Risk and compliance

Businesses today face an increasing array of risks with the potential to impact their strategies.

These may be the result of employee misconduct or error, malicious external factors such as cyber-attacks, regulatory intervention in areas such as financial crime, or fast-evolving ESG requirements.  

We help our clients identify, manage, and mitigate these risks. Having effective and well-governed risk and compliance management arrangements in place is essential to operating a business successfully. Those arrangements include: 

  • Board and executive oversight of risk and compliance 
  • Risk and compliance framework, appetite, and strategy 
  • Risk and compliance taxonomy, controls, and assessment process 
  • “Three lines of defense” (3LoD) 
  • Obligation management arrangements across jurisdictions 
  • Operational resilience (cyber risk, data privacy, outsourcing/supplier management) frameworks 
  • Front office and first-line supervisory frameworks 
  • Horizon scanning for risks, regulatory reform, change, and shifting expectations
  • Training in operational resilience and control 
  • Financial crime compliance and risk management 

These are critical components for firms to deliver their business strategy and protect their customers and corporate interests. 

We support our clients to establish and enhance their approach to risk management at every level of their organization.  

Our integrated approach means we support both the legal and practical aspects of threat identification and mitigation. 

Representative matters 

  • Supporting a CRO with enterprise risk management. We supported a global asset manager to enhance its enterprise risk management (ERM) framework in preparation for an independent review to be delivered to its regulator. This included reviewing and recommending updates to all supporting policies, procedures, management information reporting, and KPIs, including risk appetite statements and risk governance. Our work focused on the effectiveness of the organization’s second line of defense and included consideration of all operational risks. This review and enhancement of the ERM framework and the three lines of defense model enhanced the organization’s risk awareness, accountability, and governance and improved its decision-making, performance, and resilience.
  • Transforming a financial crime compliance function. A regulatory inspection identified weaknesses in the AML and sanctions compliance framework of a large European asset manager. We were engaged to assist with the remediation of the issues and the transformation of its overall financial crime compliance function. We supported the client to conduct a compliance assessment and root cause analysis, which led to us designing and implementing new financial crime compliance frameworks. We helped design a multi-year strategic plan, considering the responsibilities and risks relevant to their operation. We executed an update of the organization’s policies and procedures, conducted training and awareness sessions, reviewed its systems and controls, and liaised with regulators on the progress and outcomes of the remediation.
  • Transforming regulatory obligations management. We assisted a global asset manager with a large-scale regulatory obligations management program, covering multiple jurisdictions and regulations. We provided technology advisory services to help it select and implement a Regtech solution that covered obligations management, horizon scanning, and compliance monitoring. We also helped the client develop and populate an obligations register, covering more than 20 regulations across ten jurisdictions. We mapped the obligations to the client’s risk taxonomy, policies, processes, and assigned owners. We did so with reference to regulatory requirements and industry best practice, identifying gaps and opportunities for improvement. We are supporting the client with ongoing compliance, assurance, and monitoring activities and providing breach and remediation advice where needed.
  • Enhancing our clients’ cyber resilience. We helped a leading financial services firm assess and enhance its cyber resilience capabilities in line with regulatory expectations and industry best practices. We conducted a comprehensive review of the firm’s cyber risk governance, management, and reporting processes, as well as its operational resilience arrangements and testing capabilities. We performed a qualitative scenario analysis to identify and quantify the potential impact of cyber incidents on the firm’s critical business services and customers. Based on our findings, we provided the firm with a prioritized roadmap of recommendations and actions to improve its cyber resilience posture and readiness.
  • Implementing a front office control framework. We supported a global banking client to design and implement a comprehensive first-line risk and control framework across its global markets business, covering all asset classes and regions. We engaged with senior stakeholders, conducted a gap analysis, developed policies and procedures, designed and delivered training and communication materials for employees, and provided quality assurance and project management. As a result of our work, the client enhanced its risk culture, improved its compliance with regulatory expectations, and reduced its operational risk exposure. We are providing ongoing guidance in monitoring and evaluating the effectiveness of the framework and addressing any remediation required.

Meet our teams

Our lawyers have the skills and experience to handle our clients' most complex challenges. Meet them below.

Find an advisor

We have nearly 4,000 lawyers and consultants globally with outstanding expertise and industry knowledge. Use the filters to find the right one for you.
