and mandates will be explicitly defined
Who is the first spokesperson? Who can make decisions with incomplete information? Who safeguards the flow of facts? This clarity creates calm when it matters most and aligns directly with DORA’s governance requirements.
3. Collaboration with supply-chain partners will be discussed proactively
The fund intends to update agreements with the administrator and IT partners on who shares what information, when, and how joint action is taken in the event of a cyber incident.
4. Practising will become a structural part of the cycle
The workshop is not seen as a one-off exercise, but as something that needs to be repeated regularly to remain agile. The fund therefore wants to build in an annual crisis moment or scenario test.
As a result, the pension fund is now stronger than before. The risks have not disappeared, but the team now knows how to stay on course together when things get tense.
Ready to Practise Too?
Avida International supports pension funds with realistic crisis workshops and scenario training, focused on decision-making, communication and collaboration under pressure. Not as a box-ticking compliance exercise, but as a foundation for genuine operational resilience.
Curious what such an exercise could mean for your fund?
We’d be happy to think along with you.