The Work
Hyper-specific in function. Multi-industry in application.
Where It Breaks
The same failure modes show up across industries. The industry changes the vocabulary. It rarely changes the problem.
The requirements you answer to, mapped to what your organization actually does. Most compliance programs are built around the document set, not the operation. The distance between the two is where findings come from.
In practice: A control matrix that names an owner, an evidence source, and a cadence for every requirement you are actually held to. Nothing generic survives.
The gap between what the binder says and what happens on a Tuesday. The binder passed its last review. The Tuesday version is what the regulator will find, and the two have usually been drifting apart for years.
In practice: Walking the actual process with the people who run it, then closing the gap from both sides: fix the practice or fix the binder, never pretend.
Your risk surface includes every vendor's risk surface. Most programs pretend otherwise. A questionnaire on file is not oversight, and the vendors most likely to hurt you are rarely the ones with the biggest contracts.
In practice: A vendor tier model based on what each one can actually break, with monitoring that matches the tier instead of the invoice.
National and global regulations that disagree with each other, and you in the middle. Data residency, breach notification, audit rights. Satisfying one regime can put you out of step with another, and nobody owns the conflict.
In practice: A jurisdiction map of where the regimes actually conflict for your operation, and a documented position for each conflict before someone else asks for it.
What the acquirer's diligence team and the regulator will see before you do. IT risk surfaces late in most deals, after the price is set. By then it is a renegotiation lever for the other side.
In practice: Diligence-grade review of the risk posture before the data room opens, on either side of the table.
Knowing who is asking, what they ask for, and what they do with the answer. Regulators are not interchangeable. Each one has a posture, a pattern, and a history, and answering one as if it were another is how routine exams become findings.
In practice: Preparing the organization for the specific examiner it will face, not a generic audit.
The systems nobody wants to talk about are usually the ones that end up in the finding. Tech debt is treated as an engineering backlog item. On paper it is unquantified risk sitting outside every register you maintain.
In practice: Putting the aging systems on the risk register with an owner and a number, so the decision to carry them becomes a decision instead of a habit.
What's the thing that's going to shut this down?
Engagement Shapes
The shape follows the problem. Every engagement ends with a handoff, not a renewal pitch.
Scott in function inside your organization: ownership, a mandate, and an exit plan. For when the risk function needs to exist and doesn't, or needs to be rebuilt while it runs.
A bounded, clear-eyed read of where the exposure actually is. For when you need the answer before a regulator, an acquirer, or a board asks the question.
A standing line to senior judgment without the full-time seat. For organizations that have a program and want it pressure-tested as it evolves.
Next Step
One conversation is usually enough to know whether the question applies to you.
Start a conversation