Journal for Risk Management (ZfRM): Risk Management in Times of Transformation
Managing risk in complex transformation processes requires clear priorities, strong communication, and pragmatic solutions. Over the past few years, payment company Unzer has gone through a period of profound change, ranging from regulatory special audits and a comprehensive financial restructuring to the integration of numerous subsidiaries. In a dynamic yet highly regulated market environment, risk management became both an operational and strategic core function.
Dr. Max Steiger, Chief Compliance and Governance Officer at Unzer, played a key role throughout this phase. Drawing on his experience at large institutions such as Deutsche Bank, he brings a practical perspective on the relationship between risk, control, and entrepreneurial decision making. In this interview, he explains how effective risk management works in practice, especially when the challenges are particularly demanding.
Unzer has gone through major transformations in recent years. From your perspective, what were the biggest risk management challenges during that period?
The biggest challenge was clearly the complexity. We were dealing with many different subsidiaries, each with its own systems, processes, and corporate culture. At the same time, there was considerable regulatory pressure, especially as a result of the BaFin special audit.
So on the one hand, we had to address legacy issues, while on the other hand building a unified and future-ready risk management framework. That was not a sprint. It was a marathon.
How did your role as Chief Compliance and Governance Officer evolve during this phase?
I joined Unzer in 2021, and together with my colleagues on the management team, we had already started redesigning risk management and compliance before the BaFin special audit began. So from the very beginning, my role was designed around transformation and around introducing a group-wide three lines of defense model.
Because of that, I would not say my role fundamentally changed over the past few years.
I see myself as a values-driven risk manager and, above all, as a bridge builder between regulation, operational business, risk management, and company culture. One particularly important aspect was shaping this role through communication as well: staying close to the teams, not operating from an ivory tower, and establishing governance as something that connects people rather than separates them.
You compare governance to a football match that ideally works without a referee. How can that philosophy work in the day-to-day operations of a heavily regulated company?
By trusting the players, meaning the employees.
The goal is to create an environment where everyone understands the rules of the game and genuinely wants to follow them. That is why we do not rely on constant control, but on clarity, ethics, and a strong culture.
Of course, there are still technical controls and monitoring systems in place. But ultimately, the idea is that colleagues should do the right thing because they believe in it, not because they are afraid of getting a red card.
We provide guidance, we train people regularly, and we encourage dialogue. But we do not want an atmosphere where people act correctly only because they fear sanctions. Governance is successful when employees act with integrity even when nobody is watching.
What concrete steps has Unzer taken to empower employees to act with integrity and personal responsibility?
We introduced a whole range of initiatives: regular training sessions, a whistleblower hotline, and clear ethical guidelines. Most importantly, though, we established a strong speak-up culture. Everyone in the company knows they can raise concerns openly without fear. We also introduced formats such as open office hours, a virtual idea mailbox, and our CXO roadshow, where the management team personally answers questions from employees. That helps build trust. The goal is not just to communicate rules, but to explain the purpose behind them and make the “why” behind compliance clear.
Today, compliance has become part of our shared identity. We examined every part of the business, turned over every stone, and as a result, we are a very different company from the one we were five years ago.
What lessons did you take away from the BaFin special audit, both for the organization and for your personal understanding of governance and risk?
First of all, it was a tough but incredibly valuable experience. We had already started improving our compliance and governance processes before the audit, but the special audit accelerated the process significantly. For three years, this was the single most important project at Unzer, and rightly so. Today, we are far more resilient, and that resilience is not accidental. It is the result of consistent and disciplined work.
How do you establish a unified compliance and governance culture across a complex group structure that once consisted of 13 subsidiaries?
That does not happen overnight. You cannot simply impose culture. It has to grow over time. And of course, local differences still exist. Our colleagues in Denmark, for example, typically start work very early and finish around 4 p.m., while things work differently in Berlin. In Munich, colleagues might meet for a beer after work, while in Luxembourg they are more likely to share a glass of Riesling.
What matters most to us is having a shared understanding of values. How do we want to work together? What matters to us as a company?
Formats such as 360-degree feedback, all-hands meetings, and our annual “All Unzarian” event helped us grow together as one group. Today, we genuinely feel that this culture is being lived across the company, and we are very proud of that.
What role does communication play in managing risk and building a resilient company culture?
