CFO Risk & Compliance Management

How does a UK CFO actually lead risk and compliance management — given that risk extends well beyond financial reporting risk into operational, strategic, regulatory and reputational dimensions, and given that the UK regulatory environment in 2026 places more direct accountability on senior finance leaders than at any point in recent memory?

The risk and compliance dimension of the UK CFO role has expanded materially over the last three years. Provision 29 of the 2024 UK Corporate Governance Code, in effect from January 2025 for premium-listed companies, requires Boards to declare the effectiveness of material internal controls — putting accountability for control environment integrity at director level in a way the previous Code did not. The new Failure to Prevent Fraud offence under the Economic Crime and Corporate Transparency Act 2023, in force from September 2024, creates corporate criminal liability for fraud committed by an associated person where reasonable fraud prevention procedures were not in place. The FCA’s operational resilience framework now applies in full. The EU’s Digital Operational Resilience Act (DORA) affects UK businesses with EU financial services activity. Sanctions regimes have proliferated and tightened. The accumulated effect is a risk and compliance environment that demands more substantive senior finance engagement than was required even five years ago.

For UK CFOs in mid-market and larger businesses, this expansion of risk and compliance scope intersects with the existing finance-specific risk responsibilities — financial reporting integrity, audit quality, control environment design, fraud prevention specifically within finance, regulatory financial reporting, tax compliance. The combined scope is substantial, and the consequences of inadequate engagement have become more directly personal — director duties, Senior Manager Function accountability where applicable, and the new corporate criminal liability framework have all moved senior finance leaders’ personal exposure forward.

This guide sets out how UK CFOs lead risk and compliance management. The risk and compliance dimensions that fall within CFO scope, the partnership with CROs where they exist, the 2025-26 UK regulatory developments shaping the role, the recurring risk categories CFOs engage with, the three lines of defence framework, the relationship with internal audit, and the wider question of how CFOs build risk culture rather than just compliance process.

It is written from the perspective of FD Capital’s team — a specialist finance recruitment firm placing CFOs into UK businesses since 2018, including extensive engagement with FCA-regulated firms and other businesses where risk and compliance scope is material.

Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss CFO requirements with risk and compliance scope.

---

What Falls Within the CFO’s Risk and Compliance Scope

The CFO’s risk and compliance responsibilities vary by business size, sector, and whether a separate Chief Risk Officer exists. In businesses without a separate CRO, the CFO typically owns the entire risk and compliance framework. In businesses with a CRO, the CFO and CRO partner, with specific finance-related risk categories owned by the CFO and broader risk leadership owned by the CRO.

Specific risk and compliance areas that typically fall within CFO scope:

Financial reporting integrity and the control environment. The integrity of management accounts, statutory accounts, and any required regulatory financial reporting. The control environment — segregation of duties, authorisation limits, reconciliation discipline, journal entry controls, supplier and customer master data integrity — that protects financial reporting integrity. Under Provision 29 of the 2024 UK Corporate Governance Code, premium-listed company Boards must declare the effectiveness of material internal controls; the CFO’s contribution to that declaration is substantial.

Tax risk and compliance. Corporation tax, VAT, PAYE, employment taxes, transfer pricing for international groups, R&D tax claims, share scheme reporting. Tax risk includes compliance risk (failing to meet obligations) and position risk (taking aggressive positions that may not survive HMRC challenge). The CFO ensures both dimensions are managed appropriately.

Treasury and banking risk. Cash flow management, working capital risk, banking covenant compliance, FX risk where applicable, interest rate risk on borrowings, counterparty risk on bank deposits and other financial counterparties. Treasury risk is fundamentally CFO scope.

Fraud prevention. The new Failure to Prevent Fraud offence under the Economic Crime and Corporate Transparency Act 2023 creates corporate criminal liability where fraud is committed by an associated person and reasonable prevention procedures were not in place. The defence depends on having adequate fraud prevention procedures — risk assessment, due diligence, communication and training, monitoring and review, and proportionate procedures based on the assessed risk.

Audit relationship. External auditor selection (subject to audit committee oversight where applicable), audit fee negotiation, ensuring audit-ready records year-round, managing the audit fieldwork, addressing any control or accounting findings, supporting the audit committee’s review of the audit. The CFO is the primary management interface to the auditor.

