
Germán Fuentes Capella
Operational & Cyber Resilience for Regulated Financial Institutions
About me
I operationalise cyber resilience in regulated financial institutions across critical functions, ICT dependencies and governance structures.
With 15 years of experience in payments and financial services, I combine an engineering background with a data-driven approach to translate regulatory and risk requirements into operating models that work in practice.
I have led and implemented operational resilience and ICT risk frameworks within financial institutions regulated in the UK and Luxembourg, working under direct supervisory scrutiny. My focus is not on producing compliance artefacts, but on building capabilities that withstand disruption and scale sustainably.
Having held senior engineering and security leadership roles, I operate in environments where trust, reliability and service continuity are fundamental to the business model. In such contexts, resilience is a strategic capability rather than a regulatory exercise.
Who I help
I work with:
- CROs and Heads of Operational Risk accountable for operational resilience
- CISOs responsible for ICT risk governance
- COOs accountable for service continuity
Particularly in institutions where operational failure would materially impact customers, counterparties, market confidence and supervisory trust.
My approach
Operational resilience is not a compliance exercise. It is the capability to withstand, adapt to and recover from disruption across people, process, technology and third-party dependencies.
Cyber resilience ensures that ICT disruption does not translate into failure of critical financial services.
My work focuses on three questions:
- What must remain operational during disruption?
- What dependencies could prevent that?
- How do we build governance that enables, not bureaucratises?
I operate at the intersection of enterprise risk management, regulatory expectations and technology delivery.
Core capabilities
1. Operational & Cyber resilience
Critical function identification, impact tolerance calibration, Business Impact Analysis, scenario testing, recovery design and integration of resilience into enterprise risk structures.
More on this: Operational & Cyber Resilience.
2. ICT third-party oversight
Critical dependency mapping, ICT provider segmentation, risk-based oversight, continuous monitoring governance, concentration risk management and regulatory register architecture and data integrity.
More on this: Third-Party Oversight.
3. Security governance & operating models
Three Lines of Defence design, decision rights and escalation paths, and risk ownership models supported by KRIs. Integration of ICT risk into operational risk frameworks, control mapping and ownership, risk taxonomy harmonisation, and testing-based assurance to validate capability between review cycles.
More on this: Security Governance & Operating Models.
4. Resilience Engineering
Design of preventive control guardrails that are validated at the point of change, embedded into infrastructure configuration and delivery workflows.
This moves validation into the change process and reduces reliance on after-the-fact detection and remediation.
By blocking drift before it reaches production, exception volume and compliance overhead decrease, freeing capacity for higher-order resilience governance and concentration risk decisions.
More on this: Resilience Engineering.
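As an added illustration of a guardrail validated at the point of change (this is example code written for this page, not the author's own tooling), the script below evaluates a hypothetical deployment descriptor against a small set of hypothetical resilience rules and returns a block/allow decision with the findings. The descriptor shape, rule names and sample values are all constructed assumptions; in a real pipeline the same check would run on the parsed infrastructure configuration before merge or apply.

```python
"""Preventive guardrail check run at the point of change.

Added example, not the author's own tooling. It assumes a hypothetical
deployment descriptor (a plain dict standing in for a parsed IaC file)
and a small, hypothetical set of resilience guardrails. A delivery
pipeline would run check_change() before merge or apply and fail the
change when any guardrail is violated, so drift never reaches production.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # guardrail identifier (hypothetical names)
    resource: str  # service the finding applies to
    detail: str    # human-readable explanation for the change author


def _require(cond: bool, rule: str, resource: str, detail: str, findings: list) -> None:
    """Record a finding when a guardrail condition does not hold."""
    if not cond:
        findings.append(Finding(rule, resource, detail))


def evaluate_guardrails(descriptor: dict) -> list[Finding]:
    """Return every guardrail violation in the change; an empty list means compliant."""
    findings: list[Finding] = []
    for svc in descriptor.get("services", []):
        name = svc.get("name", "<unnamed>")

        # Critical services must declare a risk owner and a recovery-time
        # objective, so the control maps to ownership and an impact tolerance.
        if svc.get("critical", False):
            _require("owner" in svc, "critical-owner", name,
                     "critical service has no risk owner", findings)
            _require(svc.get("rto_minutes") is not None, "critical-rto", name,
                     "critical service declares no RTO", findings)

        # Data at rest must be encrypted and backed up; otherwise a single
        # storage fault becomes a service failure.
        store = svc.get("storage", {})
        _require(store.get("encrypted", False), "storage-encryption", name,
                 "storage not encrypted at rest", findings)
        _require(store.get("backups", False), "storage-backups", name,
                 "storage has no backups configured", findings)

        # Management ports must never be reachable from the open internet.
        for rule in svc.get("ingress", []):
            if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") in (22, 3389):
                findings.append(Finding("no-public-mgmt", name,
                                        f"port {rule['port']} open to 0.0.0.0/0"))

        # Anything exposed must enforce a minimum TLS version.
        if svc.get("ingress"):
            tls = svc.get("min_tls")
            _require(tls in ("1.2", "1.3"), "tls-minimum", name,
                     f"min_tls is {tls!r}, expected 1.2 or 1.3", findings)
    return findings


def check_change(descriptor: dict) -> tuple[bool, list[Finding]]:
    """Gate decision for the pipeline: (allowed, findings)."""
    findings = evaluate_guardrails(descriptor)
    return (len(findings) == 0, findings)


# Constructed sample: a change that has drifted from the guardrails.
DRIFTED_CHANGE = {
    "services": [{
        "name": "payments-api", "critical": True, "rto_minutes": 30,
        "storage": {"encrypted": True, "backups": False},
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                    {"port": 22, "cidr": "0.0.0.0/0"}],
        "min_tls": "1.0",
    }]
}

# Constructed sample: the same service after the drift is corrected.
COMPLIANT_CHANGE = {
    "services": [{
        "name": "payments-api", "critical": True, "owner": "payments-platform",
        "rto_minutes": 30,
        "storage": {"encrypted": True, "backups": True},
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "min_tls": "1.2",
    }]
}

if __name__ == "__main__":
    for label, change in (("drifted", DRIFTED_CHANGE), ("compliant", COMPLIANT_CHANGE)):
        allowed, found = check_change(change)
        print(f"{label}: {'ALLOW' if allowed else 'BLOCK'}")
        for f in found:
            print(f"  [{f.rule}] {f.resource}: {f.detail}")
```

Each finding carries the rule, the resource and a plain-language reason, which is what lets the change author fix the drift without raising an exception ticket; the drifted sample is blocked on four rules and the corrected one passes.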
5. Resilience transformation & delivery
Multi-stream resilience transformation programmes from requirements through delivery, including remediation roadmap ownership, requirements engineering, product specification, UAT coordination, and supervisory response preparation.
More on this: Resilience Transformation & Delivery.
Experience
Recent work includes:
- DORA implementation & cyber resilience strategy (Financial institution, 2024)
- Operational resilience & BC/DR programme design (Financial institution, 2023-2025)
- Interim CISO role coordinating PCI DSS & ISO 27001 recertification (Financial institution, 2024)
I’ve delivered across BaFin, CSSF and FCA regulatory environments.
How I work
What makes my approach different:
✓ Requirements-driven, not compliance theatre: I start with what must remain operational, not with regulatory checklists.
✓ Proportionality-based: calibrated to your risk profile and complexity, not one-size-fits-all frameworks.
✓ Integration-focused: resilience fits into existing governance, not parallel bureaucracy.
✓ Delivery-oriented: roadmaps, user stories and UAT coordination, not just binders.
Let's Talk
If you are strengthening operational and cyber resilience under increasing regulatory scrutiny, I can help.