
Regulation Targets Observable Risk

  • Writer: Weave.AI
  • 1 hour ago
  • 5 min read
What JPMorgan’s Record ECB Fine Actually Signals About Modern Risk Management

When JPMorgan Chase was hit with a record fine by the European Central Bank, the headline focused on scale. But the real story is how risk is now judged.


Modern enforcement is no longer anchored in internal intent, policies, or even stated controls. It is grounded in what regulators can observe.


This is a massive shift. Historically, firms could defend themselves based on process: documented controls, completed audits, and formal compliance frameworks. Today, regulators are acting on externally visible signals including gaps, inconsistencies, delays, and exposures that exist regardless of what a firm believes is happening internally.


In other words: enforcement is moving away from what you say and towards what can be seen.


We’ve seen this play out repeatedly.


  • The U.S. Securities and Exchange Commission has issued enforcement actions against dozens of financial institutions based on off-channel communications—signals surfaced through message metadata and device usage patterns, not internal attestations. While many investigations began with voluntary samples from employee devices, recent actions have increasingly relied on metadata and usage patterns to identify widespread failures in recordkeeping and supervision.

  • The Office of the Comptroller of the Currency has taken action against banks for third-party risk failures where the issue was not intent, but observable breakdowns in vendor oversight and operational resilience. In 2024, the OCC issued a $65 million civil money penalty for systemic deficiencies in operational and compliance risk management. The action emphasized a lack of effective internal controls and failures to meet heightened standards.

Regulators are no longer waiting for firms to self-report perfectly. They are triangulating reality from external data.

This changes the game entirely for risk leaders, and requires an “outside-in” view of risk.


From Internal Control to Observable Exposure


For Chief Risk Officers, this shift introduces a new mandate: understanding not just managed risk, but observable risk.

The challenge is that the surface area of what is observable has expanded dramatically. Risk no longer sits neatly within defined categories like credit or market exposure. It spans an increasingly complex set of domains:

  • Cyber vulnerabilities and third-party attack surfaces

  • AI model behavior, bias, and governance gaps

  • Operational resilience across global infrastructure

  • Financial exposure tied to liquidity, counterparties, and concentration

  • Reputational risk driven by media, sentiment, and external perception

Each of these domains produces explicit and indirect signals that regulators, counterparties, and markets can now access and interpret.

The implication is clear: CROs must understand how risk appears externally and focus where the gaps are.

Observable gaps take many forms—and increasingly, they show up in ways regulators can directly validate:

  • Delayed disclosures or inconsistent reporting. In the SolarWinds cyberattack, multiple firms were impacted through a vendor compromise, but disclosure timelines varied widely. In some cases, external security researchers identified the breach before companies formally reported it—creating a visible lag that regulators later scrutinized. More recently, enforcement actions tied to incident disclosure rules have focused not just on whether firms disclosed, but when and how consistently across channels.

  • Mismatches between stated controls and external signals. The U.S. Securities and Exchange Commission has fined major banks for off-channel communications, where firms claimed strong compliance controls but employees were widely using unauthorized messaging apps. The external signal—message metadata and enforcement findings—directly contradicted internal assurances.

  • Silent dependencies in third- and fourth-party ecosystems. During the Fastly outage, major websites and services went down simultaneously—not because of their own systems, but due to a shared infrastructure provider. Many firms believed they had diversified risk, but hidden dependencies created a single point of failure that became immediately visible.

  • Early indicators of stress not captured internally. In the lead-up to the collapse of Silicon Valley Bank, external signals—declining bond values, concentrated depositor risk, and market sentiment—were visible well before internal risk frameworks fully reflected the severity. Similarly, vendor risk can show up early through credit downgrades, leadership churn, or negative media coverage—signals that exist externally before internal systems react.

In today’s environment, the absence of a signal is itself a signal.



Risk Is No Longer Isolated—It’s Systemic


Compounding this challenge is the fact that risk no longer behaves in isolation.


