Some SMB business owners aren't open to having a risk assessment done. It's expensive, not because the study itself is costly, but because the recommendations often require changes in how the business operates. However, these days, you really can't operate without understanding where you're vulnerable. It's not enough to set strong passwords and enable multi-factor authentication. Security has to be approached holistically. Ignoring it can affect your reputation or your bottom line.
Case Study
Helping Establish Risk Frameworks at a Midsized Finance Company
Case Study: Bringing Clarity and Control to Risk in a Growing Student Lending Organization
The Situation
A mid-sized financial organization specializing in student lending had reached a point where growth and complexity were outpacing visibility.
On the surface, the business was performing well. Loan origination was steady, partnerships were expanding, and systems were functioning. But underneath, there was a sense, especially among leadership, that risk was not fully understood, let alone consistently managed.
This wasn’t due to a lack of effort. In fact, the opposite was true. Different teams were doing what they believed was right: technology was implementing controls, operations was focused on throughput, and leadership was balancing growth with caution. The challenge was that each group was operating with a slightly different definition of risk, and no shared framework to bring those perspectives together.
The Engagement
When I engaged with the organization, the goal wasn’t just to “check compliance boxes.” It was to create a clear, shared understanding of how the business operated, where risk actually lived, and how to manage it in a way that supported growth rather than slowed it down.
I started by learning the business. That meant understanding not just what the company did, but how it did it: how loans moved from application to approval, how data flowed through systems, and how third-party vendors fit into the process. In parallel, I worked to understand the technology landscape: what systems were in place, how they were integrated, and where data was created, transformed, and stored.
From there, I mapped the flow of data across the organization. This step was critical. It revealed not only how information moved, but also where it accumulated, where it was duplicated, and where it extended beyond the company’s direct control. At the same time, I aligned these findings with the relevant regulatory and compliance requirements that governed the organization, as well as the expectations outlined in the NIST Cybersecurity Framework.
What emerged was a much clearer picture of risk, one grounded in how the business actually operated, rather than how it was assumed to operate.
Two issues stood out immediately.
The first was the absence of a formal data retention policy. Over time, the organization had taken a “keep everything” approach, driven by a desire to avoid losing potentially useful information. While understandable, this created a growing liability. Sensitive, nonpublic financial data was being retained far longer than necessary, increasing exposure in the event of a breach and expanding the scope of potential regulatory impact.
The second issue was the proliferation of data across vendor systems. As the company grew, it had integrated with a variety of third-party platforms to support different parts of the loan lifecycle. Each integration made sense in isolation, but collectively they significantly broadened the organization’s risk surface. Data was no longer contained within a controlled environment; it was distributed across multiple external systems, each with its own controls, limitations, and dependencies.
Individually, these risks were manageable. Together, they represented a structural issue: the organization did not have a consistent way to evaluate, prioritize, or communicate risk.
The Approach
To address this, I introduced a standardized risk matrix that allowed risks to be scored in a consistent and transparent way. Instead of subjective discussions, the organization could now evaluate risk based on defined criteria: impact, likelihood, and control effectiveness. This provided a common language for decision-making.
Building on that, I worked with leadership to develop a formal risk appetite statement. For the first time, the organization had a clear articulation of how much risk it was willing to accept across different domains—operational, financial, and technological.
This changed how risk conversations happened. Technology teams could now explain risks in terms that aligned with business priorities. Executives could make decisions with a clearer understanding of trade-offs. What had previously been friction between groups became alignment, because everyone was working from the same framework.
From there, we were able to prioritize and address the most critical issues. Data retention policies were defined to ensure information was kept only as long as required. Vendor data flows were reviewed and rationalized, reducing unnecessary exposure and tightening control over where sensitive information resided.
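As an added illustration (not the organization's own matrix, whose scales the page does not publish), here is how scoring against defined criteria and a per-domain appetite can be made mechanical: likelihood and impact on an assumed 1 to 5 scale, control effectiveness as an assumed 0 to 1 factor, and assumed appetite thresholds for the three domains named above. The sample risks and their values are constructed to mirror the two findings in the case study.

```python
from dataclasses import dataclass

# Likelihood and impact on an assumed 1-5 scale; control effectiveness in
# [0.0, 1.0], where 1.0 means existing controls fully mitigate the risk.
@dataclass
class Risk:
    name: str
    domain: str  # "operational", "financial" or "technological"
    likelihood: int
    impact: int
    control_effectiveness: float

# Assumed risk appetite: the highest residual score leadership will tolerate
# per domain. A real appetite statement sets these per organization.
RISK_APPETITE = {"operational": 10.0, "financial": 6.0, "technological": 8.0}

def inherent_score(r: Risk) -> int:
    """Risk before controls: likelihood x impact, range 1..25."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: likelihood and impact must be 1..5")
    return r.likelihood * r.impact

def residual_score(r: Risk) -> float:
    """Risk after controls: inherent score reduced by control effectiveness."""
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError(f"{r.name}: control effectiveness must be 0..1")
    return inherent_score(r) * (1.0 - r.control_effectiveness)

def appetite_gap(r: Risk) -> float:
    """Positive when residual risk exceeds the domain's appetite."""
    return residual_score(r) - RISK_APPETITE[r.domain]

def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order risks by how far they exceed appetite, worst first."""
    return sorted(risks, key=appetite_gap, reverse=True)

# Constructed sample risks mirroring the two findings in the case study,
# plus one operational risk that sits within appetite.
SAMPLE_RISKS = [
    Risk("Nonpublic financial data retained indefinitely", "financial", 4, 5, 0.1),
    Risk("Loan data replicated across vendor platforms", "technological", 3, 5, 0.4),
    Risk("Manual approval backlog during peak season", "operational", 3, 3, 0.5),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        flag = "EXCEEDS" if appetite_gap(r) > 0 else "within"
        print(f"{flag:8} {r.domain:14} residual={residual_score(r):5.1f}  {r.name}")
```

The ordering that falls out is the one the case study describes: the retention issue and the vendor sprawl both sit above appetite, while the operational item can be tracked rather than escalated.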
The Results
The result was not just improved compliance, but a more confident organization. Leadership gained visibility into risk. Technology gained clarity on priorities. And the business as a whole was better positioned to grow without unintentionally increasing its exposure.
In the end, this wasn’t about adding more controls. It was about creating structure where there had been ambiguity—turning risk from something reactive and fragmented into something intentional and managed.
