Interim Management · Compliance, Risk & Governance

DORA, MaRisk, VAG/MaGo and NIS2 —
not just advice. Implemented.

As an interim manager, I take on the hands-on implementation of regulatory requirements in banks, insurance companies, payment service providers, asset management companies, service providers and industrial companies — from gap assessment to an audit-proof handover to your line organisation.

25+ yearsof leadership experience in the financial sector
Banking · Insurance · Payments · AMCs · Service providers · Industryhighly regulated sectors
Hands-onimplementation in the line, not on slides

Focus areas

A clear focus. One standard: implementation.

No abstract opinion papers — concrete registers, processes, policies and evidence that stand up to scrutiny by supervisors, external auditors and internal audit. At the centre: implementing DORA, MaRisk, VAG/MaGo and NIS2.

DORA Art. 5–16 Art. 17–23 Art. 28–30

DORA implementation

Digital Operational Resilience Act — for banks, insurers, payment service providers and asset management companies

  • Build and maintain the register of information — including initial assessment and reporting readiness
  • Outsourcing & third-party management: due diligence, risk analyses, SLAs/KPIs, exit strategies
  • Establish ICT risk management and integrate it into enterprise risk management
  • Set up ICT incident management and reporting processes
  • Review and amend contracts to meet DORA minimum requirements
  • BCM & contingency management — including for critical-infrastructure service providers
  • Support during examinations: supervisors, external auditors, internal audit
MaRisk VAG / MaGo AT 9 Sec. 23 et seq. VAG

MaRisk & MaGo implementation

Business organisation requirements under the German Banking Act (KWG) and Insurance Supervision Act (VAG) — for banks and insurers

  • Gap analysis against the current MaRisk amendment or the MaGo, implemented in the written rules of procedure
  • Governance and business organisation under Sec. 23 et seq. VAG — roles, key functions, committees
  • Build and enhance the internal control system — control handbook, key controls, KPI reporting
  • Outsourcing management (AT 9 / Sec. 32 VAG) — aligned with the DORA requirements
  • Access rights management under AT 4.3.1, BAIT and VAIT
  • Establish central risk management and integrate ICT risks
  • Remediation of findings from supervisory and external audits
NIS2 Art. 20–21 Art. 23 NIS2UmsuCG

NIS2 implementation

Network and information security — for important and essential entities

  • Scoping analysis and gap assessment against the risk management measures
  • Anchor governance: operationalise the duties and liability of management bodies
  • Supply chain security: identify, assess and contractually integrate service providers
  • Implement reporting obligations: processes for 24-hour early warning and 72-hour incident notification
  • Create and roll out policies, ICS controls and training concepts
  • Evidence management and audit readiness vis-à-vis supervisors and auditors

Further focus areas

Sec. 44 KWG PS 951

Audit readiness & examination support

Making supervisory examinations manageable — before, during and after the audit

  • Preparation: readiness check, target/actual comparison of written rules versus lived practice, briefing of board members and senior managers
  • During the examination: audit management, document provision, ad-hoc analyses, sparring partner vis-à-vis the examiners
  • Remediation: root-cause-based measures for each finding, implementation in the line, evidence for follow-up examinations
  • Experience from Sec. 44 KWG, PS 951, external-audit and ECB examinations — on both the institution’s and the auditor’s side (Big Four)
IAM · PAM MaRisk / BAIT ch. 5 VAIT ch. 5

Access management that stands up to audits

Identity & access management and privileged access — regulatory-grade for banks and insurers

  • Audit-proof authorisation concepts and written rules — role models based on RBAC and ABAC
  • Joiner/mover/leaver processes, recertifications and SoD conflict management incl. exception processes
  • Securing privileged accounts (PAM): control, logging, emergency-user processes
  • Hands-on tool implementation and migration — incl. Garancy, One Identity, Omada, FSP, CyberArk, SailPoint and others; connected to AD, Entra ID, RACF
  • Remediation of IAM findings from ECB, BaFin and external audits
AI EU AI Act

How do I use AI the right way?

Productive use of AI in compliance & risk — value-adding and supervisory-compliant

  • Identify the use cases with real leverage: due diligence evaluation, contract analysis, monitoring of external risk sources
  • AI governance in line with the EU AI Act, DORA and supervisory expectations: AI register, risk classification, human oversight
  • AI strategy and policies — aligned with the ICS, data protection and outsourcing management
  • Already in production: AI agents for questionnaire evaluation with risk scoring and DORA-compliant contract review
  • Enabling your teams instead of creating dependency on external tools

Approach

From gap to an audit-proof line organisation

A proven implementation path — tailored in every mandate to the size, risk profile and maturity of your organisation.