Without clear and honest communication, none of this works. People only embrace change when they understand the goal and why certain measures are necessary. That is why we communicate regularly through internal channels, explain strategic decisions transparently, and actively involve teams in the process. And equally important: we listen. Our anonymous employee surveys regularly show us where we stand and where we still need to improve.
How does Unzer balance regulatory compliance with entrepreneurial flexibility?
By viewing compliance not as a restriction, but as a competitive advantage. A strong regulatory framework creates trust with customers, partners, and regulators alike. At the same time, we make sure our structures remain flexible. Our compliance management system is designed to provide security without slowing the business down. We automate many processes, use modern software solutions, and create room for the business to stay agile. Compliance should not block innovation. It should enable it.
What can other companies, especially mid-sized businesses, learn from Unzer’s restructuring and transformation?
I would say there are three key lessons.
First, transformation needs a strong “why.” People need to understand the purpose behind change, otherwise there will be no real acceptance. Second, transformation is not a one-time event. It is an ongoing process. And third, cultural topics are just as important as technical or structural ones. Companies that focus only on systems and processes without bringing people along will not succeed in the long run.
And let me add a fourth point specifically about compliance: compliance has to become a leadership priority. It is not just about rules. It is about mindset. A strong compliance culture makes a company more resilient and ultimately more valuable for its owners. That is not an abstract goal. It is a real competitive advantage, especially for mid-sized businesses where mindset often plays a decisive role.
How do you assess today’s regulatory landscape in payment services when it comes to effective risk management?
It is demanding, but also necessary. Especially after the Wirecard scandal, it was important to raise standards. We operate in a highly sensitive environment, and that requires clear rules. What I would like to see, however, is more trust and more proportionality.
In Germany generally, I observe a very process-driven mindset. There is often more focus on procedures than on outcomes. That leads to attempts to make processes completely watertight and document everything in exhaustive detail so that mistakes, and therefore personal accountability, become almost impossible. Behind that is a deeply rooted culture of mistrust that seems to assume everything and everyone must be controlled.
I think we should turn that logic around again and start from the assumption that companies themselves have a strong interest in acting responsibly. Then regulators could work more with targeted spot checks and impose severe penalties in cases of misconduct. I would like to see the courage to try that approach because it could unlock far more creativity, innovation, motivation, and personal responsibility.
To what extent is technology both an enabler and a risk factor within your governance approach?
It is both. Technology helps us automate processes, identify risks early, and make more data-driven decisions. Without technology, modern risk management would simply not work anymore, especially in areas such as transaction monitoring, sanctions screening, KYC processes, or operational resilience against cyberattacks. Our UnzerOne platform is a good example. It combines all payment processes into one system, which also reduces potential vulnerabilities.
At the same time, every new technology introduces new risks: cyber security issues, data privacy concerns, or simple misconfigurations. That is why our approach is to use technology consciously and responsibly.
How do you measure the success of your governance and compliance strategies beyond audits and regulatory reviews?
We measure it by how our culture is actually lived. Do people have open conversations? Does our speak-up culture work? Is there trust? Are the established processes, especially in risk management, consistently applied? What do our own internal controls tell us? We also look at internal metrics such as training participation rates, whistleblower reports, and employee survey feedback. And of course, when regulators return trust to the company, as happened with the lifting of the special supervisory mandate, that is naturally a very strong signal.
In times of uncertainty, what capabilities are essential for people working in risk management?
Vision, judgment, and strong communication skills.
Risk management is not just about identifying risks. It is also about understanding them in a business context. Good governance combined with an effective risk and compliance management system is not a static condition. It is an ongoing process. People who truly understand risk can not only avoid it, but consciously take the right risks as well. That is what entrepreneurial decision making is about. And for that, you need integrity.
The past few years have shown me once again how important strong governance structures are, not just on paper, but in daily practice. For Unzer, this process was a wake-up call to fundamentally rethink and rebuild many things. Looking back, it was certainly a demanding period, but it was also one that genuinely moved us forward.
If you could give one piece of advice to colleagues working in risk management, what would it be?
Stay curious. Risk is constantly changing. Anyone who believes a static setup will keep them safe forever is mistaken. Compliance is not a popularity contest, but it is one of the roles with the greatest impact in any organization. Effective risk management requires people who stay open-minded, keep developing themselves, and are willing to ask uncomfortable questions.
And most importantly: bring people with you. No system is stronger than the culture in which it is embedded.