Sanctions compliance. Sanctions screening of customers, suppliers, and counterparties; export control compliance; reporting to the Office of Financial Sanctions Implementation (OFSI) where required. For internationally-active businesses, sanctions compliance has become a substantial CFO responsibility — see our companion CFO Leadership: International & Cross-Border Finance.

Anti-money laundering compliance. Where the business is in scope of UK AML regulations, the appointment of an MLRO (Money Laundering Reporting Officer), establishment of customer due diligence procedures, ongoing monitoring, and suspicious activity reporting. In smaller regulated businesses the MLRO function sometimes sits with the CFO; in larger businesses it sits with a dedicated compliance leader.

Insurance programme. Business insurance covering D&O, professional indemnity, public liability, cyber, business interruption, and other categories appropriate to the business. The CFO ensures the insurance programme is appropriate to the risk profile, that broker relationships are properly managed, and that material claims are handled effectively.

Companies Act compliance. Statutory filings, persons of significant control reporting, share allotments, beneficial ownership disclosures, and the broader Companies House compliance calendar. Companies Act director duties apply to the CFO as a statutory director where applicable.

Pension governance. For businesses with defined benefit schemes, the CFO leads or supports the engagement with pension trustees, contribution decisions, and any specific pension regulatory matters. Defined contribution scheme governance is typically lighter but still requires CFO attention.

---

The 2024 UK Corporate Governance Code: Provision 29 in Practice

The 2024 UK Corporate Governance Code, in effect for accounting periods beginning on or after 1 January 2025, includes Provision 29 — requiring Boards to provide a declaration of the effectiveness of material internal controls in the annual report. The provision is the closest UK equivalent to the US Sarbanes-Oxley Act Section 404 control attestation requirement, though structured differently.

Provision 29 requires Boards of UK premium-listed companies to:

• Identify the material internal controls relevant to financial, operational, reporting and compliance dimensions of the business
• Monitor the effectiveness of these controls
• Declare in the annual report whether these controls were effective during the reporting period
• Where any material control was not effective, explain what action was taken or is being taken to address it

The CFO’s role in Provision 29 compliance is substantial:

Material control identification. Working with the audit committee to identify which controls are material — controls whose failure would create material risk to the business’s financial reporting, operations, regulatory compliance, or strategic direction. The identification process requires substantive judgement rather than mechanical checklist application.

Control documentation. Each material control documented — what the control is, who owns it, how it operates, how its effectiveness is monitored. Documentation supports both ongoing operation and the eventual Board declaration.

Effectiveness monitoring. Periodic testing of control effectiveness through internal audit, management self-assessment, or external review where appropriate. Monitoring needs to be substantive rather than ritualistic.

Deficiency response. Where control deficiencies emerge, structured response — root cause analysis, remediation plan, retest after remediation. Substantive response distinguishes businesses managing the framework actively from those treating it as a compliance exercise.

Board engagement and declaration. The Board ultimately makes the declaration. The CFO supports the Board with the analysis and judgement underlying the declaration, ensuring the Board has substantive basis for the position taken.

External assurance considerations. While Provision 29 doesn’t require external attestation of the controls (unlike US SOX), some companies may seek external review for assurance purposes. The CFO contributes to the decision on whether external assurance is appropriate.

Premium-listed companies are deep into Provision 29 implementation as of 2026. AIM-listed companies are not directly subject to the 2024 Code but increasingly face investor expectation that controls disclosures meet equivalent standards. Private companies are largely outside the formal framework but benefit from applying similar discipline as preparation for any future listing or sale.

---

The Failure to Prevent Fraud Offence: A New Compliance Reality

The Failure to Prevent Fraud offence — created by Section 199 of the Economic Crime and Corporate Transparency Act 2023, in force from September 2024 — is one of the most material UK compliance developments in recent years. It creates corporate criminal liability where fraud is committed by an associated person (employee, agent, subsidiary, or other person performing services for the body) for the benefit of the body or its clients, and reasonable prevention procedures were not in place.

