Experience & Results
25+ years delivering risk technology, frameworks and expertise in Financial Services
With over 25 years of experience in risk management, predominantly in financial services, I've built a career helping firms turn risk management from a compliance burden into a decision-making discipline and strategic advantage. My approach combines genuine thought leadership and deep regulatory expertise with practical business acumen, delivering frameworks and tools that work in the real world, not just in theory.
I've founded three companies with one successful exit, led risk transformation at scale, and worked with some of the most respected names in financial services. From implementing enterprise risk frameworks at the Bank of England to helping challenger banks reduce capital requirements by 81%, I bring proven methodologies that deliver measurable results.
My work spans enterprise performance management, KPIs & OKRs, enterprise risk management, operational resilience, regulatory transformation, and risk technology. I always focus on embedding risk management into strategy and operational decision-making processes rather than treating it as something separate from the business.
Career Highlights
Freelance Risk Consultant
Engagements including Interim CRO, Risk Transformation, Risk Framework and Tools, and Risk Training and Workshops
Product Director & Interim Chief Risk Officer
Led the product strategy and development of the Enterprise and Operational Risk Management software and the Global Risk Platform, both serving global capital markets firms. Led the implementation of a strategic and operational risk management framework, including SOC2 and NIST.
Founder & CEO - Ascendore Limited
Founded Ascendore to acquire full ownership of StratexSystems after a corporate restructuring. Rebranded the business, returned it to growth and sold it to KRM22.
Founder & CEO - StratexSystems
Built an integrated GRC platform, raised £1M seed investment, became market leader for UK Challenger Banks and won blue-chip clients across the financial services industry.
Founder & CEO - Manigent Limited
Founded a boutique consulting firm, created the Risk-Based Performance Management methodology, and acquired blue-chip clients, primarily in the financial services industry.
COO - CorVu plc (EMEA)
Worked for CorVu in a range of technical, partner management and sales roles. Became COO after the dot-com crash to stabilise and lead the EMEA business. Restructured the business and doubled software licence revenues from £2M to £5.3M.
Key Achievements
Leadership
- Founded three companies with one successful exit.
- Raised £1M in funding
- Led turnaround after the dot-com crash
- Doubled software license revenue from £2M to £5.3M
Client Delivery
- 81% reduction in Pillar 2 capital
- 94% reduction in operational errors
- 100% customer retention post company acquisition
- 50+ blue-chip clients secured
Product Development
- Built 4 B2B enterprise applications
- Led Risk Cockpit design, development & GTM
- Created the RBPM methodology
- Published book (Palgrave Macmillan)
Case Studies
Interim CRO | Risk Transformation
Leading Global Fintech serving Capital Markets
CHALLENGES
A new CEO recognised the need to implement a robust enterprise-wide risk management framework to support aggressive growth, align with customer expectations, and ensure the company was investment ready ahead of a major funding round expected within two years.
The CEO and executive team believed they needed risk expertise and a 'change agent' initially, deferring the decision to appoint a Chief Risk Officer to a later stage. While the company had risk management software in place, it was poorly utilized and lacked adoption. The most comprehensive risk register existed as an IT-owned spreadsheet.
APPROACH
Discovery and Foundation
I worked with the executive team to understand their strategic objectives, customer expectations, current risk management capability, and identify where they perceived their most critical risks to be.
Using the Value Orchestration Canvas, I developed a comprehensive risk library and created a 'starter for ten' risk register for each function. Working collaboratively with the executive team and their direct reports, we implemented these registers, established a risk assessment methodology, and launched the risk assessment and reporting process. To overcome limitations in the existing software's reporting capabilities, I delivered a PowerBI-based reporting and dashboarding solution.
Building Momentum
Once the risk assessment and reporting process gained traction, we expanded the framework to include incident tracking and analysis, and aligned risks to the existing OKR process where possible. We then iterated the risk registers to ensure they fully reflected current and emerging business realities, and addressed SOC2 and ISO27001 certification requirements. Additionally, I developed a DORA overlay to the risk registers, enabling the business to make informed decisions about a potential business model change that would bring them under DORA regulation in 2026/27.
The Pivot to Quantitative Analysis
Initially, we deployed a qualitative risk assessment approach to align with the existing software and the CEO's 'keep it simple' directive. However, it quickly became clear that the software added little value and had no internal buy-in. More significantly, while the executive team initially found RAG-based risk reporting useful, they soon questioned its real value for decision-making.
At this point, I proposed we 'do it properly', which resulted in a decision to transition to a more advanced, quantitative, Monte Carlo-based risk analysis approach and phase out the existing software.
This led to a complete reengineering of the risk assessment methodology. We also decommissioned the existing risk management tool and replaced it with a purpose-built solution that was significantly simpler and easier to use, with a built-in quantitative risk engine, and leveraged Microsoft PowerBI for reporting and dashboarding. This embedded risk reporting into the existing management reporting architecture and process.
Transformation
The switch from qualitative assessments to quantitative analysis had a transformative effect on the executive team. Risk dashboards and reports now presented real numbers instead of RAG scales. Conversations about investments and trade-offs between risk exposure versus cost of control or mitigation became meaningful and directly relatable to their budgets, which fundamentally changed how the leadership team approached decision-making related to risk management.
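To show what "real numbers instead of RAG scales" and the exposure-versus-cost-of-control trade-off look like in practice, here is an added Python example; it is not the risk engine built on the engagement, and every event rate, loss size and control cost in it is a constructed assumption.

```python
"""Monte Carlo annual-loss model: expected loss and tail percentiles instead of RAG colours.

Added illustration, not the risk engine from the case study. Every figure below
(event rates, loss sizes, control cost) is a constructed assumption.
Loss events per year follow a Poisson distribution; the size of each loss follows
a lognormal distribution. A control is judged by comparing the expected annual
loss (EAL) it removes against what it costs to run each year.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class LossScenario:
    name: str
    freq_per_year: float  # mean number of loss events per year (Poisson rate)
    sev_median: float     # median loss per event, in currency units
    sev_sigma: float      # lognormal dispersion of loss size (higher = fatter tail)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; the standard random module has no Poisson sampler."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: LossScenario, trials: int, seed: int = 42) -> list:
    """Return one total loss figure per simulated year (frequency x severity)."""
    rng = random.Random(seed)
    mu = math.log(scenario.sev_median)  # lognormal mu is the log of the median
    yearly = []
    for _ in range(trials):
        events = sample_poisson(rng, scenario.freq_per_year)
        yearly.append(sum(rng.lognormvariate(mu, scenario.sev_sigma) for _ in range(events)))
    return yearly


def analytic_eal(scenario: LossScenario) -> float:
    """Closed-form expected annual loss, used to sanity-check the simulation."""
    return scenario.freq_per_year * scenario.sev_median * math.exp(scenario.sev_sigma ** 2 / 2)


def summarise(yearly: list) -> dict:
    """EAL plus tail percentiles: the numbers a dashboard shows instead of a RAG rating."""
    ordered = sorted(yearly)

    def pct(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"eal": mean(ordered), "p50": pct(0.50), "p95": pct(0.95), "p99": pct(0.99)}


def apply_control(scenario: LossScenario, freq_reduction: float, sev_reduction: float,
                  name: str) -> LossScenario:
    """Model a control as cutting event frequency and/or loss size by a fraction."""
    return replace(scenario, name=name,
                   freq_per_year=scenario.freq_per_year * (1 - freq_reduction),
                   sev_median=scenario.sev_median * (1 - sev_reduction))


def control_decision(before: dict, after: dict, annual_control_cost: float) -> dict:
    """Exposure removed versus cost of control: the trade-off the executives asked for."""
    reduction = before["eal"] - after["eal"]
    return {
        "eal_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
        "roi": reduction / annual_control_cost - 1.0,
        "worthwhile": reduction > annual_control_cost,
    }


# Constructed scenario: payment fraud initiated by phishing, before and after a control.
BASELINE = LossScenario("payment fraud via phishing", freq_per_year=4.0,
                        sev_median=50_000.0, sev_sigma=1.0)
MITIGATED = apply_control(BASELINE, freq_reduction=0.5, sev_reduction=0.2,
                          name="payment fraud via phishing, with MFA and payment limits")
CONTROL_COST = 120_000.0  # constructed annual running cost of the control
TRIALS = 20_000


def run_example():
    """Simulate both scenarios and return (before, after, decision)."""
    before = summarise(simulate_annual_loss(BASELINE, TRIALS))
    after = summarise(simulate_annual_loss(MITIGATED, TRIALS))
    return before, after, control_decision(before, after, CONTROL_COST)


if __name__ == "__main__":
    before, after, decision = run_example()
    for label, s in (("before", before), ("after", after)):
        print(f"{label:6} EAL={s['eal']:>12,.0f}  p95={s['p95']:>12,.0f}  p99={s['p99']:>12,.0f}")
    print(f"control removes {decision['eal_reduction']:,.0f}/yr of expected loss "
          f"for {CONTROL_COST:,.0f}/yr -> worthwhile={decision['worthwhile']}")
```

The p95 and p99 figures are what make the budget conversation concrete: a control that barely moves the EAL but cuts the tail can still be the right spend, and the same model answers both questions.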
Deliverables and Results
Deliverables
- Comprehensive Enterprise and Operational Risk Management framework, including SOC2, ISO27001 and DORA compliance
- Fully defined Risk Library and standardised Risk Registers
- PowerBI-based Risk Reporting and Dashboarding suite
- Monte Carlo-based Quantitative Risk Engine
- A decision-making culture that takes a risk-based approach
Results
- 90% adoption of the Risk Management framework within 4 months
- 32% reduction in risk exposure over 12 months
- 43% improvement in mitigation effectiveness
- 100% adoption of the new risk system
- Realised $100k per year software cost savings
- Successful recertification of SOC2
- Complete package of risk information supporting the fundraising initiative
Risk & Regulatory Transformation
ICARA Transformation: Mid-Size Capital Markets Broker
The Challenge
A mid-size broker operating within the UK financial services sector faced urgent regulatory pressure and internal capability gaps. The introduction of the FCA's ICARA (Internal Capital Adequacy and Risk Assessment) regulatory requirement created an urgent compliance deadline, while the board simultaneously demanded a more proactive approach to managing risk across the entire organization. The firm's legacy risk management processes were not only inadequate to meet the new ICARA requirements but had also created a deeply negative perception of risk management within the firm, consuming significant time and resources while delivering little tangible value.
The central challenge extended beyond mere regulatory compliance. The firm needed to overturn this negative perception while simultaneously building a risk framework and fostering a risk culture that aligned with both regulatory and board expectations. Complicating matters further, the firm had limited internal risk management capability; resources lacked both the skills and understanding of modern risk management practices needed to contribute effectively to a comprehensive risk strategy. The complex business model spanning multiple capital markets services demanded an innovative approach that could resonate with diverse stakeholders across the organisation.
The Approach
I began by conducting a thorough assessment of the firm's existing risk management practices, systems, and culture. This evaluation identified key areas for improvement and shaped the development of a comprehensive risk management framework built around the Value Orchestration Canvas, a framework that maps risks to the logical domains across a services firm's value creation processes and the value streams that drive the organisation.
Working closely with the executive team, I facilitated workshops to identify and map the firm's critical business services, creating a foundation that stakeholders could immediately recognise and relate to their daily operations. This Value Orchestration Canvas approach proved transformative; rather than presenting risk management as an abstract compliance exercise, it directly connected risk identification and assessment to the actual services the firm delivered to clients and the internal capabilities that enabled those services.
The framework comprised four integrated components that worked in concert. First, we created a systematic process for risk identification and assessment across all business lines, incorporating both quantitative and qualitative analysis while engaging stakeholders at every level, from front-line employees through management to board members, to gain a holistic understanding of potential risks.
Second, I worked closely with the board to define the firm's risk appetite and establish risk tolerance levels, ensuring that the firm's risk-taking behaviour aligned with strategic objectives and that risk management practices were embedded throughout the company.
Third, we developed a comprehensive set of risk mitigation strategies and controls tailored to the firm's specific risks and regulatory requirements, implementing new policies and procedures, refining existing controls, and integrating risk management best practices across the organization.
Finally, we created a robust risk reporting and monitoring system that ensured timely and accurate risk information flowed to the board, senior management, and regulatory authorities, incorporating key risk indicators, performance metrics, and escalation procedures to facilitate effective decision-making.
A critical element of the project was the comprehensive wind-down analysis required under ICARA, which mapped out how the firm would manage an orderly closure if necessary. This analysis not only satisfied regulatory requirements but also provided valuable insights into operational dependencies and vulnerabilities. Throughout the project, I placed strong emphasis on training and knowledge transfer, ensuring employees at all levels understood not just the mechanics of the framework but the fundamental importance of risk management and how they could contribute effectively to the firm's risk strategy.
The Transformation
The implementation of the Value Orchestration Canvas-based risk management framework successfully transformed the firm's risk culture and met both regulatory and board requirements within the six-month timeframe. The new framework addressed all ICARA regulatory requirements, ensuring the firm remained compliant and avoided potential penalties and reputational damage while positioning them advantageously for the upcoming Operational Resilience requirements.
More significantly, the firm's risk management processes and systems were fundamentally enhanced, facilitating a truly proactive approach to risk identification, assessment, and mitigation. The framework became embedded in day-to-day operations rather than being filed away as a compliance document. Employees at all levels of the firm gained a better understanding of risk management principles and their role in maintaining a healthy risk culture, fundamentally shifting the firm's perception of risk management from a burdensome compliance exercise to a value-adding business capability.
A new risk committee was established with clear governance structures, risk appetite statements, and escalation procedures that ensured risk considerations were integrated into strategic decision-making. Perhaps most tellingly, the business-aligned approach generated genuine stakeholder buy-in across the organization, something the previous framework had conspicuously failed to achieve.
The project delivered exactly what was needed: regulatory compliance achieved ahead of deadline, internal capability built for sustainability, and most importantly, a fundamental transformation in how the organisation understood and engaged with risk management; shifting it from an administrative burden to a strategic enabler.
Deliverables and Results
Deliverables
- Value Orchestration Canvas-based risk framework aligned to critical business services and ICARA requirements
- Complete ICARA regulatory documentation including wind-down analysis and capital adequacy assessment
- Risk governance infrastructure with committee and reporting dashboards suite
- Firm-wide training program and knowledge transfer for sustainable capability
Results
- FCA ICARA compliance achieved ahead of regulatory deadline
- Transformed risk culture from "compliance burden" to strategic enabler with genuine stakeholder buy-in
- Framework embedded in daily operations
- Built sustainable internal risk management capability reducing external dependency
"Andrew's Value Orchestration Canvas framework has changed the firm's view on Risk Management and the value it brings because we finally have a framework they relate to and add value in their day-to-day roles." - CRO
Risk Framework and Technology Implementation
Building While Using: Internal Risk Implementation at KRM22
The Challenge
Early in its life, as an ambitious, investor-backed SaaS start-up in the risk management technology space, KRM22 needed to establish credible management reporting and risk management processes that would provide the CEO and board with visibility into operational performance, risks, and emerging issues. As a company developing risk management software and services for capital markets firms, managing operational and cyber risks was critical to building market credibility and operational resilience.
The company's prospective clients were sophisticated financial services firms with mature risk and compliance functions who would scrutinize KRM22's own governance and risk arrangements as part of their vendor due diligence. Demonstrating robust operational resilience, effective cyber risk management, and comprehensive management reporting wasn't optional; it was a prerequisite for winning and retaining enterprise clients.
The CEO recognized that this internal implementation needed to be genuine and rigorous, not a superficial showcase. The company needed real operational resilience, effective cyber risk management, and management reporting that actually informed decision making and enhanced our cyber risk posture and operational resilience, with the added benefit that success would demonstrate our own risk management platform, applications and capability to deliver these outcomes for clients facing similar challenges.
The Approach
Taking on the Chief Risk Officer role, I had the unusual opportunity to simultaneously build risk management capability within KRM22 while the product team continued developing the Enterprise Risk Management application - creating a powerful feedback loop where internal implementation needs informed product development while product capabilities enabled more sophisticated risk management practices internally.
I led the implementation of the Enterprise & Operational Risk framework and technology within KRM22, treating the internal deployment with the same rigour we would apply to a client engagement. This wasn't a simplified "pilot" or proof of concept; it was a full enterprise implementation that would serve as the reference architecture for client deployments. The internal implementation required designing the complete information architecture: creating an integrated strategy execution and risk management framework, defining risk taxonomies, establishing the assessment methodology, building a suite of KPIs & KRIs, mapping these to data sources, and building a suite of dashboards and reports that would provide meaningful insights for decision-making rather than compliance theatre.
A critical element was designing a comprehensive IT risk framework that incorporated best practices from multiple standards and frameworks, including the NIST Cybersecurity Framework, ISO27001 information security management, COBIT governance principles, and ITIL service management practices. Rather than treating these as competing frameworks requiring separate assessments, I integrated them into a coherent approach where a single risk and control assessment process satisfied requirements across multiple frameworks simultaneously. This integrated approach not only reduced duplication but demonstrated to clients how they could simplify their own compliance obligations through an integrated framework design. It also demonstrated the power of our software platform and its family of applications.
Achieving SOC2 certification early was both a business necessity and an opportunity to stress-test our software approach under real-world conditions with a real external auditor.
During this audit, I was able to demonstrate how we mapped the SOC2 requirements into our risk and control framework, using our enterprise risk application to provide auditors with real-time evidence of controls in place and working rather than producing static documentation. This approach not only streamlined the audit process but demonstrated the platform's capability to support compliance obligations efficiently, a compelling proof point for prospective clients facing similar certification requirements.
One of the key dashboards within the suite delivered was the 'CEO Cockpit'. This brought together performance management, risk management and financial management information onto 'a single page' in real time, providing the CEO with at-a-glance visibility into the company's performance and risk profile across strategic, operational, technology, compliance, and financial domains. The CEO Cockpit didn't simply aggregate risk data; it provided actionable intelligence requiring the CEO's or his direct reports' attention.
Critically, the dashboard was built using the same software we were selling to clients, making every executive review meeting an implicit product demonstration.
The Transformation
The achievement and maintenance of SOC2 certification provided immediate business value, satisfying client security requirements, enabling the immediate signing of two new contracts and enabling the company to credibly compete for enterprise contracts.
The CEO Cockpit delivered huge value to the CEO and his team by providing real-time risk visibility that drove decision-making, and the dashboard became an integral part of executive meetings, demonstrating that real-time performance and risk management had a valuable place in the boardroom and could be an enabler rather than an administrative burden.
Perhaps most valuable was the impact on product development and client implementations. The internal implementation revealed user experience issues, workflow inefficiencies, and reporting gaps that would have been difficult to identify through theoretical design or limited pilot testing. Product features were refined based on real operational use, integration challenges were solved through actual practice rather than speculation, and the implementation methodology was proven through internal experience before being deployed with clients. When KRM22's consultants worked with clients to implement our risk solutions, they could speak from genuine experience about what worked, what challenges to anticipate, and how to configure the platform for maximum value.
Beyond these tangible outcomes, the engagement successfully built risk culture within a start-up environment; demonstrating that effective risk management and entrepreneurial growth were complementary rather than contradictory.
The unique aspect of simultaneously building the product while implementing it internally created a powerful virtuous cycle. Internal implementation needs drove product improvements, which enabled more sophisticated risk management practices internally, which revealed additional product enhancement opportunities. This dynamic meant KRM22's risk management capability and product capability evolved together, each reinforcing the other in ways that would have been impossible with either pure product development or pure consultancy approaches alone.
Deliverables and Results
Deliverables
- Enterprise Risk Framework and software implemented: Full deployment of the Enterprise Risk application internally including risk framework, taxonomy, assessment process, control frameworks, and KPIs & KRIs integrated with all major company data sources
- Integrated IT Risk Framework: Comprehensive framework incorporating NIST Cybersecurity Framework, ISO27001, COBIT, and ITIL standards with a unified risk and control assessment methodology satisfying multiple compliance frameworks simultaneously
- CEO Dashboard: Real-time executive performance, risk, and financial visibility across the business
- SOC2 Certification: Complete program to deliver an audit-ready framework and technology solution with real-time, automated evidence collection, which achieved SOC2 certification at the first attempt.
Results
- Established Market Credibility: demonstrable "we use it ourselves" positioning, together with SOC2 certification, provided compelling proof points in client sales conversations
- CEO Decision-Making: For a busy CEO operating globally, a real-time CEO Cockpit providing "at a glance" business visibility proved vital to effective decision-making.
- Integrated IT Risk framework embedded within a technology platform that drove internal IT risk management while enabling us to sell globally.
- Approx. £1M ARR contracted on the successful SOC2 certification.
Risk Transformation
Risk Framework & Technology Transformation: UK Challenger Bank
The Challenge
A UK challenger bank faced a critical constraint on its growth ambitions: disproportionately high Pillar 2 capital requirements imposed by the Prudential Regulation Authority (PRA). The root cause was clear; a fragmented risk management approach that failed to provide regulators with confidence in the firm's ability to identify, assess, and control risks effectively. Operational errors were recurring with concerning frequency, directly impacting capital calculations and regulatory perceptions, while the absence of an integrated enterprise risk framework meant that risks were managed in silos across the organization with no coherent oversight or consistent methodology.
The existing risk technology landscape compounded these challenges. Multiple disconnected systems and spreadsheets created data quality issues, made consolidated reporting nearly impossible, and consumed excessive manual effort in producing risk information that often arrived too late to inform decisions. The board recognized that addressing the capital constraint required not just better processes, but purpose-built technology that could enable systematic risk management across the enterprise while providing the data integrity and reporting capability needed to satisfy regulatory requirements and support business decision-making.
The Approach
I worked alongside the bank's leadership team to design and deploy a comprehensive enterprise risk framework coupled with purpose-built risk technology that would transform how the organization identified, assessed, controlled, and reported risks. The engagement combined strategic consulting on risk management methodology with hands-on technology development and deployment to create an integrated solution.
The framework design began with extensive stakeholder engagement across all business lines and support functions, mapping the bank's critical business services using the Value Orchestration Canvas approach and identifying the key risks that could disrupt value delivery. Working closely with the executive team and board, I developed a risk appetite framework that articulated the bank's tolerance for different risk categories in quantitative terms, providing clear boundaries for business decision-making and a foundation for meaningful dialogue with regulators about the bank's risk profile and management capability. A cornerstone of the transformation was designing and implementing a systematic Risk and Control Self-Assessment (RCSA) process embedded within purpose built technology. Rather than relying on spreadsheets and manual consolidation, I developed a risk technology platform that enabled business lines to identify and assess risks consistently while providing enterprise-wide visibility through real-time dashboards and automated reporting. The RCSA technology incorporated workflow capabilities, audit trails, and data validation controls that ensured both process discipline and data integrity.
Strengthening operational risk management required both enhanced processes and enabling technology. I designed and deployed an operational risk module that captured, categorised, and analysed operational errors and near-misses with root cause analysis capabilities driving targeted control improvements. The technology automated error capture where possible, provided structured templates for investigation and analysis, and generated management information that highlighted trends and concentrations requiring attention.
The risk technology platform integrated risk data from across the firm, implementing standardised risk taxonomies, automated data validation controls, and dynamic reporting that provided risk information tailored to different audiences, from front-line managers monitoring specific risk indicators through executive dashboards tracking enterprise-wide risk profiles to board-level reporting satisfying regulatory requirements. The platform was designed not as a compliance tool but as a business enabler, making risk information accessible, actionable, and integrated into daily decision-making.
Throughout the engagement, I worked closely with the bank's team to build internal capability through comprehensive training on both the framework methodology and the technology platform, ensuring the organization could sustain and evolve the risk management approach after the consultancy concluded.
The Transformation
The integrated framework and technology transformation delivered extraordinary results that fundamentally changed both the bank's operational performance and its regulatory standing. Most dramatically, the bank achieved an 81.2% reduction in Pillar 2 capital requirements, liberating significant capital that could be deployed to support business growth rather than being held against perceived risk management deficiencies. This reduction reflected the PRA's increased confidence in the bank's risk management capabilities, enabled by the robust framework and the data integrity and reporting capability provided by the purpose-built technology platform.
Operational performance improvements were equally remarkable. The bank delivered a 94% reduction in the value of operational errors and a 63% reduction in error volumes, transformations directly enabled by the systematic RCSA processes and operational risk management technology that made risks visible, controls explicit, and performance measurable. The technology platform's ability to identify patterns and trends meant issues were caught and addressed earlier, preventing small problems from escalating into significant errors.
The risk technology platform transformed how the organization managed risk information. What had previously required days or weeks of manual data collection and spreadsheet consolidation could now be generated in real-time through automated dashboards. Risk reporting that had been backward-looking and static became forward-looking and dynamic, enabling proactive risk management rather than reactive reporting. Data quality issues that had undermined confidence in risk information were eliminated through automated validation and integrated data flows.
Beyond quantitative achievements, the transformation delivered lasting cultural and organizational benefits. Risk culture evolved from compliance-focused to genuinely embedded in business operations, with the technology platform making it easy rather than burdensome to integrate risk considerations into daily decisions. The bank's regulatory relationship with the PRA improved markedly, with the robust framework and technology-enabled reporting providing confidence in the bank's risk management capability.
The project successfully delivered an integrated solution where framework and technology reinforced each other; the framework provided the methodology and governance that gave structure to risk management, while the technology made that framework practical, scalable, and sustainable. The bank gained not just better risk management, but a competitive advantage through superior risk insight and more efficient operations.
Deliverables and Results
Deliverables
- Enterprise Risk Management Framework: Comprehensive framework spanning risk governance, appetite statements, RCSA methodology, operational risk management processes, and reporting structures aligned with PRA expectations and business strategy
- Purpose-Built Risk Technology Platform: Integrated risk management system including RCSA module, operational risk and incident management, risk appetite monitoring, automated reporting dashboards, and board-level reporting capabilities with full audit trail and data validation controls
- Risk Appetite Framework: Quantified risk appetite and tolerance statements across all material risk categories with technology-enabled monitoring, approved by board and regulators, providing clear boundaries for business decision-making
- Implementation and Training Program: Complete deployment of framework and technology including data migration, system configuration, user training, process documentation, and ongoing support ensuring sustainable internal capability
Results
- Capital Reduction: 81.2% reduction in Pillar 2 capital requirements enabled by robust framework and technology-enabled data integrity, freeing tens of millions of pounds for business growth
- Operational Excellence: 94% reduction in operational error values and 63% reduction in error volumes driven by systematic RCSA processes and technology-enabled visibility and control effectiveness monitoring
- Risk Management Efficiency: Eliminated manual data consolidation and spreadsheet-based reporting, reducing risk reporting cycle time from weeks to real-time while improving data quality and enabling proactive risk management
- Regulatory Confidence: Enhanced PRA confidence through robust framework and technology-enabled reporting capability, shifting regulatory relationship from remediation-focused to strategic business engagement with sustainable internal capability
"Since HML commenced its initiative to implement an enterprise-wide risk management framework, we have reduced our Pillar 2 capital by 81.2% while delivering 94% reduction in the value of errors and a 63% reduction in the volume of errors." - Gillian Weatherill, Head of Enterprise Risk at HML