COO Magazine Q1 2025

Evolution: Controls into Strategic Risk and Resiliency

Maurice Evlyn-Bufton
CEO
Armstrong Wolfe

The role of the first line of defence in the financial markets sector is undergoing a critical transformation. Historically viewed as the operational backbone for maintaining controls and adherence to processes, the first line is increasingly being called upon to broaden its mandate. Financial Markets COOs, in particular, are challenging the status quo where control functions focus narrowly on managing controls rather than actively engaging with risk management and resilience strategies.

This shift acknowledges the evolving complexity of financial markets and the need for organizations to adopt a more integrated and forward-looking approach to risk and resilience. This article investigates the drivers behind this phenomenon and offers strategic recommendations to meet the challenges ahead.

Part 1

The Status Quo: Control Functions Managing Controls

Traditionally, the first line of defence – embodied by control functions – has been tasked with ensuring operational integrity. This includes monitoring adherence to established policies, processes, and regulatory requirements. However, in many institutions, this responsibility has become siloed, resulting in control functions that are reactive rather than proactive. This approach has limitations:

  1. Limited Risk Engagement: Control functions often focus on ensuring compliance with existing frameworks without fully engaging with the broader strategic risks facing the organization.
  2. Fragmentation: The separation between control functions and risk management creates gaps in understanding and addressing emerging risks.
  3. Inadequate Resiliency Focus: Traditional control frameworks prioritize prevention over preparedness, leaving organizations vulnerable to unexpected disruptions.

Drivers of Change

Several factors are prompting a re-evaluation of the first line’s role and the mandate of the Chief Control Officer:

  1. Complexity of Financial Markets: Increasing market volatility, interconnectedness, and the pace of technological advancements have heightened the need for a more dynamic approach to risk management.
  2. Regulatory Expectations: Regulators are emphasizing operational resilience and risk culture, urging firms to take a holistic view of their risk management practices.
  3. Digital Transformation: The adoption of AI, automation, and other digital tools necessitates a shift from traditional control methodologies to more agile, data-driven approaches.
  4. Stakeholder Pressure: Investors and other stakeholders are demanding greater transparency and assurance that firms are resilient and well-equipped to navigate future challenges.

The Mandate of the Chief Control Officer: A Strategic Pivot

The Chief Control Officer (CCO) must evolve from being a custodian of controls to a strategic partner in risk and resilience. This requires:

  1. Proactive Risk Management: The CCO must work closely with the Chief Risk Officer (CRO) to identify and address emerging risks proactively. This includes developing predictive risk models and integrating risk considerations into business decision-making.
  2. Building Resilience: The mandate should expand to include operational resilience, ensuring the organization can withstand and recover from disruptions. This includes stress testing, scenario planning, and developing contingency plans.
  3. Enhanced Collaboration: The CCO must break down silos between the first and second lines of defence, fostering a culture of collaboration and shared accountability.
  4. Embedding Risk Culture: Beyond processes and frameworks, the CCO should focus on embedding a risk-aware culture throughout the organization. This involves training, communication, and incentivizing behaviours that align with risk management goals.

Recommendations for Meeting the Challenge

To successfully evolve the role of controls into strategic risk and resiliency, organizations must:

Redefine Competencies:

  • Develop competencies that bridge the gap between control management and strategic risk.
  • Invest in upskilling first-line professionals in areas such as data analytics, risk modelling, and resilience planning.

Integrate Technology:

  • Leverage AI and automation to enhance risk detection and response capabilities.
  • Utilize data visualization tools to provide real-time insights into control effectiveness and risk exposure.

Foster Cross-Functional Collaboration:

  • Create forums and governance structures that enable open communication between the first and second lines.
  • Encourage joint ownership of risk and resilience initiatives.

Adopt a Holistic Framework:

  • Move beyond compliance-driven controls to a framework that integrates risk management, resilience, and business continuity.
  • Align control objectives with broader strategic goals.

Measure and Monitor Progress:

  • Develop key performance indicators (KPIs) and metrics to track the effectiveness of the first line’s expanded mandate.
  • Conduct regular reviews to assess the maturity of risk and resilience capabilities.

The Path Forward

The evolution of the first line of defence into a more strategic role is both a challenge and an opportunity for financial markets organizations. By redefining the competencies of the mandate, empowering the Chief Control Officer, and fostering a culture of collaboration, firms can navigate the complexities of today’s environment with greater confidence.

