Governance, Risk and Compliance

Mosaic provides expertise and pragmatism to help our clients implement governance, risk, and compliance (GRC) solutions that are fit for purpose.
We can advise on the design, execution, and embedding of GRC frameworks, systems, and processes that reconcile regulatory compliance with improved customer and commercial outcomes.

Our GRC team has extensive experience working in financial services businesses, which gives us a deep understanding of the challenges that these organisations face. We can use this understanding to advise and support our clients in developing and implementing GRC programs that are effective and sustainable.

We believe that sound and embedded GRC systems and processes are critical in enabling an organisation to achieve its strategic objectives. By taking a proactive approach to risk management and compliance, organisations can understand and appropriately manage their risk exposure, improve their operational efficiency, and protect their reputation.

Conduct and Culture

The Financial Markets (Conduct of Institutions) Amendment Act 2022 (CoFI) has put fair conduct for consumers and organisational culture at the forefront of financial services firms in New Zealand.

While CoFI is a compliance requirement, it is also recognised that good conduct and culture is good business and is essential for any business to achieve its long-term strategic objectives. Effective conduct and culture risk management requires all levels of a financial services business, from the board and senior management to the front-line employees who interact with customers, to be aware of how their own conduct can impact customer outcomes.

There is no one-size-fits-all approach to managing conduct and culture risk. At Mosaic, we support financial services organisations in defining their own standards of good conduct and fair customer outcomes, and we work with them to embed conduct risk management into their overall risk management framework. This includes assisting organisations to develop controls and processes, including lagging and leading indicators, to measure and manage their conduct performance.

We recognise that conduct and culture risk management can be complex and is not easily managed through prescription and rules alone. Successful implementation and management requires the use of both quantitative and qualitative tools.

Mosaic has access to a range of tools, such as the risk culture assessment tool developed by Macquarie University in conjunction with a multidisciplinary team of risk governance and organisational psychology professionals. In addition, we include specialists in the field of ethics and business conduct to help develop conduct and culture indicators that meet the challenge of evidencing CoFI outcomes.

Customer Remediation

Mosaic has extensive experience working with clients across banking, insurance, funds and wealth to help them understand the risks, regulatory expectations and compliance obligations of customer remediation. We work with clients to ensure that their execution of customer remediation is as effective as possible, replicable, and embedded, to strengthen organisational resilience and competence.

Our support spans the solutioning cycle, from advice and recommendations, through to data analysis, calculation and implementation. We have expertise in the following areas:

  • Development of customer remediation standards, policies, and procedures
  • Regulator strategy and engagement support
  • Obligation interpretation and gap analysis
  • Root cause analysis, including compliance by design, control workshops, mapping, and testing
  • Systems support and implementation
  • Customer data scoping, analysis, mapping, and calculation
  • Customer contact strategy, communication, and implementation
  • Full programme management, including governance reporting and record keeping.

We work to ensure that good customer outcomes are met, taking into account the size and complexity of our clients' operating environment. We also seek to ensure that outcomes can be operationalised effectively and embedded for future operational resilience. We regularly work alongside internal and external risk and legal teams.

Risk and Compliance Maturity

Mosaic can assist you in assessing your organisation's risk and compliance maturity using our proprietary maturity model or a model developed specifically for your needs. Our experienced team will independently assess your people, processes, and systems to ensure they are operating consistently in line with industry practices.

We can undertake holistic risk or compliance maturity assessments or more focused, "deep-dive" maturity reviews on specific aspects of your business.

Periodic maturity assessments are an effective way to measure your progress, validate your risk and compliance roadmap, enable informed decision-making, support a strong risk and compliance culture, and pursue operational excellence and resilience.

Recent client work:

  • Holistic risk maturity uplift: Mosaic assisted an investment firm in assessing its risk and compliance maturity across all aspects of its business.
  • Risk culture and conduct improvement: Mosaic supported a major bank in improving its risk culture and conduct by identifying key themes and recommendations.
  • Holistic privacy maturity assessment: Mosaic conducted a holistic privacy maturity assessment for a local government organisation to help it understand its current privacy maturity and identify areas for improvement.

Risk Governance and Frameworks

We work with clients to assess, design, and implement fit-for-purpose frameworks that align corporate governance with risk management and control activities. This helps ensure that actual and potential threats to strategic objectives, business performance, operational efficiency, and resilience are well understood and managed within risk appetite.

An effective risk governance framework drives the identification and focus on the risks that have the most impact on the organisation's strategic objectives. It also holds risk owners accountable for managing those risks effectively. The goal is to reduce and control all risks to an acceptable level and within risk appetite.

Recent client work includes:

  • Development of an incident management framework, policies, procedures, and processes at a major bank
  • Supporting leadership at a large bank to improve risk culture and conduct by identifying key themes and recommendations.

Operational Risk Advisory

Operational risk management is the process of identifying, assessing, and mitigating risks that can impact an organisation's operations. These risks can include human error, system failures, and external events.

Mosaic's Operational Risk Advisory service assists organisations in improving their operational risk management capabilities. We provide a holistic approach that includes:

  • Risk assessment and identification
  • Policy development and implementation
  • Training and awareness
  • Control design and testing.

We have a proven track record of success in assisting organisations to improve their operational risk management. In one recent example, we worked with a large investment management business to improve their operational risk maturity. We assisted them to:

  • Develop and implement a new risk management framework
  • Train their staff on risk management
  • Document their risks and controls.

As a result of our work, the client was able to significantly improve their operational risk management capabilities. They were able to identify and mitigate risks more effectively, and they were able to reduce their exposure to operational losses.

ESG – Climate & Sustainability

Climate and sustainability are important topics within the broader ESG (environmental, social, and governance) framework. The Taskforce on Climate-related Financial Disclosures (TCFD) was created to help companies report on the impact of climate change on their operations and their impact on the climate. The TCFD reporting framework recommends four areas for companies' disclosures: governance, strategy, risk management, and metrics and targets.

While the TCFD framework is voluntary, New Zealand has adopted a mandatory climate-related disclosure regime that will go into effect in 2023 for climate reporting entities (including large banks and other financial institutions). New Zealand's regime is largely based on the TCFD framework. Mosaic has a team of experienced climate and ESG professionals who can help you prepare for climate-related disclosures and target setting. Our recent client engagements include:

  • Managing a project on voluntary climate disclosure across all pillars, including calculation of financed emissions for a major commercial and retail bank
  • Conducting an in-depth investigation of integration with a climate data provider for greenhouse gas emissions metrics and the determination of physical climate risk across the portfolio of a retail bank
  • Providing support to a major fund manager to define governance disclosure, controls, and checks around its reporting process in the lead up to the mandatory regime.

Regulatory Response

Legislation and regulatory requirements and expectations continue to evolve and change, requiring financial services businesses to respond strategically and tactically to ensure compliance.

Mosaic has assisted clients with responding to recent legislative changes and regulatory impacts, including:

  • Supporting major banks with BS11, CCCFA, CoFI, and data privacy requirements
  • Helping clients implement the Financial Services Legislation Amendment Act 2019
  • Re-licensing a client under the Financial Markets Supervisors Act 2011
  • Evaluating and implementing liquidity management tools for a licensed fund manager.

Mosaic's services help financial services businesses meet regulatory requirements, reduce risk, and improve operational efficiency.
