We help you assess, design, build, and mature your ERM Framework and Compliance Management System in the manner most appropriate to your institution, your regulatory environment, and your organization’s readiness.

  • Implement, embed, and mature the three lines of defense model (3LOD) for risk and compliance accountability
  • Assess the adequacy of the risk and compliance resources, tools, and expertise across your organization
  • Advise on and support the implementation of appropriate risk and compliance tools and capabilities that support organizational innovation, improve efficiency, and enhance the integration and adoption of your ERM/CMS Programs
  • Provide strategies and processes to establish and reinforce a strong risk and compliance culture and key risk and compliance principles such as: Authority, Accountability, Engagement, Transparency, Escalation, Proactive/Preventative, Self-Identification, and Self-Monitoring

  • Effective Board and Management Committee structure and composition
  • Board Composition related to applicable risk and compliance experience and expertise
  • Enterprise-wide and standardized process for the development, oversight, updates and use of Policies and Procedures including:
    • Design, documentation, implementation, and maturity roadmap for your organization’s Compliance Program and Enterprise Risk Management Framework and related policies and procedures
    • Effective risk and compliance reporting and analytics, including key risk and performance metrics and appropriate Management and Board visibility and oversight

  • Qualitative and quantitative risk assessment methodologies, including:
    • Process-based risk and control inventory
    • Reporting taxonomy
    • Inherent and residual risk
    • Assessment of control effectiveness based on control type and results of available detective measurements
    • LOD effective challenge
    • Aggregate business line, function, and organizational risk profile and heat mapping
    • Linkage to the issue management process for remediation of control weaknesses
    • Linkage to the change management process for ongoing risk assessment updates
  • 1LOD control effectiveness self-monitoring and quality control programs
    • Identification of key controls
    • Automated monitoring techniques
    • Frequency
    • Oversight and escalation
  • 2LOD risk and compliance testing programs, including:
    • Annual risk assessment and annual plan
    • Design and implementation of the testing program, tooling, and reporting
    • Oversight and escalation
  • 3LOD/Independent Audit program, including:
    • Annual risk assessment and annual plan
    • Design and implementation of the audit program, tooling, and reporting
    • Board level oversight and escalation
    • Chief Internal Auditor role, reporting structure, and best practices to protect independence
    • Oversight of outsourced Audit programs

  • Change program design that:
    • enables informed risk acceptance and strategic planning
    • is preventative
    • establishes clear accountability across all lines of defense
    • encompasses all applicable risk types
  • Inventory and tracking of change events including strategic, product/services, regulatory, and industry, with their relative risk
  • Change-related risk assessment methodology that:
    • considers all applicable risk types
    • includes risk significance methodology
    • captures requisite risk mitigations and internal controls
    • is integrated with, and reflects its impact on, related risk processes (risk assessment, monitoring and testing, training, reporting, etc.)
  • Change management roles and responsibilities
  • Change management reporting, oversight, and governance
  • Change management training
  • Change management materials including policies, procedures, and templates
  • Post-implementation validation testing

  • Design of enterprise-wide Issue Management, covering:
    • Transparency on risk issues
    • Segmentation by risk significance
    • Informed prioritization
    • Root Cause Analysis
    • Early or self-identification of issues
    • Monitoring of remediation efforts
  • Issue management sources
  • Issue risk rating methodology
  • Definition of roles and responsibilities for:
    • Identification, investigation, development of corrective action plans
    • Independent review and challenge of root cause and action plans
    • Implementation of corrective action plans
    • Validating issues across all lines of defense
  • Standardized protocols for reporting issues, conducting root cause analysis, establishing corrective action plans, assigning ownership and accountability, remediating issues, closing issues, changing due dates, and validating the effectiveness of issue remediation
  • Issue management reporting, escalation standards, oversight, governance, and training
  • Consideration of customer harm that may be related to identified issues and standard protocols for how related escalation, self-reporting, and restitution should be integrated into the corrective action planning
  • Integration of issue management with related risk processes including risk assessment, monitoring and testing, training, and independent audit

  • Develop the institution’s Risk Appetite Framework (RAF) with related risk-specific triggers and tolerances
  • RAF Trigger monitoring and reporting
  • Development and testing of key Risk Appetite scenarios and integration with stress testing, capital and liquidity planning, contingency planning, and resolution planning
  • Defined roles and responsibilities, oversight, and governance related to the development and approval of and changes to the RAF and results of scenario testing

  • Assessment of applicable regulatory compliance risks and related significance and integration with regulatory change management process to ensure timely updates and enhancements
  • Training content development
  • Annual training plan and deployment planning
  • Determination of appropriate audiences for and frequency of training
  • Processes for monitoring training completion, key metrics, and reporting
  • Training oversight and governance
  • Development of job-specific and in-person training curriculum
  • Advise on training content development and program management tools and design

  • Scope of regulatory agencies
  • Examination readiness and self-assessment
  • Exam management process including key roles, responsibilities, and governance
  • Exam request, follow-up, and deliverable management process
  • Exam submission protocols and quality review process
  • Examination response and remediation
  • Regulatory relations best practices
  • Legislative relations best practices

Ready to Talk?

We work with you to understand your needs, so we can tailor our approach to your engagement. Learn more when you connect with our team.

Fair and Responsible Banking

We partner with financial institutions to promote ethical, transparent, and socially responsible banking practices, driving positive impact for all stakeholders.

Monitoring, Testing, and Audit

We provide advisory, co-sourced, and out-sourced testing services to ensure compliance with regulatory requirements and best practices.

Cards and Payments Products and Services

We build, assess, remediate, and implement operational and compliance risk management programs.

Operational Excellence

We support your drive for operational excellence and help you manage non-financial risks.

Data Governance

We can improve your bottom line, as well as your regulatory compliance, with our formal, systematic approach to measuring and uplifting Data Governance.