Modern risk operates as a multi-vector system, where disruptions move across domains and amplify as they travel.


A single point of failure can cascade:


  • A cyber vulnerability from a third or fourth party vendor becomes an operational outage

  • An operational outage triggers financial loss and liquidity pressure

  • Financial stress leads to regulatory scrutiny and reputational damage

What begins as a localized issue quickly becomes enterprise-wide.

This is the defining feature of modern risk: interconnectedness.

And yet, many risk frameworks remain fragmented—organized by function, measured in silos, and reported independently.

This creates a dangerous disconnect.

Risk intelligence is not about understanding isolated categories. It is about understanding how risks relate, interact, and amplify across the system.

It requires:

  • Mapping dependencies across third-, fourth-, and nth-party ecosystems

  • Identifying hidden concentrations and shared infrastructure risk

  • Monitoring how signals in one domain translate into impact in another

  • Detecting propagation pathways before they fully materialize

In short, it requires a systemic view.

Without it, firms are always reacting one step too late.



The Scale Problem: Why Observable Gaps Are So Hard to See


One of the core challenges in identifying observable gaps isn’t just awareness—it’s scale.


The volume of external data that must be evaluated to truly understand risk exposure is enormous, fragmented, and constantly changing. Signals are not confined to structured reports or regulatory filings. They exist across a sprawling ecosystem of technical telemetry, market data, disclosures, and unstructured information.


Consider just a few examples:


  • Cyber and infrastructure exposure: A single global bank may have thousands of third-party vendors, each with their own digital footprint—IP ranges, certificates, software dependencies, and vulnerability profiles. Monitoring this surface area in real time means tracking millions of data points across scanning tools, threat feeds, and security disclosures.

  • Third-, fourth- and nth-party dependencies: Mapping extended supply chains requires ingesting vendor disclosures, sub-processor lists, and open-source intelligence to uncover hidden relationships. One “critical” vendor can expand into hundreds of downstream dependencies—most of which are invisible to traditional TPRM processes.

  • Market and reputational signals: News cycles, analyst reports, earnings calls, and social sentiment generate a continuous stream of signals. A single counterparty or vendor can produce thousands of relevant data points per week, each potentially indicating emerging stress.


Blind spots persist because they are buried in overwhelming scale.



Weave Helps You See What Regulators See


If enforcement is now based on what regulators can observe, the question for every CRO becomes: Do you have the same view they do?


Weave.AI is built to answer that question.


Weave extends risk management beyond internal systems by interpreting external signals at scale—surfacing the same indicators regulators, markets, and adversaries use to assess exposure.


Its approach centers on external signal interpretation:


  • Signal Aggregation: Ingesting vast external datasets—technical footprints, incident data, disclosures, media signals, and market indicators

  • Dependency Mapping: Revealing third-, fourth-, and nth-party relationships that define real exposure

  • Gap Detection: Identifying mismatches between internal posture and external reality, including silent or delayed signals

  • Propagation Analysis: Understanding how disruptions in one domain cascade across operational, financial, and regulatory dimensions

  • Benchmarking: Positioning risk posture relative to peers based on observable exposure

Crucially, Weave treats both signal presence and signal absence as first-class inputs—because in modern risk environments, silence can be as telling as noise.

This does not replace internal risk management. It complements it.

Internal systems tell you what should be happening. Weave shows you what can be seen.

And in today’s regulatory environment, that distinction is everything.



The New Standard of Risk


The lesson from JPMorgan’s ECB fine is not about one institution. It is about a broader shift in how risk is evaluated, enforced, and understood.


Risk is no longer judged by internal intent. It is judged by observable reality.


For CROs, this requires a fundamental evolution:

  • From control validation to exposure visibility

  • From siloed risk categories to systemic intelligence

  • From internal assurance to external alignment

Because ultimately, the standard that matters is not what you manage.

It’s what the world—and your regulators—can see.

