Overview

A rapidly growing electronic money and wealth management firm recognised the need to strengthen its enterprise risk function in response to evolving regulatory and market expectations.

To support this evolution, the firm partnered with Thistle Initiatives to enhance its risk management capability through a Risk Management as a Service (RMaaS) model. Our expert team stepped in as an outsourced Chief Risk Officer (CRO), guiding the firm through a comprehensive transformation of its risk governance framework.

Challenges

Several key challenges were identified and addressed:

  • Absence of Dedicated Risk Leadership: The absence of a Chief Risk Officer (CRO) limited the firm's ability to maintain consistent, strategic oversight of its risk management function.
  • Strengthening the Enterprise Risk Framework: The existing framework required further enhancement of its structure and depth to better identify, assess, and manage emerging risks.
  • Enhancement of Controls and Monitoring: There was an opportunity to strengthen the design and embedding of controls, alongside more consistent monitoring, to provide greater confidence in the effectiveness of risk mitigation strategies.
  • Risk Reporting and Governance Oversight: By enhancing the consistency of risk reporting and deepening board-level engagement, we supported the firm in delivering more proactive and informed risk governance.
  • Embedding a Risk-Aware Culture: There was an opportunity to further embed risk awareness into day-to-day decision-making, helping to foster a more proactive and consistent risk culture across the organisation.

Our Approach

Thistle Initiatives delivered a multi-faceted RMaaS solution tailored to the firm’s structure, scale, and ambitions:

  • Outsourced Chief Risk Officer: Thistle Initiatives' Lorraine Mouat assumed the role of CRO, providing strategic leadership and ensuring alignment of risk management practices with business objectives.
  • Comprehensive Enterprise Risk Framework Review: We conducted a full review of the firm's risk framework, identifying gaps and recommending enhancements to align with best practices and regulatory expectations.
  • Risk Identification & Assessment: Through collaborative workshops and detailed risk assessments, we identified key inherent risks and quantified residual risks after control measures. This provided a clear picture of the firm's risk exposure.
  • Evaluation of Control Effectiveness: Our team assessed existing controls, conducting audits and gap analyses to determine their effectiveness in mitigating risks. Recommendations were provided to strengthen weak areas.
  • Enhanced Reporting & Committee Support: We streamlined risk reporting with tailored dashboards, delivered via our tech-enabled platform, that provided real-time insights for leadership and board committees. Regular committee attendance ensured proactive discussion and oversight of risk issues.
  • Instilling a Risk-Centric Culture: Recognising the importance of a risk-aware mindset, we facilitated a risk management workshop aimed at embedding risk management into everyday practices, empowering employees to actively contribute to risk mitigation efforts.

Results

The engagement delivered measurable improvements across the risk function:

  • Strengthened Governance: The firm now benefits from strategic oversight provided by an experienced outsourced CRO.
  • Robust Risk Framework: Enhancements to the risk framework have reduced vulnerabilities and provided a structured approach to risk management.
  • Improved Control Effectiveness: Regular monitoring and auditing of controls have bolstered the firm’s ability to mitigate risks effectively.
  • Enhanced Reporting & Oversight: Real-time risk dashboards and active committee engagement have led to better-informed decision-making at the leadership level.
  • Cultural Transformation: A sustained focus on risk awareness fosters a proactive, risk-centric culture, aligning the organisation with best practices in risk management.

Meet the Expert

Lorraine Mouat, Partner

Lorraine leads a team delivering complex projects for a diverse range of payment service providers (PSPs) and electronic money institutions (EMIs).

She is a seasoned regulatory compliance professional with a strong background across both industry and consultancy. Her expertise spans compliance frameworks, systems and controls, monitoring programmes, conduct risk, and organisational culture. Lorraine has successfully supported many firms through the FCA authorisation process, offering practical, hands-on guidance throughout.

A certified GDPR Practitioner, she also brings deep experience in data protection and privacy compliance. Lorraine’s consulting work covers start-ups to listed entities, with a proven ability to turn complex regulatory challenges into practical, commercial solutions. Her portfolio includes governance and culture initiatives, risk management frameworks, safeguarding assessments, due diligence reviews, and Skilled Person (s166) engagements.


More about Risk Management as a Service

Part of our wider Risk and Resilience offering, RMaaS is a dynamic, scalable solution designed to empower firms with outsourced expert risk management resource, avoiding the costs associated with in-house teams. RMaaS offers a flexible approach to identifying, assessing, mitigating, and monitoring risks, ensuring businesses stay compliant, resilient, and well-prepared to navigate the ever-changing regulatory landscape.