The offence applies to large organisations — those meeting at least two of three criteria: turnover above £36m, balance sheet total above £18m, or 250+ employees. Many UK mid-market and larger businesses fall within scope.

The defence depends on having reasonable prevention procedures. The Home Office’s six-principle guidance covers:

Top-level commitment. Senior management commitment to fraud prevention demonstrated through tone, resourcing, and active engagement. Tone-from-the-top isn’t just a phrase — it materially affects the framework’s effectiveness.

Risk assessment. Documented assessment of the specific fraud risks the business faces, with the assessment refreshed periodically. The assessment shapes the proportionate procedures the business adopts.

Proportionate procedures. Procedures designed to mitigate identified fraud risks, proportionate to the business’s risk profile. Smaller, lower-risk businesses don’t need the same procedures as larger, higher-risk ones — but the procedures must be substantive rather than ritualistic.

Due diligence. Risk-based due diligence on persons performing services for the business — particularly where they could commit fraud benefiting the business or its clients.

Communication and training. Embedded fraud awareness across the business through training, communication, and culture. The framework operates through people; their awareness determines its effectiveness.

Monitoring and review. Ongoing monitoring of the framework’s effectiveness, with periodic review and refinement. Static frameworks don’t remain effective as the business and its environment change.

The CFO’s role in implementing and operating the fraud prevention framework is substantial. Many of the specific procedures — financial controls, expense governance, supplier due diligence, sanctions screening — sit naturally within finance scope. The fraud risk assessment requires CFO input on financial fraud risks specifically. The training and communication programme often includes finance-led modules. The monitoring and review depends on management information that finance produces.

For wider context on financial controls specifically see our Interim FD: Crisis, Turnaround & Financial Controls, which addresses the controls dimension in detail.

---

The Three Lines of Defence Framework

UK businesses with mature risk and compliance frameworks typically operate the three lines of defence model — a framework that distinguishes the operational ownership of risk, the oversight and monitoring of risk, and the independent assurance of the framework’s effectiveness.

First line: operational management. Operational managers own the risks in their function — sales managers own commercial risk, operations managers own operational risk, technology managers own cyber risk, finance managers own financial control risk. The first line is where risks are actually managed day-to-day.

Second line: risk and compliance oversight. Specialist risk and compliance functions provide oversight, framework design, monitoring, and challenge to the first line. In larger businesses this is the CRO’s domain; in smaller businesses it may sit within finance, legal, or as a dedicated function reporting to the CFO.

Third line: internal audit. Independent assurance — assessing whether the first and second lines are operating as designed and whether the overall framework is effective. Internal audit reports to the audit committee rather than to executive management, providing the independence the assurance role requires.

The CFO’s positioning across the three lines depends on the business. In businesses without a CRO, the CFO leads the second line. Where a CRO exists, the CFO partners with the CRO on the second line, with specific overlap in financial control oversight, fraud prevention, and tax compliance. The CFO works with internal audit (third line) on planning, scope, and findings response, while respecting internal audit’s independence from executive management.

The framework matters because risk ownership confusion produces failures. Where everyone thinks risk ownership belongs to someone else, gaps emerge. Where everyone owns everything, accountability is diffuse and action doesn’t happen. The clear allocation of risk ownership across three distinct lines, with appropriate boundaries between them, supports a framework where risks are actually managed.

---

Working With the Chief Risk Officer (Where One Exists)

In larger businesses — typically FCA-regulated firms above material thresholds, large listed companies, and complex international groups — a separate Chief Risk Officer leads the risk and compliance framework. The CFO-CRO relationship determines how effectively risk is managed across the business.

Strong CFO-CRO partnership has specific characteristics:

Clear scope allocation. Specific risk categories owned by CFO (financial reporting, control environment, treasury, tax, audit) and others owned by CRO (operational risk, regulatory risk, strategic risk, conduct risk in regulated firms, cyber risk in many businesses). Overlap areas (fraud prevention, sanctions compliance) handled through agreed division of responsibility.

Coordinated Board reporting. Risk reporting to the Board coordinated between CFO and CRO rather than producing inconsistent or duplicative content. The audit committee typically receives both the CFO’s financial reporting and control content and the CRO’s broader risk content; the two functions ensure consistency.

