Marentis Labs


Retained GaaS · Financial Services

Risk Governance Overhaul at an FCA-Regulated Insurer

A mid-market insurer facing supervisory pressure engaged Marentis Labs to restructure its risk committee architecture and rebuild its risk appetite framework from the board down.

FCA-Regulated Insurer · 2025

Engagement Snapshot

Challenge

Risk committee structure had fragmented over three years of rapid growth, creating accountability gaps that the FCA had flagged in a Dear CEO letter.

Service

Retained GaaS

Outcome

Consolidated committee architecture approved by the board; revised risk appetite statement embedded in executive reporting within six months.

The Situation

The organisation, a specialist lines insurer writing approximately £400m in gross written premium, had grown through acquisition over a three-year period. Each acquired entity had brought its own risk and compliance infrastructure, and integration had been partial at best.

By the time the FCA issued its supervisory letter, the group operated three overlapping risk committees — none with clearly defined terms of reference, and none with a direct reporting line to the board’s audit and risk committee. The board was receiving risk information from multiple, inconsistent sources. No single owner could speak authoritatively to the group’s aggregate risk position.

The Chief Risk Officer, newly appointed, recognised that the structural problem predated her tenure and that remediation required external credibility as well as internal expertise.

The Governance Challenge

The failure mode was structural rather than individual. No single executive had created the problem; the committee architecture had evolved organically in a way that created the following specific weaknesses:

  • Accountability fragmentation: Three separate risk forums operated with overlapping mandates and no defined escalation hierarchy. Material risks could, and did, sit in one forum without reaching the others.
  • Risk appetite disconnection: The group’s formal risk appetite statement, approved at board level, had not been translated into operational limits and tolerances at the business unit level. Executives were making risk decisions without reference to a framework they had nominally endorsed.
  • Information quality: Board papers on risk were descriptive rather than analytical. They reported incidents and near-misses; they did not synthesise them into a coherent picture of whether the group’s risk profile remained within appetite.
  • Regulatory relationship: The FCA’s Dear CEO letter had identified these gaps generically. The board needed to respond with a credible remediation plan, one that demonstrated structural change, not cosmetic adjustment.

The regulatory dimension added urgency: the FCA had indicated it expected a substantive response within 90 days.

Our Approach

Marentis Labs was engaged on a Retained GaaS basis, with the principal working directly with the Chair of the Audit and Risk Committee and the incoming CRO. The engagement proceeded in two phases.

Phase one: Diagnostic (weeks 1–4)

The principal conducted a structured review of all existing committee terms of reference, the previous 12 months of risk papers submitted to the board, and the group’s risk appetite framework documentation, and held four structured interviews with executive committee members. A Red Team Review was applied to the board reporting process, examining each paper against a single question: “Would a hostile regulator or litigant find this adequate?”

The diagnostic identified eleven specific governance deficiencies, ranked by regulatory exposure and remediation complexity.

Phase two: Restructuring (months 2–6)

Working with the CRO and General Counsel, the principal designed a consolidated committee architecture comprising a single Group Risk Committee with defined sub-committees for credit, operational, and regulatory risk. Each committee received new terms of reference drafted to FCA good practice standards, including a defined escalation route to the board’s Audit and Risk Committee.

The risk appetite framework was rebuilt using a top-down approach: board-level statements of appetite were cascaded into business unit tolerances with quantitative limits where measurable and qualitative boundaries where not. A new risk reporting template was introduced for board papers, structured around the question of whether the group remained within appetite rather than cataloguing events.

The FCA response was prepared with the board and submitted within the 90-day window.

The Outcome

The restructured committee architecture was approved by the board at its Q2 meeting. The FCA acknowledged the remediation plan as substantive and closed its immediate supervisory action, though routine supervision continued.

Within six months of the engagement commencing:

  • A single Group Risk Committee had replaced the three legacy forums, with clear escalation to the Audit and Risk Committee
  • All business units had signed off operational risk tolerances aligned to the board appetite statement
  • Board risk papers had been restructured; the Chair of the Audit and Risk Committee described the new format as “the first time I’ve been able to read a risk paper and form a view rather than just receive information”
  • The CRO had a defensible, documented governance framework to present to the FCA at its next supervisory visit

The engagement continued into a second year as Retained GaaS, focused on embedding the new framework into the annual planning cycle and stress testing processes.

What This Engagement Illustrates

Governance problems that originate in organisational growth are rarely solved by adding more process. The instinct, especially under regulatory pressure, is to layer additional reporting and committee activity onto a structure that is already fragmented. That produces more noise, not more clarity.

The value of principal-led, external governance is the ability to diagnose what is structurally wrong before recommending what structurally needs to change. In this case, the right answer was less structure, more clearly defined, and a board reporting process rebuilt around the question regulators actually ask: are you in control of your risk, and can you demonstrate it?


This illustrative engagement scenario demonstrates Marentis Labs’ Retained GaaS model. Client details are kept confidential for all engagements. To discuss a similar challenge, schedule a confidential conversation.