Program Management

PMO + Risk Council Operating Model: From Audit-Reactive To Forward-Looking In Two Quarters

Built the joint PMO + Risk Council operating model for a regulated fintech, unified RAID + risk register, monthly council cadence, audit-evidence pipeline, moving the function from audit-reactive to forward-looking, with two regulator commendations and zero new findings across an 18-month cycle.

Council cadence: Monthly + quarterly executive review
Regulator findings cleared: 6 inherited → 0 open in 18 months
Regulator commendations: 2 explicit commendations on governance
RAID + risk integration: Single register; programmes + risks cross-linked
Audit-evidence response SLA: < 24h for any regulator-facing inquiry
Tier-1 programmes governed: 11 (scheme, regulator, audit, vendor)
Executive summary

What this is, in one paragraph.

Built the joint PMO + Risk Council operating model for a regulated fintech operating across four markets, unified RAID + risk register, monthly Risk Council cadence, audit-evidence pipeline, programme prioritisation integrated with risk-tier assessment. Moved the function from audit-reactive (fix findings as they arrived) to forward-looking (risk register drives programme prioritisation). Cleared all 6 inherited regulator findings in 18 months, earned 2 explicit commendations on governance posture, and established the < 24h regulator-inquiry response SLA across the organisation. The model became the template for the parent organisation's subsequent fintech subsidiaries.

◆ Before / after

Governance posture
  Before: Audit-reactive, fix findings as they arrived
  After: Forward-looking, risk register drives programme prioritisation

PMO + Risk relationship
  Before: Separate functions, separate registers, monthly conflict on prioritisation
  After: Joint operating model, unified register, monthly Risk Council resolves prioritisation

Regulator inquiry response
  Before: 5-10 days of internal scrambling per inquiry
  After: < 24h response time on routine inquiries; named owner per inquiry class

Audit observation count
  Before: 6 open findings inherited
  After: 0 open findings; 2 commendations on governance evidence
Problem

The job to be done.

Inherited a fintech operating across four markets with 6 open regulator findings, a PMO function and a Risk function that operated as separate registers with separate cadences, and a senior team whose programme prioritisation was disconnected from the risk-tier reality. The PMO was tracking 11 tier-1 programmes; the Risk function was tracking 47 enterprise-level risks; the two views did not reconcile. Regulator inquiries arrived monthly across the four markets and routinely produced 5-10 day internal scrambles to assemble evidence. The CEO had received written supervisory letters from two of the four regulators in the prior year. The senior team needed a unified operating model that produced both faster regulator-inquiry response and forward-looking programme prioritisation tied to risk reality.

System built

What we shipped.

  • Joint operating model document: PMO + Risk Council decision rights, escalation paths, cadence, artefact ownership, signed by CEO, COO, CRO, CPO
  • Unified RAID + risk register: every programme has a linked risk view; every enterprise risk has a linked programme view; reconciled weekly
  • Monthly Risk Council: 90-minute cadence; standing membership (CEO, COO, CRO, CPO, Head of Compliance, Head of Audit, PMO Head); standing agenda (regulator landscape, top 5 enterprise risks, top 3 programmes in flight, decisions required)
  • Audit-evidence pipeline: every programme produces audit evidence as a by-product; evidence is catalogued, queryable, owned, refreshed on a defined cadence
  • Per-regulator inquiry response runbook: named owner per regulator, response template, evidence quick-pull, < 24h SLA
  • Programme prioritisation tied to risk: top 5 enterprise risks always have a linked tier-1 programme; programme ranking weights risk tier alongside business value
  • Regulator engagement calendar: every regulator's supervisory cycle, key milestones, expected inquiries, planned engagements mapped 12 months ahead
  • Quarterly executive review: 3-hour deep dive on the governance posture, the regulator landscape, the year-ahead risk and programme outlook
Architecture

How it's put together.

  • The Risk Council is the senior decision-making body; PMO and Risk both report into it on cadence
  • The unified register is one tool, programmes and risks are linked entities; queries can run across either axis
  • Audit evidence is collected at programme execution time, not at audit time, every programme deliverable produces an audit-evidence artefact
  • Per-regulator inquiry response is owned by named individuals at the Director level; the < 24h SLA includes the gathering of evidence and the drafting of the response
  • Regulator-engagement calendar is published, refreshed monthly, used to schedule programme work that produces the evidence the next inquiry will need
  • The CEO's monthly review with the four regulators uses Risk Council outputs as its substrate, not a separate pack
Operating model

How it actually runs.

