Enterprise risk management: Unlocking competitive advantage in Malta’s financial and crypto sectors

Enterprise Risk Management (ERM) is now a board-level lever for resilience, performance, and trust, not just a compliance checkbox. In Malta’s financial services and emerging crypto-asset ecosystem, disciplined ERM separates firms that scale confidently from those that stumble under regulatory scrutiny, operational shocks, or liquidity stress. Embedding ERM into strategy clarifies risk–return choices, protects capital and reputation, and supports informed growth. At the same time, regulators from the Malta Financial Services Authority (MFSA) and Financial Intelligence Analysis Unit (FIAU) to EU authorities under Markets in Crypto-Assets Regulation (MiCA) and Digital Operational Resilience Act (DORA) expect ERM to operate as a core governance pillar, ensuring prudent risk-taking, investor protection, and systemic stability. The leaders who treat ERM as an enabler—rather than a burden—will create competitive advantage while meeting supervisory expectations with fewer surprises and lower cost.

The strategic value of ERM

ERM creates competitive advantage by making risk transparent, choices explicit, and execution consistent. When risk appetite is clearly defined and cascaded, business owners can pursue growth within well-understood limits—accelerating approvals, sharpening pricing, and reducing rework. A unified risk taxonomy and common language align finance, risk, compliance, and the business, turning fragmented signals into decisive action. The result is faster decisions, better capital allocation, and fewer value-destructive surprises.

ERM strengthens resilience by linking forward-looking risk insights to contingency plans and capital/liquidity buffers. Leading institutions pair scenario analysis and stress testing with playbooks that specify triggers, actions, and accountabilities—minimising confusion when markets move. For Malta-based banks, insurers, payment firms, and Virtual Asset Service Providers (VASPs), this discipline reduces earnings volatility and enhances stakeholder confidence, supporting favourable ratings, investor dialogue, and regulator engagement. In crypto-asset markets where sentiment can flip intraday, robust ERM is the difference between orderly adjustment and disorderly unwind.

ERM signals trust to boards, supervisors, and clients by evidencing control of key risks. Executives who consistently report on material risks, breaches, and remediation build credibility and reduce supervisory friction. For MiCA-regulated entities, the ability to demonstrate governance over prudential, operational, custody, Information and Communication Technology (ICT)/cyber, and Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) risks will differentiate partners and products, particularly for stablecoin arrangements, custody services, and trading venues.

Regulatory imperatives in Malta and the EU

Regulators expect ERM as a governance cornerstone to safeguard consumers and the system. In Malta, the MFSA’s rulebooks and corporate governance expectations require boards to set risk appetite, oversee risk frameworks, and ensure effective internal controls, with the FIAU reinforcing AML/CFT risk management imperatives. At EU level, MiCA establishes risk management expectations across crypto-asset issuers and service providers, while DORA imposes stringent operational resilience requirements across financial entities, and sectoral standards (banking, insurance, payments, investment services) continue to apply. Boards are accountable for proving ERM is designed, resourced, and effective—not merely documented.

MiCA raises the bar on governance, prudential risk, and operational controls for crypto-asset activities. Issuers and service providers must maintain robust governance, conflict management, liquidity and reserve practices (especially for asset-referenced and e-money tokens), and transparent disclosures. Risk management must address custody and segregation, market and liquidity risk, ICT/cyber resilience, outsourcing, and complaints handling—integrated with AML/CFT frameworks under national supervision. Firms operating in or from Malta should expect supervisory focus on how ERM informs product approvals, risk disclosures, and client protections.

DORA makes digital operational resilience a board priority, tightly coupling ICT risk with enterprise risk. Entities must identify critical functions, map dependencies, test severe but plausible scenarios, manage third-party risk (including concentration), and rehearse crisis response. Operational risk owners need to sit at the same table as business and finance leaders to translate ICT insights into enterprise-level tolerances and capital/liquidity plans. Regulators will increasingly assess how operational resilience metrics feature in board risk reports and management incentives.

A closer look at the MFSA rulebook finds the following seven baseline risk governance expectations:

The board of directors is ultimately responsible for establishing, implementing, and maintaining a risk management framework. This is not a delegable responsibility. The board must approve risk strategies, allocate resources, and receive regular reporting on the institution’s risk profile.

Why does this matter? Because the board is the institution’s highest governance body. It sets the tone for risk culture, approves strategic decisions, and holds management accountable for execution. When boards abdicate this responsibility—as seen in the Wirecard case—the consequences are catastrophic. A board that actively oversees risk management sends a clear signal to management, employees, investors, and regulators that the institution takes governance seriously. This builds confidence and attracts stakeholders who value professional management.

Institutions must establish processes to identify, assess, monitor, and manage all material risks—including strategic, operational, financial, technological, regulatory, and reputational risks. This is an ongoing process, not a one-time exercise.

Why does this matter? Because you cannot manage what you do not know. Institutions that lack systematic processes for identifying and assessing risks are flying blind. They may not discover vulnerabilities until they become crises. A mature risk identification and assessment process enables institutions to make informed strategic decisions. It allows management to allocate resources to the highest-risk areas and to implement controls proportionate to the risks they face. This is particularly critical as institutions scale. As Malta’s fintech sector grows, institutions must ensure that their risk management infrastructure scales with their business.

