Pay.UK is the recognized operator and standards body for the UK’s interbank retail payment systems, which means that risk, for them, isn’t just a compliance checkbox, it is a critical function that ensures the robustness and resilience of its core payment systems for the UK economy.

With a view to enhancing the effective management of its risks and controls, through Protecht ERM, Pay.UK moved from spreadsheet-driven risk management to a real-time, fully integrated system that delivers instant insights, accountability, and automation, in just six months.

“We’ve transformed risk. What used to be a time-consuming process is now instant. No more chasing spreadsheets, no more missing data.” — Terri Neat, Risk Manager, Pay.UK

About Pay.UK

Pay.UK provides the digital networks that make payments secure, safe and simple for the UK’s banks and building societies, payment service providers and their customers.

As the recognized operator and standards body for the UK’s interbank retail payment systems, Pay.UK runs the UK’s retail payments operations, which include the Bacs Payment System, the Faster Payment System and the Image Clearing System. It also delivers a variety of services relating to payments, such as the Current Account Switch Service, Confirmation of Payee and Request to Pay.

Through its infrastructure and services, it enables billions of pounds of payments, safely and securely, every single day, meaning that it has a critical role supporting the UK economy.

In 2023, Pay.UK processed 11.4 billion retail payments to a value of just under UK£9.3 trillion (US$12.3 trillion). That’s nearly 40 million payments a day. As an operator of systemically important payment systems and services that are central to the UK economy, Pay.UK’s approach to risk management is fundamentally systemic. It manages risks that have the potential to impact both its central infrastructure and the broader ecosystem of its customers. Disruption in both of these spheres could impact the ability of end users to make and receive payments, and potentially affect the financial stability of the UK economy.

The challenge: spreadsheet fatigue and fragmented risk management

“One of the biggest wins for us was how easy Protecht was to use. We didn’t need months of training – people could just log in and get it.” – Terri Neat

Before implementing Protecht ERM, Pay.UK’s risk management process relied on the use of spreadsheets, making it slow, fragmented, and highly manual.

The organization tracked risk using over 30 spreadsheets, all with varying levels of detail and quality. If someone asked how many risks they had inside or outside appetite, it could take hours to compile the answer.

Compiling risk reports for executives and regulators was a time-consuming process. Every month, the team had to manually pull together data, cross-referencing spreadsheets, and formatting reports.

Without automated workflows, risk-related tasks were dependent on email reminders and manual follow-ups and compliance processes relied on individuals remembering to update their files. With no structured system to track responsibilities, many risk owners saw risk management as a once-a-quarter exercise rather than an ongoing, proactive process.

Pay.UK needed to move beyond spreadsheets and invest in a system that provided:

• Real-time, centralized risk visibility
• Automation to reduce manual effort
• Clear accountability and structured workflows
• A reporting solution that saved time instead of consuming it

Why Pay.UK chose Protecht

“The decision was unanimous – Protecht was the best fit. It had everything we needed, and it just worked.” — Lone Le Roux, Director, Risk & Compliance, Pay.UK

Pay.UK knew it needed more than just a reporting tool. Its ideal solution had to provide real-time visibility, automation, and structured risk processes – all while being flexible enough to adapt to its evolving needs.

Risk focus

Unlike many GRC tools that treat risk as an add-on to an audit system, Protecht ERM is built from the ground up for enterprise risk management, designed with risk professionals in mind.

Protecht’s framework aligned seamlessly with Pay.UK’s risk maturity model, ensuring that every aspect of its risk function – from controls testing to issue tracking – was structured and interconnected.

Self-serve configurability

One of the key differentiators was Protecht’s self-serve configurability. Unlike legacy GRC tools that require expensive consultants or developers for every change, Protecht empowered Pay.UK’s team to tailor the system themselves.

This meant that Pay.UK could adapt the system to their needs in real time, without waiting weeks (or months) for external support.

Easy for frontline staff to use

A common challenge with risk management platforms is getting non-risk professionals to engage with the system. Protecht’s user-friendly interface ensured that first-line teams could navigate and update risks without requiring extensive training.

The visual, interactive elements, such as heatmaps and dashboards, made it easier for teams to understand and engage with risk rather than seeing it as an abstract compliance task.

Insightful reporting

For Pay.UK, manual reporting was one of the biggest pain points. Protecht’s real-time dashboarding and integration with Power BI meant that risk insights were always up to date and instantly available.

Instead of static, one-time reports, Pay.UK’s leadership could now access live risk insights – enabling more informed decision-making and proactive risk management.

Third-party vendor risk management

As an organization dealing with multiple third-party vendors, Pay.UK needed a robust vendor risk management (VRM) solution that integrated seamlessly with their risk framework.

