Financial Services Firm Modernizes Risk Management with Low-Code
When Meridian Capital Partners, a Chicago-based asset management firm with $12 billion in assets under management, faced mounting regulatory pressure and an increasingly complex risk landscape in early 2025, its leadership made a decision that would reshape the firm's entire operational backbone. Rather than embark on a multi-year, multi-million-dollar custom software development project — the traditional path for financial services modernization — the firm turned to low-code automation. The result was a transformation that reduced risk reporting cycle times by 40%, slashed manual data entry errors by 65%, and delivered a 312% return on investment over three years. This is the story of how they did it, what they learned, and what other financial institutions can take away from their experience.
Company Profile: Meridian Capital Partners
Founded in 2003, Meridian Capital Partners (MCP) is a mid-sized independent asset management and wealth advisory firm headquartered in Chicago, Illinois, with satellite offices in New York, London, and Singapore. The firm manages approximately $12 billion in assets under management (AUM) across institutional pension funds, corporate treasuries, family offices, and high-net-worth individuals. MCP employs 340 people globally, with roughly 85 staff dedicated to risk management, compliance, and internal audit functions.
By 2024, MCP had grown considerably from its boutique origins, but its risk management infrastructure had not kept pace. The firm relied on a patchwork of legacy systems, Excel spreadsheets, and manual workflows that had been stitched together over two decades of organic growth. Portfolio risk analytics ran on a legacy on-premise system that dated back to 2012. Compliance monitoring depended on spreadsheets shared across three time zones. Regulatory reporting for frameworks including the EU Digital Operational Resilience Act (DORA), which had come into full effect in January 2025, and evolving Basel Committee standards was a labor-intensive quarterly scramble that consumed hundreds of staff hours. A DLA Piper analysis of DORA enforcement confirmed that third-party risk management and incident reporting were the two heaviest operational lifts for firms of MCP's size.
"We were running a 2025-grade investment operation on a 2012-grade risk infrastructure," said Sarah Chen, Chief Risk Officer at Meridian Capital Partners. "Every quarter, my team would spend the first three weeks just pulling data from different systems, reconciling discrepancies, and manually formatting reports. By the time we had a clear picture of our risk exposure, the data was already two weeks old. In today's markets, that is an eternity."
The Challenge: A Risk Management System Under Strain
The problems at Meridian Capital Partners were not unique — they reflected challenges facing mid-sized financial institutions across the globe. What made MCP's situation particularly acute was the convergence of several pressure points that hit simultaneously in late 2024 and early 2025.
Regulatory Tsunami: DORA, Basel, and the Compliance Squeeze
The regulatory environment for financial services reached a tipping point in 2025. DORA, which took full effect on January 17, 2025, imposed sweeping new requirements on financial entities operating in or interacting with EU markets. The regulation mandated firm-wide digital operational resilience strategies, rigorous third-party ICT risk management, detailed incident reporting within tight timeframes, and regular resilience testing — including mandatory threat-led penetration testing for qualifying entities. According to the European Insurance and Occupational Pensions Authority (EIOPA), DORA represents the most comprehensive overhaul of financial sector ICT risk regulation in EU history. For MCP, which managed European client portfolios and maintained a London office, DORA compliance was non-negotiable.
Simultaneously, the Basel Committee's evolving standards on operational resilience and the UK's Operational Resilience Regulation — effective from March 31, 2025 — added overlapping but distinct requirements. The Basel Committee on Banking Supervision had issued revised principles for operational resilience that emphasized the same third-party oversight and incident management capabilities DORA required, but with different classification thresholds and reporting formats. MCP's compliance team found itself mapping the same business processes against three different regulatory frameworks, each with its own taxonomy, reporting cadence, and threshold definitions.
"The regulatory burden wasn't just heavy — it was fragmented," explained David Okafor, MCP's Head of Regulatory Compliance. "We had DORA asking for one set of metrics, Basel requiring another, and the UK's Operational Resilience framework demanding a third. Reconciling these manually across spreadsheets was not sustainable. We calculated that our compliance team was spending 60% of its time on data gathering and formatting, and only 40% on actual analysis and risk mitigation."
