Sleepwalking into Trouble: The generation-defining risks of global debt, geopolitical drift, and investor short-termism
Build or Break: Why getting compliance right at the first time of asking matters
Sanctions Under Pressure:
How geopolitics, data speed, and legal ambiguity are driving sanctions compliance complexity
Governance Under Fire: Why weak ESG governance and increasing geopolitical volatility threatens crisis
connect.cefpro.com/magazines
This month’s regular features in
SPEAKERS ONBOARD
Stand out speakers from Climate Risk & Climate Stress Testing Europe
FOREWORD
Risk Is Evolving at Pace – Are You Keeping Up?
Guest editor Kelly Lake on the key TPRM issues facing risk managers over the coming months
THE ILLUSION OF RESILIENCE – ARE WE SLEEPWALKING INTO CRISIS?
Amid soaring debt, volatility, and geopolitical tension, Nick Silitch warns against mistaking fragility for systemic risk resilience
Nick Silitch has held senior risk management roles at Prudential Finance and Bank of New York Mellon, among others
THE GEOPOLITICAL ARMS RACE OF SANCTIONS COMPLIANCE
Alice Kelly on how the fast evolution of complex sanctions compliance demands real-time precision and geopolitical awareness
Alice Kelly is Head of Programming at CeFPro
LEGACY RISK WON’T WAIT – FIX WHAT YOU CAN NOW
Guest Editor Kelly Lake looks at how to overcome TPRM legacy challenges as part of driving cultural change in
CAREERS
Where Perfection Hurts, Leadership Heals
Rita Gnutti, Executive Director and Head of the Internal Validation and Controls unit, Intesa Sanpaolo
WHY ESG FAILS WHEN GOVERNANCE GETS IGNORED
Mark Norman reports on why ESG governance must catch up with geopolitical and climate disruption to protect institutional resilience
Mark Norman is Head of Content at CeFPro
TRENDWATCH: MODEL RISK IS EXPLODING – ARE YOU STILL IN CONTROL?
Our monthly look at where the risk focus lies turns to the fast-moving evolution of model risk scope and complexity
STARTUPS BREAK FAST – COMPLIANCE MUST BE BUILT TO LAST
Adham Mayassi on why compliance must be a design principle, not a repair job
Adham Mayassi is Deputy MLRO and Compliance Associate at DFSA-regulated real estate crowdfunding platform, SmartCrowd
NEWS IN REVIEW
Our 3-minute read catches you up on some of the news stories and events that have been on the risk news agenda around the world over the last month
INFOGRAPHIC: THE CLOCK IS RUNNING DOWN ON NON-FINANCIAL RISKS
Our regular look at the industry through key statistics suggests rising non-financial risks demand urgent, data-driven mitigation strategies.
DIGITAL TRANSFORMATION - CUTTING THROUGH THE NOISE IN 2025
Andrew Rollins argues that digital transformation in 2025 must focus on real outcomes, not buzzwords
Andrew Rollins is the Associate Director of Digital TPM at 3VRM
Magazine team
Publisher Andreas Simou
Managing Director CeFPro andreas.simou@cefpro.com
Marketing
Edwin Njenga Head of Marketing CeFPro edwin.njenga@cefpro.com
Where Leaders LEARN
RISK IS EVOLVING AT PACE
Are You Keeping Up?
Welcome to the August issue of Connect magazine.
This month’s edition contains all the usual not-to-be-missed insight you’ve come to expect, particularly on the TPRM risk challenges we’re all facing as we head towards the end of the year.
The pace and complexity of change in the external operating environment is accelerating. From geopolitical uncertainty and regulatory scrutiny to cyber risk and ESG compliance, the need to assess, monitor, and act on third-party exposures has never been more urgent - or more complex.
The days of simply onboarding vendors and filing contracts are over. Regulators now expect demonstrable oversight across the full lifecycle of vendor relationships, with clear accountability, real-time visibility, and resilience built in by design.
But legacy systems, siloed data, and unclear ownership remain major obstacles. Too often, organisations lack a single version of the truth when it comes to who their vendors are, what they do, and where risk truly sits. Worse still, they may not even know who owns the relationship internally.
This month, we explore the practical steps risk and compliance leaders can take to reframe third-party risk management – not as a box-ticking exercise, but as a core driver of business value, resilience, and trust.
You’ll also find articles on how TPRM fits into digital transformation of financial organizations, why we might be seriously underestimating our market risk resilience, and how compliance needs to be front loaded into new and emerging businesses, among many others.
If you’d like to spread the word about your organization or product, why not talk to one of our team about our advertising and promotional opportunities? Their details are overleaf.
Enjoy your reading – the next edition will be out on September 25.
Editor Mark Norman Head of Content CeFPro mark.norman@cefpro.com
Sales & Advertising
Chris Simou Head of Sales CeFPro chris.simou@cefpro.com
Design
Natasha Marino Head of Design CeFPro natasha@cefpro.com
Guest Editor
Kelly Lake Third Party Risk Manager
Legal & General
THE ILLUSION OF RESILIENCE
Are We Sleepwalking into Crisis?
Nick Silitch is a highly respected author, adviser and consultant within the financial risk sector. His career includes senior roles at leading financial institutions such as Prudential Finance and Bank of New York Mellon.
Over the course of a stellar career punctuated by senior roles in some of the gold standard financial institutions around the world, Nick Silitch has seen a thing or two in his time.
He’s seen, managed and weathered the storms of the various financial crises that make up the financial services scar tissue over the last few decades.
So when he warns, in his wide-ranging and unflinchingly sober keynote session at CeFPro’s flagship Risk Americas 2025 conference in New York, that financial institutions are underestimating financial and non-financial risk, people tend to listen.
The current economic and financial climate, Silitch says, reflects a decades long environment where significant risk has been added to the system.
On a macro level this translates as a six-fold increase in US debt issued since 2000 – an eye-watering $30 trillion plus; at a market-specific level, private debt markets, CLOs, NAV lending, and other financing techniques have added remarkable levels of leverage to the private investment ecosystem.
It’s for this reason that he voices concern that future volatility might serve to make the corrections and volatility of the past 30 years seem modest by comparison.
This cyclical behavior reflects more than just liquidity mechanics; it points to a structural short-termism in investor psychology.
Time and again, markets have been quick to discount tail risks – from geopolitics to cyber threats and ballooning fiscal deficits – so long as there is no immediate catalyst to force a reckoning.
What sets this period apart is not the volatility itself, but the scale of the imbalances and fundamental fragility lurking beneath it.
Silitch warns that the path to a new equilibrium will likely be much more volatile and take longer – perhaps decades – to achieve because the imbalances are larger.
“The risk of an event sparking heroic volatility is growing,” he says.
The dollar remains dominant, but that dominance is increasingly challenged – not through dramatic collapses, but through the slow reallocation of reserves, the quiet shift in global trade settlements, and the geopolitical aftershocks of unilateral policy decisions.
Resilience is, naturally, key. But so, too, are economic (and, for that matter, political and military) alliances. The landscape is more nuanced, and with nuance comes greater fragility.
In some ways, Silitch argues, the current landscape of alliances – particularly in the Middle East – risks putting us closer to the socioeconomic imbalances that culminated in the Great War than at any other time in the 111 years since it began.
Small things, he says, now have huge potential impact. What, he wonders, would a modest surcharge on the dollar do to the landscape of the American economy?
“More than 60 percent of the world’s financial assets are denominated in dollars, yet we are under 30 percent of the world’s GDP,” he says.
What, too, of interest rates, which, he says, are only heading in one direction for the time being – regardless of what the Fed might like?
And then there’s Trump’s trade war, and, in particular, what the president calls his ‘Big Beautiful’ fiscal bill that will keep the U.S. deficit at 6-7% and its $36.2-trillion debt pile ballooning.
Resilience should not be mistaken for durability. The risk premium priced into markets today fails to account for the long-term implications of unsustainable fiscal trajectories and policy-induced distortions.
Historical analogies – such as the Southern European sovereign crises or the liquidity dislocations of the global financial crisis – offer sobering reminders of how swiftly market confidence can unravel when catalysts emerge.
As non-bank lenders increasingly fill gaps once occupied by regulated institutions, a two-tiered system is emerging – one in which private capital benefits from regulatory arbitrage while traditional banks bear the social obligations of financial intermediation.
Without a deliberate policy framework to address this imbalance, the U.S. risks distorting the competitive landscape and weakening the resilience of the broader financial architecture.
Despite the obvious headwinds, the outlook is not irredeemably grim. Adjustment mechanisms still exist. Market forces, institutional guardrails, and elements of policy pragmatism offer a path to course correction – if not reform.
But the window to act without the impetus of crisis may be narrowing. History suggests that real reform tends to follow trauma.
And while hope remains that today’s challenges can be met with foresight rather than reaction, the gravity of risk demands not just vigilance, but urgency.
Climate Risk & Climate Stress Testing Europe Stand Out Speakers
This October, Amsterdam will host the forefront of climate-focused financial expertise as Climate Risk & Climate Stress Testing Europe 2025 returns to the Amsterdam Marriott Hotel. With a lineup of leading voices, 20+ high-impact sessions, and a focus on emerging risks, regulatory alignment, and strategic resilience, this event offers actionable insight and forward-thinking solutions.
From navigating the complexities of physical climate risks to embedding transition risk policies and integrating climate considerations into broader risk management frameworks, our key speakers will share practical strategies and scenario-based approaches. Whether you’re shaping governance, guiding business strategy, or leading stress testing initiatives, this is where the conversation on climate resilience sharpens and the future of sustainable risk management takes shape.
Juan Duan Head of Financial Climate Risk Beazley
Juan Duan is Head of Financial Climate Risk at Beazley. Juan provides strategic leadership on financial climate risk at Beazley, responsible for embedding climate risk into underwriting, leading and coordinating climate risk initiatives across business functions, and strengthening technical capabilities on managing climate risk.
Juan worked at the Bank of England for more than five years where she held a number of catastrophe and climate risk roles. Prior to the Bank of England, she was a Research Associate at AIR Worldwide (now Verisk). She holds a PhD in Hydrology and Climate Change from Imperial College London.
Jarek Olszowka MD – Head of Sustainable Finance Nomura
Jarek is Nomura’s Head of Sustainable Finance, focusing in particular on the origination, structuring and execution of ESG fixed income products around the globe. In this role he has assisted clients in successfully raising more than $200 bn aggregate notional of ESG debt, including executing a number of landmark, ‘first of their kind’ ESG trades. Jarek represents Nomura in a number of ESG-dedicated industry bodies, such as the London Stock Exchange’s Sustainability Bond Market Advisory Group and serves as a member of ICMA’s Green and Social Bond Principles Advisory Council.
Prior to his current role Jarek was a hybrid capital originator and structurer at Nomura and held positions at Clifford Chance, JP Morgan, Goldman Sachs and CMS, working on capital markets and structured finance transactions. He holds a magna cum laude highest distinction Masters degree in Law from Warsaw University, a combined Bachelors and Masters degree in Banking and Finance from the Warsaw School of Economics, and completed academic scholarships at Zurich University, Copenhagen Business School and the University of Sussex. Additionally, Jarek is a fully qualified solicitor in England.
Herman Bril
MD & Head of Sustainability & Climate Innovation
PSP Investments
Herman Bril is Managing Director and Head of Sustainability and Climate Innovation at the Public Sector Pension Investment Board (PSP Investments). Herman joined the organization in July 2022 and is responsible for leading the strategic direction of PSP Investments’ Environment, Social and Governance (ESG) approach.
Herman has more than 25 years of experience in leadership roles at financial institutions spanning across investment management, investment banking, treasury, life and pension insurance, and development finance. Prior to joining PSP Investments, he was Partner & CEO Asset Management at Arabesque Group, where he built and scaled up a digital global asset management firm powered by technology and ESG data. For several years, Herman also served as Chief Investment Officer at the United Nations Joint Staff Pension Fund in New York. In this role, he was responsible for managing close to $80 billion in assets under management as well as 120 staff, including all asset classes and the sustainable investment team.
Isobel Edwards
Global Head of Green, Social and Impact Bond Research
Goldman Sachs
Isobel Edwards is Global Head of Green, Social and Impact Bond Research at Goldman Sachs Asset Management in The Hague. She is responsible for assessing the credentials of green, social and impact bonds and their issuers as well as aligning the GSAM impact bond assessment methodology with the latest market and scientific guidance. She is an Environmental Scientist by training and has previously worked as a Researcher for the Climate Bonds Initiative, developing environmental standards for the green bond industry.
Dr Arthur Krebbers
MD – Sustainable Finance Advisory
NatWest
Dr. Arthur Krebbers is Managing Director Sustainable Finance Advisory at NatWest. He has been supporting corporate and investor clients with their ESG strategies since 2014. Arthur’s areas of expertise include sustainable treasury and investment strategies, product development, rating management and stakeholder engagement. He is involved in numerous industry bodies that promote sustainability in the global capital markets. His research on sustainable finance is featured in a range of media outlets. Arthur has a PhD in Finance and is a Visiting Professor at Strathclyde University Business School.
THE GEOPOLITICAL ARMS RACE OF SANCTIONS COMPLIANCE
Alice Kelly is Head of Programming at The Center for Financial Professionals
In a world where geopolitical currents shift faster than compliance frameworks can adapt, the role of sanctions professionals has grown more complex, more critical, and increasingly demanding.
The blending of foreign policy, financial integrity, and technological innovation was at the heart of a recent panel discussion at CeFPro’s Financial Crime USA conference, offering a window onto the challenges and strategies shaping this evolving field.
Described with a mix of humour and gravity as “geopolitical therapists,” sanctions leaders are now expected to interpret shifting global dynamics and translate them into operational readiness – often before formal changes are even announced.
Institutions may debate the implications of policy moves, but until regulators act, the compliance mandate remains static. When those changes do arrive, they bring jurisdictional complexity and legal ambiguity.
Global financial institutions must adhere not only to OFAC but to the EU, UK, Canada, and others – usually defaulting to the most stringent rules across the board.
One former U.S. official shared how sanctions easing discussions begin long before public announcements. Internal requests to agencies like the U.S. Treasury trigger confidential feasibility reviews.
Past cases – such as the Iran nuclear deal – highlight just how intricate these deliberations can be. Even when a legal path exists, institutions may hesitate due to reputational risk or market uncertainty.
The rapid imposition of Russia sanctions in recent years has left many compliance teams reluctant to re-engage without clear assurances.
Data and speed were recurring themes. Global compliance teams are under pressure to deliver near-real-time screening in the age of instant payments.
Daily list updates are no longer sufficient; clients now expect updates every four to six hours to keep transaction latency low without compromising accuracy.
International banks face immense complexity in building consistent screening protocols. Determining which sanctions lists apply universally and which are jurisdiction-specific is challenging – especially in real-time environments.
Quality assurance is essential, with many institutions verifying vendor data against multiple regulatory sources.
Smaller banks, while benefiting from a narrower focus, still bear the burden of documentation and due diligence, particularly under scrutiny from regulators like the OCC.
A long-running grey area remains the definition of a ‘transaction’ under sanctions law. Without a consistent interpretation, approaches vary widely.
This inconsistency is especially problematic in fintech and partner bank environments, where customer experience can easily conflict with rigorous compliance.
Faster payments infrastructure is adding to the strain. As settlements shrink from T+2 to T+1 and even T+0, the window for due diligence collapses.
Financial institutions are now embedding sanctions controls into onboarding, KYC, and transaction monitoring – not as a safeguard, but as an operational necessity.
Meanwhile, recent legal changes have extended record retention requirements from five to ten years. Banks must now adapt systems, processes, and policies to meet longer timelines, even as global inconsistencies persist.
Jurisdictional divergence – such as when the EU or UK enforces sanctions not mirrored by the U.S. – requires banks to freeze assets even in non-aligned territories, making inter-branch coordination and escalation protocols vital.
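As an added illustration of the screening behaviour the panel described (it is not code from the panel, CeFPro or any vendor), the block below merges lists from several jurisdictions under a most-stringent rule, refuses to certify a clear against list data older than the four-to-six-hour refresh window, and reconciles a vendor feed against the regulator's own publication. All list names, entries and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Refresh window the panel described: daily updates are no longer enough,
# clients expect every four to six hours. Anything older cannot clear a party.
MAX_LIST_AGE = timedelta(hours=6)


@dataclass
class ListSnapshot:
    """One sanctions list as received from a source (regulator or data vendor)."""
    name: str             # constructed label, e.g. "OFAC-SDN"
    jurisdiction: str     # "US", "EU", "UK" ...
    fetched_at: datetime  # when this copy of the list was pulled
    entries: frozenset    # normalised names


def normalise(name: str) -> str:
    """Fold case, drop punctuation and sort tokens so 'Doe, John' matches 'John Doe'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(sorted(tokens))


def make_snapshot(name, jurisdiction, fetched_at, raw_names):
    return ListSnapshot(name, jurisdiction, fetched_at,
                        frozenset(normalise(n) for n in raw_names))


def is_stale(snapshot: ListSnapshot, now: datetime) -> bool:
    return now - snapshot.fetched_at > MAX_LIST_AGE


@dataclass
class Decision:
    outcome: str                       # "CLEAR", "BLOCK" or "ESCALATE"
    hits: list = field(default_factory=list)         # lists the party appears on
    stale_lists: list = field(default_factory=list)  # lists outside the refresh window


def screen(party: str, snapshots, now: datetime) -> Decision:
    """Most-stringent rule: a hit on any jurisdiction's list blocks, wherever the branch sits.

    A clear is only issued when every list consulted is within MAX_LIST_AGE;
    otherwise the case is escalated rather than silently passed.
    """
    key = normalise(party)
    hits = [s.name for s in snapshots if key in s.entries]
    stale = [s.name for s in snapshots if is_stale(s, now)]
    if hits:
        return Decision("BLOCK", hits, stale)
    if stale:
        return Decision("ESCALATE", [], stale)
    return Decision("CLEAR", [], stale)


def reconcile(vendor: ListSnapshot, regulator: ListSnapshot) -> dict:
    """QA step: compare a vendor-delivered list with the regulator's own publication."""
    return {
        "missing_from_vendor": sorted(regulator.entries - vendor.entries),
        "extra_in_vendor": sorted(vendor.entries - regulator.entries),
    }


# ---- constructed sample data (not real listings) ----
NOW = datetime(2025, 8, 1, 12, 0, tzinfo=timezone.utc)
OFAC = make_snapshot("OFAC-SDN", "US", NOW - timedelta(hours=2),
                     ["Example Trading LLC", "Doe, John"])
EU = make_snapshot("EU-CFSP", "EU", NOW - timedelta(hours=1),
                   ["Sample Shipping Co"])              # EU-only listing
UK = make_snapshot("UK-OFSI", "UK", NOW - timedelta(hours=9),
                   ["Example Trading LLC"])             # 9h old: stale
VENDOR_OFAC = make_snapshot("Vendor feed (OFAC)", "US", NOW - timedelta(hours=3),
                            ["Example Trading LLC"])    # vendor copy missing one name

if __name__ == "__main__":
    for party in ("John Doe", "Sample Shipping Co", "Acme Widgets"):
        print(party, "->", screen(party, [OFAC, EU, UK], NOW))
    print(reconcile(VENDOR_OFAC, OFAC))
```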
Evasion tactics also continue to evolve. Old methods – falsified shipping manifests, opaque ownership structures – still persist, but new threats hide in complexity.
Layered investment structures, obscure trust vehicles, and adverse media stories are all pieces of a growing risk mosaic. Increasingly, sanctions teams collaborate with AML and onboarding teams to detect anomalies that traditional filters miss.
Technology is beginning to catch up. AI is being used to mimic first-line analyst decision-making and conduct 100% sampling-based quality assurance. But specificity is crucial.
Without robust validation, governance, and precision modelling, AI can amplify risk rather than reduce it.
Above all, sanctions compliance can no longer operate in isolation. It must be embedded within a broader financial crime strategy.
As one panellist concluded, sanctions are no longer governed by black-and-white rules – but by shades of grey. And it is in those grey areas that the next chapter of financial crime compliance will be written.
Where Perfection Hurts, Leadership Heals
Rita Gnutti is Executive Director and Head of the Internal Validation and Controls unit at Intesa Sanpaolo, one of Europe’s leading banking groups. Over the last two decades, she has helped shape the bank’s approach to market risk, counterparty credit models, and internal model validation while quietly evolving from a perfection-driven analyst into a widely respected leader and public voice in model risk governance.
Early Brilliance, Quiet Pressure
Rita Gnutti never set out to become a public voice for model risk governance – but over the course of two decades at the heart of European banking, she’s become exactly that.
From her early pursuit of perfection to a more seasoned philosophy grounded in clarity, speed and human insight, her journey reveals a quiet but radical transformation to create the story of a risk leader who learned to lead by letting go.
Rita’s journey began with unmistakable academic excellence: she graduated cum laude in Economics from Università Cattolica del Sacro Cuore and was awarded the prestigious Premio Agostino Gemelli (Agostino Gemelli Prize) as the top graduating student in 1992.
Yet even with such honors, stepping into the banking world brought its own quiet challenge: how do you stand out in a room full of similarly high achievers?
The answer, she thought, came easily enough: by having an attitude grounded in responsibility and the belief that you can make a difference.
From Perfectionism to Prioritization
Driven by a personal mantra of perfection, though, Rita found herself at odds with reality. “Perfection is a beautiful principle,” she reflects, “but it leads to suffering when you don’t have the time or the team to match it.”
Over time, she came to a hard-won insight: “Fast and good,” she says, “often beats perfect and late.”
This pushed her to develop a new skill: the ability to summarize, to prioritize, and to identify what level of detail actually drives impact. And, she says, this shift didn’t just improve how she communicated – it shaped how she led.
Leadership by Example, Not Just Oversight
Today, Rita’s leadership philosophy centers around empowerment, not perfection. She brings her team into projects early, encourages them to explain difficult concepts in simple language, and stretches their growth by moving the goalposts: “Don’t just solve the problem, show you can explain it.”
“If you’re smart,” she says, “your job is to bring out the best in others. Not everyone needs to be a PhD to add value.”
Her understanding of talent is nuanced: “Some are brilliant, some are steady. Both can contribute. Your job as a leader is to tune into that.”
Accidental Beginnings, Intentional Voice
Rita’s speaking career didn’t begin by ambition; it began by accident. Years ago, her manager was too busy to speak at a conference on Counterparty Credit Risk and asked Rita to take his place.
It was an international stage and her first time presenting in such a setting. “I was scared. I wanted to be perfect,” she recalls.
But the real learning came from repetition. “It took me ten years to become confident. I was trained to swim by being thrown into the water.” Now, she’s a familiar name at conferences across Europe, sharing insights on model validation, AI, and regulatory transformation while inspiring others who, like her, once struggled to find their voice.
A Journey Still in Motion
Rita Gnutti’s story is not just about a career in validation, it’s about learning when to push, when to let go, and how to bring others along. She remains a perfectionist at heart, but one who’s learned the higher art of clarity over complexity, speed over symmetry, and leadership over individual brilliance.
Expert Financial Risk Intelligence Reports Trusted by Global Leaders
TRENDWATCH:
MODEL RISK IS EXPLODING
Are You Still in Control?
This month we put the Trendwatch spotlight on the key threats and challenges financial organizations need to solve in the face of the increasing complexity and scope of model risk.
The adoption of artificial intelligence, machine learning, and complex quantitative models to drive decision-making creates potential for growing systemic, reputational, and regulatory failure.
At the same time regulators across jurisdictions are tightening their expectations to ensure enforceable technical standards.
So, exactly what are the trends that we should be worrying about? And what should risk managers be doing about them?
01 AI-DRIVEN MODEL COMPLEXITY AND OPAQUENESS
The integration of AI and machine learning into financial models brings unparalleled sophistication but also major governance challenges. Models built using black-box algorithms often lack transparency, making validation and explainability difficult. The Bank of England’s Financial Policy Committee warned in 2024 that widespread adoption of similar AI models may amplify systemic risks through herd-like behaviour in trading strategies. Regulators such as the ECB and BIS are urging firms to develop explainability frameworks to manage emerging AI risks and prevent regulatory breaches. (Bank of England, 2024, BIS Bulletin No. 76)
02 VALUATION RISK IN ILLIQUID AND COMPLEX PORTFOLIOS
Valuation models for illiquid instruments, including Level 2 and Level 3 assets, continue to pose material risk to financial stability. Model assumptions - especially those around volatility, credit spreads, and discounting - can rapidly unravel under stress. The European Central Bank has identified valuation risk as a persistent vulnerability, particularly when market inputs become unreliable during periods of volatility. Their 2024 Risk Assessment underlined the need for model validation teams to enhance their sensitivity analysis, scenario testing, and independent challenge of front-office valuations.
(ECB Risk Assessment Report 2024)
03 MODEL GOVERNANCE AND CHANGE CONTROL GAPS
Many financial institutions struggle with robust governance for model lifecycle management - especially around version control, model redeployment, and internal accountability. In its 2023 supervisory statement SS1/23, the UK’s Prudential Regulation Authority emphasized that inadequate governance frameworks are a key reason for persistent model risk management weaknesses. It called for greater board oversight and centralized inventory controls. Similarly, the US Federal Reserve continues to highlight issues with fragmented ownership and weak documentation across model portfolios in its enforcement actions.
(PRA SS1/23, Federal Reserve SR 11-7)
04 DATA INTEGRITY AND BIAS IN AI MODEL INPUTS
As machine learning adoption grows, the quality and representativeness of input data has become a critical model risk concern. Poorly curated datasets can produce biased or unstable outcomes, especially in credit risk scoring, fraud detection, or anti-money laundering tools. The European Banking Authority’s 2024 report on AI and big data stressed that financial institutions must enforce strict data provenance and integrity standards. It also recommended bias monitoring and adversarial testing, particularly for high-stakes applications like lending decisions.
(EBA Report on Machine Learning in Risk Management, 2024)
05 REGULATORY ESCALATION AND CROSS-JURISDICTIONAL COMPLEXITY
The global regulatory landscape for model risk is rapidly tightening. New requirements under the EU’s Digital Operational Resilience Act (DORA) and the AI Act, alongside evolving expectations from the US OCC and Canadian OSFI, are raising the bar. Financial institutions must navigate cross-border compliance while ensuring consistent model documentation, explainability, and control testing. The Basel Committee has also emphasized that inadequate MRM can threaten prudential soundness. Failure to adapt will expose firms to operational, compliance, and reputational risks.
(Basel Committee Principles for Model Risk Management, 2023, EU AI Act and DORA)
LEGACY RISK WON’T WAIT – FIX WHAT YOU CAN NOW
In this, the second in a short series of articles, this month’s guest editor, Kelly Lake, looks at how to overcome TPRM legacy challenges as part of driving cultural change in financial services
Kelly Lake is a Third Party Risk Manager at Legal & General. She has previously held senior risk and technical management roles at Benchmark Capital and Fusion Wealth
If you read the first article in this series, Driving Value Through Third Party Risk Management: From Friction to Function, you might already be thinking about and even implementing ways to change the perception of third party risk management (TPRM) within your business to ensure it is seen by colleagues and leaders as the value-add that it is.
While this sounds promising in theory, legacy challenges – like poor data quality, outdated systems, and ingrained habits and culture – can make progress feel like an uphill struggle in practice.
A lot of the discourse that takes place around TPRM in professional networking settings and publications requires a suspension of disbelief and a collective delusion: that TPRM exists in a vacuum and can be built from the ground up based on a perfect concept.
The reality is messier, and for most of us will involve obstacles that can sometimes feel insurmountable.
There is a balancing act for professionals who attend networking events, committees and working groups, as full disclosure of the gaps and issues we might grapple with can feel exposing, resulting in a biased picture where it’s easy to feel alone in the challenge, and it can be difficult to differentiate genuine solutions from sales pitches.
Start where you are
Issues such as poor data quality, organizational silos, and legacy systems that aren’t fit for purpose in the modern TPRM landscape all present practical hurdles to be overcome, and there is rarely a magic wand or straightforward ‘right’ way to do so.
Even the most forward-thinking organizations aren’t fortune-tellers. Many are now navigating the consequences of decisions made before today’s risks and expectations were fully understood. If this resonates then you may need to start by shining a light into those dusty corners. Identify what data you have, where it lives, and who owns it.
It’s rarely feasible – or wise – to try solving everything at once. Whether you are dealing with poor quality data, organizational silos, or outdated tooling, it is essential to focus on the issues that directly impact risk scoring, compliance, and decision-making.
What is most urgent and most critical to your organization will be deeply unique, and until you have an honest and realistic picture of the current state, warts and all, and an objective view of the risks and issues you need to tackle, you can’t start to plan your way forward.
Focus on what can be fixed, not who can be blamed
A solution-focussed approach helps to channel collective energy into resolving issues and improving outcomes. When the focus is on learning, adapting, and moving forward you create a safe space for continuous improvement and encourage stakeholders to engage constructively.
Build a business case for change
Getting from where you are to where you want to be is often going to require significant change, which will most likely require significant investment. Creating a clear case to support your proposed program of change – and to justify the costs of implementing it – is crucial.
The first article in this series explored ways to quantify and demonstrate the ROI of TPRM, and that exercise will form the backbone of your argument here.
It’s not always going to be possible to fix the cause of your issues, and it’s not going to achieve maximum impact if you don’t lay the groundwork by identifying those outliers and considering them in your plans.
Turning legacy into leverage
Legacy challenges in TPRM aren’t just obstacles – they’re opportunities to build smarter, more resilient programs. By starting where you are, focusing on what can be fixed, and engaging stakeholders with empathy and intent, you lay the groundwork for meaningful, lasting change.
Progress doesn’t require perfection. It requires honesty, prioritization, and a willingness to evolve.
The path forward may not be linear, but it is navigable. And every step you take – no matter how small – moves you closer to a program that’s not just compliant, but truly value-driving.
WHY ESG FAILS WHEN GOVERNANCE GETS IGNORED
When ESG is discussed, attention typically gravitates toward emissions and labor rights. But for a senior risk manager at a leading European bank, it is governance that presents the greatest vulnerabilities – and where financial institutions too often fall short.
Speaking at CeFPro’s Vendor Risk Europe event, the risk manager noted that unlike many regulated entities, their institution operates without direct ESG regulatory oversight. This absence of external compliance pressure means ESG implementation must be driven internally. “It’s not about ticking regulatory boxes – it’s about culture,” they said.
That internal focus can be a strength, but it’s also a risk. Without regulatory compulsion, governance can be overlooked unless institutions make a conscious effort to prioritise it.
Some ESG components are progressing well. Information security, for instance, has become a key onboarding priority. New third-party relationships are subject to rigorous cybersecurity screening, and robust frameworks are in place to manage ongoing risk.
But governance remains patchy. Business continuity planning is still developing – and as third-party risk becomes increasingly prominent, governance is emerging as a critical lens through which vendors are now being evaluated.
This senior manager emphasized that many ESG frameworks miss the influence of geopolitics on operational and reputational risk. Financial services institutions may feel insulated, especially those not directly involved in trade. However, the growing exposure of technology providers to geopolitical disruption is shifting that assumption.
They highlighted the global implications of recent events, from Russia’s exclusion from SWIFT following its invasion of Ukraine to mounting concerns over Taiwan and the strategic Strait of Taiwan.
Even the threat of a blockade, they argued, could paralyze global financial systems.
Dependencies on U.S. technology giants also raise critical questions about operational sovereignty and systemic resilience – especially if tensions rise between global powers.
As the ESG risk expert put it, “We’ve been lucky so far, but that won’t last.”
To prepare for this evolving risk landscape, ESG thinking must move beyond emissions disclosures and workplace policies. It needs to account for political volatility, climate disruptions, and opaque governance frameworks throughout the vendor ecosystem.
Climate risk, once seen as a long-term concern, is rapidly becoming operationally relevant. The speaker’s bank, they said, has begun stress-testing its physical and digital infrastructure – including data centres – for climate vulnerabilities.
Recent tabletop exercises have explored scenarios like wildfires or extreme weather events hitting major operational hubs. “These aren’t hypothetical risks anymore,” they said. “Fires in Los Angeles and droughts at the Panama Canal are already creating bottlenecks that impact logistics. The financial sector will be hit next – especially through its digital supply chains.”
Yet, the tools to measure and manage climate exposure are still catching up. Scope 3 emissions remain hard to quantify, and real-time climate data is not yet fully integrated into risk systems. Nonetheless, the trajectory is clear: climate risk is accelerating – and it will trigger political and economic consequences that institutions are unprepared for.
What ESG now requires, the speaker argued, is sharper governance – not just more ambitious pledges. This means embedding resilience into the core of ESG risk thinking.
“Risk doesn’t stop at your own balance sheet,” they warned. “In a fragmented world, internal discipline and geopolitical situational awareness may be the only real safeguards we have.”
Mark Norman is Head of Content at CeFPro
NEWS WHAT'S BEEN HAPPENING...
Round up of news stories in August
Risk & Finance in Focus: Latest Headlines
ECCTA Deadline Leaves Financial Firms Sleepwalking to Fraud Disaster
Almost one in four financial services firms are already breaching ECCTA rules, with thousands at risk of corporate liability under new ‘failure to prevent fraud’ laws set to take effect on 1 September. New research shows lax governance, overdue filings, and poor due diligence, painting a troubling picture of a sector ill-prepared for sweeping enforcement action.
Banks Push Back on OCC Crypto Charter
In a coordinated move, five major US banking trade groups have urged the OCC to delay crypto firms’ national trust bank charter applications, citing a lack of public transparency. The request targets applications from firms like Fidelity Digital Assets and Ripple. The call for a pause highlights growing tensions over crypto’s push into regulated banking and raises questions over how far traditional regulators will bend.
Barclays Hit With £42 Million Fine Over Dirty Money Failures
The FCA has fined Barclays £42 million for major lapses in anti-money laundering controls tied to two separate cases involving WealthTek and Stunt & Co. The bank failed to perform basic checks, allowing £80 million in suspect funds to flow through its accounts.
Fed Turns Its Back on Climate as Central Bankers Warn of Economic Collapse
As the US Federal Reserve distances itself from global efforts to address climate risk, international central banks are sounding louder alarms about the severe economic damage unchecked climate change could inflict. A new adaptation framework from the NGFS urges financial institutions to act now – even as the Fed retreats under pressure from the Trump administration.
Microsoft Cyber Attack Hit US Agencies Hard
A major cyberattack exploiting a zero-day flaw in Microsoft SharePoint servers has compromised dozens of US government agencies and businesses. The flaw remains unpatched, prompting global warnings and investigations by authorities in the US, Australia, and Canada.
National Crime Agency Announces Arrests as M&S Cyberattack Fallout Exposes £300 Million Hole
Four young suspects have been arrested in connection with cyberattacks that crippled major UK retailers, including Marks & Spencer, costing M&S an estimated £300 million. As shoppers faced stock shortages and online chaos, the incident laid bare just how fragile retail IT systems are – and how urgently cybersecurity investment must rise up the boardroom agenda.
STARTUPS BREAK FAST: Compliance Must Be Built to Last
Adham Mayassi is Deputy MLRO and Compliance Associate at SmartCrowd, a DFSA-regulated real estate crowdfunding platform. He works at the intersection of regulatory compliance and product development, helping build scalable AML frameworks in resource-constrained FinTech environments.
Joining an early-stage FinTech can feel like boarding a rocket with no safety harness – it’s equal parts thrilling and brutal.
There’s thrill, speed, and innovation – but also risk, pressure, and the constant threat of structural collapse. For compliance leaders, this is not just a warning – it’s a call to action.
Get it right from day one, or risk building a business on regulatory quicksand.
The Early-Stage Reality Check
When you work in an early-stage FinTech, you’re building something new, sometimes pushing the edge of what regulation even covers, but you’re also under-resourced, under pressure, and often operating without a safety net.
If you’ve come from a structured banking environment, it’s a shock. There’s no compliance manual to inherit, no risk matrix to tweak. You’re writing the playbook as you go, and doing it right, early, matters more than most people realize.
Get the Structure Right, Early
Early on, it’s all about building things properly before the stakes get too high. You aren’t dealing with the heavy onboarding volume or customer base that makes systemic changes difficult. This is the window to get your framework right.
The capital and manpower invested now, if allocated wisely, could save you tenfold what you’d spend fixing it later.
That means documenting operational guides, mapping out your risk exposure clearly, and building for scale.
You need to ask yourself early: Where does the risk actually sit in the product? What needs to be protected? What assumptions are we making that could collapse under regulatory scrutiny?
Too often, startups skip these questions to prioritize breaking even. And when they finally get to scale, they’re held back by years of improvised and reactive decision making.
Leadership Buy-In Is Non-Negotiable
The people at the top, the ones steering the company through uncharted waters, need to deeply understand the importance of compliance. It’s not enough to have verbal support. Leadership must recognize that how an idea is implemented matters just as much as the idea itself. Especially in regulated environments, it’s not innovation vs. compliance; it’s innovation through compliance.
Being a yes-man here is dangerous. Yes, accepting crypto might be exciting, but if that becomes the point of failure because no one was willing to challenge the implementation, it could sink the ship.
Compliance is a top-down function. If leadership is comfortable skating by the rules, that attitude will trickle into every team. And by the time the problems are visible, they’ll be systemic.
Know the Product. Inside Out.
If you are not a tech nerd when you start, become one. If UI/UX or backend data flows are foreign to you, fix that. You don’t need to code, but you do need to understand how your compliance obligations translate into product logic.
Product and tech teams rarely have more than a surface-level understanding of regulatory requirements. That’s not a dig, it’s just not their job to think like regulators.
If your infrastructure is not built to allow you to extract the right data at the right time for reporting, you’re setting yourself up for failure. Design compliance into the product, not as an afterthought, but as a foundational layer.
Delegate, Train, and Build with INTENTION
Startups often rely on small teams wearing multiple hats, and that’s fine, if you train them properly. You can’t expect engineers or operations staff to absorb regulatory nuance just from conducting an annual training session. You need to lead that process and invest time in giving your team just enough of a compliance lens to execute the parts relevant to them.
Early stage FinTech firms usually start with just a few people. Everyone has overlapping responsibilities, including compliance. The key is to own the regulatory narrative early, defining what good compliance looks like, and delegate clearly. That will include staying close to the details, managing critical solutions, and making sure that the compliance controls are implemented as designed.
If you can do that, you’re not just managing the risk, you’re building a function that can scale and replicate. That is the difference between a reactive compliance department and a strategic compliance team that drives growth.
Conclusion: Build It Once, Build It Right
The foundation you build now will either support your scale, or collapse under it.
Don’t settle for being a passenger on the rocket ship. If you’re in compliance, you’re one of the people holding the ship together mid-flight. Treat that responsibility with the seriousness it demands.
The Clock is Running Down on Non-Financial Risks
Financial services firms face escalating non-financial risks over the next three months – from cyber threats and operational disruption to deteriorating credit, third-party failure, regulatory shifts, and climate shocks.
Industry surveys and supervisory reports signal rising vulnerabilities across each front, and suggest institutions must act swiftly to meet the emerging threats they will face.
Cyber resilience, supply chain oversight, credit quality, culture and regulatory readiness, and climate instability all represent short-term risk exposures.
Cyber AI Attacks Surge
45% of financial services firms reported AI-powered cyberattacks – including deepfakes and phishing – over the past year
Source: Axios
Cyber Incidents Top Global Business Risk
Cyber ranked #1 in the Allianz Risk Barometer, with 38% of 3,700+ risk executives identifying it as their primary concern
Source: Insurance Journal
Business Interruption Escalates
31% of respondents in the same survey cited business interruption – often tied to cyber events or supply chain breakdowns – as their #2 risk
Source: Allianz
Cyber Risk Dominance in 2025 Strategy
72% of global cybersecurity leaders cite rising cyber risk – particularly ransomware and generative AI threats – as their top near-term concern
Source: World Economic Forum
Financial Crime Risk Climbs
More than 71% of financial services executives anticipate rising financial crime risk in 2025, driven by AI-enhanced fraud
Source: Kroll.com
Bad Loan Vulnerability Rises
9% of euro area banks reported credit quality tightening due to worsening non-performing loans to firms in Q2 2025, expecting persistence into Q3
Source: Axios
DIGITAL TRANSFORMATION
Cutting Through the Noise in 2025
Andrew Rollins is the Associate Director of Digital TPM at 3VRM, helping businesses to manage third party risk across the whole vendor cycle. He previously worked at Barclays and Deloitte.
‘Agentic AI’, ‘Automation’, ‘Real-Time Decision Making’, ‘Digital Transformation’ – buzzwords and phrases that have been tossed around without regard in recent years. Business influencers and consultants have been pushing the supposed benefits without much real evidence of success – offering a quick fix for all types of problems and challenges, seemingly solved by adding ‘AI’ to all marketing material.
However, are we starting to see some changes? For financial services and risk professionals, it’s no longer about chasing shiny tech; it’s about making smarter decisions, building better business models, and actually delivering value.
At 3VRM, we’ve spent the last year working with our clients to map out digital strategies. We’ve learned a lot - what works, what doesn’t, and where the real opportunities lie. And if there’s one thing we’ve realized, it’s that transformation isn’t just about tech. It’s about people, process, and purpose.
Five Things We’ve Learned
Let’s cut through the jargon. Digital transformation isn’t really about technology – it’s about making things work better. After a year of pitching, piloting, and pushing through resistance, we’ve learned a few things worth sharing.
1. It’s Not About the Tools; It’s About the Outcome
We’ve seen plenty of organizations get excited about shiny platforms. Unless those tools solve a real problem, they’re just expensive distractions. When we work with our clients, the best transformations start with a clear business case, goals and trackable targets. That’s the kind of clarity that gets buy-in from stakeholders.
2. People First, Always
One of the biggest myths?
Digital Transformation is about replacing people. It’s not. It’s about creating capacity. With our focus in TPM we’ve used tech to eliminate spreadsheet hell and reduce onboarding times, not headcount. If your solution doesn’t make life easier for the end user, it’s not a solution.
3. Buzzwords Don’t Mean Success
We’ve all sat through presentations filled with ‘synergy’, ‘agility’, and ‘digital-first’. What resonates is authenticity. Challenge your technology providers, understand how it works. Transformation should be practical, not performative.
4. You Need a Plan and a Backup Plan
Transformation is messy. Timelines slip. Stakeholders change. You might fail. You shouldn’t be paralyzed by fear but be prepared for the fact that very rarely do things go perfectly. Having a plan is important but being flexible is even more important.
5. Transformation Is a Journey, Not a Sprint
This one’s a cliché, but true. You don’t ‘do’ digital transformation in a quarter. It’s a continuous process of improvement that is never really finished.
The AI Hype Cycle: Where Are We Now?
It would be remiss of me not to focus on AI. It’s everywhere – according to Gartner’s 2025 Hype Cycle, we’re smack in the middle of the ‘Peak of Inflated Expectations’.
AI agents and AI-ready data are the hot topics, everyone’s talking about them, investing in them, and dreaming up use cases, but the reality is more nuanced.
Yes, AI has huge potential. But it’s not a magic wand. Success depends on aligning AI with business goals, having the right infrastructure and data, and making sure your teams know what they’re doing. At 3VRM, we’re seeing AI used effectively in some areas, but we’re also seeing a lot of overpromising and underdelivering.
So, what’s our take? Be excited but be realistic. Use AI where it makes sense, and don’t get swept up in the hype.
Start with the problem, not the technology.
Final Thoughts
Digital transformation in 2025 is about cutting through the noise. It’s about being clear on your value, choosing the right partners, and delivering outcomes - not just outputs. Whether you’re a bank, insurer, or fintech, the principles are the same: start with the problem, not the technology. Build something that works. And don’t forget your people.
If you’re planning your own transformation journey, ask yourself: are you chasing hype, or solving real problems? The answer could make all the difference.