Enterprise & Operational Risk
Enterprise risk, operational risk, digital risk, and third-party risk advisory for multinational organisations operating across the Americas, Europe, the Middle East, and the Asia-Pacific. The practice covers the full risk management lifecycle: risk-framework design and governance, operational and control assessments, technology-risk advisory, business continuity, third-party risk management, internal audit, fraud risk, regulatory compliance, and continuous controls monitoring for organisations in regulated public-company environments, financial services, critical infrastructure, and distributed industrial estates.

Scope of Service
- Enterprise risk management framework design and implementation
- Operational risk assessments and Risk-and-Control Matrix (RCM) development
- Third-Party Risk Management (TPRM): framework design, vendor risk assessment, due diligence, and ongoing monitoring
- Business continuity management (BCM) and crisis management
- Information security and cybersecurity advisory
- IT general controls (ITGC), ERP controls, and segregation of duties (SoD) reviews
- Continuous controls monitoring (CCM) design and implementation
- Internal audit programmes: outsourced, co-sourced, and risk-based audit plans
- Fraud risk assessment and forensic advisory
- Regulatory compliance advisory across jurisdiction-specific regimes
- Governance, Risk and Compliance (GRC) platform advisory and implementation
- Digital risk services: process automation, workflow modernisation, EHS technology platform deployment, and document/collaboration platform transformation
- Enterprise project management and PMO support for risk and compliance programmes
- M&A risk advisory and post-merger integration support: operational-risk diligence, controls harmonisation, and integration governance
Standards and Frameworks
International standards and frameworks
Regional regulatory frameworks
- Americas: Federal Reserve and OCC guidance on operational risk and third-party risk (United States); OSFI Guideline B-10 on third-party risk management (Canada); SEC operational disclosure and risk-management expectations.
- Europe: Digital Operational Resilience Act (DORA) for the financial sector; EBA Guidelines on outsourcing arrangements; GDPR for data protection; UK FCA and PRA operational resilience requirements (PS21/3, SS1/21).
- Middle East: SAMA Cybersecurity Framework and Business Continuity Management Framework (Saudi Arabia); UAE Central Bank operational-risk and outsourcing guidance; UAE NESA / TDRA cybersecurity standards.
- Asia-Pacific: APRA Prudential Standards CPS 230 (operational risk management) and CPS 234 (information security) (Australia); MAS Technology Risk Management Guidelines and Outsourcing Guidelines (Singapore); RBI Master Directions on cybersecurity and outsourcing of financial services (India).
How We Work
Enterprise and operational risk engagements follow the firm's four-phase operating discipline.
Scope
Risk-universe mapping, current-state assessment of the risk management framework and control environment, alignment with applicable international standards and regional regulatory regimes.
Design
Risk taxonomy, risk-and-control matrix, governance model, methodology selection (ISO 31000 / COSO ERM / hybrid), and roadmap for control implementation, technology enablement, or programme deployment.
Execute
Control implementation, technology configuration (GRC platforms, CCM tooling, EHS systems), assessment and audit execution, finding closure, and capability transfer.
Assure
Control testing, surveillance, continuous monitoring dashboards, internal audit cycle execution, management reporting, and ongoing programme governance.
Global Delivery
Risk advisory engagements are delivered across the firm's nine-country permanent footprint: the United States, Canada, the United Kingdom, Germany, the UAE, Saudi Arabia, India, Singapore, and Australia, with regional teams operating under the applicable international standards and country-specific regulatory regimes. Multi-jurisdictional risk and controls programmes are coordinated under a single methodology with regional execution.
Sector Experience
- Regulated Utilities: multi-stream governance, risk, compliance, and technology mandate for Caribbean Utilities Company, Ltd. (CUC), a TSX-listed public utility wholly owned by Fortis Inc. Scope includes TPRM framework development, IT governance and policy modernisation, SharePoint Server → SharePoint Online (Microsoft 365) migration, and enterprise project management. See the dedicated case study →
- Insurance: risk-assurance audits for TATA AIG across the full Indian estate.
- E-commerce & Digital Commerce: ISO 22301 business continuity management implementation and certification for Flipkart, Myntra, Jabong, and PhonePe.
- Industrial Manufacturing & Heavy Industry: digital risk and process modernisation taking 100+ industrial facilities paperless through proprietary EHS technology platforms.
- Government & Public Sector: risk and compliance advisory across state-owned enterprise environments, including in regulated atomic-energy operations.
Subject-Matter Experts on Permanent Bench
Caribbean Utilities Company, Ltd. multi-stream governance, risk, and technology mandate.
A TSX-listed public utility serving the Cayman Islands. The engagement spans Third-Party Risk Management, IT Governance and Policy Development, SharePoint modernisation, SOX/ICFR Controls Advisory, and Enterprise Project Management, delivered as a single advisory partnership rather than fragmented across vendors.
Read the CUC case study →
Talk to the enterprise risk practice.
Get a senior risk practitioner on the call within one business day: direct, evidence-led, and accountable from first call through delivery.