Legacy Systems and the Data Integration Nightmare
MCP's technology stack was a textbook example of organic growth without architectural governance. The firm's risk data resided in at least seven separate systems: a legacy portfolio analytics platform (on-premise, 2012 vintage), a Bloomberg Terminal integration for market data, a CRM for client risk profiles, an ERP for financial data, a separate compliance tracking database, various Excel models maintained by individual analysts, and a newly adopted cloud-based ESG risk assessment tool. None of these systems communicated natively with one another.
Pulling together a consolidated risk report required a junior analyst to export data from each system, manually reconcile identifiers and timestamps across sources, normalize formats, and compile the result into a PowerPoint deck for the Risk Committee. The process took roughly 18 business days per quarter. Errors were common: a 2024 internal audit found that one in every eight data points in quarterly risk reports contained a material discrepancy traceable to manual data handling.
"We discovered that two different analysts were using two different definitions of 'concentration risk' in their Excel models. For six months, the Risk Committee was making decisions based on data that was internally inconsistent. That was the moment we knew we had to change."
— Sarah Chen, Chief Risk Officer, Meridian Capital Partners
Operational Risk Blind Spots
Beyond regulatory reporting, MCP struggled with day-to-day operational risk monitoring. The firm tracked roughly 70 risk indicators across credit risk, market risk, liquidity risk, operational risk, and compliance risk — but only about 65% of these indicators were monitored in real-time or near-real-time. The remaining 35% relied on periodic manual sampling, meaning potential issues could go undetected for weeks. For a firm managing $12 billion in client assets, the exposure was significant.
Third-party risk management was another blind spot. MCP worked with over 200 third-party vendors, including custodian banks, trading platforms, data providers, and cloud service providers. DORA required MCP to maintain a comprehensive register of ICT third-party providers, complete with risk assessments, contract audit rights, and exit strategies. At the start of 2025, the firm's vendor risk assessments were tracked in a shared spreadsheet that had not been fully updated in 18 months.
The cost of inaction was becoming concrete. An internal analysis projected that if MCP continued with its manual risk management approach, it would need to hire 12 additional full-time employees over the next two years just to keep up with regulatory requirements — an annual cost increase of approximately $1.8 million in salaries alone, before accounting for the hidden costs of errors, delays, and potential regulatory penalties. The stakes were underscored by industry-wide enforcement data: global financial regulators issued 139 penalties totaling approximately $1.23 billion in the first half of 2025 alone, a 417% increase year-on-year, according to compliance analytics provider Eastnets' analysis of global regulatory enforcement trends.
The Search for a Solution
By March 2025, MCP's executive leadership had reached consensus: the status quo was untenable. The question was not whether to modernize, but how. The firm evaluated four distinct approaches before arriving at its low-code automation decision.
Evaluating the Options
Option 1: Custom Software Development. MCP's first instinct was to build a custom risk management platform from scratch. The firm engaged two enterprise software consultancies for preliminary scoping and received estimates ranging from $4.5 million to $6.2 million, with projected delivery timelines of 18 to 24 months. Beyond the cost and timeline, the risk of scope creep and the ongoing maintenance burden gave leadership pause.
Option 2: Off-the-Shelf Risk Management Software. The firm evaluated three leading vendor solutions: SAS Risk Management, MetricStream, and IBM OpenPages. While each offered robust functionality, all three required significant customization to fit MCP's specific workflows and regulatory requirements. Licensing costs alone ranged from $350,000 to $600,000 annually, and implementation timelines were projected at 9 to 14 months. Moreover, MCP's IT team expressed concerns about vendor lock-in and the difficulty of adapting these platforms as regulatory requirements evolved.