Shared management information. Both functions draw on the same underlying management information, with consistent definitions and shared analytical infrastructure. Two parallel reporting systems with different numbers undermines both.

Aligned risk appetite framework. The Board sets risk appetite — the level of risk the business is willing to accept in pursuit of its strategy. CFO and CRO both contribute to risk appetite definition and both report against it.

Coordinated regulatory engagement. Where the business is regulated (FCA, PRA, sector-specific), the CFO and CRO coordinate engagement with the regulator rather than the regulator receiving inconsistent messages. In FCA-regulated firms this often involves the Senior Manager Function regime — both CFO and CRO typically hold SMFs with allocated responsibilities.

Constructive challenge. CFO challenges CRO analysis where appropriate; CRO challenges CFO analysis where appropriate. The challenge improves both functions’ output rather than producing defensive territorial behaviour.

Mutual support during difficulty. When the business faces specific risk events — operational failures, regulatory engagement, cyber incidents, fraud discovery — CFO and CRO partner on the response rather than competing for visibility or accountability.

Many UK CFO appointments now include explicit consideration of how the candidate will work with the CRO function. Candidates demonstrating constructive partnership instinct typically appoint better than those showing territorial behaviour around risk scope.

---

Risk Categories CFOs Engage With Substantively

Beyond the general framework, specific risk categories require substantive CFO engagement. The categories below are the recurring focus areas in modern UK CFO risk and compliance work.

Financial reporting risk. Risk of misstatement in management accounts, statutory accounts, or regulatory financial reporting. Sources include accounting judgement errors, control failures, fraud, system errors, and inappropriate accounting treatments. The CFO’s primary risk responsibility.

Liquidity and going concern risk. Risk of running out of cash or breaching banking covenants. Going concern is now a substantial annual disclosure for UK listed and large companies, with the CFO leading the analysis underlying directors’ going concern assessment.

Tax risk. Risk of tax compliance failure, aggressive tax positions failing under HMRC challenge, or tax exposure from business activities not being properly managed. Tax risk has become more material as HMRC scrutiny has tightened.

Operational risk. Risk of operational failures producing financial loss — system outages, process failures, key person dependency, supplier failure, business continuity disruption. CFOs partner with operational leadership on operational risk where it could produce material financial impact.

Regulatory and compliance risk. Risk of regulatory breach producing penalties, restrictions, or reputational damage. Includes both sector-specific regulation (FCA, PRA, sector regulators) and cross-cutting regulation (data protection, employment law, sanctions, AML).

Cyber risk. Risk of cyber incidents producing operational disruption, data loss, financial loss, or regulatory liability. Cyber risk has expanded substantially over recent years; CFOs increasingly engage substantively with cyber risk alongside the technology function. See our companion CFO’s Guide to Cybersecurity Risk.

Strategic risk. Risk that the business’s strategy fails to achieve its objectives — market shifts, competitive pressure, technological disruption, business model challenge. CFOs contribute to strategic risk analysis through financial framing of strategic alternatives.

Geopolitical risk. Risk from political and security developments affecting the business. Sanctions exposure, trade restriction risk, supply chain geopolitical risk, customer concentration risk in specific countries. Geopolitical risk has elevated materially since 2022.

Reputational risk. Risk of reputational damage from any source — financial misstatement, regulatory action, ESG failure, conduct failure, customer or employee mistreatment. Reputational damage is hard to quantify but its consequences (customer churn, employee departure, capital access friction, valuation pressure) are real.

ESG and climate risk. Climate-related financial risk, sustainability reporting compliance, ESG governance. UK climate-related financial disclosure requirements for large companies create specific reporting obligations; CFOs lead the financial dimensions of climate risk analysis.

Concentration risk. Concentration with specific customers, suppliers, geographies, or counterparties creates risk that concentration realisation could produce. CFOs surface concentration risk through structured analysis of the business’s concentration profile.

Fraud risk. Internal fraud (employees, contractors, agents) and external fraud (vendors, customers, third parties). The new Failure to Prevent Fraud offence has elevated fraud prevention to material compliance scope.

