Frequently Asked Questions
Common questions about engagements, scope, frameworks, and the founder.
What does DiGi Advisory do?
DiGi Advisory provides senior-led governance, risk, and compliance (GRC) advisory for financial institutions. The two productized offerings — the Governance and Controls Health Check and the Exam-Ready Documentation Uplift — are entry points, not the limits of the practice. The full practice engages across the GRC spectrum: enterprise risk programs, risk and control self-assessment (RCSA and PRCSA), regulatory change management, audit and exam remediation, model risk governance, third-party risk, financial crimes governance, and first and second line of defense transformation.
What is a Governance and Controls Health Check?
A Governance and Controls Health Check is a structured assessment of a financial institution's first and second line of defense governance, risk, and control environment. The engagement delivers a plain-language risk and control maturity snapshot, the top ten prioritized gaps with remediation actions and suggested owners, an evidence readiness pack, and a board-ready readout with a 30-, 60-, and 90-day operator plan. Timelines vary based on scope, institution size, and current state.
What does IT policy documentation uplift involve?
IT policy documentation uplift is the structured process of reviewing existing IT policies, programs, standards, and procedures against industry frameworks and supervisory expectations, identifying gaps and outdated content, and producing publish-ready, examiner-ready documents. DiGi Advisory delivers this as a two-phase engagement. Phase 1 is a documentation assessment that includes a pilot of up to four documents, sized based on complexity and the current state of existing documentation. Phase 2 scales the model, delivering uplifted and net-new policies, programs, and standards across the technology estate plus roadmaps per IT function — and is where second line of defense (2LoD) socialization typically happens.
Which industries and institution types does DiGi Advisory serve?
DiGi Advisory serves banks (community, mid-sized, and money-center, both national and state-chartered), credit unions, asset managers, capital markets and broker-dealer firms, and trust and shareholder services organizations. Adjacent sectors, including insurance and FinTech, are considered case by case based on engagement scope and regulatory framework alignment.
Which regulatory frameworks and supervisory authorities does the firm align engagements to?
Engagements align to the most commonly used frameworks: NIST Cybersecurity Framework, NIST SP 800-53, NIST AI Risk Management Framework (NIST AI RMF), FFIEC examination handbooks, COSO ERM, Basel Committee standards, OCC Heightened Standards, ISO/IEC 27001 and 27002, CIS Controls v8, and COBIT 2019. This is the common set; engagements adopt additional frameworks as the institution's existing control environment requires. Charter-level work references the supervisory authority that examines the institution: OCC, FDIC, Federal Reserve, NCUA, or state banking departments.
How long does a typical engagement take?
Timelines vary based on scope, complexity, institution size, current state of documentation and controls, and supervisory timing. The Governance and Controls Health Check and Exam-Ready Documentation Uplift have typical engagement structures with phased delivery, but the time-on-task scales with what is actually in scope. Broader GRC engagements outside the productized offerings are scoped individually with timing set by the work the institution actually needs.
Who delivers the engagement?
Engagements are senior-partner-led by Thomas DiGiovanni, Partner and Founder. Vetted specialist contractors with direct sector or framework expertise are brought in to match engagement scope and sector requirements. The senior partner owns strategy, client relationship, and quality of every deliverable end to end. There are no junior handoffs.
What does AI-accelerated delivery actually mean?
AI handles the mechanical work of governance engagements: parsing existing artifacts, mapping evidence, surfacing gaps, and drafting initial document structure. Twenty-five years of regulatory and framework experience handles the consequential calls — what to prioritize, what to challenge, what an examiner will accept. AI shortens documentation assessment timelines materially while preserving the senior-judgment-led drafting that examiners expect.
Who is Thomas DiGiovanni?
Thomas DiGiovanni is the Partner and Founder of DiGi Advisory. He has 25+ years driving first and second line risk management, regulatory compliance, and governance transformations across global financial institutions, including senior leadership at Credit Suisse (Global Head of Business Risk Management and Regulatory Change for Asset Management), Equiniti Trust Company (Chief Risk and Controls Officer), Bank of America, SunGard / FIS, and Deloitte. He holds an MBA from Dowling College and a BBA in Business Economics from Pace University.
How are engagements scoped and priced?
The Governance and Controls Health Check and Exam-Ready Documentation Uplift are delivered on a fixed-fee basis with scope and price set up front. Broader GRC engagements are scoped individually with a clear statement of work — fixed-fee where the work allows it, time-and-materials where it does not. Initial conversations are confidential and obligation-free.
Have a question we did not answer here? Let us know.