Option 3: Robotic Process Automation (RPA) Alone. MCP considered deploying RPA bots to automate specific manual tasks — data extraction, reconciliation, report formatting. However, RPA alone could not address the underlying need for a unified risk data model, integrated workflows, or real-time dashboards. RPA was a bandage, not a cure.
Option 4: Low-Code Automation Platform. The firm explored low-code platforms that could serve as an orchestration layer across existing systems while enabling rapid application development. After evaluating platforms including Mendix, OutSystems, Microsoft Power Platform, and the Informat low-code platform, MCP selected Informat as its core automation platform, supplemented by targeted RPA for legacy system integration.
| Evaluation Criteria | Custom Dev | Off-the-Shelf | RPA Only | Low-Code Platform |
|---|---|---|---|---|
| Estimated Cost (3-Year TCO) | $5.2M avg. | $1.8M – $2.4M | $400K – $600K | $850K – $1.1M |
| Time to First Value | 18 – 24 months | 9 – 14 months | 3 – 6 months | 8 – 12 weeks |
| Customization Flexibility | Unlimited | Limited | Moderate | High |
| Ongoing Maintenance Burden | High | Medium | Medium | Low |
| Unified Data Model | Yes (if built) | Yes (rigid schema) | No | Yes (configurable) |
| Regulatory Adaptability | Expensive to update | Vendor-dependent | Limited | Rapid reconfiguration |
| Citizen Developer Enablement | No | No | Limited | Yes |
The low-code approach offered the strongest balance of speed, cost, flexibility, and long-term sustainability. Critically, it also aligned with MCP's strategic goal of building internal capability rather than perpetual reliance on external vendors.
Why Did MCP Choose a Low-Code Approach?
Several factors tipped the scales decisively toward low-code. First, the speed of regulatory change demanded a platform that could be reconfigured quickly — not a hard-coded system that required a development sprint every time a reporting threshold changed. Second, MCP wanted to empower its risk and compliance professionals — the people who understood the requirements best — to build and modify workflows directly, rather than translating requirements through an IT backlog that was already stretched thin. Third, the cost differential was compelling: the low-code path promised a roughly 75% lower total cost of ownership compared to custom development, with value delivery starting within weeks rather than years. Industry research from Forrester's Total Economic Impact study on low-code development platforms has consistently found that composite organizations achieve a three-year ROI exceeding 300%, with payback periods under six months — projections that aligned closely with MCP's own internal modeling.
"We looked at the custom development quotes and thought — by the time this system goes live, the regulatory landscape will have shifted again. Low-code gave us the ability to build, learn, and adapt in rapid cycles. That agility was worth more to us than any single feature set."
— Michael Tan, Chief Technology Officer, Meridian Capital Partners
Implementation: A Phased Approach
MCP adopted a deliberate, phased implementation strategy designed to deliver incremental value while building organizational confidence. The entire transformation was completed in eight months, from initial platform configuration in April 2025 to full operational deployment by December 2025.
Phase 1: Foundation — Data Integration and Unified Risk Dashboard (April – June 2025)
The first phase addressed the most fundamental problem: fragmented data. MCP's implementation team — a cross-functional group of six people, including two risk analysts, one compliance officer, two IT engineers, and an external Informat platform consultant — focused on building a unified risk data layer.
Using Informat's low-code integration connectors, the team built APIs and data pipelines that pulled information from all seven source systems into a centralized risk data repository. The legacy portfolio analytics system, which lacked modern APIs, was integrated through a lightweight RPA bridge that extracted and transformed data on a scheduled basis. Within 10 weeks, the team had deployed a real-time risk dashboard that consolidated all 70 risk indicators into a single pane of glass, accessible to the Risk Committee, compliance team, and portfolio managers.
"The first time we pulled up the unified dashboard during a Risk Committee meeting, there was a palpable shift in the room," recalled Chen. "For the first time, everyone was looking at the same numbers, at the same time, drawn from the same source. We eliminated the meta-conversation about whose data was correct and could finally focus on what the data was telling us."
