On the 17th and 31st March 2026, two different groups of Chief Compliance Officers (CCOs) from a range of firms met at Kroll’s offices and discussed challenges.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

This blog is a collaboration piece by Claire Simm, Trevor Horwitz and Paul Jennings at Kroll.

Spend any time with CCOs and the same theme surfaces. Issues that used to sit in separate boxes no longer do. A cyber incident turns into a financial crime question, then a conduct issue, and very quickly something that lands in operational resilience. 

The idea that risk is converging is well accepted, and there is little debate that cyber, financial crime and conduct are now intertwined. Where things become more difficult is in execution, particularly when the regulatory environment does not always feel as joined up as the risk itself.

The contrast between the PRA and FCA comes through clearly. The PRA is generally seen as structured and predictable, which allows firms to plan and respond with confidence. The FCA is experienced rather differently: more fluid, more interventionist, and at times harder to second-guess. Neither approach is wrong, but together they create friction. For dual-regulated firms, it can feel less like operating within a single framework and more like reconciling expectations that do not always align in timing, emphasis or tone.

That would be manageable if internal operating models had already evolved, but in many cases they have not. Most firms are organised around how risks used to be defined, with separate teams, processes and data. The result is that issues which are inherently connected are still handled in a fragmented way, with duplication in some areas and gaps in others. 

The role of the CCO has shifted. Compliance is expected to interpret how risks intersect, help shape responses, take ownership of first line issues and support strategic and commercial initiatives. These expectations sit uneasily alongside a traditional second line position. The distinction between the CCO and the CRO remains, but in practice the boundaries are harder to maintain when the issues themselves do not respect them. In addition, the sheer volume of data requests, thematic reviews and consultations creates resourcing pressures.

At the same time, the basis on which effectiveness is judged is changing. Being able to point to policies, controls or monitoring activity is no longer sufficient. The focus is moving towards outcomes, whether controls actually work, and whether that can be demonstrated clearly. That exposes the limits of approaches built around periodic reviews or static indicators in what is now a more dynamic environment.

Data is increasingly expected to bridge that gap, although that is easier said than done. Bringing together information across cyber, compliance and risk functions is not straightforward, and even where the data exists, interpreting it consistently is not trivial. The growing use of automation and AI adds another layer, offering scale but raising questions around governance and explainability.

Taken together, this is less about complexity and more about misalignment. Risks are converging, expectations are increasing, but the structures designed to manage them are evolving more slowly and not always in step with the regulatory environment. That gap tends to accumulate where different pressures meet, which is why CCOs increasingly find themselves at the centre of it.

Not because the role was designed that way, but because the system now depends on it.

To discuss any of the above topics further, please contact Claire.Simm@Kroll.com, Paul.Jennings@Kroll.com or Trevor.Horwitz@Kroll.com.