Case Studies

Client Requirement:

• Provide the Board and senior management with an accurate risk profile of the business.
• Provide the Board with assurance that effective risk controls where operating.

GRC Approach:

• Risk Maturity Assessment: Reviewed the maturity of the current risk management framework and process – via stakeholder interviews.
• Gap Analysis (against best practice): Benchmarked the current risk management framework structure and processes against industry best. practice and identified areas for improvement.
• Detailed Risk Assessment: Detailed risk assessment undertaken across entire business with key stakeholders. Data consolidation undertaken, and key risks and controls presented to the board and management.
• Risk Culture Assessment: Carried out assessment of risk culture to determine stakeholder knowledge levels and attitudes to risk ownership’ Recommendations for improvement and delivery plan developed.
• Framework Development: Development of all framework components (processes, procedures & policies), where gaps and improvement actions identified. Including risk appetite and tolerance statements and metrics.
• Framework Documentation: Development / enhancement of all framework documentation (processes, policies & training material).
• Training and Awareness: Developed and delivered formal risk management training for a range of stakeholders (Board members, senior managers, & suppliers).
• Stakeholder Communication: Developed consistent stakeholder communication in relation to the to the rolling out of the framework and ensuring that key partners and stakeholders, understood need to use and complied.
• Risk Profile: Company’s risk profile developed, refined and keys risks communicated to risk owners and management.
• Risk Appetite / Tolerance: Risk Appetite and Tolerance parameters and statements developed and agreed by the Board.

Results:

• Greatly improved risk management processes. Increased understanding of importance of risk management.
• More confident and engaged workforce.

Client Requirement:

GRC Approach:

• Annual assessment of the adequacy and effectiveness of policies and procedures in place
• Implemented appropriate procedures to mitigate the internal and external financial crime risk trends
• Developed new risk scoring based on the Wolfsburg principles for the AML controls
• Reviewed the reporting and escalation procedure of the significant financial crime risk issues and exceptions
• Supported the AML teams' reviews across the business and confirming all risks are dealt with appropriately
• Managed the monitoring of FCC indicators
  

Results:

• Audit Framework: Establishment of the framework for annual assessment of financial crime compliance policies and procedures
• Wolfsburg principles adopted, and associated controls implemented
• Audit maturity level: Complimented with the maturity matrix showcasing the maturity level of the Financial Crime Compliance
• Compliance monitoring streamlined and put to effective operation
• Financial crime risk trends: Instances of internal collusion eradicated, KRIs reported against the baseline. Procedures and controls put in place to identify and manage external financial crime risk trends

Client Requirement:

GRC Approach:

• Responsible for developing the PSD2 gap assessment report
• Evaluated the existing policies, procedures and systems/controls to advise appropriate action plans to comply to PSD2
• Suggested the complaints handling procedure changes per the regulatory standards
• Risk assessed the two factor authentication requirements to identify the system level changes required
• Detailed the new reporting requirements
• Articulated the key requirements in business continuity and disaster recovery policies, procedures, systems and controls
  
  

Results:

• Business Impact Assessment: Detailed report on as-is to expected practices in all the PSD2 required disciplines. Rapidly adaptable proven recommendations that addresses the gaps identified to become PSD2 compliant
• Policies, Procedures, Systems and Controls: 360-degree assessment that helped the client to see their current position in existing policies, procedures and systems/controls, and advising appropriate action plans for the required improvements
• Complaints Handling: Design strategy and planning to implement the necessary changes in complaints handling procedures and associated operational changes
• Strong Authentication: Recommendations on system level changes towards implementing strong authentication and dynamic linking of the payment transactions
• BCP and DR: Plausible scenarios identified, and appropriate mitigation strategies and planning put in place to address the BC/DR situation should the need arise. Witnessed the implementation of the required changes in BCP & DR policies, procedures, systems and controls
• New reporting and Notification requirements: Articulated the new reporting obligations and assisted the client to formulate required procedures and controls to implement them
• Operational and Security Risks: Assisted the client for establishing a robust risk management framework that focusses on security measures to mitigate the operational and security risks. The framework addressed right from the governance arrangements to identification of risks and their assessment, to data protection and detection of the risks and subsequently addressing the business continuity arrangements.

Client Requirement:

GRC Approach:

• Responsible for guiding and supporting with the application submission process
• Assisted with the business and marketing plan
• Conducted workshops to identify and articulate how the firm is structurally organised, what are the governance arrangements and internal control mechanisms in place, how the firm manage and report fraud and security related customer complaints
• Interpreted the requirements on how the firm intend to protect sensitive payment data, business continuity and disaster recovery arrangements
• Reviewed the security policy document to confirm it demonstrates the operational and security risk management framework in place
• Reviewed the anti-money laundering and terrorist financing policy that articulates the detailed risk assessment, with associated systems and controls, the officer responsible for reporting suspicious activities to national crime agency
• Provided guidance to calculate the required amount for professional indemnity insurance
  

Results:

• Governance arrangements and internal control mechanisms: Risks identified and mapped for all the business units and at the corporate level. Appropriate governance arrangements witnessed incorporating various committees for approval of capital, strategy, design and execution.
• Fraud and security related customer complaints: Helped the client to distinguish between the customer complaints raised for security incidents and other customer complaints. Articulated how the existing framework can be utilised for fraud scenarios by creating a subset of risks relevant to security and vulnerability to fraud.
• BCP and DR: Assisted the client to articulate various plausible scenarios that can disrupt the business and appropriate mitigation strategies and planning put in place to address the BC/DR situation should the need arise. Assisted the client to incorporate the required changes in BCP & DR policies, procedures, systems and controls
• Security policy: Assisted the client for establishing a robust operational and security risk management framework that focusses on security measures to mitigate the operational and security risks. The framework addressed right from the governance arrangements to identification of risks and their assessment, to data protection and detection of the risks and subsequently addressing the business continuity arrangements
• Anti-money laundering and terrorist financing policy: Enabled the firm to deter and detect financial crime, incorporated changes to the policy, risks assessed in relation to firm’s customer base, products & services provided, distribution channels used and the geographic areas of operation. Evaluated the risk mitigation strategies and helped the client with planning and subsequently implementing the required controls.
• PSR and EBA obligations on firms from 13 January 2018: Complimented the application submission with the document on firm’s obligations towards PSD2 regulations.