We design, build, release, and make changes to our app and underlying technology every day. While that speed is great, it’s important we still make those changes safely and they don’t introduce any problems to our customers, Monzonauts, our technology, or our company.
Like all banks, we have experts in our team who help us identify, assess, measure, mitigate and report on any risks involved in those changes. These Monzonauts work all over the company in what we call our risk ‘disciplines’.
Our risk disciplines include folks who look at specific technology-related risks, such as those related to cyber security. In this post, three Monzonauts explain how they work together with each other and other disciplines to manage risk in a fast-moving tech-focused banking environment.
First line of defence: Own and manage the risks we face
I’m Becky and I’m the Risk and Control Lead across several tech-heavy areas of Monzo. I look after Platform and Banking Services Group, where our engineers build the core infrastructure and tooling that powers the bank, and Security, where our team keeps our customers, staff, and technology secure.
In the first line of defence, our job is to help Monzonauts to think critically about risks and proactively keep them under control. In practice we do this by:
running risk assessments to make sure that before we make a change, we have identified and scored the associated risks and involved the right people across the company
maintaining a register of risk and controls
monitoring the status of our risks and controls
keeping an eye on any incidents and places where our controls could be improved
making sure any improvements happen when they should
We act as trusted advisors to the squads. For example, if a Monzo squad wanted to do a large migration from one big platform to another that would be considered what we call a ‘Major Technology Change’.
For example, in September 2022 Monzo became a direct participant of the Bacs scheme. Before this, we guided the squads involved through a very structured process to evaluate the risks involved and received input from other teams across Monzo to make sure that we stay within our risk ‘appetite’.
Together with the squads we assessed risks like the availability and accurate processing of payments for our customers, regulatory and scheme compliance, and any financial or legal impact. We helped them put new controls in place and test them before the migration.
Our main goal was to make sure that when we rolled this out to over 6 million accounts, that our customers weren’t impacted. By assessing the risks and making sure we had the right level of comfort over the controls that were in place, the migration went smoothly. Since the migration, we’ve processed billions of pounds of customer Direct Debits and Direct Credits, and are now listed as one of the 31 banks in the UK who are Direct Participants of Bacs.
One of the things I love most in this role is that we often have to play a mix of the arbiter, ambassador, and the enforcer roles. This often involves handling difficult conversations with our stakeholders, both inside and outside the company. We don’t want to apply any ‘red tape’ for the sake of it and we are all on the same team. While this can be challenging at times, I find it incredibly rewarding to work in an environment where transparency and focusing on ‘problems, not people’ is at the heart of these conversations.
The collaboration and positive relationship between the three lines of defence here at Monzo is something that differs from other places I’ve worked before. It's such a refreshing change to feel that we all have a collective goal in mind to want Monzo to have an effective risk management framework in place, with the right controls to support that. I also love that I can see the difference that my team makes through real-time risk management, whether it be from suggesting that we implement a control that I then see live on the app, or performing a risk assessment which identifies an issue that we need to halt on a change till we resolve. The job is never boring!
Second line of defence: Oversight and challenge
Platform Technology Risk, Data Privacy Risk, Data Management Risk and Information Security Risk are all classed as Operational Risks. Operational Risk can be found in many of the teams across the bank due to our fusion of banking and technology. I’m Hollie and I help to manage those Operational Risks in the second line. The role of the second line of defence is to give assurance to Monzo’s Board that we are operating within our risk appetite. Our Compliance teams also make sure that our operations are compliant with relevant regulations, and completed with minimal potential for customer harm.
You can think of us like the co-pilots for 1st Line Risk and Control Leads and for risk management at Monzo. We support, guide and challenge that Monzonauts are doing the right activities for Monzo and Monzo’s customers, in the right way, and that we do it within the amount of risk we are comfortable taking.