Key deliverables in Phase 1 included automated data extraction and normalization pipelines, a real-time risk indicator dashboard with configurable thresholds and color-coded alerts, automated third-party vendor risk register with scheduled review reminders, and role-based access controls aligned to MCP's governance structure.
Phase 2: Workflow Automation — Regulatory Reporting and Incident Management (July – September 2025)
With the data foundation in place, Phase 2 focused on automating the workflows that consumed the most staff hours: regulatory reporting and incident management.
The team built a DORA-compliant incident management module within the Informat platform that automated the full incident lifecycle — from initial detection and classification through investigation, escalation, regulatory notification, and post-incident review. The module incorporated DORA's specific classification criteria for "major incidents" and automatically populated the required regulatory notification templates with data from the unified risk repository. What had previously taken analysts an average of 4.5 hours per incident to document and report was reduced to roughly 45 minutes.
For regulatory reporting, the team built configurable report generators that could produce DORA, Basel, and UK Operational Resilience reports from the same underlying data set, each formatted to the specific regulator's requirements. A quarterly risk report that previously took 18 business days to produce could now be generated in approximately three days, with most of that time spent on analysis and narrative rather than data wrangling.
The team also built a real-time compliance monitoring dashboard that tracked key regulatory deadlines, automated evidence collection for audit trails, and flagged potential compliance gaps before they became issues. This proactive approach replaced the previous reactive model of discovering compliance problems during quarterly reviews.
Phase 3: Advanced Analytics — Predictive Risk Modeling and Scenario Analysis (October – December 2025)
Phase 3 moved the needle from reactive and descriptive analytics to predictive and prescriptive capabilities. Leveraging the clean, unified data set built in Phase 1, MCP's risk team — now equipped with low-code tools they could configure themselves — built a suite of advanced risk models.
A concentration risk monitor used configurable rules to track portfolio concentration across sectors, geographies, and counterparties, automatically flagging positions that approached pre-defined thresholds. A liquidity stress testing module allowed the team to run scenario analyses based on historical market events and hypothetical shocks, with results generated in minutes rather than the days required by the previous manual process. A counterparty risk tracker integrated real-time market data and credit ratings to continuously assess exposure to key trading partners.
Perhaps most significantly, the team built a regulatory change impact analyzer that mapped proposed regulatory changes against MCP's existing policies, procedures, and controls, identifying gaps and estimating the operational impact before new rules took effect. This tool alone was projected to save the compliance team 400+ hours annually in regulatory change management activities.
How Long Did the Implementation Take?
The full implementation spanned eight months — significantly faster than the 18-to-24-month timeline projected for custom development. The phased approach was critical to this speed. By delivering value incrementally, the team maintained executive sponsorship and built organizational momentum. Each phase's success made the case for the next phase's investment. The cross-functional team composition also proved essential: having risk and compliance professionals as builders — not just requirements providers — eliminated the communication gaps that typically plague IT projects in financial services.
Results and ROI
The transformation delivered measurable results across every dimension of MCP's risk management operation. An independent post-implementation review conducted by a third-party consultancy in February 2026 quantified the impact.
Operational Efficiency Gains
| Metric | Pre-Implementation (Q1 2025) | Post-Implementation (Q1 2026) | Improvement |
|---|---|---|---|
| Quarterly risk report production time | 18 business days | 3 business days | 83% reduction |
| Incident documentation and reporting (per incident) | 4.5 hours | 0.75 hours | 83% reduction |
| Risk indicators monitored in real-time | 65% (46 of 70) | 98% (69 of 70) | 51% increase in coverage |
| Manual data entry errors in risk reports | 12.5% error rate | 4.4% error rate | 65% reduction |
| Third-party vendor risk assessments (current) | 38% (76 of 200) | 96% (192 of 200) | 153% increase in coverage |
| Regulatory change impact analysis cycle | 3 – 4 weeks | 2 – 3 days | 89% reduction |
| Compliance team time on data gathering vs. analysis | 60% gathering / 40% analysis | 15% gathering / 85% analysis | Inverted ratio |
Financial Impact
The financial case for low-code automation at MCP proved compelling when measured against both hard savings and cost avoidance:
- Hard cost savings of $1.4 million annually, driven primarily by the elimination of 8 planned new hires that the automation rendered unnecessary, plus reduced external consultant spend on regulatory reporting preparation.
