Transforming Risk Culture: How Stater Strengthened First-Line Ownership and Assurance with CERRIX

Stater, a leading mortgage service provider in the Netherlands, manages over €330 billion in assets for major financial institutions like ABN AMRO, ING, and ASR, etc. As a critical player in the financial ecosystem, the organization faces stringent regulatory demands and high expectations for risk oversight and compliance assurance.

Laying the Foundation: From Manual Processes to First Steps with CERRIX On-Premise

Before adopting CERRIX, Stater’s risk and compliance activities were largely manual—spread across Excel sheets, documents, and emails. “It came down to the consistency of people in the risk team,” says Petra Pannevis, Manager Risk Management at Stater. “There was little automation, and the first line was mostly passive.”

The organization took its first digital step in 2017 by adopting an on-premise version of CERRIX, which helped formalize second-line activities like control testing and evidence collection. While effective at the time, the solution was intentionally focused in scope and did not yet extend to the broader organization, still narrowly used by the second line. As the organization evolved and faced growing external assurance requirements—such as ISAE 3402 and SOC 2—Stater made a shift in 2024 to CERRIX’s cloud-based platform to better support its compliance ambitions and growing risk complexity.

Upgraded to the CERRIX Cloud Platform: Empowering First-Line Ownership & Real-Time Insights

The transition to the CERRIX cloud version was driven by a strategic vision: bring risk management closer to the business and empower the first line of defense with real-time insights and better control execution.

“Before, managers would wait for a monthly report to see findings,” Petra explains. “Now, they have access to real-time dashboards and can track progress on their own. Risk is no longer just a second-line task—it’s integrated into everyone’s daily work.”

Key Advantages of CERRIX for Stater:

Real-Time Dashboards – Managers gain instant visibility into findings, controls, and test progress. Enhanced First-Line Ownership – Day-to-day access helps business units stay in control and accountable. Centralized Risk Framework – A single source of truth supports better alignment and oversight. Standardized Workflows – Automation of recurring tasks to saves time and ensures consistency. Scalable Compliance Support – Built-in frameworks support external assurance like ISAE 3402 and SOC 2.

Building Trust Through Assurance  

With its expanded use of CERRIX, Stater is reinforcing trust with its banking partners by achieving a high level of assurance maturity. The company is among the first in the Netherlands to pursue full-scope SOC 2, extending beyond security and continuity to include privacy, confidentiality, and processing integrity.

As Petra describes, “When banks entrust us with their most valuable asset—their mortgage portfolios—they want to be sure we care for them as well as they would themselves. We need to do it really, really well.”

A Platform for Long-Term Vision  

In addition to day-to-day control execution, CERRIX is also enabling Stater to advance its long-term risk and compliance strategy. Priorities for 2025 include:

Automating control testing to increase efficiency and reduce manual workload Strengthening third-party risk management in response to growing regulatory scrutiny Finalizing SOC 2 implementation and continuously improving assurance practices

“We want to bring risk management closer to where the real decisions are made—in day-to-day business operations,” Petra notes. “CERRIX is helping us embed risk ownership across the organization.”

A Collaborative Outlook on Risk Management

Reflecting on the broader role of risk and compliance in the industry, Petra emphasizes the importance of community over competition:

“Help each other improve. We don’t need to compete on risk management—everyone benefits when we do it better, together.”

‍