Case Study: Governance, Risk & Compliance

Implementing Governance and a Risk Management Framework


The Challenge

We worked with a company where risk management was receiving increased attention, but which had no risk management framework and no strong governance structure.

Risk Assessment: We performed a risk assessment to identify gaps, using a practical, sustainable and easy-to-understand process. We focused on measuring and prioritising risks as follows:

Identify: We identified and categorised the applicable risks.

Assess: We reviewed the risk exposure and confirmed the organisation's risk appetite.

Controls / RCSA: We reviewed how controls were monitored and tested on a regular basis.

Respond to risks: We looked at the existing risk responses and examined options for risk mitigation.

Monitor and report: We analysed reporting and escalation to the board of directors and relevant stakeholders.

The Solution

Risk Management Framework (RMF)

Following the risk assessment, we agreed with senior management that it was critical to have a strong risk management framework in place within a governance structure that included conduct risk and culture. To accomplish this, we also needed to ensure that the risk management framework complemented their strategy.

The risk assessment was key to identifying the applicable risks, confirming the risk appetite and identifying appropriate risk mitigation. We then agreed on the risk management framework (RMF) and the actions needed to enable the organisation to manage and mitigate risk effectively:

The governance structure needed to be documented. This included policies and procedures, controls, the associated risks, systems and continuous improvement.

It was essential to provide all staff with adequate resources and training in order to fully understand the associated risks and the mitigating controls.

We implemented a Risk and Control Self-Assessment (RCSA) covering control testing, reviews and process monitoring. Event and error tracking and documentation requirements were put in place. Technology risk, third-party risk and outsourced external vendors went through thorough testing. Communication and reporting were agreed with the stakeholders, including the Risk Management Life Cycle (RMLC): identify, assess, make risk decisions, implement controls and supervise.