Institutions must establish an internal control framework that includes independent compliance, audit, and risk management functions. These functions must have sufficient authority, resources, and access to information to perform their roles effectively.

Why does this matter? Because internal controls are the institution’s immune system. They detect and prevent errors, fraud, and non-compliance. Without strong internal controls, institutions cannot ensure the integrity of their operations or their compliance with regulatory requirements. A robust internal control framework reduces operational risk, minimises compliance violations, and protects the institution’s reputation. It also provides management with reliable information for decision-making.

Institutions must identify, assess, and manage risks arising from outsourcing arrangements and third-party relationships. For critical or important functions, institutions must conduct due diligence on service providers, establish clear contractual terms, monitor performance, and maintain the ability to exit the arrangement if necessary.

Why does this matter? In today’s interconnected business environment, institutions rarely operate in isolation. They rely on payment networks, cloud providers, software vendors, and specialised service providers. Each of these relationships introduces risk. In 2022, attackers used social engineering to gain unauthorised access to systems at Twilio, a cloud communications platform used by some payment processors for customer messaging, authentication and service notifications; the breach exposed thousands of customers to fraud and disrupted services for numerous downstream users. The incident illustrated how third-party failures can cascade across entire ecosystems if not properly managed. Effective third-party risk management enables institutions to leverage specialised capabilities and scale their operations without sacrificing control or visibility. It also protects the institution from being blindsided by third-party failures.

Financial institutions must comply with DORA. This includes establishing ICT governance, implementing an ICT Risk Management Framework, conducting regular digital operational resilience tests, maintaining robust incident management processes, and managing the security risks associated with third-party ICT service providers.

Why does this matter? Fintech institutions are digital-first businesses. Their entire value proposition depends on the security, availability, and integrity of their ICT systems. A cybersecurity breach can expose customer data, disrupt operations, and destroy customer trust in minutes. In 2023, the widely used MOVEit file transfer software, a link in many organisations’ software supply chains, was compromised through the exploitation of a zero-day vulnerability, affecting thousands of organisations globally. Institutions that had not implemented robust security controls and third-party security risk management were unable to detect or respond to the compromise. A mature ICT risk management framework protects the institution’s most critical assets: its systems and data. It also demonstrates to customers, partners, and regulators that the institution takes cybersecurity seriously. Cybersecurity and operational resilience are increasingly recognised as strategic business enablers, not just compliance requirements.

Institutions must establish business continuity arrangements that include a business impact analysis (BIA), a business continuity plan (BCP), and a disaster recovery plan (DRP). These plans must be tested annually and updated based on testing results and lessons learned.

Why does this matter? Operational disruptions are inevitable. The question is not whether they will occur, but how quickly the institution can recover when they do. A well-designed business continuity plan can mean the difference between a minor inconvenience and a catastrophic failure. Business continuity planning enables institutions to maintain service delivery during disruptions, protecting customer relationships and revenue. It also demonstrates to regulators and customers that the institution has thought through worst-case scenarios and has plans in place to respond.

Institutions that hold client funds must safeguard those funds in segregated accounts or through insurance or comparable guarantees. They must implement controls to prevent loss through fraud, misuse, or negligence. They must conduct regular reconciliations and annual audits.

Why does this matter? Client funds are not the institution’s property. They are held in trust. Failure to safeguard client funds is not just a regulatory violation—it is a breach of fiduciary duty. In 2021, a European e-money issuer was fined €5 million for failing to safeguard client funds adequately, having not implemented proper segregation, reconciliations, or audit trails. Robust safeguarding arrangements protect clients and build trust. They also protect the institution from liability and regulatory enforcement.

Conclusion

ERM is a strategic asset that pays for itself in avoided losses, faster growth approvals, and smoother supervision. For Malta’s financial institutions and MiCA-regulated firms, the winners will be those who make ERM visible in strategy, measurable in operations, and actionable in crises. Start small but decisive—clarify appetite, fix the data you need, test your response—and signal progress to your board and supervisors. In a market where confidence is currency, strong ERM is the most cost-effective investment you can make in resilience and reputation.
Looking ahead: The series roadmap

This article has provided a comprehensive overview of risk management in Malta’s fintech sector. Our follow-up articles explore two risk management components in further depth:

  • Article 2, “Third party risk management essentials: Navigating regulatory expectations”, provides a comprehensive framework for assessing, monitoring, and managing third-party relationships in accordance with Chapter 3 of the Financial Institutions Rulebook (FIR/03) and the European Banking Authority (EBA) Guidelines on outsourcing.
  • Article 3, “Beyond compliance: ISO as your security and business catalyst”, examines how information security officers (ISOs) are evolving from compliance gatekeepers to strategic partners who drive both risk mitigation and competitive advantage in the context of DORA and evolving cybersecurity threats.

Let us guide you

Deloitte’s articles and podcasts explore the implications of the new regulations for the Payment Services and E-money sectors.

Our FinTech team is prepared to assist you in navigating these changes. If you would like a one-on-one conversation to clarify any questions and/or learn more about the regulatory updates and potential operational impact, please reach out.