  • Weekly PMO + Risk standup: 60 minutes, reconciles the registers, surfaces escalations for the Risk Council
  • Monthly Risk Council: 90 minutes, standing agenda, decisions logged with owner + date
  • Quarterly Executive Risk Review: 3 hours, broader posture review with the executive team
  • Annual Regulator Engagement Plan: published; updated quarterly with material changes
  • Real-time alerting on regulator-supervisory events (letters, inquiries, on-site visits, market-wide circulars); a material event triggers an immediate Risk Council subgroup
My role

Where I sat in the work.

Owned the joint PMO + Risk Council operating model design and implementation. Built the joint operating-model document; designed the monthly council cadence; designed the unified register; designed the audit-evidence pipeline; designed the regulator-inquiry response runbook; coached the inherited PMO and Risk function leaders into the joint operating posture. Direct accountability for the governance-posture KPIs (findings closed, commendations earned, inquiry response time) and the cross-functional adoption of the operating model.

Impact

What moved.

  • Cleared all 6 inherited regulator findings within 18 months, zero open findings at the end of the cycle
  • Earned 2 explicit regulator commendations on governance posture (UAE supervisory cycle, KSA)
  • Established the < 24h regulator-inquiry response SLA across the four markets, and met it
  • Reduced the executive team's monthly regulator-engagement preparation time by ~70%
  • Lifted the programme prioritisation discipline, top-5 enterprise risks now consistently have linked tier-1 programmes
  • Established the joint PMO + Risk Council operating model as the template for the parent organisation's subsequent fintech subsidiaries
  • Closed two inherited audit observations on RAID + risk integration without external consulting support
Trade-offs

What we chose against.

  • Insisted on the unified RAID + risk register over separate registers: required reorganising both functions' tooling and operating cadences; produced the governance leverage that two separate registers could not
  • Built the audit-evidence pipeline as a programme-execution artefact rather than an audit-time artefact: heavier engineering and process discipline upfront; saved weeks of scrambling per inquiry
  • Coached the PMO Head and the Head of Risk into co-ownership rather than restructuring the organisation: slower than a reorganisation would have been; preserved the relationships and produced the buy-in
  • Insisted on a monthly Risk Council cadence with full executive attendance: a material executive time investment; produced the cross-functional alignment that a less frequent cadence cannot achieve
Lessons

What I'd take into the next build.

  • PMO and Risk are functions, not registers. The artefact unification only works if the senior leaders of both functions agree to operate as one council; without that, the unified register becomes a tool nobody uses.
  • Audit-evidence collection at programme execution time costs roughly 5% of programme effort; collecting it at audit time costs roughly 50%. The economics of doing it right are overwhelming.
  • Regulator commendations are operational signals, not just symbolic ones. Regulators that commend an operator typically move that operator further down the supervisory-priority list, which compounds.
  • The < 24h inquiry response SLA is achievable only when the evidence is already on the shelf. Building the inquiry-response runbook without building the underlying evidence pipeline produces a process that the team cannot meet.
  • Forward-looking programme prioritisation is the test of the governance maturity. If the top 5 enterprise risks do not appear in the top 5 programmes, the organisation is running audit-reactive regardless of how strong the artefacts look.
Why it matters

Relevance to networks, PSPs and cross-border platforms.

Every regulated fintech of meaningful scale faces the same problem: PMO + Risk operating as separate functions, governance posture as audit-reactive, regulator inquiries producing scrambles, programme prioritisation disconnected from risk reality. The operating model that solves this, joint Risk Council, unified register, audit-evidence pipeline, inquiry-response runbook, programme prioritisation tied to risk, produces the regulator commendation, the inquiry response time, the absence of findings, and the year-ahead readiness as one bundle. The model is non-trivial to ship (it requires senior buy-in, real tooling investment, and a cultural shift in both functions), but it is replicable across organisations. This is the playbook.

Keywords
PMO Risk Council operating model, joint PMO Risk governance, audit-evidence pipeline, regulator inquiry response, fintech governance model, enterprise risk programme integration, forward-looking governance, RAID risk register integration, regulator commendation, MENA fintech governance
