Payments Risk & Compliance

Risk and Compliance within your re-platforming project.

Date: June 24, 2026

What is Risk and Compliance?

The Risk and Compliance department is not always welcomed with open arms during transformation programmes. It is often seen as slowing down delivery or adding complexity. Yet its role is critical. Risk and Compliance help organisations maintain control over risks, governance and regulatory requirements. Without this oversight, transformation programmes can quickly lose direction and control. In this article, we explain why Risk and Compliance are essential in re-platforming projects and how to work with them effectively.

Risk and Compliance are often seen as barriers to progress. In reality, they are what help programmes stay in control as complexity grows.

What is Risk & Compliance?

Let’s start with the basics. Risk and Compliance departments are often split up according to the Three Lines of Defence model. This model consists of:

  • First line - operational management, actively involved in delivery
  • Second line - risk management and compliance functions that provide oversight and guidance. They are regularly consulted to align the programme approach and key decisions with existing policies.
  • Third line - internal audit, providing independent assurance on the effectiveness of governance, risk management and controls. While typically engaged later in the programme, early involvement often improves overall quality and can even reduce delivery time.

Through this division, responsibilities are clearly distinguished, which allows organisations to place them in different areas of the organisation. This in turn ensures a suitable level of control at executive level.

While re-platforming, you will inevitably get in touch with each of these lines. In our experience, it is beneficial for project managers of re-platforming projects to proactively align and work together with the risk and compliance departments. Keeping them involved and up to date from the start will not only improve relations with them but also provide guidance during the project. This will save you valuable time and prevent discussions that might delay the project. This last point is often underestimated but can significantly contribute to a shorter overall project timeline.

Below we present some examples from our daily work to show how and when risk and compliance were integrated into our project work.

Risk management

During re-platforming projects, risks will appear at different times and in different places due to the complexity and duration of the project, but that does not mean you can’t prepare. Before starting a project of this nature, it is essential that an initial risk assessment is done and aligned with the relevant departments. This initial assessment can provide a starting point for Risk (and Compliance) involvement within the project. It sets the tone in terms of expectations and results in a consistent view of the project’s context. Aside from industry-specific risks, a broad spectrum of more general topics is seen in almost all projects across all industries:

  • Limited capacity and knowledge
  • Budgetary constraints
  • Internal dependencies
  • Re-prioritisation
  • Third party delivery risk
  • Regulatory changes
  • Insufficient auditability

How important it is to start this assessment early can be seen from the examples listed above, such as the risk of insufficient auditability. While a data migration only takes place in the final stage of the project, the decisions that lead up to this big moment happen throughout the entire course of the project. The outcomes are vital and must be aligned with stakeholders and properly documented.

In complex transformation programmes, risks rarely appear suddenly. They build over time when early decisions go unchallenged.

This is especially true when an external company specialised in data migration is used. After all, large scale data migrations are rare and internal knowledge might be limited. Active involvement is essential, as you (the customer) need to understand the reasoning behind migration design (e.g. when audited after the project has finished).

A risk assessment is not a static deliverable. As the project progresses, the initial risk assessment should be periodically revisited and, if necessary, updated to include or adjust current and upcoming risks. Some topics warrant a separate assessment. It is not uncommon, for example, for a data migration or system integrity risk to get its own risk assessment in which the different aspects and risks can be covered in more detail. Depending on the topic, different subject matter experts should be asked to participate, both to take note of the various risks and to set up the correct mitigating measures.

Just defining a mitigating measure is not enough. It should be properly implemented too, and to verify this, the Risk department should perform occasional checks on the efficacy of the defined measures. Based on the results, teams might be required to adjust the existing measures in order to achieve a better result. This is especially important for any measures that will persist after the project’s completion.

It’s important to realize that risk management is not a one-time activity but rather a continuous process.

Compliance

Complying with existing standards and policies is another vital aspect of re-platforming. Due to the large number of (significant) changes to software, products and processes, deviating from standards could introduce additional chaos and cause regulators to get involved. European banks have to deal with an increasing number of regulatory requirements coming from laws and regulations such as PSD, AMLD, DORA, CRD and many more.

