In October 2024, TD Bank pleaded guilty and agreed to pay more than $3 billion in combined penalties for a decade of anti-money-laundering failures.
The Department of Justice filings read like a checklist of broken controls: unmonitored high-risk clients, ignored alerts, an understaffed financial intelligence unit, and a compliance program that leadership knew was inadequate.
A year earlier, OCC examiners had privately told more than half of large US banks that their operational risk and control frameworks were weak. The Basel Committee refreshed its operational risk guidance in March 2026.
| Key Takeaways: RCSA in Financial Compliance |
| --- |
| RCSA in Financial Compliance only works when it drives decisions, not when it fills binders. Tie every output to a board, capital, or investment decision. |
| Score inherent risk before controls, evaluate control design and operating effectiveness separately, and publish residual risk with confidence intervals, not just a 1-to-25 heat-map cell. |
| Basel BCBS 195, OCC 12 CFR Part 30 Appendix D, DORA, and the IIA Three Lines Model all converge on the same demand: risk owners must self-assess, and second and third lines must challenge and assure. |
| Add quantitative layers (FAIR, Monte Carlo, loss distributions) to cover the weakness of 1-to-5 qualitative scoring. Practitioners who only use heat maps will be out-argued by those who quantify exposure in dollars. |
| Third parties, AI models, and crown-jewel change programs belong inside the RCSA in Financial Compliance scope. Exclusion is how the next TD Bank headline is written. |
| Continuous control monitoring, event-triggered reviews, and AI-assisted evidence capture are replacing the annual spreadsheet refresh. Start the transition in 2026 or lose credibility with regulators. |
| Track every finding to closure with SMART actions, owners, due dates, evidence of closure, and KRI-based success metrics. Open findings past their due date are the single loudest red flag in supervisory exams. |
DORA came into application in January 2025. The supervisory message for 2026 is unmistakable: RCSA in Financial Compliance is no longer a back-office hygiene task. It is the primary management evidence that a regulated firm actually runs its operations inside the risk appetite its board approved.
This guide is for risk, compliance, audit, and operations leaders who need their RCSA in Financial Compliance to survive the next exam cycle and produce decisions the board can act on.
It expands the familiar seven-tip list into a practitioner playbook: the regulatory stack you must satisfy, the scoring methodology that stands up to challenge, the Three Lines operating model, quantitative upgrades beyond heat maps, the pitfalls that sink most programs, real enforcement cases you can learn from, and a forward view through 2028.
Every tip links to a framework, a standard, or a recent enforcement action: no filler, no theatre.
Why RCSA in Financial Compliance Still Matters in 2026
The easy answer is that regulators require it. The better answer is that nothing else integrates a bank’s operational, conduct, cyber, third-party, and compliance risk picture in one management-owned view. Capital models quantify the tail. KRIs monitor the pulse.
Internal audit retrospectively assures. Only RCSA in Financial Compliance gives the first line a forward-looking, comprehensive inventory of what could go wrong and how well the firm is actually defending against it.
Defining RCSA in Financial Compliance without the jargon
RCSA in Financial Compliance is a structured, management-led process that identifies operational and compliance risks inside a process, business line, or legal entity; rates their inherent severity before controls; evaluates the design and operating effectiveness of the controls that mitigate them; and records the residual risk that remains.
The output is a living risk and control inventory mapped to a Basel-aligned taxonomy and cross-referenced to the firm’s risk appetite statement. For the long-form method walkthrough, Risk Publishing’s complete RCSA guide and the step-by-step implementation guide both unpack the mechanics in depth.
The regulatory stack driving RCSA in Financial Compliance
The framework does not float in space. It sits on top of a stack: Basel Committee Principles for the Sound Management of Operational Risk (BCBS 195), the OCC heightened standards codified at 12 CFR Part 30 Appendix D, the EU Digital Operational Resilience Act (DORA), FCA SYSC and the UK Operational Resilience rules, the EBA Outsourcing Guidelines, and, across sectors, COSO ERM 2017 together with the IIA Three Lines Model (2020).
The common thread is that risk owners must self-assess, the second line must challenge, and the third line must assure. For the full US regulatory context, see Risk Publishing’s primer on defining operational risk and the use of RCSA.
Fines data shows the cost of getting this stack wrong. Global AML, KYC and sanctions penalties totalled $3.8 billion in 2025, $4.6 billion in 2024, and $6.6 billion in 2023. Headline penalties dropped year over year, but the volume and geographic spread expanded; H1 2025 alone saw a 417% surge in regulatory penalties outside the US.
A strong RCSA in Financial Compliance is the cheapest insurance a regulated firm can buy.

Figure 1: The operational risk landscape that a 2026 RCSA in Financial Compliance must cover. Information security, third-party risk and geopolitical disruption dominate industry polls.
Seven Essential Tips for Effective RCSA in Financial Compliance
The original seven-tip article that ranks for this keyword is light on specifics. The practitioner version below names the framework, the evidence, and the decision each tip produces.
Each tip is written as a decision a Chief Risk Officer could defend in front of a Joint Examination Team.
| RCSA in Financial Compliance tip | What ‘good’ looks like in 2026 |
| --- | --- |
| 1. Anchor to a real risk taxonomy | Adopt a Basel-aligned operational risk taxonomy (internal fraud, external fraud, employment practices, clients/products, damage to assets, business disruption, execution/delivery) and map every risk to it |
| 2. Quantify beyond heat maps | Add FAIR or Monte Carlo layers on the top residual risks; express exposure in dollars, loss distributions, and confidence intervals, not just 1-to-5 scores |
| 3. Extend scope to third parties | Include critical vendors, intragroup providers, and crown-jewel outsourced ICT services inside the RCSA in Financial Compliance universe, aligned with DORA Article 28 |
| 4. Link to KRIs, losses and scenarios | Every top residual risk needs at least one KRI with threshold, one scenario run, and one reconciled loss event in the prior 12 months |
| 5. Embed in change and project gates | Require an updated RCSA at major change gates (new products, migrations, organisational restructures) before go-live signoff |
| 6. Automate evidence, retire spreadsheets | Move off Excel into a GRC platform with workflow, audit trail, control evidence attachments, and KRI integration |
| 7. Drive to board decisions | Feed one-page board dashboards with residual risk trajectory, top movements, KRI breaches, and explicit decision asks (capital, investment, appetite, or remediation) |
Tip 1: Anchor RCSA in Financial Compliance to a real risk taxonomy
A scored risk that does not map to a standard taxonomy produces no aggregation. Adopt the seven Basel event categories (internal fraud, external fraud, employment practices and workplace safety, clients / products / business practices, damage to physical assets, business disruption and system failures, execution / delivery / process management) and extend with conduct, model, climate, third-party, and AI risks.
The taxonomy is what lets the firm compare a retail branch’s RCSA to a capital markets desk’s RCSA at portfolio level.
Tip 2: Quantify RCSA in Financial Compliance beyond a 1-to-5 heat map
The biggest intellectual criticism of RCSA in Financial Compliance is that qualitative 1-to-5 scoring produces unfalsifiable outputs.
Fix it by layering quantitative analysis on the top residual risks: FAIR for cyber, loss distribution approaches for operational losses, Monte Carlo simulation for cash and liquidity stress, and scenario analysis for severe-but-plausible events.
Express exposure in dollars with a confidence interval, not just a colour. Boards understand dollars, not heat cells.
For examples tied to practitioner reality, Risk Publishing’s banking KRI examples and risk management metrics explainer translate qualitative judgments into quantifiable thresholds.
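The Python sketch below is an added example, not part of the original article or any Risk Publishing tool. It shows one way to express a single risk in dollars with an interval, using a simplified loss-distribution simulation (Poisson event frequency, lognormal severity) rather than a full FAIR model; the scenario parameters and the $5m appetite threshold are constructed for illustration, not calibrated to any firm's loss data.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One risk expressed as event frequency and single-event severity."""
    name: str
    events_per_year: float  # Poisson mean: expected loss events per year
    median_loss: float      # median single-event loss, in dollars
    sigma: float            # lognormal shape: spread of single-event losses


def poisson_draw(rng, mean):
    """Draw an event count (Knuth's method, adequate for small means)."""
    threshold = math.exp(-mean)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenario, years=20000, seed=2026):
    """Return one simulated total loss per year, sorted ascending."""
    rng = random.Random(seed)  # fixed seed keeps the workpaper reproducible
    mu = math.log(scenario.median_loss)
    losses = []
    for _ in range(years):
        events = poisson_draw(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.sigma)
                          for _ in range(events)))
    return sorted(losses)


def percentile(sorted_losses, q):
    """Nearest-rank percentile of an ascending list, q in (0, 1]."""
    rank = max(1, math.ceil(q * len(sorted_losses)))
    return sorted_losses[rank - 1]


def exposure_summary(scenario, appetite, years=20000, seed=2026):
    """Dollar exposure with an interval, plus the chance of breaching appetite."""
    losses = simulate_annual_losses(scenario, years, seed)
    breaches = sum(1 for loss in losses if loss > appetite)
    return {
        "mean": sum(losses) / len(losses),
        "p05": percentile(losses, 0.05),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "prob_over_appetite": breaches / len(losses),
    }


# Constructed inputs (assumptions for this example only): the same risk
# before controls and after controls that cut event frequency by 75%.
INHERENT = LossScenario("ICT outage, before controls", 0.8, 2_000_000, 1.0)
RESIDUAL = LossScenario("ICT outage, after controls", 0.2, 2_000_000, 1.0)
APPETITE = 5_000_000  # hypothetical board tolerance for annual loss, dollars

if __name__ == "__main__":
    for scenario in (INHERENT, RESIDUAL):
        s = exposure_summary(scenario, APPETITE)
        print(f"{scenario.name}: mean ${s['mean']:,.0f}, "
              f"90% interval ${s['p05']:,.0f} to ${s['p95']:,.0f}, "
              f"P(annual loss > appetite) = {s['prob_over_appetite']:.1%}")
```

Unlike a single heat-map cell, the output separates the typical year (often zero loss) from the tail year, and gives the Risk Committee a breach probability to weigh against the cost of further controls.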
Tip 3: Extend RCSA in Financial Compliance to third parties and concentration risk
Excluding third parties is how banks walk into sanctions. DORA Article 28 requires a register of ICT third-party arrangements, criticality assessments, and contract requirements.
The OCC’s 2024 and 2025 Third-Party Risk Management guidance and the EBA Outsourcing Guidelines point the same way. Include your top 20 vendors, intragroup ICT providers, and the cloud hyperscaler relationships on which your crown-jewel systems depend.
Rate concentration risk explicitly. Recent analysis by the Financial Stability Board and KPMG on OCC heightened standards makes clear that supervisors now treat vendor-risk gaps as gaps in the RCSA.
Tip 4: Link RCSA in Financial Compliance to KRIs, losses, and scenarios
A residual risk with no KRI, no loss event, and no scenario is a ghost. Each top residual risk should be paired with at least one KRI with a threshold, a ranked scenario, and reconciled internal loss history over the prior 12-36 months.
Risk Publishing’s KRI examples library, the regulatory compliance KRI set, and the banking KRI catalogue provide starter indicators. External loss data from ORX benchmarks the firm’s own experience against the industry.
Tip 5: Embed RCSA in Financial Compliance into change and project gates
Most operational losses trace to change: system migrations, new products, mergers, organisational restructures. Put a mandatory RCSA review inside every change-gate.
No go-live without a refreshed risk and control view, a regulatory impact assessment, and sign-off from the CRO and Compliance. The Basel BCBS 195 principles are explicit on this: change programs introduce new risks that must be assessed before implementation.
Tip 6: Automate evidence and retire spreadsheet RCSA in Financial Compliance
The ORX RCSA Practice Benchmark and Deloitte UK’s Ten Steps to RCSA Redemption both identify Excel-based RCSAs as a top source of scoring drift, version confusion, and evidence loss. Move to a GRC platform that integrates KRIs, workflow, evidence attachments, audit trail, and dashboards.
AI copilots now accelerate control evidence gathering and anomaly detection, but only if the underlying data is clean.
Tip 7: Drive RCSA in Financial Compliance outputs into board decisions
If the CEO and the Risk Committee cannot name the top-5 residual risks, the RCSA in Financial Compliance program has failed.
Build a one-page board dashboard with residual risk heat map, top-5 period-over-period movements, KRI status, open findings aging, explicit decision asks (capital, investment, appetite, or remediation), and a What / So What / Now What summary.
The guide to key elements of a risk register covers the underlying data contract. Get it on the Risk Committee agenda monthly and the full Board quarterly.

Figure 2: Global AML, KYC and sanctions fines have come down from 2023’s peak but remain the dominant driver of RCSA in Financial Compliance attention.
The RCSA in Financial Compliance Scoring Methodology
The scoring engine is where most programs either build credibility or lose it. The Basel Committee, COSO, and the major GRC vendors broadly agree on the mechanics.
What separates credible programs from box-ticking ones is the discipline with which these mechanics are applied.
| Scoring dimension | Definition for RCSA in Financial Compliance | Practical anchoring |
| --- | --- | --- |
| Inherent likelihood (1-5) | 1 = remote; 3 = possible within 1-3 yrs; 5 = expected within 12 months | Anchored to frequency data from internal loss DB and ORX external losses |
| Inherent impact (1-5) | 1 = <$100k; 3 = $1m-$10m; 5 = >$100m, systemic or licence-threatening | Calibrate impact thresholds to the group’s capital and earnings base |
| Inherent risk | Likelihood x impact, 1-25 scale, before any controls | Published to the Risk Committee with narrative on the top-20 risks |
| Control design (1-5) | Does the control, as designed, address the risk? | Assessed against policy, standard, or regulation it is meant to meet |
| Control operating effectiveness (1-5) | Is the control consistently performed in practice? | Evidence-based; sample-tested by the first line and validated by second line |
| Residual risk | Inherent risk reduced by weighted control effectiveness | Plot against risk appetite to identify breaches requiring remediation |
| Risk appetite cell | Board-approved tolerance per category (e.g., cyber, AML, conduct) | Residual risk > appetite = mandatory treatment plan with owner and due date |
Inherent risk scoring in RCSA in Financial Compliance
Inherent risk is the exposure before any controls. Most banks use a 1-to-5 likelihood scale and a 1-to-5 impact scale, producing a 1-to-25 inherent score.
The trap is subjective interpretation: what exactly is ‘possible within three years’ versus ‘expected within twelve months’? Fix it by anchoring likelihood to frequency data, internal loss events plus ORX external data, and anchoring impact to the group’s capital and earnings (for example, 5 = loss > 10% of net income). Document the anchors; re-anchor annually.
Control effectiveness in RCSA in Financial Compliance
Control effectiveness must be assessed on two separate dimensions: design adequacy (is the control, as designed, capable of preventing or detecting the risk?) and operating effectiveness (is the control consistently performed in practice, evidenced, and tested?).
Most weak RCSAs collapse these into one number. The COSO 2013 Internal Control Framework and the IIA’s International Professional Practices Framework both insist on the separation. Design-only testing is a red flag in any exam.
Residual risk and appetite in RCSA in Financial Compliance
Residual risk = inherent risk reduced by weighted control effectiveness. Plot it against a board-approved risk appetite statement. Any residual risk above appetite triggers a mandatory treatment plan with an owner, due date, budget, and KRI-based success metric.
The first time residual risk is reported without an appetite reference point, the Risk Committee will ask the question.
Be ready with the appetite statement, the calibration, and the exception management process. The risk and control self-assessment PDF reference illustrates what a defensible scoring workpaper looks like.

Figure 3: A worked RCSA in Financial Compliance view: inherent risk drops under effective controls, but cyber and third-party residuals stay elevated and drive board attention.
Three Lines Model for RCSA in Financial Compliance
Role confusion is the second-most-common RCSA failure after scoring bias. The IIA Three Lines Model clarifies who does what, but supervisory exams show that in practice, second lines frequently end up writing the first line’s self-assessments, and third lines audit whatever the second line already blessed. The RACI below resets the discipline.
| Activity in RCSA in Financial Compliance | 1st Line (Business) | 2nd Line (Risk / Compliance) | 3rd Line (Internal Audit) |
| --- | --- | --- | --- |
| Identify risks and controls | R / A | C | I |
| Score inherent risk | R / A | C | I |
| Assess control design | R / A | C | I |
| Test control operating effectiveness | R | C / A | C |
| Challenge scoring consistency | I | R / A | C |
| Aggregate and report to Risk Committee | C | R / A | C |
| Independent assurance over the framework | I | C | R / A |
| Close findings and remediate | R / A | C | I |
First-line ownership of RCSA in Financial Compliance
The business owns the risks and the controls. Full stop. First-line teams identify risks, attest controls, run the scoring workshops, and execute the remediation.
The COSO ERM framework principle 11 anchors this: operational management is accountable for risk. A second line that does this work instead is committing the Three Lines cardinal sin and will not survive a quality assurance review.
Second-line challenge of RCSA in Financial Compliance
Enterprise risk and compliance teams set the methodology, calibrate scoring, challenge optimistic ratings, aggregate outputs into the board view, and maintain the risk appetite statement.
They do not score risks on behalf of the business; they challenge what the business scored. Expect tension here. Productive tension is the point.
Third-line assurance over RCSA in Financial Compliance
Internal audit, under the IIA’s Global Internal Audit Standards, provides independent assurance on the framework’s design, the quality of the first-line assessments, the rigour of second-line challenge, and the closure of remediation actions.
A strong third line also reviews the firm’s Quality Assurance and Improvement Program (QAIP) for the RCSA itself.

Figure 4: Delivery models for RCSA in Financial Compliance. The majority still run workshops, but hybrid and continuous approaches are growing fastest.
Where RCSA in Financial Compliance Programs Fail and the Fixes That Work
Every recurring RCSA failure pattern traces to the same short list. Naming them explicitly is the first step to engineering them out.
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Scoring clusters in the middle | Raters avoid extremes to dodge follow-up workshops | Calibrate with worked examples; force distribution review at second-line challenge; require written justification for every ‘medium’ on a top-20 risk |
| Annual-only, calendar-driven refresh | Cycle tied to audit schedule, not the risk profile | Add quarterly lightweight updates, continuous KRI feeds, and mandatory event triggers for incidents, new products, and organisational change |
| RCSA disconnected from actual losses | First line self-attests; internal loss events never feed back | Reconcile top residual risks against the internal loss database and near-miss log every cycle; flag mismatches for the Risk Committee |
| Controls assumed effective, never tested | Design review substituted for operating effectiveness testing | Build a two-dimensional control effectiveness rating (design + operating); sample test the top 20% of controls covering 80% of residual risk |
| Third parties and intragroup providers excluded | Out-of-sight, out-of-mind beyond the legal entity boundary | Align scope with DORA, EBA Outsourcing Guidelines, and OCC Third-Party Risk Management; add vendor and intragroup RCSAs to the risk universe |
| Findings never close | No owners, no due dates, no evidence requirements | Adopt SMART actions; require evidence of closure; publish aging reports; escalate anything over 90 days past due to the CRO and Audit Committee |
| Output never reaches the board | Reports stop at operational committees | Build a one-page board RCSA dashboard with residual risk heat map, top-5 movements, KRI status, open findings aging, and explicit decision asks |
| RCSA methodology drifts between units | No central authoring authority; BUs build their own scales | Enforce a single methodology document; require deviations to go to the ERM committee; automate scoring in the GRC platform to remove manual drift |

Figure 5: Pitfalls reported by practitioners running RCSA in Financial Compliance programs. Scoring bias and static cycles are the top concerns.
Case Evidence: RCSA in Financial Compliance Failures That Moved Markets
Cases are not anecdotes; they are the evidence base for where RCSA in Financial Compliance actually matters. Three recent enforcement actions illustrate the pattern.
TD Bank: RCSA in Financial Compliance gaps meet a $3 billion penalty
In October 2024, TD Bank’s US subsidiary pleaded guilty to Bank Secrecy Act and money-laundering conspiracy violations, resulting in over $3 billion in combined penalties from the DOJ, FinCEN, OCC, and the Federal Reserve.
Root causes read like a worst-case RCSA in Financial Compliance: transaction monitoring scenarios that did not detect narcotics trafficking typologies, AML program leaders who knew the program was under-resourced and did not remediate, and self-assessments that produced clean ratings on controls that were demonstrably broken.
The penalty is a supervisory proof-point: qualitative self-attestation without testing and evidence is not a control.
Klarna and Nordea: RCSA in Financial Compliance lessons outside the US
In December 2024, Sweden’s Finansinspektionen fined Klarna Bank $50 million for AML program deficiencies. In 2025 the NYDFS fined Nordea Bank $35 million for customer due diligence failures on correspondent banking.
Both cases involved known control weaknesses that were self-rated as ‘adequate’ at the time. The lesson for RCSA in Financial Compliance teams: if the internal self-assessment disagrees with the external data (loss events, regulatory findings, whistleblower reports), the self-assessment is wrong.
What these cases tell every RCSA in Financial Compliance program
Three patterns repeat across every enforcement case reviewed by ComplyAdvantage and the Payments Association: inadequate transaction monitoring, weak customer due diligence on high-risk clients, and governance failures where senior management could not evidence oversight.
A mature RCSA in Financial Compliance makes all three visible months before they become enforcement actions, but only if the scoring is honest and findings are tracked to closure.

Figure 6: Numbers the 2026 RCSA in Financial Compliance program has to reckon with.
Frequently Asked Questions About RCSA in Financial Compliance
Eight questions we hear most often from RCSA practitioners, CROs, and internal audit teams. Answers target long-tail queries and the People Also Ask variants that appear in Google for this keyword family.
What is RCSA in Financial Compliance in plain terms?
RCSA in Financial Compliance is the structured process where the first line of defense (the business and operational teams) identifies the operational and compliance risks inside their own processes, rates inherent risk, evaluates the design and operating effectiveness of their controls, and records the residual risk after controls are applied.
The Basel Committee on Banking Supervision describes it as a core building block of operational risk management, and the OCC codifies it inside its heightened standards for banks with over $50 billion in assets.
The output is a risk and control inventory that second-line risk teams challenge and third-line internal audit assures. Done well, it is the management tool that converts operational risk theory into capital, pricing, investment, and remediation decisions.
How often should an RCSA in Financial Compliance cycle run?
The traditional annual refresh is no longer sufficient. Leading banks now run a hybrid RCSA in Financial Compliance cadence: a full refresh once a year, quarterly lightweight updates, continuous KRI monitoring feeding into risk scores, and event-triggered reassessments after material incidents, new products, major changes, or regulatory shifts.
The OCC’s 2025 supervisory priorities and the ORX practitioner benchmark both signal that static annual cycles will be treated as a weakness at the next exam. Match your cadence to your risk profile, not to your calendar.
Who owns RCSA in Financial Compliance under the Three Lines Model?
The first line (business and operations) owns the RCSA in Financial Compliance end to end: identification, scoring, control self-attestation, and action plan execution.
The second line (enterprise risk and compliance) sets the methodology, validates scoring consistency, challenges optimistic ratings, and aggregates the output for the board.
The third line (internal audit) assures the framework periodically, tests a sample of controls, and reports gaps to the audit committee.
The IIA’s 2020 update of the Three Lines Model clarifies that risk ownership sits with operational management; the second line does not own risks and must not take over the self-assessment.
Can RCSA in Financial Compliance replace quantitative operational risk models?
No, and attempting it is a classic failure mode. RCSA in Financial Compliance is predominantly qualitative and directional. Banks subject to Basel’s standardized approach for operational risk still need loss data, internal loss experience, and scenario analysis.
Where banks add the most value is by layering FAIR-style quantification, Monte Carlo simulation, or loss distribution approaches over the top residual risks coming out of the RCSA.
That combination (qualitative discovery plus quantitative stress testing) is what credible Chief Risk Officers present to boards and regulators.
How does DORA change RCSA in Financial Compliance inside EU banks and insurers?
The Digital Operational Resilience Act entered application on 17 January 2025 and now requires EU financial entities to maintain an ICT risk management framework with documented, periodic self-assessments, a register of information on third-party ICT providers, incident reporting, and threat-led penetration testing for significant entities.
For RCSA in Financial Compliance, DORA forces three upgrades: ICT risks must be named and scored as first-class citizens; third-party and intragroup ICT dependencies must be inside scope; and evidence of the self-assessment and management sign-off must be retained in a form supervisors can demand on short notice.
What KPIs and KRIs should track the health of RCSA in Financial Compliance?
At program level, track percentage of in-scope processes with a current RCSA (target 100%), percentage of controls with a completed design and operating effectiveness assessment, percentage of findings closed by due date, average age of open findings, and residual risk movement period over period.
At risk-level, pair every top residual risk with at least one KRI that has a threshold, an owner, and an escalation rule.
The KRI examples library and compliance KRI catalogue give ready-to-use indicators for most business lines. Publish the deck to the Risk Committee monthly and the full Board quarterly.
What are the most dangerous pitfalls in an RCSA in Financial Compliance program?
Scoring bias (everyone clusters around ‘medium’) tops the ORX benchmark. Static annual-only cycles, disconnection from actual loss events, and self-attestation without control testing are close behind.
Deloitte UK’s 2025 ‘Ten Steps to RCSA Redemption’ piece calls out one more: outputs that never translate into capital, pricing, investment, or remediation decisions, which turns the whole exercise into compliance theatre.
Treat every one of these as an existential threat to the program and engineer the framework to prevent them.
Does RCSA in Financial Compliance apply to fintechs and non-bank lenders?
Yes, and increasingly explicitly. The FCA in the UK, the CFPB in the US, and sector regulators across the EU have extended operational and conduct risk expectations to non-bank financial services firms.
The maturity of the program can be lighter than a systemic bank, but the core discipline (risk inventory, inherent and residual scoring, control testing, third-party scope, and board reporting) is not optional. Expect the supervisory bar to keep rising as fintechs grow and as payment, crypto and embedded-finance regulations bite.
Looking Ahead: RCSA in Financial Compliance 2026-2028
The framework is not standing still. Three shifts will reshape the RCSA in Financial Compliance discipline between 2026 and 2028.
AI-assisted RCSA in Financial Compliance becomes standard
Large language models already draft risk descriptions, extract control evidence from operational data, summarise incident post-mortems, and flag scoring inconsistencies.
The NIST AI Risk Management Framework and, for firms exposed to it, the EU AI Act create a parallel obligation: AI models used inside the RCSA process must themselves be risk-assessed.
The reward is speed and consistency; the trap is automation without calibration. Continue the second-line challenge; do not outsource judgment to the model. The NIST Cybersecurity Framework KRI set shows one way to operationalise AI-adjacent indicators.
Continuous controls and dynamic RCSA in Financial Compliance
The annual cycle is dying. Banks investing in control evidence pipelines, telemetry from core systems, and KRI feeds into the GRC platform are already running continuous RCSA in Financial Compliance on priority processes.
The OCC’s 2025 supervisory priorities and the Basel technical amendment of March 2026 both point the same way: supervisors now expect dynamic evidence, not annual PDFs.
Convergence of RCSA in Financial Compliance with operational resilience
DORA, FCA PS21/3 operational resilience, PRA SS1/21, and Basel BCBS 239 are converging. Impact tolerances, important business services, and severe-but-plausible scenarios are now the same language operational resilience teams use. Merge them.
A 2028 RCSA in Financial Compliance program that is not integrated with operational resilience mapping will be rebuilt under regulatory pressure. Start now.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