Phase 1

Analysis & scoping

Gap assessment against DORA, MaRisk, VAG/MaGo and NIS2, prioritisation by risk and deadline, a sound basis for management decisions.

Phase 2

Target picture & roadmap

Target operating model, roles, committees and reporting lines — including decision papers for the board and executive management.

Phase 3

Implementation in the line

Registers, processes, policies, contracts and tools are built — leading interdisciplinary teams from compliance, risk, IT and legal.

Phase 4

Audit readiness & handover

Evidence management, support during audits and an orderly handover to your line organisation — including enabling your staff.

Interim means: I come in, implement and hand over. No never-ending consulting — a functioning organisation that runs without me.

References

Selected mandates

Build-up and implementation mandates in banks, insurance companies and financial service providers.

Insurance company

Building a compliance organisation & operationalising DORA

Overall responsibility for building a compliance, governance and risk organisation. Integrated GRC model, executive reporting for the board, AI-supported automation of due diligence evaluation and contract analysis.

IT & media service provider for banks (critical infrastructure)

Outsourcing management & central procurement under DORA, NIS2, PSD2

Complete register of information and outsourcing register, third-party management with an SLA/KPI model, BCM for a critical-infrastructure service provider, handover of the department to the line organisation.

Insurance group

DORA implementation in third-party management

Register of information, definition of critical functions and providers, due diligence processes, DORA-compliant contract amendments, exit planning and exit strategy.

International insurance group

Strategic advisory VAIT / DORA

Written rules of procedure for all VAIT/DORA topics, policies for IAM and information security, roll-out of a GRC tool, register of information with initial assessment.

IT service provider for banks

ICS, IAM & support of regulatory examinations

Roll-out of Garancy, SoD conflict management incl. exception processes, audit-proof authorisation concepts. Support of Sec. 44 KWG, PS 951, external and data protection audits and remediation of the findings.

Custodian bank / fund platform

Project lead & IAM architecture

Leading a ten-person project team, transforming the IAM solution to the cloud, building IT contingency management and outsourcing processes, protection needs analysis and information security.

Further roles (selection): Big Four audit firm · Direct bank · Landesbank · Central institution of the cooperative banks · European energy exchange · IT subsidiary of a major bank · Securities house of the German savings banks

Partner network

One point of contact — and around 50 specialists behind me.

For 25 years I have been working in a successful, well-established partnership with around 50 independent consultants — specialists who are available on call. This allows us to handle larger programmes as well, without you buying the overhead of a large consultancy.

The decisive difference: these teams are well-rehearsed. We know each other’s working styles, strengths and interfaces from many joint mandates — which is why we can assemble fully operational teams at short notice, tailored to your project. And you always keep a single point of contact: me.

~50 consultantsavailable on call
25 yearsof established partnership
Short noticewell-rehearsed teams ready to deploy

Covered functional areas (selection)

Procurement Securities back office Securities settlement Money market trading FX trading Trading Derivatives trading Derivatives settlement Fund settlement Custody business Treasury Liquidity management Payments Lending Credit back office Credit risk management Accounting Controlling Regulatory reporting Tax Legal department Contract management AML / financial crime prevention KYC / client onboarding Internal audit Data protection Information security BCM Contingency planning ICT incident management IT operations Data management / BCBS 239 Test management Project management / PMO
Portrait of Michael Schwendemann

Michael Schwendemann

Interim CIO, CRO / Head of Compliance & Risk / Head of Governance

More than 25 years of leadership experience in banks, insurance companies, payments, asset management companies, service providers and industry. Specialised in building and transforming compliance, risk and governance organisations in highly regulated companies — with a proven track record in implementing major regulatory programmes and supporting supervisory examinations.

I combine board-level strategic advice with a distinctly hands-on mentality: decision papers that get decided. Registers that are maintained. Processes that are lived.

Location
Hamburg, Germany — assignments across Europe & remote
Languages
German, English, Italian (basic)
Roles
Interim manager · Project lead · Sparring partner to executive management
Focus
Regulation, governance & standards: DORA, MaRisk, BAIT, VAIT, NIS2 as well as information security and resilience standards under ISO/IEC 27001, 27002, 27005 and ISO 22301; complemented by data protection governance and privacy requirements in the context of GDPR / ISO 27701 as well as audit and attestation standards under SOC 2

Download short profile (PDF)

Let’s talk about your implementation.

Whether gap assessment, register of information or building an entire organisation — in a no-obligation initial consultation we clarify where you stand and the fastest path to audit readiness.

m.schwendemann@sifor.eu Reply usually within 1 hour +49 171 4453 822 Mobile — reachable at short notice

Hamburg, Germany · Assignments across Europe