Protecht’s VRM capabilities – including risk assessments, issue tracking, and compliance monitoring – met all its needs. Its vendor management team immediately saw the value in Protecht’s VRM solution.

Implementation and support

The Protecht team’s responsiveness and flexibility also played a crucial role in Pay.UK’s decision. Unlike some vendors who offered rigid, one-size-fits-all approaches, Protecht’s team took the time to understand Pay.UK’s unique needs and tailor the demo experience accordingly.

The sales process was consultative rather than pushy, and the team remained supportive throughout the RFP and evaluation stages, standing out from competitors.

With its risk-first approach, intuitive interface, self-serve configurability, and seamless reporting, Protecht ERM outperformed all alternatives – both in functionality and overall ease of adoption.

Implementation: a fast-tracked digital transformation

Rolling out a new risk management system is often a lengthy and complex process. Many organizations spend years transitioning from spreadsheets to an enterprise risk management platform – often encountering internal resistance, technical challenges, and low adoption rates.

But Pay.UK had a different experience.

With Protecht ERM, Pay.UK was up and running with the core system in just 60 days. The full rollout was completed in just six months – a speed that both the Pay.UK team and its external consultants found remarkable.

This wasn’t just a technical deployment; it was a cultural shift in how risk was managed.

From the outset, Pay.UK took a disciplined yet flexible approach to implementation. Instead of waiting for a perfect, fully customized system, they focused on getting core risk processes live quickly, then refining and expanding from there.

The rollout included:

• Digitizing all risk registers, risk events, and controls
• Automating workflows for risk reviews, approvals, and escalations
• Building Power BI dashboards to provide real-time risk insights
• Rolling out training and onboarding for first-line and second-line teams

Aligning technology and culture

At the same time, Pay.UK focused on embedding risk awareness across the organization.

• First-line teams were given clear, practical training on how to use the system.
• Senior leaders were engaged early to ensure they understood how Protecht would improve risk oversight.
• Automated notifications were introduced gradually to avoid overwhelming users.

By the time Protecht ERM went live, the results were immediate.

• First-line teams found the system easy to use, reducing the time spent on risk updates.
• Reporting, which used to take hours, was now instantaneous.
• Risk managers had real-time oversight of issues, controls, and incidents – no more chasing down spreadsheets.

“They [the external consultants] came in and said, ‘We don’t know how you did this – it’s incredible.’” — Lone Le Roux

Because Protecht ERM is designed for configurability, Pay.UK’s team could make adjustments on its own, without relying on external consultants – allowing for a much faster rollout.

Immediate results: transforming risk visibility and efficiency

In just six months, Pay.UK’s risk function transformed from a fragmented, spreadsheet-driven process to a fully digital, real-time risk management system. The impact was immediate:

• 50% reduction in reporting time – What used to take hours is now instant. The team can generate board-level reports at the click of a button.
• Real-time risk insights – The team can see their full risk profile in one place. No more chasing spreadsheets, no more missing data.
• Increased accountability – Automated workflows mean no more forgotten risk updates. Risk is now embedded into daily operations.
• Enterprise-wide adoption – Used across all three lines of defense, with risk insights now shaping executive and board-level decisions
• Cost savings and efficiency – The system’s automation enabled Pay.UK to restructure its risk team, reallocating resources to higher-value risk advisory work

With Protecht ERM, Pay.UK has moved beyond spreadsheets for good. Risk is now proactive, strategic, and fully visible – setting them up for even greater success in the future.

What’s next: The future of risk management at Pay.UK

While Pay.UK has achieved a major step forward, its journey with Protecht is far from over. The next priorities include:

• Enhancing operational resilience by integrating resilience frameworks into the platform.
• Strengthening data protection governance through automated DPIAs.
• Exploring predictive analytics and AI-driven risk insights to stay ahead of emerging threats. Pay.UK is excited by Protecht’s product roadmap and upcoming AI features, and these will be key to building further adoption and driving greater efficiency in the future.

“We’ve transformed risk management in six months. Now, we’re looking at how far we can take this.” — Lone Le Roux, Director, Risk & Compliance, Pay.UK

Why Protecht?

Protecht ERM helped Pay.UK move from fragmented, manual processes to an integrated, data-driven approach to risk:

• Risk-first platform: Designed for GRC, not an audit add-on.
• Configurable and self-serve: Empowering teams without IT dependency.
• Real-time dashboards: Enabling better decision-making at every level.
• Proven efficiency and governance impact: Saving time and improving control

Find out more about Protecht ERM and book your own personalized demo: