GRC Operating Model Transformation at a Leading Fintech and Payments Platform

Operating model and change lead · Leading Fintech and Payments Platform

Realigned governance, risk, and compliance accountabilities across three lines of defense following a sequence of regulatory and compliance pressures that exposed operating model gaps.

Situation

A leading fintech and payments platform was recovering from a sequence of regulatory and compliance pressures that exposed gaps in the maturity of its governance, risk, and compliance operating model. Executive leadership made the strategic decision to modernize GRC end-to-end rather than continue with point fixes. The three-lines-of-defense architecture was in place on paper, but accountabilities, decision rights, and escalation paths were unclear in practice across the first line of business risk owners, the second line of GRC professionals, and the third line of internal audit.

Task

Tim led the operating model realignment across eight enterprise product functions. The scope covered decision rights, escalation paths, control ownership, and the change and alignment campaign required to drive behavioral shift at enterprise scale across the three lines.

Action

Tim realigned roles, responsibilities, and expectations across the three lines of defense at a fintech platform recovering from regulatory scrutiny. In the prior state, unclear accountabilities had elevated the firm’s risk profile and audit exposure. To address this, he combined structural operating model redesign with a sustained change and alignment campaign engineered to drive behavioral change at enterprise scale. The work applied Deloitte’s Business Transformation Methodology, the D3 Organization Design framework, ChangeScan diagnostics, ChangeScout adoption analytics, and PROSCI ADKAR change discipline against the IIA’s Three Lines Model governance architecture.

Result

Clearly defined roles, responsibilities, and expectations across hundreds of first-line business risk owners, second-line GRC professionals, and third-line internal audit partners. A modernized GRC operating model positioned to absorb future regulatory inflection without rebuilding from scratch.

Methods & Tools: Deloitte Business Transformation · Deloitte D3 Organization Design · Deloitte ChangeScout · PROSCI ADKAR · IIA Three Lines Model