This transformation requires strong leadership, investment in capabilities, and a commitment to breaking down silos. However, the payoff – enhanced resilience, proactive risk management, and sustained trust from stakeholders – is well worth the effort.

In a financial landscape where the only constant is change, the first line of defence must evolve to remain relevant and effective. It’s time to move beyond managing controls to mastering strategic risk and resilience.

Part 2

Defining the skills, experiences, technical and behavioural competencies required to be successful in the role

To succeed in the newly defined role of Chief Control Officer (CCO), with its expanded focus on strategic risk and resiliency, candidates need to exhibit a combination of skills, experiences, and competencies across behavioral and technical domains. Here’s a detailed breakdown:

Skills and Competencies

Behavioral Competencies

Leadership and Influence: Ability to lead cross-functional teams and drive collaboration across the first and second lines of defense. Strong influencing skills to align stakeholders, including senior executives, regulators, and business units, with a shared vision for risk and resiliency.

Strategic Thinking: Capability to anticipate emerging risks and trends in financial markets and align control strategies with long-term organizational objectives. A forward-looking mindset to integrate operational resilience into broader business strategies.

Adaptability and Resilience: Comfort navigating complex, rapidly changing environments while maintaining focus on organizational priorities. Emotional intelligence to manage stress and uncertainty, especially in high-pressure situations like disruptions or regulatory scrutiny.

Collaboration and Relationship Building: Skilled at breaking down silos and fostering a culture of shared accountability. Excellent interpersonal skills to manage relationships with diverse stakeholders, including compliance, risk, operations, and external partners.

Communication and Stakeholder Engagement: Clear and effective communication skills to articulate complex control and risk concepts to non-technical audiences. Ability to prepare concise, actionable insights for executive leadership and boards.

Technical Competencies

Risk Management Expertise: Deep understanding of risk management frameworks, methodologies, and tools, particularly in financial markets. Experience with operational resilience planning, including scenario analysis, stress testing, and incident response.

Data Analytics and Technology Integration: Proficiency in leveraging advanced analytics, artificial intelligence (AI), and automation to enhance risk detection and response. Familiarity with technology platforms used for risk monitoring, such as real-time dashboards, data visualization tools, and control mapping systems.

Regulatory Knowledge: Comprehensive knowledge of global financial regulations, including expectations for operational resilience, data governance, and risk culture. Experience engaging with regulatory bodies and addressing compliance mandates effectively.

Project and Change Management: Ability to lead large-scale transformation initiatives, including remediation efforts, process improvements, and technology adoption. Skilled in project management methodologies, such as Agile or Lean, to ensure timely and effective implementation of control strategies.

Business Acumen: Strong understanding of financial markets and products, enabling alignment of control functions with business objectives. Experience in cost-benefit analysis to balance risk mitigation efforts with financial impact.

Experiences

Cross-Functional Leadership: Proven track record of leading teams across risk, compliance, operations, and business units. Experience building and scaling collaborative frameworks for decision-making and problem resolution.

Operational Resilience Initiatives: Hands-on experience designing and implementing operational resilience frameworks, including business continuity planning and crisis management.

First-Line and Second-Line Collaboration: Experience working at the intersection of control and risk functions, ideally having held roles in both domains to understand their interplay.

Regulatory Engagement: Direct involvement in regulatory audits, responses to enforcement actions, or participation in regulatory committees.

Transformation Projects: History of overseeing transformation projects, particularly those involving technology integration, process reengineering, or organizational redesign.

Behavioral and Technical Proficiency in Action

To excel, the ideal candidate will:

Bridge the Gap Between Controls and Strategy: Shift from reactive oversight to proactive risk management, ensuring alignment with organizational goals.

Foster a Risk-Aware Culture: Lead initiatives to embed risk awareness into daily operations and decision-making processes across the organization.

Leverage Technology Effectively: Implement tools and technologies that provide actionable insights, reduce inefficiencies, and enable predictive risk capabilities.

Maintain Stakeholder Confidence: Build trust with internal and external stakeholders through transparency, responsiveness, and delivering measurable results.

By combining these skills, experiences, and competencies, the Chief Control Officer can drive the evolution of controls into a more strategic, resilient, and value-adding function within financial markets.