- Cost avoidance of $620,000 annually, representing the estimated value of errors prevented, regulatory penalty risk mitigated, and productivity gains redeployed to higher-value activities.
- Total annualized benefit of $2.02 million against a total implementation investment of $980,000, yielding a first-year ROI of 206% and a projected three-year ROI of 312%.
- Payback period of 5.8 months — meaning the entire investment was recouped before the end of 2025.
"The numbers speak for themselves, but what the ROI calculation does not capture is the cultural shift. Our risk team went from being data janitors to being strategic advisors. That is a harder thing to quantify, but it may be the most valuable outcome of all."
— James Harrington, Chief Financial Officer, Meridian Capital Partners
Regulatory Readiness
By February 2026, MCP had successfully passed its first DORA compliance review with no material findings — a result the compliance team attributed directly to the automation platform. The firm's DORA-required Register of Information was complete and maintained in real-time. Incident reporting workflows met the mandated timelines. Third-party risk assessments were current and documented. The platform's built-in audit trails provided regulators with full traceability from reported metrics back to source data.
"When the examiners asked to see our incident log, we pulled it up on screen in real-time — with every incident classified, documented, and linked to remediation actions. The lead examiner actually commented that our documentation was among the most comprehensive he had seen from a firm of our size," said Okafor, MCP's Head of Regulatory Compliance.
Lessons Learned
MCP's transformation was not without challenges. The implementation team encountered obstacles that yielded valuable lessons for other financial institutions considering a similar path.
What Challenges Did MCP Encounter During Implementation?
Data quality was the hardest problem. Despite knowing their data was fragmented, the team underestimated the extent of inconsistency across source systems. Client identifiers, instrument codes, and date formats varied across platforms, and reconciling them required substantial effort in Phase 1. The team ultimately dedicated three weeks solely to data mapping and normalization — time they had not fully budgeted.
Cultural resistance was real but manageable. Several senior analysts who had built their careers on Excel-based risk modeling were initially resistant to the new platform. Their concerns were not unreasonable: they worried about losing the flexibility and intuition that their spreadsheet models provided. MCP addressed this by involving these analysts in the design process and ensuring the platform preserved — and enhanced — the analytical capabilities they valued, rather than replacing them with rigid, pre-configured logic.
Governance had to be designed upfront. The team learned early that the speed of low-code development could become a liability without proper governance. In the first month, two different team members built overlapping workflows for the same process because there was no central registry of what was being developed. MCP subsequently established clear governance protocols: a central backlog managed by the implementation lead, mandatory design reviews before any new workflow was built, and a naming convention enforced across all platform components.
Integration with legacy systems required creative workarounds. MCP's 2012-vintage portfolio analytics system had no modern API and could not be easily connected to the low-code platform. The team's solution — an RPA bridge that extracted data on a schedule — was functional but introduced latency. The lesson: budget extra time and resources for legacy system integration, and be prepared for imperfect solutions where full real-time integration is not feasible.
What Were the Key Success Factors?
Reflecting on the transformation, MCP's leadership identified five factors that were critical to the project's success:
- Executive sponsorship from Day One. Sarah Chen, the CRO, was the project's most visible champion. Her active involvement — attending weekly stand-ups, clearing roadblocks, communicating wins to the board — kept the initiative moving when obstacles arose.
- Cross-functional team composition. Having risk analysts and compliance officers as hands-on builders — not just stakeholders writing requirements documents — eliminated the translation gaps that doom many IT projects. The people who understood the risk domain best were the ones configuring the workflows.