---

The Internal Audit Relationship

Internal audit (where it exists as a function) provides independent assurance on the risk and compliance framework. The relationship between CFO and internal audit needs careful management — internal audit’s independence from executive management is foundational to its value, but constructive working relationships support the function’s effectiveness.

Reporting line. Internal audit typically reports to the audit committee for substantive matters and to a senior executive (often CFO or CEO) for administrative purposes. The reporting line preserves independence on substance while supporting practical operation.

Audit plan engagement. The CFO contributes to internal audit planning — surfacing areas of concern, supporting prioritisation, providing context — without compromising internal audit’s independence in determining the actual plan.

Findings response. When internal audit identifies findings, the CFO engages substantively with the response — root cause analysis, remediation plan, timeline. Strong CFOs treat internal audit findings as opportunities for improvement rather than as criticism to be defended against.

Resource adequacy. Internal audit needs adequate resourcing to perform its role. The CFO supports internal audit’s case for appropriate resourcing rather than treating it as a cost to be minimised.

External audit coordination. Internal audit and external audit have overlapping concerns. Strong coordination between them — supported by the CFO and audit committee — produces more effective combined assurance than uncoordinated parallel activity.

Ad hoc engagement. Specific situations sometimes warrant internal audit engagement outside the planned programme — fraud investigations, control failure response, specific control reviews requested by management. The CFO and internal audit work together on these engagements.

Where internal audit doesn’t exist as a separate function (smaller businesses), the assurance role is sometimes filled by external internal audit providers (Big 4 advisory, mid-tier accountancy firms) on a project basis. CFOs in these situations commission external internal audit work where the value justifies the cost.

---

Building Risk Culture, Not Just Compliance Process

One of the more sophisticated CFO contributions in risk and compliance leadership is building genuine risk culture rather than just compliance process. Process without culture produces ritualistic compliance — boxes ticked, declarations made, but the underlying behaviour unchanged. Culture supported by appropriate process produces substantive risk management.

Specific elements of risk culture:

Tone from the top. Senior leadership behaviour visibly demonstrates that risk and compliance matter — not through speeches but through actual decisions. Decisions that prioritise short-term commercial gain over compliance integrity damage culture; decisions that absorb commercial cost to maintain compliance integrity build it.

Speak-up culture. Employees feel able to surface risk concerns without fear of retaliation. Whistleblowing channels exist and operate substantively. Concerns raised get investigated rather than dismissed.

Accountability without blame for honest mistakes. When things go wrong, the response distinguishes honest mistakes (where learning is the right response) from negligent or wilful failures (where consequences are appropriate). Cultures that punish honest mistakes drive concerns underground; cultures that don’t address negligent failures provide insufficient consequence to support culture.

Risk awareness as everyone’s responsibility. Risk isn’t compartmentalised to risk and compliance functions; it’s integrated into operational decision-making across the business. Sales colleagues consider conduct risk in customer engagements; procurement colleagues consider supplier risk; technology colleagues consider cyber risk in architecture decisions.

Constructive challenge welcomed. Senior leaders encourage challenge to their analysis, decisions, and proposals. Cultures that punish challenge produce decisions made without sufficient scrutiny; cultures that welcome challenge produce better decisions.

Substantive training. Risk and compliance training that engages with the business’s actual situations rather than generic content. Specific scenarios, real examples, calibrated to the audience’s role and seniority.

Compensation and incentive alignment. Compensation structures don’t reward outcomes that depend on compliance failures. Sales targets achievable only through aggressive compliance corner-cutting create cultural pressure that undermines the framework. Properly designed incentives support rather than undermine risk culture.

Building culture is slower than implementing process, but the cultural foundation is what makes process effective. CFOs who invest in cultural development alongside process implementation produce sustained risk and compliance outcomes; those who implement process without cultural investment produce ritualistic compliance that fails when tested.

---

FCA-Regulated Firms: The Senior Manager Function Dimension

For UK CFOs in FCA-regulated firms, the Senior Manager and Certification Regime (SMCR) creates specific personal accountability that goes beyond general director duties. Most CFOs in regulated firms hold the SMF2 (Chief Finance Function) Senior Manager Function, with allocated responsibilities documented in the firm’s Statement of Responsibilities.