It should also be noted that these projects, especially for systemically important FIs, will be under scrutiny from higher authorities. Relevant authorities will typically ask detailed questions on the project scope and progress in order to ensure that your organisation will be able to maintain its current offering, performance and stability.

Organisations must ensure that during and after the project, they will adhere to all relevant pieces of regulation or ensure that they acquire any necessary exemptions from internal second and/or third line departments. The project team will have the greatest responsibility to ensure that any changes coming from the project either improve on or maintain the status quo. If changes are expected to clash with any regulations, the risk and compliance department must evaluate whether this is acceptable and falls within the risk appetite.

Depending on the purchased product, the organisation may face a decreased or increased responsibility in terms of interpreting and implementing regulatory changes and requirements. SaaS products, for example, can be expected to implement changes, but it is up to your organisation to check that the vendor’s interpretation covers all specific requirements. Vendors that are active in multiple countries are likely to miss country-specific requirements.

Another important topic is the possible change to products. Any change to a product must be carefully evaluated. When changes lead to customer impact, underlying agreements and contracts must be revised or even cancelled, which could decrease customer satisfaction. In some jurisdictions, organisations are legally obligated to evaluate product changes through the Product Approval and Review Process (PARP).

Both risk and compliance will take on another important role when your organisation is preparing to go live with a new software vendor. They will be involved in setting up the necessary controls that will help you validate whether the migration was successful. When the controls are executed, they will also be responsible for checking the results, and afterwards they will be one of the gatekeepers that approve or reject the go-live.

Internal Audit Department

Aside from the R&C departments, the closely related Internal Audit Department needs to be involved in the project. While it does not direct project decisions or how the work is carried out, it will evaluate whether the project adheres to the right processes and standards. In many cases, these will coincide with activities performed in cooperation with the R&C department. Through early and frequent cooperation with this department, your project can avoid repercussions from audit in later stages. After all, if audit determines that the project has insufficiently followed these procedures, it may not approve the go-live of the new solution. While audit won’t be as actively involved in shaping the project as the R&C department, it can give you a first view of the activities and planning.

Make use of our experience

From our experience in large re-platforming projects, we have seen that good cooperation is not always a given and becomes complicated as tensions within the project rise. Understanding the role of Risk and Compliance in your re-platforming project is crucial to ensure an efficient and amicable cooperation. Besides the need to involve these departments in time, we see that the R&C departments are often inexperienced in larger change projects. We have identified a few guiding principles to help you get started:

  • Establish contact as soon as possible.
  • Appoint specific contacts for the programme and/or embed a Risk & Compliance representative in the core team. Multiple contacts might be needed to cover the different lines of defence.
  • Attract experienced R&C managers if the organisation is immature in large change projects.
  • Agree on deliverables throughout the project as soon as possible.
  • Periodically meet to discuss progress and review deliverables together.
  • Agree on an escalation process for risks that require management intervention.
  • Invest in documentation and make sure that all relevant info is saved and easily found. All assessments and decisions should be clearly documented.

Final remarks

In conclusion, successful re-platforming is not only a technology transformation, but a disciplined approach to integrating risk and compliance. Organisations that engage Risk & Compliance early, embed them structurally into the delivery, and treat risk management as a continuous, forward-looking process consistently outperform in both speed and quality of delivery. Ultimately, those who position Risk & Compliance as strategic enablers, rather than control checkpoints, will accelerate time-to-value while safeguarding long-term resilience.

About Projective Group

Projective Group was founded in 2006 and has since established itself as a leading consultancy in the financial services sector.

We are known across the European industry for turning complex challenges and new topics into clear, pragmatic solutions. Thanks to our deep roots and trusted relationships in the financial services sector, we have in-depth expertise in all key areas. We support the entire change process: from strategy development and the implementation of complex transformations to the long-term building of capabilities through managed services, staffing and training. Our ambition is simple: to enable financial service providers to actively shape the future of well-being, growth and innovation.