Financial crime is rarely the only risk a supervisor scrutinises. Operational failures, fragile outsourcing chains, payments incidents, weak operational resilience and a conduct culture that does not match the controls on paper are now examined just as closely. A non-financial risk review provides structured, evidence-based assurance over exactly these areas: how your operational risk controls are designed, whether they work in practice, and whether your three lines of defence genuinely function as one system rather than three disconnected layers.
Alsina Advisory delivers these reviews as a focused, senior-led boutique. We are independent of any software vendor, outsourcing provider or remediation shop, so our findings are objective and carry weight with your board, your audit committee and your national competent authority. We work across the EU, rooted in the Netherlands, and frame every finding against the operational risk, conduct and resilience expectations that now apply to firms like yours.
What a non-financial risk review covers
We assess how the non-financial risk layers connect, because supervisors examine the whole system rather than isolated controls. A typical engagement covers six areas, scoped to your business model and risk profile.
Operational and process controls
An operational risk review of your core processes, key controls, error and incident handling, and whether the control environment described in policy matches how work is actually performed.
Third party and outsourcing
Due diligence, contractual safeguards, concentration risk, oversight of critical providers and sub-outsourcing, and whether you could exit or substitute a critical service if you had to.
Payments operations
Payment processing controls, reconciliation, safeguarding of client funds, fraud and error handling, and the operational resilience of the rails your business depends on.
Operational resilience and DORA
An operational resilience review against the EU Digital Operational Resilience Act (DORA): ICT risk management, incident reporting, resilience testing and oversight of ICT third-party providers.
Conduct and culture
A conduct and governance review of whether your stated risk appetite, incentives and day-to-day behaviour reinforce the controls, or quietly work against them.
Governance and three lines
Board and committee oversight, the clarity of first, second and third line roles, and whether management information genuinely surfaces non-financial risk to the people accountable for it.
How the review works
Scoping
We start with a short scoping conversation about your business model, risk profile and objectives, then agree the scope, timeline and a fixed fee or day rate in writing up front.
Evidence and testing
We review documentation, interview the first, second and third lines, and test real processes, incidents and provider arrangements rather than relying on self-assessment.
Assessment against expectations
We benchmark what we find against DORA, applicable operational resilience and outsourcing expectations and good industry practice, rating each area on design and operating effectiveness.
Reporting
You receive a clear, prioritised report that any board member or supervisor can follow: findings, root causes, risk ratings and pragmatic, proportionate recommendations.
Independent re-testing
Where you need it, we re-test remediated areas and provide independent confirmation that the gaps have genuinely been closed.
What you get
Why an independent review
Independence is the point. A non-financial risk review only reassures a board or a regulator if the people performing it have nothing to sell you afterwards. We are not a software vendor, an outsourcing provider or a remediation shop, so we have no incentive to find work for ourselves or to flatter the controls we are assessing.
Non-financial risk is also where polished documentation most often hides a weaker reality. Because we are a senior-led boutique, your engagement is run by an experienced auditor who has seen how operational, resilience and conduct failures actually happen inside Tier-1 banks, global payments businesses and fintechs; it is not handed to a bench of juniors. That means sharper findings, fewer people in your environment, and a report you can stand behind in front of your board and your national supervisor.
Whether you need a one-off independent review, DORA or operational resilience readiness, or a recurring assurance programme, we can usually scope and start within weeks.