The financial sector is undergoing fundamental change. Traditional linear models are giving way to ecosystem-driven services, where banks, platforms, technology partners and data sources work together to create value.
Embedded finance, open banking and data-driven decision-making are accelerating innovation, but at the same time creating a new reality: critical parts of the value chain lie outside the organisation, whilst responsibility remains within it.
The challenge for financial institutions is therefore becoming increasingly acute:
- How do you stay in control when your dependence on others is growing exponentially?
- How do you combine speed and innovation with security, compliance and transparency?
Organisations that succeed in this do not introduce extra layers of control. They develop an integrated approach to risk, control, compliance and data that evolves alongside their ecosystem.
That is also where our added value lies: helping to make new ecosystems workable with solutions that are strategically sound, regulatorily robust and operationally feasible.
New risks call for a broader risk assessment
In this context, a traditional entity-wide risk assessment is no longer sufficient. Risk assessments used to focus primarily on internal processes and entities, but today the most significant vulnerabilities are often found at the interfaces between organisations, systems and data flows. These may include credit decisions based on external data, onboarding via platform partners or critical processes running on third-party cloud infrastructure.
Dependencies and risks
An ecosystem-based approach to risk assessment makes dependencies on third parties more explicit. It provides a clearer picture of risks relating to data quality, API integrations and shared responsibilities, and enables ESG and climate risks to be incorporated more consistently into the broader risk framework.
For example, we supported a bank that offers loans via an external retail platform. Extending the risk assessment to include risks relating to third-party onboarding, the reliability of external data and end-to-end ownership ensured both a more realistic picture of the risks and a much clearer basis for targeted control measures.
Internal control must be implemented on an end-to-end basis
That same shift has a direct impact on internal control. When processes span multiple parties, it is no longer sufficient to design controls solely within your own organisation. Financial institutions need to get a handle on the entire chain, not just their own part of it.
Grant Thornton helps to redesign internal control frameworks for this distributed reality. This means that end-to-end controls are put in place across the entire customer journey, traditional compliance processes such as KYC and AML are adapted to real-time digital environments, and critical activities carried out by third parties are continuously monitored.
Onboarding and responsibility
An embedded onboarding programme illustrates this clearly. When a customer registers via a partner platform, the financial institution remains responsible for compliance, even though the initial interaction takes place beyond its walls. In such processes, we help to clearly define roles and responsibilities, embed control points within data flows and set up dashboards that provide real-time insight into compliance indicators. This ensures that the organisation remains demonstrably in control, without compromising the customer experience.
Third-party risk management as a key requirement
The growing reliance on external parties makes third-party risk management a key component of the broader risk framework. Whereas traditional vendor management processes are often static and generic, the current environment calls for a dynamic risk-based approach, particularly given the increasing pressure from regulations such as DORA and NIS2.
From due diligence to ongoing monitoring
Third-party risk management today requires a more structured approach, ranging from the identification and classification of critical third parties to due diligence, contractual agreements and ongoing monitoring. This creates a framework that meets regulators' expectations whilst remaining practical for day-to-day operations.
DORA as a catalyst for stronger governance
For example, as part of a DORA project, we assisted a financial institution in identifying its critical ICT suppliers, tightening up contractual provisions such as audit rights and exit strategies, and establishing a centralised governance framework for third-party risks. The result is a framework that is both regulatorily compliant and operationally manageable.
Operational resilience as a management capability
These same regulations raise the bar in terms of operational resilience. It is no longer enough simply to identify and document risks. Organisations must be able to demonstrate that they can cope with disruptions, even when incidents occur at external partners or within critical digital supply chains.
Turning resilience into concrete action
Operational resilience requires more than just documentation. Maturity assessments, gap analyses and resilience frameworks help to better align governance, processes, testing and escalation, so that resilience becomes an integral part of day-to-day management.
The impact on internal audit
Internal audit also has to adapt to this reality. Traditional audit approaches, which focus primarily on compliance and internal processes, do not provide sufficient coverage when risks arise across organisational boundaries.
An audit approach that transcends organisational boundaries
For internal audit, this means a shift from silos to end-to-end processes. Ecosystem risks, digital risk, third-party risk, ESG and data governance require a more permanent place in audit plans and audit execution.
ESG, data and transparency as integral parts of the framework
Alongside digitalisation, sustainability has become a key factor in the risk landscape. Today, ESG factors influence not only strategy and reporting, but also credit decisions, portfolio management, governance and stakeholder confidence. The challenge lies in treating sustainability not as a separate process, but as an integral part of existing risk, control and data frameworks.
Embedding ESG in existing frameworks
The challenge with ESG, too, lies in embedding it within existing risk, control and governance frameworks. This means incorporating climate and sustainability risks into risk assessments, translating ESG indicators into specific controls and aligning reporting requirements with existing decision-making structures.
For example, we helped a bank to translate ESG risks into measurable risk indicators, thereby making sustainability an integral part of credit decisions and portfolio management rather than a standalone reporting topic.
The quality of ESG data is a key prerequisite here. Unlike financial data, this information is often fragmented, incomplete or difficult to verify, yet it is precisely these data that form the basis for reporting, management and strategic decisions.
A pragmatic approach to data: from assessment to data architecture
This is why we take a pragmatic approach to data. We begin with a maturity assessment to identify the most significant gaps, and then develop a feasible target data architecture. In practice, this means that ESG data are integrated into existing data platforms, with clear agreements regarding ownership, quality and governance.
For example, we helped a financial institution analyse its loan portfolio for climate risk. By combining internal customer data, external ESG sources and sector benchmarks and filling in the gaps using modelling, the organisation was able to build a coherent and usable risk profile for the first time.
Reporting and transparency
These insights go beyond mere reporting. They also support pricing, portfolio management and strategic decisions and make it possible to turn sustainability into tangible business value.
At the same time, the pressure to provide transparency is growing. Customers, investors and regulators increasingly expect greater insight into the impact of financial decisions. This means new forms of reporting and service provision, such as ESG dashboards, climate indicators and substantiated disclosures.
We also assist with the practical implementation of these initiatives: from sustainability-specific KPI and reporting frameworks to turning complex data into clear, usable insights for management, regulators and end users.
Conclusion: innovation and control reinforce one another
The common thread running through these changes is clear: success in financial ecosystems requires coherence. Embedded finance, open banking, third-party risk, operational resilience and ESG are not isolated issues, but components of a single, broader transformation. Organisations that succeed in this combine innovative strength with control, transparency and resilience.
Help with implementing the transformation
We combine strategic advice with in-depth expertise in risk, internal audit, compliance and data, and translate this into solutions that are not only compliant with regulations but, above all, feasible in practice.
In this way, we help our clients not to choose between innovation and control, but to deliberately strengthen both. Because in a market where financial services are becoming increasingly intertwined with broader ecosystems, it is precisely reliable, sustainable and agile organisations that make the difference.