The SMF2 holder is personally accountable for the financial reporting and control environment of the regulated firm. Specific responsibilities typically include:

Financial reporting integrity. Personal accountability for the integrity of financial information reported to the FCA, the PRA where applicable, the Board, and external stakeholders.

Capital and liquidity reporting. Where the firm has prudential capital or liquidity requirements, personal accountability for the accuracy and timeliness of regulatory reporting on these dimensions.

Internal controls over financial reporting. The control environment that supports financial reporting integrity — particularly where the firm faces specific regulatory expectations on financial reporting controls.

Audit relationship. The relationship with external auditors, particularly where audit findings affect regulatory matters.

Other allocated responsibilities. The firm’s Statement of Responsibilities allocates specific accountability to each SMF holder. The SMF2 may hold responsibilities beyond financial reporting depending on the firm’s allocation.

The accountability is personal — the SMF holder may face FCA enforcement action where the firm’s failures relate to their allocated responsibilities and they did not take reasonable steps to prevent the failure. The Senior Managers Conduct Rules apply throughout the SMF holder’s tenure and persist for offences during the tenure even after departure.

For CFOs considering moves into FCA-regulated firms, the SMF dimension is material — the personal accountability is substantial and not always present in non-regulated equivalent roles. Strong candidates for regulated firm CFO roles understand the SMF framework substantively and engage with it deliberately rather than as administrative overhead.

---

How FD Capital Works on Risk-Intensive CFO Placements

FD Capital places CFOs into UK businesses where risk and compliance scope is material — including FCA-regulated firms, listed companies preparing for Provision 29 declarations, internationally-active businesses with sanctions and geopolitical exposure, and businesses with material operational complexity.

Our network includes CFOs with direct experience leading risk and compliance frameworks — Provision 29 implementation, Failure to Prevent Fraud framework design, FCA SMF2 holders with regulated firm track record, and CFOs who have led businesses through specific risk events successfully. We match candidates to the specific risk and compliance context the business faces.

Adrian personally screens candidates for risk-intensive CFO roles given the personal accountability involved and the stakes for the engaging business. Initial introduction is typically within 48 hours for urgent requirements, with full shortlist within eight working days for less time-pressured engagements.

Initial consultation is confidential and at no charge. Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss a CFO requirement with risk and compliance scope.

---

Related Reading

• The CFO’s Guide to Cybersecurity Risk — cyber-specific risk dimension
• CFO Strategic Leadership: The Complete UK Guide — strategic CFO contribution including risk leadership
• Interim FD: Crisis, Turnaround & Financial Controls — controls restoration including post-fraud rebuild
• Interim CFO for Crisis & Turnaround — risk-led crisis stabilisation
• CFO Leadership: International & Cross-Border Finance — sanctions and international compliance
• CFO & FD Boardroom Influence — Board engagement on risk and compliance
• CFO Value Creation in PE Portfolio Companies — PE portfolio risk and compliance
• CFO Leadership in Crisis and Recession — risk leadership through external shocks
• NEDs in Audit Committees — audit committee oversight of CFO’s risk work

FD Capital Recruitment Services

• CFO Recruitment — permanent CFO search
• CFO Executive Search — retained senior search
• Finance Director Recruitment — permanent FD search
• Recruitment for FCA Regulated Firms — regulated firm specialist recruitment
• Risk and Compliance Recruitment — risk and compliance specialist roles
• Chief Risk Officer Recruitment — CRO recruitment
• Chief Compliance Officer Recruitment — Chief Compliance Officer recruitment
• Interim CFO — time-limited CFO cover

External References

• ICAEW — professional body for Chartered Accountants
• UK Corporate Governance Code 2024 — including Provision 29 on internal controls
• Economic Crime and Corporate Transparency Act 2023 — including Failure to Prevent Fraud offence
• Home Office Failure to Prevent Fraud Guidance — official guidance on the new offence
• FCA Senior Managers and Certification Regime — SMCR framework for FCA-regulated firms
• OFSI — UK financial sanctions enforcement
• Companies Act 2006 — director duties applicable to all directors

---