Concentration Risk: What Lessons Can We Learn from the Californian Wildfires?
Pluralizing Risk: Craig Spielmann looks at why multi-event risk needs to be completely reimagined
Targeting the Mules: Gareth Dothie examines how better education can help to reverse the spread of money mules
Technology Opportunities: Naresh Singhani looks at how technology advances can rejuvenate RCSA processes
Policing the Police: Penny Cagan makes the case for more ownership of accountability in risk management
www.cefpro.com/magazine
The views and opinions expressed in this publication are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
FOREWORD: THE POWER OF A SIMPLE IDEA
Craig Spielmann is Risk Intelligence Leader at CNM and founder and CEO at RiskTao 05
January’s guest editor Craig Spielmann looks back at how the birth of RCSA changed the way we think about risk management, and where its evolution has left us in meeting future challenges
NAVIGATING 2025: THREATS AND OPPORTUNITIES FOR THE FINANCIAL SERVICES INDUSTRY
CeFPro’s Alice Kelly explores some of the key themes that are likely to be front of mind for our industry as we journey through 2025 06
RISK AND CONTROL SELF-ASSESSMENT – THIS TIME IT’S PERSONAL
Guest editor Craig Spielmann charts the evolution of JP Morgan’s Horizon system – a systematic approach to risk assessment that transformed the way the financial services industry approached RCSA.
Craig Spielmann is Risk Intelligence Leader at CNM and founder and CEO at RiskTao
RCSA: THE CHANGING DYNAMICS OF SELF-POLICING RISK
Nearly 40 years on from its introduction, how has RCSA changed the way we think about and manage risk?
Penny Cagan is Senior Risk Adviser with PwC and a lecturer in Enterprise Risk Management at Columbia University in New York 16
FOLLOWING THE CASH TRAIL – THE WAR ON MONEY MULES
How organized crime groups target the financially vulnerable to front their money laundering activity – and why education is at the heart of the war on the recruitment of money mules.
Gareth Dothie is the Head of Fraud Operations with the City of London Police service
STAYING AHEAD OF THE GAME: THE EVOLVING FIGHT AGAINST FINANCIAL THREATS
Shameela Miah, CeFPro Researcher and Event Program Director 22
CeFPro research sheds light on how current and future technology is helping risk managers to take the fight to financial crime prevention
RCSA: HOW FIRMS CAN LEVERAGE TODAY’S TECHNOLOGY IN RISK MANAGEMENT
Naresh Singhani looks at how modern technology can take some of the pain out of periodic risk management processes, and help enterprise risk teams mitigate the shortcomings of legacy analog systems.
Naresh Singhani is Director Internal Audit Data Analytics at First Citizens Bank 12
THE LOS ANGELES WILDFIRES: WHAT CAN WE LEARN ABOUT SIMULTANEOUS EVENT RISK PLANNING?
In the aftermath of the Los Angeles wildfires, Mark Norman asks Guest Editor Craig Spielmann why we need to build multi-event scenarios into risk planning
Mark Norman, Head of Content, CeFPro
THIRD-PARTY RISK MANAGEMENT - COMPLIANCE, CHALLENGES, AND THE FUTURE
Anne McGowan shares her insight on the need for an adaptive and responsive approach to Third Party Risk Management in a fast-moving regulatory landscape
Anne McGowan, Head of Supplier Management, Governance & Risk with Lloyds Banking Group, and a member of the CeFPro Advisory Board
THE CLOCK’S TICKING: MONITORING RISK IN REAL TIME
As technology evolves at pace, financial organizations have to be more proactive and innovative in their approach to monitoring exposure in real time
Ellie Dowsett, Assistant Editor, Connect Magazine
Challenge your thinking. Lead with vision.
Delivering insights that elevate decision-making, broaden your expertise, and transform yourself into the professional your organization needs.
Magazine team
Publisher
Andreas Simou
Managing Director CeFPro andreas.simou@cefpro.com
Editor
Mark Norman Head of Content CeFPro mark.norman@cefpro.com
Marketing
Ellie Dowsett Content and Media Marketing Manager CeFPro ellie.dowsett@cefpro.com
Sales & Advertising
Chris Simou Head of Sales CeFPro chris.simou@cefpro.com
Design
Natasha Marino Head of Design CeFPro natasha@cefpro.com
The Power of a Simple Idea – Risk & Control Self-Assessment
Guest Editor
Craig Spielmann, Risk Intelligence Leader, CNM and founder and CEO, RiskTao
Happy New Year. And welcome to Issue 4 of Connect Magazine.
The Risk and Control Self-Assessment (RCSA) has turned approximately 38 years old and has been one of the most unique and yet simple concepts in risk management.
It basically created the concept that ‘business owns the risk’ and should know more about it than auditors who are taking a brief snapshot.
Just think of the courage it took to develop a risk methodology that relied on people telling the truth and being transparent in attesting to the state of their risk and controls. I’m sure many people laughed at them and had negative comments. Thank God we didn’t have social media then!
I doubt that the people from Gulf Canada – and especially its auditor Bruce McCuaig, who is credited with creating the RCSA concept – would have imagined it would develop into one of the most leveraged risk methodologies in the world across many industries and government agencies.
It has also generated billions of dollars in revenue for advisory, technology, consulting and internal staff positions.
It is for this reason that as guest editor for this edition of Connect Magazine I chose to put some editorial focus on the RCSA.
I decided to ask people who made major contributions to RCSA to share their thoughts. I specifically thought of Penny Cagan and Naresh Singhani, both of whom have extensive experience in this field, to share their knowledge with you.
In 1998, together with myself, Joel Klein and Maria Hutter, Naresh built Horizon – one of the first commercial GRC systems to be rolled out at JP Morgan and later globally patented and commercialized. You can find out more about its evolution elsewhere in this edition of Connect.
Also in this issue, and among other topics, we take an in-depth look at what the terrible wildfires in Los Angeles can teach us about the need for multi-event simultaneous scenario risk planning and a move away from individualistic event assessment in our work.
You’ll also find articles on crypto assets and their impact on AML risk management, how technology is being used to win the war on financial crime, and how law enforcement agencies are following the cash to starve organized crime of money mules.
From this month onward, your organization will also be able to get its message out to the industry through monthly and annual advertising and advertorial opportunities.
To find out more about opportunities on Connect, the magazine, our members hub and our newsletters, or if you’d like to guest edit a future edition of the magazine, please contact any member of our editorial, marketing and sales teams. Their contact details are all included here.
I hope you enjoy this edition. I, and this month’s contributors, wish you every success for the year ahead. It’s certainly going to be interesting!
Craig Spielmann
Navigating 2025: Threats & Opportunities for the Financial Services Industry
By Alice Kelly, Program Director, CeFPro
As we move further into 2025, the global financial services industry faces a unique blend of threats and opportunities. As political tensions continue to unfold, climate disasters rock certain geographies and technology continues to develop, 2025 holds potential for a range of advances and setbacks.
Key Threats in 2025
Economic Uncertainty and Inflation Pressures
The global economy continues to grapple with ongoing inflationary pressures, particularly as central banks globally maintain elevated interest rates. Inflation has somewhat stabilized in comparison to the peaks of 2023, but long-term issues—such as energy supply constraints and labor shortages—continue to drive volatility. For financial institutions, these factors bring a reduction in consumer spending, increased loan defaults, and shrinking profit margins.
Institutions must adopt proactive measures to mitigate these risks, as central banks continue to weigh up approaches and the speed at which they can ease policy. The Bank for International Settlements said in its 2024 annual report that “a premature easing could reignite inflationary pressures and force a costly policy reversal – all the costlier because credibility would be undermined”.
Collaborative efforts between financial institutions and policymakers could also play a crucial role in stabilizing market conditions and driving economic resilience.
Regulatory Overhauls and Compliance Costs
A wave of regulatory reform is anticipated across key markets, including updates that may impact data privacy laws and stricter enforcement of ESG (Environmental, Social, and Governance) standards. The U.S. Securities and Exchange Commission (SEC) has highlighted its intent to focus on digital assets and cryptocurrency, which could raise industry-wide compliance costs significantly. With President Trump hinting at plans for the U.S. to be a “bitcoin superpower” under his leadership, alongside his SEC chair pick, all signs point towards a shift in policy.
In the United States, further shifts in government priorities are also driving new regulatory landscapes. Renewed emphasis on consumer protection, antitrust enforcement, and systemic risk is reshaping how institutions operate. Deloitte’s EMEA Centre for Regulatory Strategy’s annual report predicts data quality, model risk management and governance of AI as likely areas to emerge globally.
Cybersecurity Risks
As financial services increasingly rely on digital platforms, cyber threats continue to escalate. The European Cybersecurity Agency reports a significant rise in ransomware attacks targeting financial institutions, reflecting the growing sophistication of cybercriminals. Traditional defenses are no longer sufficient, and institutions must proactively adopt advanced cybersecurity frameworks.
An assessment by the National Cyber Security Centre (NCSC) highlights expectations of AI also heightening the global threat. The report titled ‘The near-term impact of AI on cyber threat’ concludes that AI is already used as a tool in malicious cyber activity and ‘almost certainly’ will increase the volume and impact of cyber-attacks. NCSC CEO Lindy Cameron commented: “We must ensure that we both harness AI technology for its vast potential and manage its risks – including its implications on the cyber threat”.
Cutting-edge technologies are increasingly becoming essential. Equally critical is fostering a culture of cybersecurity awareness among employees to reduce vulnerabilities arising from human error and education to customers.
Geopolitical Instability and Policy Shifts
The financial services sector must also contend with increasing geopolitical tensions and policy shifts. Trade disputes, sanctions, and shifting alliances between major economies continue to impact global markets. In Europe, uncertainties surrounding post-Brexit economic agreements and energy dependencies continue to pose challenges, while in North America, evolving U.S.-China relations add complexity to cross-border financial operations, alongside uncertainty with the imminent regime change.
Opportunities on the Horizon
Artificial Intelligence
AI is revolutionizing financial services, enabling institutions to process vast amounts of data for improved decision-making. Applications in predictive analytics, fraud detection, and personalized financial services are transforming the industry. In an interview with CBS in 2023, Sundar Pichai, CEO of Alphabet, highlighted AI’s potential, saying, “I’ve always thought of AI as the most profound technology humanity is working on – more profound than fire or electricity, or anything we’ve done in the past”.
According to research, the spend on AI is projected to increase substantially with an estimated $35 billion in 2023 rising to $97 billion in 2027. JP Morgan Chase alone anticipates AI use cases delivering up to $2 billion in value, with fraud identified as the key beneficiary by JPMorgan Chase’s President Daniel Pinto in 2024.
Expanding Green Finance and ESG Investments
Sustainable finance remains a major growth area as investors continue to demand greater accountability and impact from their portfolios. The European Commission’s Green Deal and the U.S. Inflation Reduction Act have increased investments in renewable energy, clean technology, and sustainable infrastructure. Green finance continues to move towards the mainstream and will become embedded in future planning.
The Bank for International Settlements (BIS) Innovation Hub announced its 2025/2026 work program which included Project Gaia, seeking to build on a current climate related risk analysis and ‘extending it to other use cases within and beyond the theme of green finance’. The World Economic Forum also has 2025 earmarked as the year to take advantage of the increased focus on nature and biodiversity.
Scaling Digital Transformation
Digital transformation continues to reshape the financial services landscape. Cloud computing, blockchain, and advanced analytics, among others, enable firms to streamline operations, reduce costs, and enhance customer engagement. Satya Nadella, CEO of Microsoft, noted, “Every company is now a digital company, and those that embrace this will thrive.”
Digital transformation is prominent in every aspect of daily life, including the banking and financial services industry. Although substantial steps have been taken within the industry towards digitalization, 2025 is set to be no different as customer expectations continue to evolve and the competitive environment heats up.
IBM’s ‘What is digital transformation in banking and financial services’ highlighted the five key factors steering digital transformation in banking:
• Customer journey: Taking a customer-led approach using data and technology to tailor services.
• Modernized infrastructure: Leveraging AI and automation to streamline operations.
• Data analytics: Adopting advanced analytics tools for informed and strategic decision-making.
• Security measures: Adopting advanced cybersecurity measures to better protect customers and data.
• Digitization: Taking a digital forward approach to expand services.
2025 offers a range of opportunities and threats, many of which continue from 2024 including geopolitical risk and economic volatility. With interest rates slowly lowering and volatility reducing, opportunities arise for increased investment in technology to stay ahead, and green initiatives to further foster a sustainable industry. Operational efficiency will be key as the industry faces continued pressure on operating costs.
Balancing efficiency and innovation will remain a challenge across the industry as pressure intensifies to remain competitive and reduce expenses in a lower rate environment.
Risk and Control Self-Assessment – This Time it’s Personal
Guest Editor Craig Spielmann is Risk Intelligence Leader at CNM and founder and CEO at RiskTao. In a long and distinguished career spanning multiple organizations, he has also held senior roles at RBS and Citi.
My journey with RCSA began almost 30 years ago, in 1996, when I was promoted to create and lead JP Morgan’s Information Technology Risk Management function. I was in the job a week when I was asked to go to a ‘special meeting’.
As we gathered in a large meeting hall at 60 Wall Street – at the time JP Morgan’s global headquarters – the speaker explained that due to JPM and several other large financial institutions’ involvements in the Sumitomo copper trading scandal, we had to improve our internal controls by performing an RCSA for just about every process we had.
For younger readers or the uninitiated, the Sumitomo copper trading scandal involved rogue trader Yasuo Hamanaka, who manipulated global copper markets for a decade.
Using unauthorized trades and price-fixing, Hamanaka caused Sumitomo to lose $2.6 billion. The scandal highlighted inadequate oversight, shook investor confidence, and led to stricter regulations in commodities trading to prevent similar abuses.
Basically, we were told, if it moved or didn’t move at JPM, you had to do an RCSA.
They gave us a simple template and said we had a year to get it done. That was not an option but a mandate.
I had no idea what it was, and when the presenter told us that we would be asking people to volunteer to point out their control weakness and risk, we thought it was like asking inmates if they were interested in running the whole prison.
I hired a few close friends from JPM Audit, and we went out and facilitated about 200+ sessions and educated everyone on what it was and what our expectations were to complete the tasks. It was a grueling process and since we were a major global bank, that meant traveling around the world to get it done.
We finished ahead of schedule and met the company’s expectations. And in truth, we could have stopped there and settled for what had been deemed to be adequate. But JPM’s CIO, Peter Miller, and I thought it could be better.
So, we went about changing the methodology – and in the process of doing that, we created the very first RCSA templates.
Instead of asking people what their risk and controls were, we invited them to consider and reach a verdict on the state of those controls.
Armed with that information, we gathered all the experts from BCP/DR, Information Security, HR, Technology, Operations and Audit and agreed that these were the risk and expected controls that we wanted measured.
As we started rolling out the new methodology in year 2, we designed a system – Horizon – to make it easier to capture the data and present it to management in graphical format. We introduced special algorithms to weigh risk and controls to get as close to a realistic measurement as we could. Once patented and released more widely, Horizon made completing an RCSA much easier, and gave management a better view of their portfolio of material risk.
Suffice to say, Horizon became an instant internal hit. The internal businesses quickly adopted it and we started helping with the firmwide rollout. It didn’t take long for then-CEO Sandy Warner to get wind of the RCSA revolution going on inside the business, and about a heartbeat later he suggested we commercialize the Horizon system.
We had no idea how to do that and decided to work with a partner. We chose E&Y to help us and developed a commercial relationship with them. Carmine Di Sibio and Dan Mckinney were my main partners in bringing it to market, and we had many major banks, regulators and government entities as our clients.
We started to evolve the product and methodology to a point that it became a major force in identifying risk and the state of controls. We also added Loss Data Events and Audit Modules to give everything balance and create a ‘triangle’ that leveraged each component to either support or refute RCSA responses.
As time grew on, we developed more sophisticated approaches, and moved away from red, yellow and green boxes to actual loss exposures, which gave management a clearer picture of their risks.
Our clients, who represented some of the best run companies in the world and had strong risk talent, gave us a great perspective on the state of risk management techniques.
The best approach that I encountered was at a bank where the CEO had a very forward view of risk and business management. We worked with him on selecting a focused goal and strategy by simplifying it in line with our approach of ‘The five things you can do to a business’.
Those five things, in short, are to
• Increase market share
• Increase profitability
• Improve risk profile
• Increase capacity, or
• Sell the business
These goals are projected for 18-36 months and may change based on internal or external factors.
We then assessed all the entities against the goal and strategy to rate their potential impact. We scheduled RCSA training sessions in which discussions on implementing the business strategy were the focus.
Perhaps unsurprisingly, once the businesses realized we were talking about how they could get bigger bonuses, they completely took over the discussions.
As a result, we then listed the processes for the entire firm, built risk and control templates based on a common taxonomy, followed by business process maps, and started the actual assessments.
The CEO didn’t want to use residual risk measurements, which he believed could be arbitrary on the basis that asking people the probability of an event occurring had the potential to merely cloud the analysis, since no one can seriously predict events given the myriad factors that needed to be considered.
As we’ve seen with so many ‘1 in 100-year events’ occurring with great frequency, there will always be wildcards in play.
Instead, he preferred an exposure-based approach that asked the business what its exposure was if its underlying assets were impacted by the chosen risk categories.
Their controls were evaluated and tested, and there was no attempt to combine the exposure and the control strength into a formula. They were viewed separately.
Using this approach, the business exposure was ‘X’ and its control strength was ‘Y’. The weak controls were assessed for their impact on the exposure, and the resulting decisions on cost benefit vs. risk mitigation were openly discussed.
The businesses appreciated this approach since it helped them to make smart investment decisions based on where they were going and what they wanted to achieve.
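An added illustration of the exposure-based register described above (example code written for this page, not Horizon or any client’s system): the exposure ‘X’ and the tested control strength ‘Y’ are recorded side by side and never multiplied into a single score. The report simply lists, for each entity and risk category, the exposure and the controls that tested weak, so the cost-benefit discussion can start with the largest exposures sitting behind weak controls. Entity names, risk categories, control names and dollar figures are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    tested_strength: str  # result of testing: "strong", "adequate" or "weak"


@dataclass
class Assessment:
    entity: str            # business entity or process being assessed
    risk_category: str     # category from the common risk taxonomy
    exposure_usd: float    # X: what is at stake if the asset is hit by this risk
    controls: List[Control] = field(default_factory=list)  # Y: the tested controls


def weak_controls(assessment: Assessment) -> List[str]:
    """Names of the controls that tested weak for this assessment."""
    return [c.name for c in assessment.controls if c.tested_strength == "weak"]


def exposure_report(register: List[Assessment]) -> List[Dict]:
    """One row per assessment. Exposure and control strength are reported
    side by side and deliberately never combined into a single score."""
    rows = []
    for a in register:
        weak = weak_controls(a)
        rows.append({
            "entity": a.entity,
            "risk_category": a.risk_category,
            "exposure_usd": a.exposure_usd,
            "controls_tested": len(a.controls),
            "weak_controls": weak,
            "discussion_required": bool(weak),  # exposure sits behind a weak control
        })
    # Rows needing a cost/benefit discussion first; largest exposure first within them.
    rows.sort(key=lambda r: (not r["discussion_required"], -r["exposure_usd"]))
    return rows


# Constructed sample register; entities, categories and amounts are illustrative only.
SAMPLE_REGISTER = [
    Assessment("Payments Ops", "Technology outage", 12_000_000,
               [Control("DR failover test", "strong"), Control("Change approval", "weak")]),
    Assessment("Treasury", "Unauthorized trading", 40_000_000,
               [Control("Independent trade confirmation", "adequate"),
                Control("Position limit monitoring", "strong")]),
    Assessment("Retail Lending", "Data loss", 5_000_000,
               [Control("Backup and restore", "weak"), Control("Access review", "weak")]),
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE_REGISTER):
        flag = "DISCUSS" if row["discussion_required"] else "ok"
        print(f"{flag:8}{row['entity']:16}{row['risk_category']:22}"
              f"exposure ${row['exposure_usd']:>12,.0f}  weak: {row['weak_controls']}")
```

Treasury carries the largest exposure but has no weak control, so it sorts below the two entities where exposure and a weak control coincide; that ordering, rather than a blended score, is what puts the right items in front of management first.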
In conclusion, the RCSA process is still evolving and I’m sure there are other best practices out there.
It’s been a great journey to see the RCSA evolution over the last 28 years. I’ve seen it evolve to many flavors and practical uses in everything from banking to military, energy to high school, college, and career selections.
For anyone starting on the RCSA path, patience and fortitude are required to get it right.
Put the time in, do your homework on business goals, strategy, processes, business process maps, risk and control taxonomies, and expected controls. Educate people on exactly what this is going to produce by planning the reporting and the required inputs.
Lastly, sell the long-term benefits. People need to see the vision and what it means to them before they give you their valuable time.
This effort and time will be worth it, giving you the best chance of making the investment pay off and reaching RCSA nirvana.
RCSA: How Firms Can Leverage Today’s Technology in Risk Management
Naresh Singhani is currently Director of Internal Audit Data Analytics at First Citizens Bank, but is writing for this edition of Connect Magazine in a personal capacity. He is a risk technology innovator and risk management solutions professional with more than 35 years’ experience of leveraging cutting-edge technology to enhance risk management frameworks.
For decades, top firms across the globe have been performing Risk Control Self-Assessment (RCSA) across their organizations to identify and assess risks, and to evaluate the effectiveness of their controls.
With a constant barrage of cybersecurity threats, competitive threats to their moat, frequent process changes, and an evolving regulatory landscape, are firms using the latest technology optimally to conduct their RCSA?
Having experienced the maturing of RCSA and its technology throughout my career, with my boots on the ground assisting firms, my perspective is that firms can derive major advantages from leveraging the most advanced technology available to them to streamline their RCSAs.
The importance of RCSA for a firm of any size cannot be overstated in identifying potential risks, whether they are strategic, operational, financial, or compliance related.
The likelihood and impact of risks, assessed using qualitative or quantitative methods, can quickly highlight a firm’s weak and strong areas.
Each Legal Entity (LE) or Business Unit (BU) within the firm should be mandated to perform its RCSA periodically. However, the fact of the matter is that most risk management stakeholders and respective BU experts detest conducting the RCSA, especially when it is only performed occasionally.
Perhaps we can lay the blame on the usage of time-consuming and archaic tools with a poor graphical user interface (GUI). It wouldn’t be a far stretch for some to still use Excel to do their RCSAs. Making RCSA fun and taking the drudgery out of conducting them with the latest available technologies and tools, along with a smart AI-driven GUI, should be the ideal goal.
An additional technical hurdle is how efficiently and quickly the results are documented after assessment inputs are completed. Proper action plans to address any control gaps or weaknesses, along with advanced reporting and charting tools, are crucial to their success.
Many sophisticated tools do exist for charting (e.g., Tableau) and for building sophisticated reports from simpler data collection tools with no programming skills required (e.g., Alteryx).
However, the challenge that developers of such graphs and reports face is that many times the data they have access to, or are allowed to collect and report on, is on a silo basis. Quite often we see the second line (i.e., Risk Areas) struggling to have complete, unfettered access to data across different regions, risk areas, and dimensions.
Furthermore, even the third line (i.e., Internal Audit) surprisingly faces such challenges, even during the process of auditing a specific business area. The payroll department, for example, is hesitant to share its information even with certain key fields masked.
The RCSA process, as we know, isn’t a one-time exercise, and stakeholders responsible for inputs sometimes wish it was, or that it simply were not part of their task list.
The Enterprise Risk Management (ERM) department plays an important role in managing RCSA as it’s an integral success factor in the organization’s risk strategy. This allows senior executives to take appropriate action proactively when some process, control, or risk event has a high probability of failure.
Given that we could leverage the latest technologies and tools, one may reconsider the human resources allocated to inputting RCSA. Utilizing Robotic Process Automation (RPA) tools along with AI inferencing logic, dynamic inputs of such content will produce meaningful results in real time.
Reimagining the whole activity of evaluating existing processes and controls within the RCSA framework, rapidly identifying weak controls, and mitigating identified risks with near real-time triggers is a possibility.
By leveraging the latest AI-driven technology, forward-looking firms can catapult to the next level of competitiveness. In such an environment, people and process efficiencies with measured and manageable risks can bring about higher revenue generation capabilities with minimal operational risk events and operational losses.
First and foremost, ERM has to overcome the data collection challenges. Multiple software vendors and in-house systems with different architectures and data models across different risks such as Credit, Market, Liquidity, Operational Risk, etc. create a constant problem of data feeds and/or data quality (DQ) errors.
Correcting data feeds and/or DQ errors at source often becomes a time-consuming process. Identifying and correcting DQ errors on target does not reflect an accurate picture of the relationship between source and target systems.
So, critical reporting periods, such as the end of the quarter, make accurate reporting a difficult endeavor. Building timely exception reports and triggering notifications does help, but when data feeds are involved Murphy’s Law holds at the most inopportune time.
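As an added example (written for this page, not the author’s or any vendor’s code) of the exception reporting mentioned above, here is a small source-to-target reconciliation of a risk data feed. It loads two constructed CSV extracts, one from a source risk system and one from the target ERM store, keyed on a hypothetical `risk_id` column, and reports every record missing from the target, every target record with no source, and every field-level mismatch together with the source value, so that corrections are directed at the source rather than patched into the target. The zero-tolerance rule in `feed_status` is an assumption; a real feed would carry its own agreed tolerance.

```python
import csv
import io
from typing import Dict, List

# Constructed sample extracts (not real data). risk_id is a hypothetical feed key.
SOURCE_CSV = """risk_id,entity,risk_category,exposure_usd,control_rating
R-001,Payments Ops,Technology outage,12000000,weak
R-002,Treasury,Unauthorized trading,40000000,strong
R-003,Retail Lending,Data loss,5000000,weak
R-004,Wealth,Third-party failure,2500000,adequate
"""

TARGET_CSV = """risk_id,entity,risk_category,exposure_usd,control_rating
R-001,Payments Ops,Technology outage,12000000,weak
R-002,Treasury,Unauthorized trading,4000000,strong
R-003,Retail Lending,Data loss,5000000,weak
R-005,Wealth,Model risk,1000000,adequate
"""

COMPARE_FIELDS = ["entity", "risk_category", "exposure_usd", "control_rating"]


def load_feed(csv_text: str, key: str = "risk_id") -> Dict[str, Dict[str, str]]:
    """Parse a CSV extract into {key: row}. A duplicate key is itself a DQ error."""
    rows: Dict[str, Dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[key] in rows:
            raise ValueError(f"duplicate {key} in feed: {row[key]}")
        rows[row[key]] = row
    return rows


def reconcile(source: Dict[str, Dict[str, str]],
              target: Dict[str, Dict[str, str]],
              fields: List[str]) -> List[Dict[str, str]]:
    """Compare target against source, record by record and field by field.
    Every mismatch carries the source value, so the fix is made at source."""
    exceptions: List[Dict[str, str]] = []
    for rid, s_row in source.items():
        t_row = target.get(rid)
        if t_row is None:
            exceptions.append({"risk_id": rid, "type": "missing_in_target"})
            continue
        for f in fields:
            if s_row[f] != t_row[f]:
                exceptions.append({"risk_id": rid, "type": "field_mismatch", "field": f,
                                   "source": s_row[f], "target": t_row[f]})
    # Records that exist only in the target have no authoritative source at all.
    for rid in sorted(target.keys() - source.keys()):
        exceptions.append({"risk_id": rid, "type": "unexpected_in_target"})
    return exceptions


def feed_status(exceptions: List[Dict[str, str]], max_allowed: int = 0) -> str:
    """Assumed notification rule: any exception beyond the tolerance raises an alert."""
    return "ALERT" if len(exceptions) > max_allowed else "OK"


def run_reconciliation():
    """Load both extracts, reconcile them and return (exceptions, status)."""
    source = load_feed(SOURCE_CSV)
    target = load_feed(TARGET_CSV)
    exceptions = reconcile(source, target, COMPARE_FIELDS)
    return exceptions, feed_status(exceptions)


if __name__ == "__main__":
    exceptions, status = run_reconciliation()
    print(f"feed status: {status} ({len(exceptions)} exceptions)")
    for e in exceptions:
        print(e)
```

On the sample data the run flags a dropped digit in Treasury’s exposure, a source record that never reached the target and a target record with no source; each line names the record and the field, which is what an on-call analyst needs at quarter end when there is no time to diff two extracts by hand.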
Fortunately, with the advent of AI and advanced digital tools available now, Enterprise Risk Management frameworks that RCSA is a subset of can be reshaped.
Some larger firms I presume are already on their way to incorporating AI and robotic tools or are in the investment stages and scoping out such projects.
A large language model (LLM) – and as risk professionals we can take the liberty of calling it a risk language model (RLM) – can be dedicated to ingesting all the data across different risk domains.
LLMs or RLMs are good at ingesting CSV files (i.e., text files) and statistical learning powered by complex neural network architectures can be trained on vast amounts of Enterprise Risk Data (ERD).
Overcoming DQ errors and getting buy-in from all departments to provide timely and accurate data feeds can go a long way in making this effort a reality. Imagine the possibility of utilizing such golden data, and the beauty such RLMs would bring, knowing that such model(s) will constantly get smarter over time via AI inferencing capabilities.
In today’s digital landscape, cybersecurity risk is a top concern. Ask a CRO or Senior Executive what risks keep them up at night, and I’d bet cybersecurity and credit risk are at the top of their list.
So, how does RCSA help organizations assess and mitigate cybersecurity threats? Today we are fully aware that such threats are increasingly becoming complex and pervasive. The good news here is that most if not all cybersecurity software is applying AI inferencing or is in the advanced stages of making use of its capability.
Since organizations are already working with such vendors (e.g., Zscaler, Palo Alto Networks, CrowdStrike) by deploying their cybersecurity software, dynamic data feeds from such systems can be ingested by our RLM or integrated via application programming interfaces (APIs).
With such tightly coupled integration, a holistic real-time risk matrix can be built providing a clear picture of current cybersecurity risk(s).
Regulatory compliance is another huge challenge as it is constantly evolving in a globally competitive and political landscape. Keeping up with the deltas in compliance rules and regulations over time is a massive data effort, not to mention the human resources allocated to maintaining it.
RCSA certainly helps here by identifying risks related to regulatory requirements. These could include risks arising from changes in regulations, non-compliance with laws, or potential exposure to fines and penalties.
For example, in a financial institution, RCSA can help identify the risks of non-compliance with anti-money laundering (AML) regulations if certain controls around transaction monitoring are insufficient. AML and Regulatory systems can feed their data to RLM, and statistical inferencing can be made about potential violations or risks of non-compliance.
So, let’s imagine we were successful in implementing such a Risk Language Model (RLM). How do we make use of it? A ChatGPT-like Q&A tool can be deployed. Let’s call it RiskGPT.
RiskGPT with proper security access controls within a firm can become a compelling tool for RCSA and Enterprise Risk Management in general.
For example, risk management professionals can easily identify the weakest control in the Credit Risk area. What is Internal Audit’s lowest-rated business process? What cybersecurity threat is currently evolving? Instruct it to build a bar graph showing the top 10 risks, or build a detailed report of the weakest controls by LE.
As Risk Management professionals we can now visualize how this can be a game changer. Such a system can produce instant results in graphs and detailed report formats using the most current data.
Most ERM software vendors may already be working to incorporate such advanced technologies for inputs and reporting, and firms are looking forward to leveraging them to their advantage.
If not, software procurement and/or software license renewal teams within a firm can use it as a bargaining chip to go about it on your own with internal staff, risk management data experts, and AI consultants.
This article is a call to action for technologists and risk stakeholders emphasizing that risk management and its technologies is an ongoing journey.
It not only requires continuous attention and evolutionary adaptation of the latest available technologies and tools but also realizing that RCSA is an integral component of overall Enterprise Risk Management.
RCSA: The Changing Dynamics of Self-Policing Risk
Penny Cagan is Senior Risk Adviser with PwC and a lecturer in Enterprise Risk Management at Columbia University in New York. She was previously Managing Director, Americas Head of Operational Risk at UBS, and is a Women Creating Change board member.
RCSA – or Risk and Control Self-Assessment – has been around for a while now and is part of the accepted fabric of the risk function.
It’s a technique used almost universally since its introduction in 1987 – an innovation widely credited to Gulf Canada’s General Auditor at the time, Bruce McCuaig – and allows organizations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes.
But nearly 40 years on, technology and new thinking have reshaped the way we perceive, mitigate and manage risk.
Here we ask Penny Cagan, Senior Risk Adviser with PwC and a lecturer in Enterprise Risk Management at Columbia University in New York, to look at how the shifting sands of the risk landscape have impacted the way we self-police our systems and processes.
How does the RCSA differ today from when you were first involved in it?
RCSA has migrated for the most part from a once-a-year exercise to a more real-time program that is based on defining triggers.
For the most part, most institutions have created their baseline RCSAs, which means they have gone through at least one cycle for each of their assessment units.
Many organizations have moved to a process-based approach and made connections with the processes in their organizations, such as linking the RCSA processes to the customer journey and the identified critical processes in the organization.
This approach allows for an end-to-end view of how risks and controls flow through the system, where they are vulnerable, such as the handoff points, and if controls are in fact being executed in the right stage of the operation. When a process approach is adopted, it allows for end-to-end accountability across a process that might cross functions.
It also allows the RCSA program to align more completely with strategy and business processes.
What was the most effective design and implementation of the RCSA? What made it special?
Years ago, when I was hired to restructure an RCSA program in a global bank, I introduced the concept of top-down workshops with senior management. At the time, I sensed a disconnect between an RCSA program that had become mostly a testing and ‘check the box’ exercise and what senior management most cared about.
I kicked off the redesigned RCSA program with workshops held with each of the direct reports to the CEO and their teams, and simply asked them what concerned them most. I then sat with their risk and control executives and mapped out a more bottom-up approach that incorporated their concerns.
After that, I made sure there were touchpoints with these executives – and they were not easy to get hold of! – along the way, as RCSA was being executed.
I also changed the dialog with them so that we were discussing their concerns, rather than speaking ‘taxonomy talk’ – and don’t get me wrong, I love taxonomies and worked on one of the first ones in the industry. But it’s not how you talk to senior executives.
Ultimately, the most effective implementation of RCSA is one where it is used to manage the business, and is integrated into the overall operational risk or non-financial risk framework, such as New Business Assessments, Third Party Assessments, CCAR and quantification, governance, metrics, and issue management.
How do you see the RCSA evolving in the future, possibly with the use of AI?
Once the baseline is built, and an organization is mature enough to move to a trigger-based approach, then the use of AI can add great benefit.
The first step in moving to a trigger-based approach is defining how you’re going to monitor losses, near misses, incidents, control breakdowns and external peer events and stressors.
These triggers can be monitored through the development of metrics and of course, AI can assist with monitoring anomalies, themes, trends, and threats.
As RCSA becomes more trigger-based, and in tandem, more metrics-based, there is a huge opportunity to leverage AI. And hopefully, the days of manually sifting through hundreds of issues in order to understand themes are behind us, or soon will be.
How do you see the use of loss data and scenario analysis working to rationalize RCSA ratings?
Loss data and scenario analysis are important inputs into RCSA. Events should be used, along with issues and identified control deficiencies, as triggers that necessitate the update of an RCSA.
Scenario analysis is a critical tool in understanding emerging risks, rather than just looking backwards, and should be integrated into the assessment of inherent risk and controls.
The criticism of RCSA is that it’s often backward-looking and tells us what we already know. Scenarios are an important tool to understand emerging and forward-looking risks.
This leads to another important consideration - all the elements of an operational risk or non-financial risk framework should be interconnected and feed into each other.
For instance, while scenarios are an important input into RCSAs, RCSAs are also an important input into scenarios. As an example, one strategy is to stress the controls that are identified through RCSA to understand how they would respond in critical circumstances and to use that information to help understand the severity of scenarios.
North America’s Premier Risk & Innovation Convention is Back
Get ready for the ultimate experience in risk management! Join us at Risk Americas 2025, the flagship event redefining the future of financial services. As we bring together the brightest minds in the industry, experience an immersive, multi-stream convention designed to elevate your career and revolutionize your approach to risk.
Innovation Meets Excellence
Four Dynamic Streams to Propel your Expertise:
Regulations & Technology
Enterprise & Operational Risk
Volatility & Macroeconomic Environment
Liquidity & Treasury Risks
What to Expect
Risk Americas isn’t just about listening; it’s about learning, interacting, and transforming. With more than 100 senior industry leaders sharing their insights, you’ll gain exclusive access to the strategies and tools shaping the future of risk management. Engage directly with experts in interactive Q&A sessions, and take advantage of networking breaks designed to foster meaningful connections.
Experience the Transformation
Imagine walking away not just with notes, but with actionable strategies and a renewed sense of direction. This is your chance to elevate your career, armed with knowledge and insights from the best in the business. From dynamic sessions to hands-on learning, Risk Americas is your gateway to the next level of your professional journey.
Ready to take your place at the forefront of risk innovation?
www.risk-americas.com
Following the Cash Trail – The War on Money Mules
As technology and media changes the world at an increasingly rapid pace, the challenges associated with combating financial crime become more complex and the organized crime groups behind money laundering activity become more sophisticated.
At our recent Financial Crime Europe event we caught up with Gareth Dothie, Head of Fraud Operations at City of London Police, to get his insight into one particular area of financial crime – the technology-based strategies used to recruit unsuspecting money mules.
We started by asking him to outline the specific challenges he faces in identifying and tracking recruiters.
I think one of the things we find, particularly with organized crime and organized crime groups, is they’re very sophisticated, and they’ll deliberately use money mules to hide their own identities, as well as to facilitate their money laundering activity.
For example, if you’re trying to follow money from the victim of a crime, what you want is to see that the money is going into the hands of your suspect. But actually, what is more likely is that it goes onto a money mule account, and then gets moved on.
And the more it gets moved on, particularly between different jurisdictions or into crypto assets, the more difficult it is to actually identify the people behind the frauds or the other criminality in the first place.
So, how has the role of social media impacted or enabled these activities?
We see a lot more recruitment of money mules online, and particularly on social media sites. And sometimes it’s really brazen, you know? You can go onto these sites and type in phrases like ‘easy money’ or ‘quick cash’, and you’ll get posts coming up with pictures of wads of cash and bank cards and so on.
So it’s very easy for people to advertise for money mules and target people who might be in financial distress – people who are maybe impacted by the cost of living crisis or have other difficulties – and try to exploit their position in order to get them involved in the money laundering network.
I’m guessing that also happens more to the younger generation?
Yes, it does. Certainly the online and social media side is targeting that demographic – say 25 and below. But what we see is that money mule recruiters might use different scams to target different demographics.
So while it might be that recruiting mules are using social media or recruitment scams to lure in younger people, they might be exploiting romance fraud victims within an older demographic.
So there are lots of different scams and different ways of approaching people to recruit them as money mules, depending on what their situation in life is and maybe what their vulnerabilities are, as well.
With international boundaries often involved in money mule operations, how effective is current collaboration between police services and financial institutions across borders?
I think we’re in a quite lucky position in the UK. We’ve got a good relationship with a lot of different countries, and we certainly do joint operations with the US and with the EU.
We did a joint operation between the UK and Ghana recently around romance fraud, for example. So, we find it quite easy to set up these joint operations across borders and it’s really essential, because we often see the money being moved from the UK to other states.
For example, if it’s an international organized crime group, the real beneficiaries – the heads of those groups – are often overseas. So, we do need to try to follow that money to the source – and you can’t do that in one country alone.
What improvements or resources would enhance these partnerships across borders, and what are the challenges involved in achieving that?
For me, what would be useful would be speeding it up, and that requires agreements between countries. It requires the right sort of legislation, and so on, so it’s quite high level.
Quite often if you’re following illicit money, what you want is to be able to follow it really quickly, be able to freeze those assets, and then get them back to victims. But if there are administrative hurdles, it can take a long time going through different departments and lawyers.
And then, there’s the challenge that in some jurisdictions you don’t even know if they’re going to open your email or not. So, there’s no guarantee that you’re going to get assistance on the other side. Making that as smooth as possible would make things a lot easier for us.
How does your team approach preventative education to deter potential money mules, especially those potential recruits who might be unaware of the criminal implications?
So education is a big thing, and certainly City of London Police is engaged in that, as are UK Finance and Europol and lots of other organizations that provide education that particularly focuses on those ‘at risk’ groups.
Those might include students, people just starting university, people newly arrived from other countries, and also those people mentioned before who might be in financial distress and may become vulnerable to money mule recruiters.
So it’s about trying to educate people – alerting them to the warning signs, letting them know that dealing with organized crime could make them really vulnerable to having their bank accounts closed down and potentially getting a knock on the door from law enforcement. People need to be made aware that being involved in this type of activity could have real consequences. So it’s about trying to educate people and let them know what the risks and warning signs are.
Are there any recent examples or strategies that have shown significant success in this area?
We were talking about social media earlier, and I think what’s useful is looking for different mediums of communication.
Along with emails and other communication from banks and the police, we need to consider all the different ways that we can communicate the same message and make sure we get to as many corners of society as possible, so we don’t leave anyone out.
What role does technology play in both the detection and prevention of money mule activities?
There’s always a lot of talk around AI and machine learning these days and I think there’s definitely a role around that.
I think that’s particularly the case for frontline financial institutions and other big organizations that are dealing with a lot of data and want to understand the patterns and changes and help and support investigators and compliance professionals.
That’s not about taking their role away, but instead about giving them the tools they need to have in order to identify those real threats. So I think that’s probably the big area where there are gains to be made.
How useful is it in terms of finding ways to deal with issues like these for people to attend industry events like CeFPro’s?
I think they’re really useful. Obviously I have a police background and it’s really useful for me to see and hear what the current concerns and trends are in the financial sector – you know, what is it that law firms are looking at? What is it that investigators in different sectors are looking at and identifying?
It means we can all not only understand what the current trends and concerns are and think about how we could apply that to our own practice, but also get some insight into the potential threats coming down the line that we might need to react to more urgently.
Gareth Dothie is Head of Fraud Operations at City of London Police, where he has worked for the last 16 years. Gareth has led functions that include financial crime, bribery & corruption, human trafficking and terrorism inquests.
Staying Ahead of the Game: The Evolving Fight Against Financial Threats
Shameela Miah, Researcher and Program Director, CeFPro
However, due to the associated risks, unknown consequences, and lack of clear regulations or directives from authorities, it is crucial for organizations to stay ahead of emerging risks.
As part of CeFPro’s ongoing research in this critical space, and through our financial crime and anti-fraud initiatives, CeFPro Research conducted more than 30 one-on-one calls with industry professionals.
Collectively, these experts highlighted the threats facing financial institutions, and the best practices that can be deployed to mitigate challenges.
Here, we highlight just a few of the important challenges and considerations that are front of mind for senior risk managers, including the Financial Crimes Enforcement Network (FinCEN) and enhanced regulations, AML, data management, and cybersecurity.
The Challenges Ahead
Under FinCEN, evolving regulations require financial institutions to update legacy systems and ensure compliance with AML and counter-terrorism measures, which begs the question: how prepared is your organization for the changes ahead?
As FinCEN prepares to roll out its revised policy under the AML Act of 2020, which is designed to modernize and strengthen AML programs, financial institutions are grappling with effective implementation strategies.
Research has shown that the prioritization of risk assessment and data collection is essential for compliance, but obtaining the necessary resources and technology has proven difficult.
The need to comply has forced financial institutions to overcome obstacles in updating legacy systems and future-proofing strategies. However, the need to stay ahead is greater than ever.
Additionally, with enhanced regulatory requirements, growing concerns among risk experts center on data management and privacy.
but this raises questions across the industry.
The use of AI in data management presents risks, such as unintended biases and hallucinations, making it crucial to govern AI effectively for data management strategies and overall risk management.
Cybersecurity remains a clear challenge for the industry in managing financial crime. As the landscape evolves, financial institutions are implementing additional measures to prevent attacks and breaches.
Geopolitics and cybercrime underline need for best practice model
The need to enhance resilience and best practices intensifies as geopolitical tensions rise and cybercriminals grow more sophisticated.
With the lack of data integrity and challenges in regulatory compliance, the industry faces the consequences of becoming prime targets for cyber threats.
CeFPro has dedicated hours of research with industry professionals through webinars, reports, and events, all of which indicate the challenges faced in financial crime.
If you would like to contribute to shaping the future of the industry, CeFPro offers a platform to share your thought leadership and best practices.
Interested in attending an event that addresses the challenges of implementing technology, AI, and innovation into your financial crime practices? We are proudly launching our 7th Annual FinCrime: Tech, AI, and Innovation Conference, taking place March 25-26 in New York, which will bring thought leaders together to discuss captivating ideas and share knowledge.
If you’re unable to join this event but would still like to be part of the community, our newly launched platform, CeFPro Connect, gives you the chance to get involved, share your insight and hear the latest news and views from influential senior figures across the financial services sector.
Master the Art of Financial Crime Prevention at Financial Crime USA 2025
Step into the forefront of financial crime prevention at Financial Crime USA 2025, where cutting-edge innovation meets critical insights. This isn’t just a conference—it’s a comprehensive training ground designed to equip you with the tools and strategies needed to combat the evolving landscape of financial crime.
From AI and machine learning to sanctions and geopolitical risks, every session is crafted to elevate your expertise and empower you to implement transformative changes in your organization. This is your chance to gain direct access to the minds shaping the future of financial crime prevention.
Beyond the sessions, Financial Crime USA 2025 offers unparalleled opportunities to build lasting connections with peers and industry experts. These two days are an investment in your professional growth, providing you with practical knowledge and innovative solutions to drive your organization forward. Unlock your future this
The Los Angeles Wildfires: What Can We Learn About Simultaneous Event Risk Planning?
Mark Norman, Head of Content at CeFPro, quizzes Guest Editor Craig Spielmann on the subject of Multi-Event Simultaneous Scenario planning
To an outsider, and on the surface of things, the average Joe might struggle to see how this month’s devastating wildfires in Los Angeles could shape the global financial sector’s impact on day-to-day life.
But taken to extremes, it’s not entirely fantastical to see how climate change and financial institutions’ reaction to it might lead to a dystopian future of social migration and a seismic shift in how we define community.
Historically we’ve always planned for individual events, whether those are environmental – hurricanes, snow, wind, flooding, and so on – or geopolitical change through civil war or cross-border conflict and/or changes in government.
But it is the absence of planning for a perfect storm of simultaneous individual events that perhaps offers the greatest lesson we can learn from the LA wildfires’ hellish destruction of life and property.
In this interview, CeFPro Head of Content Mark Norman asks Connect guest editor Craig Spielmann for his take on why there is so much for the financial services sector to consider in the aftermath of the worst climate event in recent memory, and why MESS – Multi-Event Simultaneous Scenario planning – should be an integral part of future risk management.
Craig, I guess the first question seems straightforward, but might have a complex answer: from a risk management perspective, are we truly learning from big simultaneous world events like the fire? Or are we simply making the same mistakes over and over again?
So, I think my starting point really goes back a few years when I started really seeing one-in-a-thousand-years events beginning to noticeably occur more frequently. And for me that raised the question of why we were routinely modelling scenarios that only looked at one event.
When we put the multiple aspect together, we started seeing a very different picture. For example, we went through the scenario of a hot war with North Korea and a Category 4 hurricane hitting the whole East Coast of America.
And as we walked through the scenario, a lot of people changed the way they would respond to two simultaneous events that would have a global impact, compared to what they would do in response to an isolated event.
If you look at COVID, as another example, that was also part of a simultaneous multi-event, because the move to online-based home working opened up a whole wave of cyber attacks.
In climate terms, 2024 was the hottest year on the planet and while you could look at the current fires in California and say they’re just part of one event, they really aren’t.
You have a fire that starts. But then you add in high winds, like we’ve seen in LA, and that’s another event. But when you put them together, you just know it makes it a thousand times worse. The result here is devastation the like of which we haven’t seen since the bombings in Europe in World War 2.
So the question really is: are we learning from these things? And the answer is that I think some people are and some people aren’t. And that’s really the problem, right there.
I think everybody has to use the MESS approach and stop taking an individualistic view of this stuff when it comes to managing risk.
At the moment, there’s too much inclination to deal with events like this separately – I offset this, and then that’s it and I go on to the next thing.
Instead we need to look at the interactions of multiple events going on and incorporate that into all our risk planning.
Looking more broadly, when you consider the conflicts in Russia and Ukraine, the situation in the Middle East, the emerging civil disorder in Southeast Asia now – all of that has an impact on the global economy, right?
The budgetary effect of a contracting economy, it seems to me, is fewer resources on the ground to deal with events, like the wildfires, that should be part of scenario planning. So isn’t the MESS approach really a no-brainer?
Absolutely. About eight years ago we looked at the real estate sector in New York. It’s worth trillions of dollars. But if water comes over Manhattan and doesn’t leave, then all those mortgages are literally underwater.
You look at what’s happened in California right now, it’s going to be the same thing – those mortgages have been burned out of existence.
So, what’s the impact? Obviously the insurers are taking a big hit, but what about the default on mortgages? Are we going to see a tremendous wave of defaulted payments? You know, if someone doesn’t have a house, they’re probably not going to pay their mortgage.
So from a financial perspective, there’s going to be so many outcomes of this that it’s going to take a while to really figure out the damage. But there is going to be damage, especially amongst the smaller institutions that may not have as much capital cushioning.
And that raises the issue of what you need to do to keep your institution in a healthy place where it can continue to function.
My own view is there are going to be bankruptcies out of this. If you look at the global impact of weather events, we’re talking about billions of wasted dollars.
So there’s definitely an imperative for everybody to think about what they could actually do in terms of MESS planning to be able to thrive in these rapidly changing environments.
I look to the Chinese philosophers who said you’re a genius if you can anticipate something, react to it when it’s small, and stop it from ever happening. But you’re basically an idiot if you let it happen because you didn’t plan for it. You want to be in that first category, right?
The secret is in knowing what to classify as a risk. In the end, your board isn’t going to be overly worried about an alien invasion from Mars. But they’re probably going to be interested in a tsunami off the Florida Keys.
So, it comes down to being able to identify what’s most likely, and plan for that. So what does that plan need to take into account?
I think it starts with getting back to basics. People need to know what their assets are, how those assets operate, how critical they are, and when they’re over-leveraged.
They need to worry about concentration risk. They need to worry about a lot of things, but they need to take those and apply these different stress points to them and see where they shake out.
Depending on that, I think people can get themselves into a place where they can make good decisions on next steps.
They may decide there’s nothing they can do about any given scenario, but their action is to keep an eye on it. We’ll monitor it. Maybe we’ll move things around, and not have too much concentration risk here. Let’s do this. Let’s do that. Let’s not go into that business. It could be a lot of things.
So, if a MESS approach had been taken to the scenario planning for the wildfires, one option might have been to build, say, a 10-mile concrete fire break around Los Angeles. But you might not build it based on cost versus likelihood?
But in not building it, you create a reality in which anybody living in Los Angeles will struggle to get insurance against fire damage to their property in the future?
Right. But then extrapolate that. If you can’t get insurance, who’s going to underwrite your mortgage? Because no lender is going to give you a mortgage if you can’t get insurance.
And this brings us back to where we started. Do people learn? My house has been destroyed in these fires but I want to build the same house in the same area with the same shrubbery and trees around it.
If we ignore any urban planning issues, how do I mitigate my risk? In a perfect world, I put in that 10-mile fire break. I put sprinkler systems throughout the forest so the city can turn them on and off. But you can’t build in a heavily wooded forest.
So maybe you have to push that forest out, and whether you like it or not, you have to ring fence these population areas so they’re essentially bulletproof in these events. If you’re in Florida, you find a way to floodproof property.
When Hurricane Sandy hit New York, for example, some of those people who rebuilt their homes were forced to raise them as part of the new building code.
But in the end, the reality is always that you’re not going to cover everything. There’s always risk. That’s what risk is about.
So you have to figure out what you’re actually looking at, what is the outcome you need, and what’s the best approach and the most economical way to deal with it.
What we can’t continue to do is hide from the actual, realistic situation we’re all facing but don’t want to think about because it’s scary and difficult.
We have to have people in positions who are willing to be ridiculed for thinking beyond the obvious, for expanding the envelope, expanding the possibilities and figuring out where our risk appetite really sits.
That’s what it really comes down to, you know – are we comfortable with this situation? Where does our risk appetite fail us? Have we accepted too much risk, and what are the potential consequences of that?
Fuel Your Success with Weekly Intelligence
Your essential guide to the latest industry news, practitioner insights, and can’t miss CeFPro offers.
CeFPro’s Weekly Newsletter
Delivered directly to your inbox every Wednesday
Third-Party Risk Management - Compliance, Challenges, and the Future
If there is a single truth about the challenges that Third Party Risk Management will bring in the future, it must surely be that the landscape is going to become more complex and even trickier to navigate than it is now.
One only has to look at the current confusion and lack of preparedness around the EU’s new Digital Operational Resilience Act (DORA) legislation, and the US’s Uyghur Forced Labor Protection regulations, to see that the TPRM environment is becoming increasingly multi-faceted – which means the strategies financial institutions use to manage it need to be equally multi-faceted.
In a recent CeFPro webinar, we asked experts from the TPRM field in both the UK and Europe to share their experiences and insights and give a sense of what risk leaders now need to prioritize in order to deliver effective TPRM strategies that will future proof their supply chains.
In this article, we explore the views of Anne McGowan, Head of Supplier Management, Governance & Risk with Lloyds Banking Group, who has extensive experience in driving best practice in TPRM over a long and distinguished career with the Group.
A key theme to emerge from the discussion was how organizations are grappling with these changes, while also managing the complexity of emerging risks like geopolitical tensions and technological advancements.
At the core of McGowan’s approach to the subject is the recognition that TPRM is not a static field. “You can only be confident about delivering a top-class performance if you’re consistently evolving,” she says, using the example of Olympic gold medal-winning gymnast Simone Biles to illustrate her point.
“If you were to ask her today how confident would she be to replay her Olympic performance? Would she think it would be as good? Well, it would depend on how much training she had, but probably not.”
This article was written based on the contribution of Anne McGowan to a recent CeFPro webinar focused on ensuring resilience and maturity in Third Party Risk Management approaches.
Anne is Head of Supplier Management, Governance & Risk with Lloyds Banking Group, and a member of the CeFPro Advisory Board
The analogy reinforces the necessity for businesses to continuously adapt their third-party risk management frameworks in response to shifting regulatory landscapes and new risks.
As organizations face mounting pressure to meet regulatory requirements, McGowan acknowledges that confidence in TPRM programs is often questioned, particularly when regulators come knocking.
“It doesn’t matter how mature you are today, you have to be able to move with the demand for new knowledge, new skills,” she explained. New directives from regulators, such as DORA, are compelling organizations to rethink their approach.
DORA is a key piece of legislation aimed at ensuring the digital resilience of financial markets, but McGowan admits its prescriptive nature is not without its challenges.
“Deadlines drive urgency, rather than the prescriptiveness, or not, of the legislation,” she says, going on to explain that, while regulatory guidance may not always be as prescriptive as needed, the approach of many regulators – focused on outcomes rather than rigid rules – has created significant pressure for organizations to respond quickly.
“Once there is regulation, and the nearer a deadline is, the more urgent it becomes,” she said.
The stakes are high. Not only do organizations face potential financial penalties for non-compliance, but reputational damage can also be a significant driver of urgency.
“The size of the penalty is important, but it’s also your reputational damage as well because that has an impact on your share price,” McGowan explains. The cascading effect of non-compliance can ripple through an organization, making it imperative for companies to stay ahead of regulatory requirements, particularly in the face of looming deadlines.
While the EU and UK are tightening regulations, other regions, including the United States, are also ramping up their focus on third-party risk management.
McGowan highlighted the lack of prescription in the US compared to the EU and the UK, but noted, too, that the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have been active in setting expectations for corporate behavior.
This regulatory activity in the U.S. is driving organizations to mature their TPRM programs, but as McGowan says, the critical element is the growing sense of urgency spurred by deadlines and increased regulatory attention.
One area that continues to evolve within TPRM is the management of fourth-party risk, which has become more prominent in recent years. That trend has not been lost on McGowan, who points to the work Lloyds has been doing in getting the business into a good place early.
But she agrees that for all the planning that a business might do, there are still risks that could catch companies off guard.
McGowan cited the 2024 CrowdStrike event as a reminder of the need for rigorous third-party oversight and the importance of maintaining a clear understanding of who is involved in the supply chain.
“At the beginning of the CrowdStrike incident, everyone thought it was a Microsoft incident, and it was actually a couple of hours before people began to pull the thread that they realized that it was actually a different provider,” she said.
To mitigate such risks, organizations must leverage data for better decision-making. McGowan highlighted the importance of understanding the risks tied to geographic regions, data centers, and potential concentration points in the supply chain.
“You don’t want them all to be in the same place,” she said. This visibility allows companies to proactively address risks and make informed decisions about risk acceptance and contingency planning.
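The "pull the thread" exercise McGowan describes, and the concentration view she recommends, both come down to the same data: an inventory of outsourced services that records not only the direct supplier but also each supplier's own critical sub-processors and the region or data center they run from. The following is an added example, not code from the article or from Lloyds; the services, supplier and fourth-party names, regions and thresholds are constructed placeholders. It shows how such an inventory answers two questions: which services are exposed if a given provider fails (including a fourth party no contract names directly), and which providers or regions have so many critical services behind them that they are concentration points worth a risk-acceptance decision or a contingency plan.

```python
"""Map third- and fourth-party dependencies to find concentration points.

Added example, not from the article or Lloyds Banking Group. Every name
and figure in INVENTORY is constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: one row per outsourced service. "fourth_parties"
# lists the sub-processors the supplier itself depends on for that service.
INVENTORY = [
    {"service": "card-auth", "criticality": "critical", "supplier": "PayCo",
     "fourth_parties": ["CloudA", "EndpointSec"], "region": "eu-west"},
    {"service": "fraud-scoring", "criticality": "critical", "supplier": "ScoreInc",
     "fourth_parties": ["CloudA"], "region": "eu-west"},
    {"service": "payroll", "criticality": "medium", "supplier": "HRSoft",
     "fourth_parties": ["CloudB", "EndpointSec"], "region": "us-east"},
    {"service": "marketing-crm", "criticality": "low", "supplier": "CRMly",
     "fourth_parties": ["CloudA"], "region": "eu-west"},
    {"service": "treasury-feed", "criticality": "critical", "supplier": "FeedCo",
     "fourth_parties": ["CloudA", "EndpointSec"], "region": "eu-west"},
]


def dependency_index(inventory):
    """Map every provider (direct supplier or fourth party) to the services that depend on it."""
    index = defaultdict(set)
    for row in inventory:
        index[row["supplier"]].add(row["service"])
        for fourth_party in row["fourth_parties"]:
            index[fourth_party].add(row["service"])
    return index


def blast_radius(inventory, provider):
    """Services exposed if `provider` fails, whether it is a supplier or a fourth party.

    This is the lookup that turns "a Microsoft incident" into "an incident at
    the provider our suppliers actually share" in minutes rather than hours.
    """
    return sorted(dependency_index(inventory).get(provider, set()))


def concentration_points(inventory, min_critical=3):
    """Providers and regions behind at least `min_critical` critical services.

    Returns {"providers": {name: [services]}, "regions": {region: [services]}}.
    """
    critical = {r["service"] for r in inventory if r["criticality"] == "critical"}
    by_provider = dependency_index(inventory)
    by_region = defaultdict(set)
    for row in inventory:
        by_region[row["region"]].add(row["service"])

    def flag(groups):
        return {name: sorted(services & critical)
                for name, services in groups.items()
                if len(services & critical) >= min_critical}

    return {"providers": flag(by_provider), "regions": flag(by_region)}


if __name__ == "__main__":
    print("If EndpointSec fails:", blast_radius(INVENTORY, "EndpointSec"))
    print("Concentration points:", concentration_points(INVENTORY))
```

On the sample data, three of the four critical services sit behind the same fourth party ("CloudA") and in the same region, neither of which is visible from the supplier column alone; that is exactly the "you don't want them all in the same place" finding, surfaced from data rather than from an incident.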
As businesses expand their risk management frameworks, the focus is not just on traditional risks like cybersecurity or financial stability, but also on emerging areas such as environmental, social, and governance (ESG) considerations.
McGowan reiterated the growing role of ESG in TPRM, noting that her organization has developed an “Emerald Standard” that outlines what Lloyds expects from its suppliers and aims to guide them in their ESG efforts.
Looking ahead, she anticipates further challenges as businesses address issues like artificial intelligence (AI) within their supply chains, admitting that AI’s potential to reshape TPRM practices is still unfolding.
It’s clear that the evolution of third-party risk management is not just about meeting regulatory requirements; it’s about adapting to a constantly changing environment.
Whether responding to geopolitical crises, preparing for new regulations, or addressing the complexities of AI and ESG, businesses must stay agile to effectively manage the expanding landscape of third-party risk.
The Clock’s Ticking - Monitoring Risk in Real Time
Ellie Dowsett, Assistant Editor
There has never been a time of greater technological transformation than now. The relentless evolution of the Internet of Things and AI opens up a new world of exciting opportunities and change.
But it also opens up a web of exponentially greater threats and risk which, like a multi-headed hydra, multiply at a near incomprehensible speed and create an ever more complex management ecosystem in which to meet those risks head on.
This expanding network of risk demands, in return, a continuous evolution of monitoring systems that are resilient and robust enough to at least keep pace with, if not get ahead of, the emerging nature of risk.
At a recent CeFPro event focusing on vendor risk, the managing director of one of the world’s largest retail banks observed that continuous monitoring tools were increasingly at the vanguard of third party risk management.
“We’ve been using supply chain monitoring tools for the last year and a half,” he explained. “They send alerts, which require review and analysis with subject matter experts from cybersecurity, compliance, and financial teams.
“These alerts can signal potential financial issues or even future bankruptcies. While they don’t always trigger an exit plan, they allow us to track specific services and third parties closely.”
However, he went on to say that no system is infallible, noting that any monitoring system is inherently vulnerable to false positives. This, he said, presents an additional challenge: “You need to recheck them, talk to your third party, improve your review processes. It’s all about partnering with the third party to ensure a thorough risk assessment.”
Get ahead of the Curve
Effective third-party risk management starts well before issues arise. According to the executive, embedding service level agreements (SLAs) into contracts from the outset is essential.
“From the beginning, when there’s a new service, it’s important to define SLAs with the service manager and business team before signing the contract,” he said. “After that, service managers absolutely must review them regularly – monthly, quarterly, or semi-annually – to ensure compliance.”
That opens up another, more internal issue: how do you ensure you’re creating, adopting, or applying systems and tools that people will actually use? The best tool in the world, he says, is a liability if it’s too complicated to use.
“The reporting process must be user-friendly, encouraging managers to provide evidence and stay engaged,” he says.
Beyond documentation, engagement is critical. “It’s not just about filling out forms. Service managers need to present their service at least once a year in third-party risk meetings. They should explain the risks, issues, and progress. This ensures they’re prepared and genuinely aware of what’s happening with the service.”
Proactive Approaches Reap Rewards
There is wide acceptance that addressing recurring failures in SLA compliance requires proactive communication, and there was certainly no disagreement on that point. “When we see a trend of failures over months, we can’t just press a button and say there’s no compliance. The third party should inform us proactively, rather than us chasing them,” the executive said.
This, he ventures, aligns with the broader theme of resilience. “Third-party risk management is a relationship,” he explained. “It’s about negotiation, compliance assessments, and fostering collaboration to protect the bank.”
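The two practices the executive describes, defining SLAs up front and reviewing the evidence monthly, and treating a run of failures over months as a trend rather than a single breach, are easy to automate once the monthly evidence is recorded against the agreed target. The following is an added example rather than code from the article or from the bank quoted in it; the service names, SLA targets and monthly figures are constructed sample data. It evaluates each month against the contractual target (handling both "higher is better" metrics such as availability and "lower is better" ones such as latency) and flags only the services whose breaches have run for several consecutive months, which is the point at which the relationship conversation, not the dashboard, should be taking over.

```python
"""Flag third-party services whose SLA has been missed for consecutive months.

Added example, not from the article or the bank it quotes. SLA_EVIDENCE is
constructed sample data: invented services, targets and monthly readings.
"""

# Constructed monthly SLA evidence, as a service manager would record it at
# each review: the contractual target plus one measured value per month.
SLA_EVIDENCE = {
    "card-auth": {
        "metric": "availability_pct", "target": 99.9,
        "monthly": [("2024-09", 99.95), ("2024-10", 99.7),
                    ("2024-11", 99.8), ("2024-12", 99.6)],
    },
    "payroll": {
        "metric": "availability_pct", "target": 99.5,
        "monthly": [("2024-09", 99.9), ("2024-10", 99.2),
                    ("2024-11", 99.8), ("2024-12", 99.7)],
    },
    "fraud-scoring": {
        "metric": "p95_latency_ms", "target": 200, "higher_is_worse": True,
        "monthly": [("2024-09", 180), ("2024-10", 210),
                    ("2024-11", 250), ("2024-12", 190)],
    },
}


def is_breach(entry, measured):
    """True when a single monthly reading misses the contractual target."""
    if entry.get("higher_is_worse"):
        return measured > entry["target"]
    return measured < entry["target"]


def breach_history(entry):
    """[(month, breached?)] in chronological order, for the evidence pack."""
    return [(month, is_breach(entry, value)) for month, value in entry["monthly"]]


def trailing_streak(entry):
    """Number of most recent consecutive months in breach (0 if last month passed)."""
    streak = 0
    for _, breached in reversed(breach_history(entry)):
        if not breached:
            break
        streak += 1
    return streak


def escalations(evidence, min_streak=3):
    """Services to raise with the third party: in breach for min_streak or more months running.

    A single bad month is a review item; a run of them is the "trend of failures"
    that should have been reported proactively by the supplier.
    """
    return {name: trailing_streak(entry)
            for name, entry in evidence.items()
            if trailing_streak(entry) >= min_streak}


if __name__ == "__main__":
    for name, entry in SLA_EVIDENCE.items():
        print(name, breach_history(entry), "streak:", trailing_streak(entry))
    print("Escalate:", escalations(SLA_EVIDENCE))
```

On the sample data only "card-auth" is escalated: it has missed its availability target three months running. "fraud-scoring" breached for two months but recovered, so it stays a review item rather than a trend, and "payroll" had one isolated miss.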
Prioritizing Risk Means Being Open to Change
Managing risk across a diverse portfolio of third parties requires clear prioritization. That, he says, means focusing on critical key performance indicators (KPIs) and third parties: “Risk assessments help classify services as critical, medium, or low. Sometimes, a third party may be deemed critical due to a concentration of high-risk services, even if others are lower risk.”
He added that his bank is adapting its monitoring tools and capabilities in order to be able to know if a third party is using AI and, if they are, to understand how that impacts the service provided.
“AI helps interpret trends in financial evaluations and compliance issues, but it requires maturity and further investigation,” he said.
As the financial sector navigates new regulatory frameworks and technological advancements, there seems little doubt that many financial institutions will need to actively embrace changes in traditional and current thinking and take a more innovative approach to monitoring risk.
Upcoming CeFPro events
Sustainable Finance Europe, London, United Kingdom, 25-26 February: www.cefpro.events/sustainable-finance-europe
Credit Risk USA, NYC, United States of America, 25 March: www.cefpro.events/credit-risk-usa
Financial Crime USA, NYC, United States of America, 25-26 March: www.cefpro.events/financial-crime-usa
Risk Evolve, London, United Kingdom, 2-3 April: www.risk-evolve.com
To view our full upcoming events calendar, visit www.connect.cefpro.com/upcoming/events