The second line of defence has specialist teams to help us to co-pilot on many types of risks, including: Strategic Risk, Financial Risk, Credit Risk, Financial Crime Risk, Operational Risk, and Conduct and Compliance Risks. We get involved in any Major Technology Changes and also complete activities like Compliance Assurance Reviews where we review business procedures to make sure our controls are effective and compliant. A few recent examples include supporting & challenging the first line that we are embedding new Consumer Duty rules compliantly, or assuring that our Payment Services alerting runs smoothly and is in line with Payment Services Regulations. Being in the second line team at Monzo means we have to be very dynamic in terms of how we work, especially ensuring we drive forward real time risk management and control monitoring. We review & provide challenge on recorded risks in our risk register to ensure that they are accurate, and ensure new risks or weaknesses are recorded. This can help Risk Owners make well-informed strategic decisions with awareness of how much risk appetite we have, and where we may be vulnerable to an undesirable outcome. This can also help the 1st line prioritise resolving control gaps with the most impact. We have to be ready at the ‘drop of a hat’ to re-prioritise to ensure we can assist on incidents and support the first line to make changes quickly and within appetite. This means we have to be able to make trade-offs based on impact, rather than taking everything on.
I really enjoy working with different people across the business, learning from their unique perspectives and subject matter expertise. Being in the second line of defence can mean having to focus objectively on control gaps, weaknesses or areas of potential non-compliance. This is done with the intent of making us a better, stronger, and more resilient bank as we continue to mature and scale with our elegant and user friendly technology. It can sometimes mean having difficult conversations to keep us honest that we are scaling with control - this is when it is most important to be hard on problems, not people. These conversations can be really rewarding when we work as one team with clear accountabilities to solve not just technical hurdles, but think about the stability and scalability of the bank.
Third line of defence: Independent audit and assurance
I’m Ken, a Technology Auditor in the third line of defence. My role is to provide an independent and objective assessment of the technology and processes used within Monzo. I work with Becky’s team to identify key risks and controls, and to assess the design and effectiveness of controls. I also work with Hollie’s team to review and test the risk management framework and to provide feedback on areas for improvement.
Much like Becky and Hollie, my role is to make sure our technology and processes are used effectively, efficiently and safely. This includes identifying potential risks and vulnerabilities in the technology, evaluating the effectiveness of controls, and recommending improvements where necessary.
In practice, my day-to-day activities involve working closely with stakeholders to plan and execute audits, conducting conversations and data analytics, and preparing reports that summarise my findings and recommendations. I also spend time following up on previous audit recommendations and meeting with individuals and teams to discuss their progress.
An example of an audit is where we review and evaluate Monzo's access control mechanisms and policies to make sure they protect sensitive data and systems. The audit involves assessing Monzo's access management framework, including user account creation and termination processes, authentication mechanisms, authorisation controls, and monitoring & reporting capabilities. The objective of the audit is to identify gaps and weaknesses in the access management process and to make recommendations that would make us more secure and make sure we comply with regulatory requirements.
We work closely with other Monzo teams to make sure that our audits are aligned with their objectives and that our recommendations are actionable and effective.
What I enjoy most about this role is the opportunity to work with a variety of teams and individuals across Monzo. I get to learn about different technologies and processes, and I have the satisfaction of knowing that my work helps to improve the company's overall performance and security. Additionally, as a technology enthusiast, I appreciate the opportunity to stay up-to-date with the latest developments in the industry and to help make sure that Monzo is using technology in the most effective and efficient way possible.
Working together to manage technology changes
In the world of Monzo, managing technology changes is a critical aspect of risk management. However, there are often myths surrounding the idea that good risk management slows down progress. In fact, we find making small changes frequently can actually improve safety and reduce risk. By avoiding big bang releases we can better identify and correct issues. This approach helps us make over 100 deployments to production a day, and do so safely.
Of course, there are still times when larger changes are necessary. When working together to manage a large change, the three lines of defence can collaborate effectively to ensure that the change is implemented safely and efficiently. The engineers making the change can work closely with the risk management team to identify potential risks and develop strategies to mitigate them. The internal audit team can then verify that the change has been implemented correctly and that all risks have been addressed.
In the end, effective risk management is crucial for the success of any bank. By working together and using the three lines of defence model, we can make sure technology changes are made safely, without sacrificing innovation and progress.
Help us keep our customers and Monzo safe
Thank you for joining us on this whistle stop tour through risk management in tech. As we continue to explore this topic in future discussions, we want to hear from you. Let us know what risk management topics you want to hear more about or any questions you may have.
We are also looking for more folks to join our team. If you’re interested in a career in technology risk management, please check out our open roles including some below for starters, or reach out to us directly.