CONNECT MAGAZINE - ISSUE 9



Complexity, Clarity and the Next Big Opportunity

Why Finance Still Runs the World

Complexity & Opportunity: Why double-entry bookkeeping may be history’s greatest invention – and your next big edge

Out of the Box Thinking: Alice Kelly on why banks must embed compliance or brace for crisis

Keeping it Human: Adam Ennamli on why keeping it simple is the winning cybersecurity formula

How Deep is Deep Enough: The hidden supply chain threats conspiring to be your next big crisis

connect.cefpro.com/magazines

This month’s new features in Connect Magazine

EDITOR’S FOREWORD: From Complexity to Control. The Next Six Months in Non-Financial Risk
Andreas Simou, Managing Director, CeFPro

BEYOND THE NUMBERS: COMPLEXITY AND OPPORTUNITY IN FINANCE
Professor Clive Deadman on why the transparency and virtual nature of financial services will drive competitive advantage in an increasingly data-driven world.
Professor Clive Deadman, Director at 1905 Investments and author

TRENDWATCH: MODEL RISK IS EXPLODING—HERE ARE THE 5 TRENDS KEEPING CROS AWAKE IN 2025
From emerging technologies to climate targets, our Trendwatch feature picks up the 5 key things that are giving risk managers sleepless nights in 2025

NEWS IN REVIEW
Our 3-minute read catches you up on some of the news stories and events that have been on the risk news agenda around the world over the last month

INFOGRAPHIC
How rising third-party risk and tight budgets are driving financial firms to adopt generative AI

ONSTAGE: KEY SPEAKERS TO WATCH
Vendor and Third Party Risk Series 2025 Stand Out Speakers

MANUAL MADNESS: IS TPRM DROWNING IN PAPER CUTS?
Mark Norman asks whether it is outdated legacy approaches to Third Party Risk Management rather than the supply chain itself that pose the greatest threat to effective risk management
Mark Norman, Head of Content, CeFPro

COMPLIANCE BY DESIGN OR CRISIS BY DEFAULT? WHY BANKS MUST STOP TREATING REGULATION AS A FIRE DRILL
Alice Kelly examines why embedded compliance and regulatory agility are key factors in maintaining competitive advantage.
Alice Kelly is Head of Programming at CeFPro

THE HIDDEN COST OF SILOED AND INEFFICIENT MODEL RISK MANAGEMENT
Ife Osakuade looks at how automation could eliminate opportunity cost within financial services risk management
Ife Osakuade, founder of Modelstacks

WHY COMPLEXITY IS THE ENEMY OF CYBERSECURITY
Regular Connect contributor Adam Ennamli champions simple, human-centred cybersecurity over complexity and cosmetic compliance.
Adam Ennamli is the Chief Risk, Compliance and Security Officer at the General Bank of Canada

CAREERS: HOW ROCCO FANCIULLO TURNED CLIMATE RISK INTO A STRATEGIC WEAPON
Regular Connect contributor Chandrakant Maheshwari discovers how Rocco Fanciullo embedded climate risk into banking strategy before mandated regulation.
Rocco Fanciullo, Head of Liquidity Risk Management, Unicredit

HOW FAR IS TOO FAR? THE BRUTAL TRUTH ABOUT SUPPLY CHAIN BLIND SPOTS
Anifat Atanda challenges financial institutions to identify flaws in supply chain oversight
Anifat Atanda, Enterprise Risk Manager, First Bank of Nigeria Limited

From COMPLEXITY to CONTROL

The secret to staying ahead

Magazine team

Publisher Andreas Simou

Managing Director CeFPro andreas.simou@cefpro.com

Marketing

Ellie Dowsett Growth Marketing Manager CeFPro ellie.dowsett@cefpro.com

Editor

Mark Norman Head of Content CeFPro mark.norman@cefpro.com

Sales & Advertising

Chris Simou Head of Sales CeFPro chris.simou@cefpro.com

Design

Natasha Marino Head of Design CeFPro natasha@cefpro.com

The Next Six Months in Non-Financial Risk

A very warm welcome to the June edition of Connect Magazine.

As I write this, just a week or so after our flagship Risk Americas event drew to a close in New York, the Court of International Trade has ruled that Donald Trump’s trade tariffs exceeded his executive powers and must be rolled back.

Given the immediate appeal lodged by the Trump administration against the ruling, by the time you read this, things will likely have changed again. But whether the tariffs stick or not, they are emblematic of what has been something of a tumultuous first half of the year.

Fiscal and economic policy both in the U.S. and Europe will naturally continue to color the work we do in the non-financial risk sector – but as we prepare to embark on the next six months, what might be the challenges and issues lying in wait?

First, the regulatory drumbeat continues. Compliance is not easing up – it’s accelerating, and risk managers will be expected to demonstrate not just awareness, but action, particularly in areas where frameworks remain immature or fragmented.

Cybersecurity and AI remain dominant concerns, and in a climate of increased high profile breaches, boards are no longer satisfied with abstract assurances. They want metrics, response rehearsals, and a tangible shift from passive protection to proactive resilience.

Supply chain fragility, geopolitical instability, and increasing regulatory scrutiny will push financial institutions to map deeper, monitor smarter, and move faster.

And finally, climate and sustainability-linked risks are moving from strategic talking points to operational headaches.

In short, non-financial risk managers will need to be able to articulate big-picture risk implications and execute granular operational responses. The next six months will test not only the strength of frameworks and systems, but the agility and foresight of the people who run them.

I hope you enjoy this edition of Connect Magazine. If you’d like to guest edit a forthcoming edition, or are interested in advertising with us, please get in touch – our contact details are opposite.

BEYOND THE NUMBERS:

Complexity and Opportunity in Finance

After starting work as an engineer, Clive Deadman spent 9 years in private equity/corporate finance and then 20 years with United Utilities and Electricity Northwest. In recent years Clive has worked as Chair and Non-executive Director of a range of organizations and is a Professor of Water and Energy.

This article discusses the results of 650 interviews with c-suite executives from numerous different industries and contains extracts from Risk, Opportunity & Performance: The Art of taking Worthwhile Risks.

I haven’t admitted it to my friends yet, but I think double entry bookkeeping is arguably the most exciting invention ever.

By making fraud difficult, investors can invest… and pretty much all other innovations then become possible.

The fact that financial services can make a claim to have sponsored the greatest innovation ever illustrates some of the unique and all-pervasive characteristics of the sector. It also gives us clues on where we might first look for new opportunities.

Let me explain...

What Is So Special About Finance?

Firstly, ‘finance’ is desperately important. All commercial activity is wholly dependent on financial services of one form or another.

But the financial services organizations have another unique quality. They are, compared with all other industries, more ‘transparent’. This means they have lower levels of what I refer to as ‘un-managed complexity’.

Un-Managed Complexity

The challenge when managing value and performance in any activity is having the information you need to make a good decision. And this is harder than it looks, because in business there are two ‘worlds’ which need to be managed:

• Physical world: Where goods are manufactured and delivered, customers receive services, and our employees get paid and live their lives.

• Virtual world: This is where activity is administered. Records are kept of stock, debtors and cash and assets that need to be managed.

The eternal challenge is to ensure the ‘virtual’ world contains sufficiently accurate records of what a corporation did, does and will own, create and sell.

If information is poor the business is not ‘transparent’ and managers can’t see and manage value well. It has a high level of ‘un-managed complexity’. This means everyone in the organisation needs to rely on others to be efficient and effective.

This particularly applies to business leaders. The chair of the board and CEO may have huge authority, but they will also experience the greatest separation from the day-to-day information that decision making needs.

The exciting thing about financial services which is different from all other activity is that the products and the services it provides wholly exist in the ‘virtual’ world.

That is not to say there is no ‘physical’ world for an insurer or a bank. There is. Employees live and work in the physical world. They can be tempted to commit non-compliant acts. And customers and counterparties are all ultimately human. But all the same, compared with all other industries, properly managed financial services ought to have comparatively low levels of un-managed complexity.

Does that mean they are easy to manage? Sadly, no, because there is another factor to consider.

That is ‘business climate’. And financial services operate in undoubtedly the most demanding business climate of all.

What is Business Climate?

We are not talking about net zero or climate change here. We are talking about the rigor and volatility of regulation, and the ‘clock speed’ of competition.

The world over, financial services operate in the harshest and most challenging of all ‘business climates’. If you work in the sector I don’t need to explain this any further. But for observers new to the sector, it’s really tough.

Regulators keep introducing new requirements, and while implementation is intended to be progressively ‘risk based’, courts across the globe retrospectively reinterpret customer and counterparty entitlements.

We should try not to complain – financial services are so fundamental to all activity that this level of scrutiny and oversight is inevitable. But what does all this mean? How can any of this help us find personal and corporate opportunities?

As a start point, it helps us know where to look for opportunity.

Compared with all other sectors the regulatory environment in financial services is demanding and tough. But there are differences. Smaller businesses also get something of a free pass, and other activities, such as trading, have particularly aggressive business climates.

So if you are a business looking to adopt new compliance measures, you may find the people and the systems you need in the highest value and most rigorously regulated sectors.

Introducing effective compliance measures might not be sexy but it can confer competitive advantage and it does keep business leaders in employment and out of prison.

If you’re thinking of a career move, look to those industries who will most value your skills.

In every industry – shipping, infrastructure management, medicine and advertising – we see future business leaders learning their trade in higher value, low un-managed complexity sectors before moving on and up into senior leadership roles to transform and enhance less well organised businesses.

And with artificial intelligence and machine learning upon us, the ability to use information for competitive advantage might even become more exciting than double entry bookkeeping.


COMPLIANCE BY DESIGN OR CRISIS BY DEFAULT?

Why Banks Must Stop Treating Regulation as a Fire Drill

As technology accelerates and regulatory frameworks grow ever more complex, financial institutions are confronting a fundamental truth: regulatory compliance can no longer be treated as a back-office burden.

Instead, it must be embedded from the very start of product and process design. According to the European Head of Sustainable Finance at a global investment bank, this cultural and structural shift is not only urgent – it’s inevitable.

In a panel on adapting to regulatory change at CeFPro’s recent Risk Evolve conference, the message was clear: compliance can no longer function in isolation.

One senior compliance leader at a UK bank emphasised that regulatory horizon scanning and proactive response planning are now critical capabilities, particularly for institutions operating across multiple jurisdictions.

“Staying on top of monitoring requirements globally is a challenge,” the sustainable finance expert said. “It requires deep collaboration between business lines and control functions.”

For many, the friction lies in ownership. Who should ultimately be responsible for regulatory change – the compliance team or the front-line business?

“Ownership belongs where the risk lies,” said the Head of Regulatory Controls at a major UK bank. She described the importance of a strong relationship between the first and second lines of defence to ensure that risks are identified early, and controls are implemented effectively.


Argiro Ouraniou, Head of Compliance Risk Management and Governance at Eurobank, agreed, adding: “Compliance risk comes from doing business. Making sure the first line takes ownership is one of the ultimate points to ensure alignment and compliance.”

But with regulatory requirements shifting so quickly, how can financial institutions remain operationally effective?

The answer lies in building agility not around speed, but around prioritisation.

“Agility has a different definition in regulatory frameworks,” said Ouraniou. “Non-compliance is not an option. It’s about identifying higher-risk areas and prioritising resources accordingly.”

Ouraniou argues for a model of ‘compliance by design’, where compliance is not a final checkpoint but an integrated part of product development, policy creation and procedural planning.

This cultural evolution extends to skill sets as well. The traditional view of compliance professionals as rulebook enforcers is quickly becoming obsolete.

Today, they must be persuasive communicators, strategic thinkers, and credible business partners.

“It’s not enough to be technically proficient,” Ouraniou said. “Soft skills – what we now call power skills – like stakeholder management, communication and influence, are essential.”

There is also growing pressure on compliance teams to be tech-literate, especially as artificial intelligence, automation and data-driven decision-making become foundational in modern banking.

“We need to be AI literate,” Ouraniou added, highlighting the shift in compliance expectations from regulatory interpretation to risk-driven strategic advisory.

Critically, Ouraniou and her peers see positive signs as the silos between first and second lines of defence begin to erode.

“When collaboration starts, you realise the benefits, and you can’t go back to working in silos,” she said.

“Compliance people are becoming more business aware.”

Even relationships with regulators are evolving. Rather than waiting for enforcement actions, many institutions are now proactively engaging with supervisors to align expectations early. “They’re becoming more open to dialogue because they too are adapting to new risks and technologies.”

Ultimately, the call from this panel was not for incremental improvement, but for a fundamental rethinking of how financial institutions approach compliance.

Those that continue to treat regulation as a checklist may find themselves constantly reacting—and falling behind. Those that embed compliance into the DNA of their business will be positioned to lead.

Ready for isolated integrated capital planning?

Don’t let economic uncertainties and regulatory pressures increase costs in your capital planning. Transform balance sheet management and ICAAP with FIS® Balance Sheet Manager.

Equipped with extensive modelling, scenario and simulation capabilities, our integrated solution boosts insights, balances risk and improves internal controls and compliance to make your money work harder.

Unlock modern balance sheet management. Visit: https://www.fisglobal.com/products/fis-balance-sheet-manager

THE HIDDEN COST

Of Siloed and Inefficient Model Risk Management

Ife Osakuade is the Founder of ModelStacks, an intelligent model risk infrastructure that helps banks manage model documentation with speed and transparency. Ife previously worked as the Global Product Owner for Regulatory Compliance at B4B Payments (a Banking Circle company).

Banks today rely on hundreds or even thousands of quantitative models for everything from credit scoring to capital planning. Yet many institutions still manage model risk in silos with legacy processes.

Documentation is scattered in spreadsheets and Word files, validation workflows are manual, and each business unit may follow its own approach.

These inefficiencies carry hidden costs: high labour expenditure, slow time-to-market for models, and elevated operational risk. Crucially, they also undermine a bank’s ability to meet ever-tightening regulatory standards for model risk management (MRM).

The U.S. Federal Reserve’s SR 11-7 and OCC 2011-12 guidance (2011), as well as the UK’s Prudential Regulation Authority Supervisory Statement SS 1/23 (2023), and Canada’s Guideline E-23 on Model Risk Management, which is set to come into effect on July 1, 2025, all demand rigorous model governance, independent validation, and comprehensive documentation.

Legacy MRM Systems: Hidden Costs and Risks

Siloed MRM processes exact a toll in ways that may not show up directly on balance sheets. For one, they drain skilled resources.

As model inventories grow, highly paid risk experts end up spending countless hours on routine tasks – copying data between systems, writing repetitive report sections, chasing information across departments.

Recent analyses note that the explosion of models (including AI/ML models) has overwhelmed MRM teams, leading to validation backlogs and delays.

Simply adding more staff is not a sustainable fix, because human-centric processes scale poorly and remain error-prone.

At almost every bank, inventory discipline is maintained through a manual process of attestation: model owners or functional heads for every business unit are asked to sign off on the complete set of models that fall within their domain of ownership and responsibility.

Attestations are typically performed via email: a model risk manager submits the list of models that the inventory indicates are owned and maintained by a particular model supervisor, owner, or functional head, and obtains confirmation by return email.

Such a process can be time-consuming, tedious, and error-prone, especially given the number of handoffs that may be involved.

Some models may simply be overlooked in the process, some may be orphans (models without owners as a result of staff turnover or reorganization), and some orphans may no longer be in use. Resolving these discrepancies often requires numerous iterations of the attestation process to determine the current correct ownership of orphan models.

Also, it’s ironic that building and maintaining a model inventory is still a manual, twentieth-century process at most financial institutions.

The fact is that most banks still cannot produce real-time metrics for how many models are being used, how often, and where, or even whether any models have slipped through the governance control framework and gone into production without first being validated – a strict regulatory requirement in the United States (Federal Reserve Board 2011).
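The checks that the manual attestation round described above is meant to perform can be run mechanically once the inventory, the HR roster and the production scheduler log are in machine-readable form. The following is an added example, not code from the article or from ModelStacks; every model, employee id and date in it is constructed, and the 90-day staleness threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Model:
    model_id: str
    name: str
    owner: str                    # employee id as recorded in the inventory
    business_unit: str
    validated_on: Optional[date]  # None: no completed independent validation


@dataclass(frozen=True)
class ProdRun:
    model_id: str
    last_run: date
    runs_90d: int                 # executions in the scheduler log, last 90 days


# --- Constructed sample records (hypothetical, not real bank data) ---------
INVENTORY = [
    Model("M-001", "Retail PD scorecard", "E100", "Retail", date(2024, 11, 2)),
    Model("M-002", "Mortgage LGD", "E101", "Retail", date(2023, 5, 10)),
    Model("M-003", "Liquidity stress engine", "E102", "Treasury", None),
    Model("M-004", "Legacy fraud rules v1", "E103", "Operations", date(2019, 1, 15)),
    Model("M-005", "AML transaction scoring", "E104", "Compliance", None),
]
# HR roster of active staff (employee id -> business unit). E101 and E103 have left.
ACTIVE_STAFF = {"E100": "Retail", "E102": "Treasury", "E104": "Compliance", "E105": "Retail"}
# Production scheduler log: what actually ran. M-099 was never registered at all.
PROD_LOG = [
    ProdRun("M-001", date(2025, 6, 1), 1200),
    ProdRun("M-002", date(2025, 5, 28), 310),
    ProdRun("M-003", date(2025, 6, 3), 4),
    ProdRun("M-004", date(2024, 9, 30), 2),
    ProdRun("M-099", date(2025, 6, 4), 57),
]
AS_OF = date(2025, 6, 5)


def orphan_models(inventory, active_staff):
    """Models whose recorded owner is no longer on the active-staff roster."""
    return sorted(m.model_id for m in inventory if m.owner not in active_staff)


def unused_orphans(inventory, active_staff, prod_log, as_of, stale_days=90):
    """Orphans with no production run in `stale_days`: decommission candidates,
    not models to chase a new owner for."""
    last_run = {r.model_id: r.last_run for r in prod_log}
    cutoff = as_of - timedelta(days=stale_days)
    return [mid for mid in orphan_models(inventory, active_staff)
            if mid not in last_run or last_run[mid] < cutoff]


def unvalidated_in_production(inventory, prod_log):
    """Registered models running in production with no completed validation."""
    in_prod = {r.model_id for r in prod_log}
    return sorted(m.model_id for m in inventory
                  if m.model_id in in_prod and m.validated_on is None)


def attestation_lists(inventory, active_staff):
    """Per-owner model lists for an attestation round. Ownerless models go under
    'UNASSIGNED' so they are chased explicitly rather than silently dropped."""
    lists = {}
    for m in inventory:
        key = m.owner if m.owner in active_staff else "UNASSIGNED"
        lists.setdefault(key, []).append(m.model_id)
    return {k: sorted(v) for k, v in lists.items()}


def usage_metrics(inventory, prod_log):
    """The inventory-versus-production figures the article says most banks
    cannot produce on demand."""
    registered = {m.model_id for m in inventory}
    in_prod = {r.model_id for r in prod_log}
    return {
        "models_in_inventory": len(registered),
        "models_in_production": len(in_prod),
        "runs_90d": sum(r.runs_90d for r in prod_log),
        "registered_not_in_production": sorted(registered - in_prod),
        "in_production_not_registered": sorted(in_prod - registered),
    }


if __name__ == "__main__":
    print("orphans:", orphan_models(INVENTORY, ACTIVE_STAFF))
    print("unused orphans:", unused_orphans(INVENTORY, ACTIVE_STAFF, PROD_LOG, AS_OF))
    print("unvalidated in production:", unvalidated_in_production(INVENTORY, PROD_LOG))
    print("attestation lists:", attestation_lists(INVENTORY, ACTIVE_STAFF))
    print("metrics:", usage_metrics(INVENTORY, PROD_LOG))
```

The "in production but not registered" and "unvalidated in production" lists are the two findings a regulator would care about most; the others drive the attestation workload.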

Modernizing with AI: Efficiency and ROI

To turn MRM from a cost centre into a strategic asset, banks must modernize their legacy processes – and automation is proving to be the key enabler.

Generative AI and intelligent workflow tools can take on labour-intensive tasks, particularly in model documentation and attestation. For example, generative AI can draft model documentation and validation reports, a capability that some institutions are already using today.

Instead of model developers spending days writing up conceptual soundness, an AI assistant can generate a first draft in minutes – complete with standardized language and key details – for the human expert to refine.

This not only saves time but also ensures consistency and thoroughness.

Intelligent Agent Approach

One solution that financial institutions might consider in addressing these challenges is the automation of the documentation and attestation lifecycle through collaboration with an intelligent agent.

From data ingestion and model auto-logging to AI-driven content generation and collaborative review, banks and other financial organizations can not only meet compliance requirements but also enhance transparency, accuracy and operational efficiency in their model risk management processes.

A benefit of this approach, beyond the reduction of unnecessary manual effort, is having certainty around compliance with regulatory standards.

By leveraging advanced AI, fine-tuned Small Language Models (SLMs) and a multi-agent orchestration system, automating documentation transforms the compliance process into a dynamic, continuously updating and collaborative workflow.


AUDIO & PODCAST SERIES

Lead the conversation in risk

Risk Leaders Connect is the go-to audio and podcast series for risk professionals who think ahead. From industry-shaping insights to straight-talking CROs, we bring you sharp, essential conversations that inform, inspire, and elevate your decision-making.

Whether you’re managing financial, operational, or emerging risks, this is your space to stay ahead of what’s next.

Candid Conversations with Industry Leaders

Actionable Insights, Not Just Talk

A Global Community of Risk Professionals


MODEL RISK IS EXPLODING

Here Are the 5 Trends Keeping CROs Awake in 2025

In 2025, those of us working in the risk management field are facing a model risk landscape that is more volatile, opaque, and politically charged than ever before.

From the disruptive rise of generative AI to the escalating demands of climate risk modeling, the traditional guardrails of model governance are being stretched thin.

Here are the five most urgent model risk management (MRM) trends that CROs must confront.

01 AI AND GENERATIVE MODELS: THE NEW FRONTIER OF UNCERTAINTY

The rapid adoption of AI - especially generative models - has introduced new layers of complexity into financial modeling. While these tools offer efficiency gains, they also pose significant risks, including hallucinations, data bias, and lack of interpretability.

U.S. Treasury Secretary Janet Yellen has highlighted these concerns, noting that AI-related risks have moved towards the top of the regulatory agenda (Reuters).

The Bank of England is considering including AI in its annual stress tests, reflecting the growing regulatory focus on AI’s impact on financial stability (Financial Times).

02 CLIMATE RISK MODELING: A SYSTEMIC STRESS TEST

Climate change is no longer a distant threat; it’s a present-day risk that financial institutions must model accurately. The Financial Times reports that climate-fueled catastrophes cause hundreds of billions in losses annually, with insurance companies retreating from high-risk areas, shifting financial burdens to individuals and governments.

Banks must now integrate climate risk into their models, accounting for both physical and transition risks, to ensure resilience in the face of environmental volatility.

03 REGULATORY PRESSURE: FROM PRINCIPLES TO ENFORCEMENT

Regulators are intensifying their scrutiny of model risk management practices. The UK’s Prudential Regulation Authority (PRA) has set out expectations for banks’ management of model risk, emphasizing the need for a strategic approach to MRM.

Similarly, the U.S. Office of the Comptroller of the Currency (OCC) and the Federal Reserve are focusing on model risk in their supervisory activities.

Financial institutions must ensure compliance with these evolving standards to avoid regulatory penalties (Global Association of Risk Professionals).

04 TALENT AND COST PRESSURES: THE HUMAN CAPITAL SQUEEZE

The demand for skilled professionals in model risk management is outpacing supply. A survey by the Risk Management Association (RMA) found that the main challenges to expanding model validation capabilities are cost and talent shortages, with 69% and 56% of respondents citing these issues, respectively.

Financial institutions must invest in training and retaining talent to maintain robust MRM frameworks. (Risk Management Association)

05 CYBERSECURITY & OPERATIONAL RESILIENCE: THE DIGITAL IMPERATIVE

As financial institutions increasingly rely on digital models, cybersecurity and operational resilience have become critical components of model risk management. Protiviti’s 2024 survey highlights that interest rates and cybersecurity risks are among the top concerns for financial services leaders.

Ensuring the security and reliability of models is essential to protect against data breaches and operational disruptions. (Protiviti)

NEWS WHAT'S BEEN HAPPENING...

Round up of news stories in June

Risk & Finance in Focus: Latest Headlines

AI Hype Meets Hard Truths in Third-Party Risk Management Revolution

AI is being hailed as the answer to third-party risk management’s mounting complexity, but a new survey reveals that most organisations are still far from delivering on that promise. While leadership teams are keen to automate due diligence and mitigate rising financial exposures, adoption remains nascent and heavily constrained by budget, legacy tech, and skills gaps.


Global Financial Regulators Turn Up the Heat on Climate Risk Compliance

Climate-related financial regulation is entering a new era, as authorities in the UK, EU, Japan, and globally unveil proposals and reviews that raise the bar for oversight. From the PRA’s upgraded expectations on governance and risk management to the ECB’s critique of diluted EU standards, the ISSB’s IFRS S2 amendments, and Japan’s survey on transition plans, the global push for green finance accountability is intensifying.


AI vs Hybrid Hackers: Banks Race to Reinvent Cyber Defences Before It’s Too Late

CIOs in financial services are turning to AI to outpace a new breed of cyberattack. As hybrid threats grow more complex, exploiting both cloud and on-premise systems, institutions are revamping outdated defences. From AI copilots to automated threat detection, the battle for cyber resilience is intensifying—and it’s no longer just about prevention, but survival through speed, integration, and strategy.


EU Targets Shadow Banking in Landmark Stress Test Shake-Up

European regulators are preparing their first system-wide stress test for non-bank financial institutions, reflecting growing unease over hedge funds, private equity, and money market funds. With a quarter of eurozone loans now sitting outside traditional banks, the EU aims to expose hidden risks and tighten oversight of this fast-growing but lightly regulated sector.


Wells Fargo Nears Regulatory Breakout After Years Under Fed Asset Cap

Wells Fargo CEO Charlie Scharf says the bank is nearing the end of its long regulatory reckoning, with just two consent orders remaining – including the $1.95 trillion asset cap imposed in 2018. After years of overhauls, risk management reforms, and leadership changes, the bank is positioning itself for renewed growth, especially in retail deposits.


Why COMPLEXITY is the ENEMY of CYBERSECURITY

Adam Ennamli is not impressed by flashy cybersecurity dashboards or complex compliance frameworks that bury risk teams in administration while attackers quietly slip past the perimeter.

As Chief Risk, Compliance and Security Officer at the General Bank of Canada, his approach to cybersecurity is both resolutely practical and refreshingly human.

“We invest in the things that actually stop breaches,” he says. “Not just the things that look good in a board presentation.” And often, those tools are surprisingly basic.

Ennamli points to hardware security keys as a prime example of this, saying: “They’re one of our foundational controls because they dramatically reduce credential-based attacks, which are still the number one way adversaries gain access.”

Combined with enforced password policies through browser-based password managers, Ennamli has created a low-friction but high-impact defence at the very point where most breaches originate: the user.

“These tools typically cost less than a single incident response,” he notes. “And yet, they provide enterprise-grade protection.”

But even the most effective past investments are not a guarantee of future safety.

“What’s worked for the last few years might not work for the next five,” Ennamli warns. “AI and fast-moving sub-trends are changing the threat landscape. So while we continue to use accessible technology to protect endpoints, we’re constantly reassessing our assumptions.”

When asked which low-profile tool he believes delivers disproportionate value, Ennamli doesn’t hesitate. “Network segmentation using software-defined perimeters,” he says. “It acts like a digital airlock. If malware enters one segment, it’s contained. It doesn’t spread laterally across the infrastructure.”

It has a compelling additional benefit, too, in that compared to traditional perimeter security, the software-defined perimeter model isn’t just more agile – it’s cheaper: “You get enterprise-scale containment capabilities at a fraction of the cost,” Ennamli says. “And that’s what keeps a malware event from turning into a system-wide crisis.”

Despite the temptation to stack layers of security tools on top of one another, Ennamli insists that simplicity is paramount. “If security controls require too much time or effort, people will find ways around them. That’s not a user problem – it’s a design problem.”

He and his team conduct regular ‘friction assessments’ to test how usable each control actually is.

“If users are bypassing your controls, that’s where you simplify. You can’t force complexity on people. It’s your job as a security leader to implement solutions that are both simple and secure.”

In other words, the best cybersecurity controls are invisible. “The most effective tools operate quietly in the background. They protect without interrupting. And that’s what makes people actually use them.”

Measuring success in cybersecurity is notoriously difficult, especially when the most valuable outcome is the breach that never happened.

Still, Ennamli doesn’t leave return on investment to chance. “We track near-miss events: phishing attempts blocked, unauthorised access stopped, suspicious downloads quarantined. These are leading indicators of value.”

And he is blunt about the cost of inaction. “Every prevented incident represents a saving. When you consider that average breach costs dwarf our security investments, the ROI speaks for itself.”
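The near-miss indicators Ennamli describes (phishing blocked, unauthorised access stopped, suspicious downloads quarantined) can be produced from the logs the controls already emit. The following is an added example, not code from the article or from the General Bank of Canada; the JSON-lines log format, the source names and every event in it are constructed, and the mapping of source/action pairs to indicators is an assumption that would be adjusted to a real estate’s tooling.

```python
import json
from collections import defaultdict

# Constructed SIEM-style export (JSON lines) from three controls: the mail
# gateway, the identity provider (IdP) and endpoint detection and response
# (EDR). Hypothetical data; the last line is deliberately corrupt.
SAMPLE_LOG = """\
{"ts": "2025-04-03T09:12:00Z", "source": "mail_gateway", "action": "block", "reason": "phishing"}
{"ts": "2025-04-09T14:20:11Z", "source": "idp", "action": "deny", "reason": "mfa_failed"}
{"ts": "2025-04-15T11:02:45Z", "source": "edr", "action": "quarantine", "reason": "malicious_download"}
{"ts": "2025-04-16T08:40:00Z", "source": "mail_gateway", "action": "deliver", "reason": "clean"}
{"ts": "2025-05-02T10:05:30Z", "source": "mail_gateway", "action": "block", "reason": "phishing"}
{"ts": "2025-05-02T10:06:02Z", "source": "mail_gateway", "action": "block", "reason": "phishing"}
{"ts": "2025-05-20T17:55:19Z", "source": "idp", "action": "deny", "reason": "hardware_key_missing"}
{"ts": "2025-05-21T07:30:00Z", "source": "edr", "action": "allow", "reason": "clean"}
{"ts": "2025-06-01T12:00:00Z", "source": "mail_gateway", "action": "block", "reason": "phishing"}
{"ts": "2025-06-04T16:45:10Z", "source": "idp", "action": "deny", "reason": "mfa_failed"}
this line is not JSON and must be skipped, not crash the report
"""

# Which (source, action) pairs count as each of the three near-miss indicators.
# Assumed mapping; a real deployment would key this off its own tools' schemas.
NEAR_MISS_RULES = {
    "phishing_blocked": ("mail_gateway", "block"),
    "unauthorised_access_stopped": ("idp", "deny"),
    "suspicious_download_quarantined": ("edr", "quarantine"),
}


def parse_events(text):
    """Parse JSON lines, skipping blank and malformed ones; returns (events, skipped)."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def classify(event):
    """Map one event to a near-miss label, or None if it is not a near miss."""
    for label, (source, action) in NEAR_MISS_RULES.items():
        if event.get("source") == source and event.get("action") == action:
            return label
    return None


def monthly_near_misses(events):
    """{'YYYY-MM': {label: count}}; every label is present so zeros are visible."""
    counts = defaultdict(lambda: {label: 0 for label in NEAR_MISS_RULES})
    for event in events:
        label = classify(event)
        if label is not None:
            counts[event["ts"][:7]][label] += 1
    return dict(counts)


def silent_controls(monthly):
    """(month, label) pairs with zero events. A control that reports no near
    misses is more likely to have a logging gap than a quiet month, so these
    are checked before the numbers reach a board pack."""
    return sorted((month, label)
                  for month, by_label in monthly.items()
                  for label, n in by_label.items() if n == 0)


def month_over_month(monthly):
    """Total near misses per month, chronologically, for trend reporting."""
    return [(month, sum(by_label.values())) for month, by_label in sorted(monthly.items())]


if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_LOG)
    monthly = monthly_near_misses(events)
    print("parsed", len(events), "events, skipped", skipped)
    print("per month:", monthly)
    print("trend:", month_over_month(monthly))
    print("silent controls:", silent_controls(monthly))
```

On the constructed data the EDR reports nothing in May and June, which is exactly the kind of silence a friction assessment or a log-pipeline check should investigate before the zero is read as a success.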

Perhaps most importantly, Ennamli is passionate about making security accessible to everyone across the organisation – not just the tech teams.

“Traditional training doesn’t work anymore,” he says. “You can’t stick someone in front of a screen for four hours and expect them to become cyber-savvy.”

Instead, he favours interactive and psychologically attuned strategies: “Gamification, positive reinforcement, public recognition for reporting threats – those are far more effective than lectures. People engage when they feel capable, not when they’re being audited.”

He’s also a believer in empowering staff with intuitive tools. “We use tech that provides real-time risk assessments on websites and emails, so even non-technical staff can make informed decisions. It’s about building capability, not ticking compliance boxes.”

For Ennamli, it all comes back to one principle: usability drives security.

“The more usable your tools are, the more secure your organisation becomes,” he says. “It’s not about being clever. It’s about being clear, consistent, and relentlessly simple.”

Risk Teams Are Drowning While Budgets Shrink – Is AI the Lifeline?

As third-party ecosystems grow in complexity, financial institutions are facing a widening productivity gap in risk management. A recent CeFPro whitepaper, in collaboration with Certa, reveals that 81% of organizations have seen an increase in third-party relationships over the past three years.

Yet 40% report stagnant or reduced risk management budgets. This mismatch between workload and resourcing is forcing risk teams to operate with increasingly constrained capacity — delaying critical tasks, overburdening staff, and ultimately exposing organizations to preventable vulnerabilities.

The report highlights how traditional, manual workflows — still dominant across document analysis, due diligence, and policy interpretation — are a major source

81% of firms reported an increase in third-party relationships over the past three years, yet 40% faced stagnant or reduced risk management budgets.

68% of organizations plan to implement automation tools to manage increased third-party risk workloads without added resources.

70% of firms still manually analyze third-party documents like contracts and assessments.

5,511 hours per month is what the median organization spends completing due diligence questionnaires.

41% of respondents spend more than 30 hours monthly analyzing third-party documents, highlighting the compliance workload.

60% of firms cite data security concerns as the top barrier to adopting AI-driven third-party risk management solutions.

39% of companies using AI in TPRM saw efficiency gains of 21–30%, while 26% saw gains of 11–20%.

66% of respondents, if given 10% more bandwidth, would redirect that capacity to higher-level strategic initiatives.

62% of organizations plan to adopt more GenAI tools for third-party risk management within the next 1–2 years.

Traditional IT systems struggle with unstructured data, yet AI solutions like Certa’s can automatically analyze contracts, fill assessments, and manage compliance tasks in real time.

Risk teams spend 21–30 hours a month reading PDFs. AI cuts that down to minutes.

85% say productivity is their top TPRM challenge. AI-generated workflows can ease the load.

62% plan to expand GenAI use by 2027. See how early adopters are already winning.

MANUAL MADNESS: Is TPRM Drowning in Paper Cuts?

Mark is Head of Content at CeFPro

Despite the growing arsenal of digital tools now available to risk managers in the finance sector, there’s a widespread acceptance that third-party risk management (TPRM) remains mired in outdated, manual processes that are draining time, budget, and morale.

According to CeFPro and Certa’s 2025 whitepaper, Bridging the Productivity Gap in Third-Party Risk Management with AI, 70 percent of organizations still manually analyze third-party documents such as contracts and information security reports, and more than half conduct due diligence by hand.

These outdated workflows not only create inefficiencies but also expose firms to greater risk.

The reasons for this faintly archaic approach, it seems, are both technical and cultural. Legacy platforms can handle structured data like spreadsheets but falter when faced with the unstructured data that typifies TPRM – contracts, certifications, and custom assessments.

These documents vary wildly in format and content, requiring human eyes to review, interpret, and verify, and teams can spend more than 5,500 hours a month on due diligence, a figure that inevitably balloons as third-party networks grow.

This labour-intensive process often becomes unsustainable as business operations scale, leading to critical bottlenecks in procurement, compliance, and vendor onboarding. Manual processing leaves too much room for interpretation, and results are difficult to audit or standardise — making consistency nearly impossible to achieve across complex vendor ecosystems.

Beyond bandwidth, this approach is riddled with bottlenecks. Smaller suppliers often lack the resources to complete assessments promptly, whilst inconsistent or incomplete submissions force risk teams into time-consuming follow-ups, creating cycles of rework.

Worse still, functional owners within firms may delay responses for weeks, sometimes extending onboarding delays to 90 days or more.

These lags have knock-on effects across the enterprise. Delayed onboarding can stall product launches, impair customer experience, and limit operational agility at precisely the time businesses are trying to accelerate digital transformation.

There is also the burden of policy interpretation. With 41% of respondents spending more than 30 hours a month reviewing third-party policies and contracts, manual compliance tasks remain a constant and unending drag on resources.

The slow, repetitive tasks that are endemic to manual process divert attention from strategic initiatives and increase the risk of human error.

The cultural resistance to change doesn’t help, either. In some organizations, extensive documentation is seen as a proxy for thoroughness, especially in jurisdictions with complex or shifting regulatory landscapes.

But this misplaced belief simply serves to perpetuate inefficiency.

The whitepaper highlights a clear productivity gap: rising third-party engagement without a matching budget increase, which means firms are doing more with less, but the strain is showing.

Many delay non-critical tasks or redistribute work among already stretched teams, exacerbating burnout and diminishing effectiveness.

As fatigue deepens and resource constraints tighten, teams are less able to spot anomalies, follow up on red flags, or adapt to shifting regulatory expectations in real time.

As a result, efficiency also diminishes, and the whole process ends up depending on assiduous, error-free work – something that can never be fully guaranteed when humans are involved.

So, what’s the answer? The CeFPro/Certa report suggests that in order to move forward, firms must face the uncomfortable truth that manual TPRM, and the beliefs that are intrinsic to it, are no longer sustainable.

As risk exposure grows and expectations around responsiveness and resilience rise, a new approach is needed – one that is digital-first, dynamic, and fit for scale.

As one of our most established and well-attended event series, Vendor & Third Party Risk returned this June in both New York City and London. These flagship gatherings brought together a collective of industry leaders to explore the evolving landscape of third-party risk management, delivering timely insights on regulatory shifts like DORA, practical strategies for program resilience, and expert guidance on risk oversight.

Vendor and Third Party Risk Series 2025 Stand Out Speakers

In this edition of Connect Magazine, we spotlight five standout speakers on either side of the Atlantic who shaped the conversation at this year’s events.

Did you miss out on the June events? We’ve got you covered - Vendor & Third Party Risk is going global! Join us in Dallas and Amsterdam this November for round 2!

of Third-Party Risk Management for North America

Sri manages the Third-Party Risk Management Program for North America at Commerzbank, where she is responsible for establishing and overseeing appropriate and effective third-party risk management in the region. Her previous experience includes managing global change management efforts for Citigroup’s Third Party Management Program and leading various business intelligence & analytics solution efforts.

James is the Global Head of TPM Country Governance at Citi. James is responsible for enhancing Citi’s global approach to Country Third Party Regulatory Risk and leads global teams in the execution of robust assurance activities. James is at the centre of Citi’s TPM Technology Transformation & Integration journey, bringing together Procurement, Third Party Risk, Operational Resilience, Digital and Cyber Risk, Legal and Compliance. Prior to joining Citi in 2022, James spent well over a decade at EY as a Consultant in Third Party Risk Management, Cyber Security and IT Assurance, and is CISSP and ISO certified. James brings insights and lived experiences from a suite of Financial Services and non-FS organisations, and has worked closely alongside UK and European regulators.

James Ellery-Gower

Global Head of TPM

Country Governance

Citi

Eva Penny is a Global Vendor Risk Manager at Zurich Insurance, bringing several years of experience with leading international insurance organizations. She has expertise in Procurement, Contract Management, Supplier Relationship Management, Supplier Assurance, and Third-Party Risk Management. In her role, Eva delivers policy, supports implementation of the Third-Party Risk Management strategy, and oversees the global Governance, Risk, and Compliance (GRC) solution. She also reviews and interprets regulations from multiple jurisdictions—including the recent EU AI Act—and ensures these requirements are fully integrated into Zurich’s comprehensive third-party risk management framework.

With over 9 years of experience in the banking industry, Ms. Andeliz has a robust background in retail banking and risk management. She is known for her strategic insight and ability to implement effective risk management frameworks that align with the bank’s objectives. In her current role Ms. Andeliz oversees the evaluation and mitigation of risks associated with third parties, ensuring that the bank maintains the highest standards of compliance and operational efficiency. Ms. Andeliz holds a BA in Finance from Rutgers University and is a Certified Third-Party Risk Management Professional (C3PRMP).

Ayesha James

Group Third Party Risk

Steward & Europe Head of Operational & Resilience Risk

HSBC

Ayesha James was the HSBC Group Third Party Risk Steward and Regional Head of Enterprise Risk Management for Europe from 2021-25. The role covers all aspects of operational risk, resilience risk and third party risk management.

Prior to this role Ayesha was Chief Control Officer reporting to the COO of HSBC UK where she worked on the establishment of the ring-fenced bank and the early roll out of Third Party Risk Management. In her early career she worked as a technology and outsourcing lawyer.

As passionate about personal resilience as about organisational resilience, Ayesha spends her free time cooking, running, walking with her Vizsla, Milo, and singing in a local choir.

Eva Penny Global Vendor Risk Management Specialist Zurich Insurance

HOW FAR IS TOO FAR? The Brutal Truth About Supply Chain Blind Spots

In today’s hyper-connected economy, the issue of third party risk is no longer one of whether a company is vulnerable to supply chain exposure – risk, in this broad sense, is inevitable.

The burning question for risk managers is how deep that vulnerability runs.

Before joining the stage at CeFPro’s Vendor & Third Party Risk Europe event, we caught up with one of our key speakers – supply chain risk strategist Anifat Atanda – to explore the challenges risk managers face in maintaining line of sight across all of their third-party relationships.

Atanda, Enterprise Risk Manager at First Bank of Nigeria, is unequivocal in her view that organizational oversight of these relationships must extend far beyond the first few links of any given supply chain.

“There isn’t a one-size-fits-all approach to how deep you go,” she explained. “But there are essential factors that should drive that decision – regulatory demands, risk exposure, cost-benefit analysis, and the criticality of the component to the final product or service.”

Anifat Atanda is Enterprise Risk Manager at First Bank of Nigeria, where she has also held credit risk and credit analyst roles. Her current role centres on governance and risk management, but she also has expertise in financial analysis, policy development and governance systems.

In other words, there is no such thing as ‘too far down’ the supply chain if the risk warrants it.

Atanda emphasized that fourth, fifth, and sixth-party suppliers – entities well beyond a company’s immediate partners – can pose material threats.

These hidden players might not appear on an organization’s radar until something goes wrong. But when it does, the consequences can be far reaching and potentially devastating.

She cites an incident from 2024, when a seismic event in the Atlantic Ocean severed critical submarine internet cables, triggering widespread downtime for banks across 13 African countries.

Unlike the CrowdStrike incident of last summer (2024), which was resolved in a relatively short timeframe, the outage lasted weeks, halting transactions and online services and demonstrating how a single infrastructure failure deep in the supply chain can bring an entire sector to its knees.

“Identifying suppliers to critical services is non-negotiable,” said Atanda. “But this showed us the importance of upstream redundancy and resiliency. It’s not enough to know your suppliers – you need to understand the network they rely on, too.”

So how can organizations realistically track such extensive ecosystems?

According to Atanda, visibility starts with understanding your own operations – what’s being outsourced, to whom, and why.

From there, it requires the creation of a detailed supply chain map that includes all layers of suppliers, no matter how far removed.

She pointed to a suite of tools that support this effort: supply chain mapping platforms, risk monitoring software, and data analytics tools that help detect potential vulnerabilities. But the tech, she cautions, is only as good as the process.

“You need a robust risk management framework that doesn’t just focus on third-party vendors,” she said. “It must encompass fourth, fifth, sixth parties. You need contingency plans aligned with your business continuity strategy. And above all, close collaboration with your suppliers to understand their own ecosystems.”
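To make the mapping exercise Atanda describes concrete, here is an added example written for this piece (it is not code from Atanda or from First Bank of Nigeria). It models a constructed multi-tier supplier map in which each service or supplier either needs all of its dependencies or has a redundant set of which at least one must survive, assigns every supplier its tier (third, fourth, fifth party), and simulates the failure of each node one at a time to find the hidden single points of failure, the equivalent of the shared subsea cable. Supplier names, dependencies and the redundancy arrangement are all hypothetical.

```python
"""Multi-tier supplier map with failure simulation to surface hidden single points of failure."""
from collections import deque

# Constructed supplier map (assumption; names and links are hypothetical).
# "needs": every listed supplier must be up. "any_of": at least one must be up.
SUPPLY_CHAIN = {
    "online-banking":    {"needs": ["core-banking-saas", "payments-gateway"], "any_of": []},
    "card-payments":     {"needs": ["payments-gateway"], "any_of": []},
    "core-banking-saas": {"needs": ["cloud-region-a"], "any_of": []},
    # The gateway looks resilient: it can run from either cloud region ...
    "payments-gateway":  {"needs": [], "any_of": ["cloud-region-a", "cloud-region-b"]},
    # ... but both regions land on the same cable.
    "cloud-region-a":    {"needs": ["subsea-cable-1"], "any_of": []},
    "cloud-region-b":    {"needs": ["subsea-cable-1"], "any_of": []},
    "subsea-cable-1":    {"needs": [], "any_of": []},
}
CRITICAL_SERVICES = ["online-banking", "card-payments"]


def _deps(node, chain):
    return chain[node]["needs"] + chain[node]["any_of"]


def tiers(chain=SUPPLY_CHAIN, services=CRITICAL_SERVICES):
    """Shortest hop count from the organisation to each supplier: 1 = third party, 2 = fourth, ..."""
    dist, queue = {}, deque()
    for svc in services:
        for dep in _deps(svc, chain):
            if dep not in dist:
                dist[dep] = 1
                queue.append(dep)
    while queue:
        node = queue.popleft()
        for dep in _deps(node, chain):
            if dep not in dist:
                dist[dep] = dist[node] + 1
                queue.append(dep)
    return dist


def party_label(tier: int) -> str:
    names = {1: "third", 2: "fourth", 3: "fifth", 4: "sixth"}
    return names.get(tier, f"{tier + 2}th") + " party"


def is_up(node, failed, chain=SUPPLY_CHAIN, memo=None):
    """Evaluate whether node is operational given a set of failed suppliers."""
    memo = {} if memo is None else memo
    if node in memo:
        return memo[node]
    if node in failed:
        up = False
    else:
        spec = chain[node]
        up = all(is_up(d, failed, chain, memo) for d in spec["needs"])
        if up and spec["any_of"]:
            up = any(is_up(d, failed, chain, memo) for d in spec["any_of"])
    memo[node] = up
    return up


def blast_radius(failed_node, chain=SUPPLY_CHAIN, services=CRITICAL_SERVICES):
    """Critical services that go down if this single supplier fails."""
    return {s for s in services if not is_up(s, {failed_node}, chain)}


def hidden_single_points(chain=SUPPLY_CHAIN, services=CRITICAL_SERVICES):
    """Suppliers beyond the third-party tier whose sole failure takes down every critical service."""
    return sorted(node for node, tier in tiers(chain, services).items()
                  if tier >= 2 and blast_radius(node, chain, services) == set(services))


if __name__ == "__main__":
    for node, tier in sorted(tiers().items(), key=lambda kv: kv[1]):
        down = blast_radius(node)
        print(f"{node:18} {party_label(tier):13} takes down: {sorted(down) or 'nothing'}")
    print("hidden single points of failure:", hidden_single_points())
```

Run as written, the simulation reports that losing cloud-region-b takes nothing down and losing cloud-region-a only affects online banking, so the payments gateway's redundancy is real at the fourth-party tier. Losing subsea-cable-1, a fifth party that appears on no contract the bank holds, takes down both critical services. That is the node a supplier questionnaire limited to direct vendors would never have asked about, and the one the contingency plan has to cover.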

That kind of engagement may be easier said than done, but it’s becoming essential in the face of rising regulatory scrutiny.

Governments and regulators are increasingly mandating deeper due diligence in supplier networks, especially when it comes to cybersecurity, ESG obligations (recent climate policy rollbacks at the White House notwithstanding) and operational resilience.

Atanda also highlighted the growing role of data. By leveraging analytics, organizations can identify both emerging threats and new opportunities buried deep in their supply chains. This is not just a matter of risk avoidance – it’s a competitive advantage.

Yet, the human dimension remains critical. While tools can alert organizations to red flags, it’s up to leaders to act on them.

Atanda argued that a company’s resilience is shaped not by how much it knows, but by how quickly and intelligently it responds to the unknown. “Every unexpected disruption is a chance to rethink your oversight,” she said. “You won’t always see it coming. But how prepared you are determines how far you fall – or whether you fall at all.”

As global supply chains grow ever more tangled, it’s clear that a shallow view won’t cut it. Organizations that limit their sight to direct partners are gambling with blind spots. And in today’s environment, one buried risk can become tomorrow’s front-page crisis.

FROM LIQUIDITY TO LEGACY: How Rocco Fanciullo Turned Climate Risk into a Strategic Weapon

As told to Chandrakant Maheshwari, First Vice President, Lead Model Validator at Flagstar Bank, New York, and a regular monthly contributor to Connect Magazine

When climate risk first edged onto the risk radar of European banks, many treated it as a theoretical concern – something to monitor, not something to act on.

Rocco Fanciullo thought differently. As a senior risk leader with a background in liquidity and balance sheet management, he recognized early on that climate and environmental factors weren’t just regulatory distractions – they were reshaping the fundamentals of banking.

Chandrakant Maheshwari talked to him about his journey from skepticism to strategic integration and how financial institutions can embed climate risk into the core of their risk frameworks, long before it’s mandated.

For you, climate risk surfaced during routine risk identification work. What was an early example that triggered deeper investigation into this area?

The increase in the frequency of extreme climate events, together with the growing attention of European institutions and regulators, triggered the inclusion of climate & environmental risk in the risk identification questionnaire. Once identified, the potential impact of the risk is quantified to estimate its severity.

Your view is that traditional financial measures could not capture climate exposure. What new data sources or indicators did you begin to rely on?

The analysis of the liquidity risk generated by bank customers, on either the asset or the liability side, typically relies on the potential liquidity needs that they have. Those in turn depend upon the sector in which the company operates, the life cycle of its products, its credit rating and its internal trade cycle.

Other factors to consider are the internal policies and strategy of the counterparts and the physical location of its productive plants. For this purpose, banks had to attribute to their customers a climate score/rating to assess their risk levels.

Which areas required the steepest learning curve: scientific modeling, regulatory alignment, or internal buy-in?

Ranking the three by importance, first would be regulatory alignment, to interpret the initial requirements and to follow the subsequent changes in regulation that emerged after observing how the rules were applied; second, internal buy-in, to integrate the risk culture of the institution with this new risk factor; and third, scientific modelling, related to the adaptation of the existing models to the new risk.

If someone from a liquidity or treasury background wants to build credibility in climate risk, where should they begin?

The starting point should be reading papers and guidelines published by regulators on the topic.

A lot of material can be found on the EBA and ECB web sites and dedicated reports published also on the industry good practices. This has to be followed by reading additional research from different sources.

It is also recommended to complete the personal learning path with some specific courses on climate risk to learn from best practice and to share ideas with other people on a similar learning path.

How do you personally stay ahead—through communities, reading, conversations, or experimentation?

It means being constantly informed to strengthen personal knowledge. The first step is typically reading internal or external comments or articles on specific topics or the updates in regulations.

The second step is the internal sharing of ideas in risk communities, useful to mix up experiences that might come from different risk pillars.

The final and most complex step is experimentation, which means transforming ideas into steering tools.

Risk functions, and finance and business functions must constantly cooperate and challenge each other and revise processes and practices by integrating suggestions that emerge from the risk functions assessment.

The cooperation-challenge path described above was the most powerful learning tool in my work experience.

What does ‘being future-ready’ mean to you as a risk professional in today’s evolving ESG and regulatory environment?

It means enriching risk culture with the experiences offered by real working life, through observation of the internal and external context, and being prepared to adapt or change the risk framework of the institution in order to respond to new stimuli.

WEBINAR - On-Demand | Watch at a time that suits you

The Silent Risk in Your Reporting Process

Manual workflows. Disconnected systems. Outdated tools. In an era of intensifying regulatory pressure, these legacy processes aren’t just inefficient. They’re dangerous. Watch the free on-demand webinar and hear how industry leaders from U.S. Bank, BNY, and Workiva are transforming risk reporting and compliance for the future.

Why watch?

• Expose silent risks in your legacy reporting stack

• See how top banks are cutting compliance chaos

• Arm yourself for what regulators are expecting next

Watch now >