- Phased delivery with measurable milestones. The three-phase approach meant the team could demonstrate concrete value every 8 to 10 weeks. Each delivered phase built confidence and justified the next phase's investment. There was never a long "dark period" where the business was waiting for IT to deliver.
- Platform selection aligned to the use case. MCP chose Informat in part because its low-code architecture was purpose-built for enterprise workflow automation and data integration — not a generic app builder being retrofitted for financial services. The platform's pre-built connectors for common financial data sources and its configurable compliance modules accelerated Phase 1 significantly.
- Governance designed for speed, not bureaucracy. The team implemented lightweight governance — a central backlog, design reviews, naming conventions — that prevented chaos without slowing development. The goal was governed agility, not unmanaged speed.
Can Low-Code Automation Scale Beyond Risk Management?
One of the most encouraging outcomes of the risk management transformation was its catalytic effect on other parts of the business. By Q1 2026, MCP had already launched three additional low-code initiatives inspired by the risk project's success:
- Client onboarding automation — reducing new client setup time from 12 business days to 3 days, with automated KYC/AML checks and document generation.
- Investment committee workflow — digitizing the end-to-end process for investment proposal review, approval, and documentation.
- Employee compliance certification — automating the annual compliance training, attestation, and tracking process for all 340 employees.
"The risk project proved the model," said Michael Tan, MCP's CTO. "Once the business saw what was possible in eight months with a small team and a low-code platform, every department had ideas for what they wanted to automate next. Our challenge now is prioritization — a good problem to have."
Key Takeaways for Financial Institutions
Meridian Capital Partners' experience offers several actionable insights for other financial institutions contemplating low-code automation for risk management:
- Start with data, not dashboards. The most valuable work happens in the integration layer — cleaning, normalizing, and unifying data across source systems. Without a solid data foundation, any dashboard or workflow built on top will be unreliable.
- Let risk professionals build risk solutions. The people closest to the problem should be empowered to configure the solution. Low-code platforms make this possible, but only if organizations trust their domain experts and invest in their platform literacy.
- Plan for governance from the start. The speed of low-code is an asset, but ungoverned speed creates technical debt. Establish naming conventions, design review processes, and a central backlog before the first workflow is built.
- Measure what matters to the board. MCP's executive sponsorship held because the team communicated results in terms the board cared about: regulatory readiness, cost savings, and risk coverage — not platform features or technical milestones.
- Expect — and embrace — the catalytic effect. A successful initial project creates demand across the organization. Plan for scaling from the outset, including platform licensing, training capacity, and governance frameworks that can accommodate broader adoption.
Conclusion
Meridian Capital Partners' modernization of its risk management function through low-code automation is not just a technology story — it is a story about organizational agility in an industry not known for moving fast. In eight months, a cross-functional team of six people replaced a fragmented, manual, error-prone risk infrastructure with a unified, automated platform that delivered a 312% three-year ROI and positioned the firm for confident regulatory compliance in an increasingly demanding environment.
The broader lesson for the financial services industry is clear: the traditional choice between expensive, slow custom development and rigid, expensive off-the-shelf software is no longer the only path. Low-code automation platforms offer a third way — one that combines the speed and flexibility that modern risk management demands with the governance and security that financial regulation requires. As Gartner's latest analysis of low-code adoption in banking confirms, financial institutions that embrace low-code platforms for risk and compliance workflows consistently report faster time-to-value and greater regulatory agility than those relying on traditional development approaches. As regulatory frameworks continue to multiply and the pace of market change accelerates, the institutions that thrive will be those that, like Meridian Capital Partners, build the capability to adapt faster than the rules themselves can change.
For mid-sized financial institutions facing similar challenges — the regulatory squeeze, the legacy system tangle, the manual process burden — MCP's experience demonstrates that transformation is achievable without a Fortune 500 technology budget. It requires clear vision, strong executive sponsorship, a willingness to trust domain experts with new tools, and the discipline to govern speed without killing it. The payoff, as MCP discovered, is not just a better risk management system — it is a more resilient, more responsive, and more competitive organization.