2 July 2025 | 4 min

Leadership Change in Risk Management at N26: What Companies Can Learn from a GRC Perspective

Intro

In the summer of 2025, German neobank N26 announced a significant leadership change: Chief Risk Officer (CRO) Carina Kozole will leave the company. She will be succeeded by Jochen Klöpper, formerly with Santander Consumer Bank.

Leadership transitions in key risk roles are always noteworthy – not only because of their impact on the organization itself, but also for what they reveal about the structural requirements of Governance, Risk, and Compliance (GRC) in fast-growing and heavily regulated businesses.

This article analyzes the developments at N26 through a systemic lens, outlines common challenges for digital financial service providers, and explains how integrated GRC systems help companies remain stable, compliant, and resilient during leadership transitions.

What Happened at N26?

Carina Kozole joined N26 in late 2023 as Chief Risk Officer and was responsible for enterprise-wide risk and compliance oversight. In 2025, the company announced her departure and named Jochen Klöpper as her successor. Klöpper brings extensive experience in risk management from his previous roles at Santander and other banks.

The timing is notable: N26, like many neobanks, is under increasing regulatory scrutiny. Topics such as AML compliance, IT security, credit risk, and internal controls are becoming critical not only from a regulatory perspective but also in terms of business continuity and market trust.

The Challenge: Growth, Complexity, and Regulatory Exposure

Digital organizations like N26 often face three structural issues:

1. Growth outpaces governance

Startups and digital scale-ups tend to prioritize innovation and customer growth. Governance, compliance, and process maturity often come later – sometimes too late.

2. Layered, evolving regulation

Digital banks operate under overlapping and evolving regulatory frameworks across jurisdictions. Without structured systems to track and manage these requirements, even competent teams can fall behind.

3. Dependency on individuals

In organizations where governance processes are not systematized, key responsibilities may rest with individuals. When those people leave, knowledge gaps, delays, or even compliance breaches can occur.

The GRC Perspective: Mitigating Risk Through Structure

Modern GRC systems help institutionalize risk and compliance processes, reduce dependency on individuals, and provide transparency across the organization.

What GRC software enables:

1. Centralized, auditable risk management

Risk categories, ownership, evaluations, and mitigation measures are documented in a structured, traceable system – not in spreadsheets.

2. Real-time regulatory oversight

Requirements (e.g., AML laws, data protection regulations, banking guidelines) are tracked centrally, with automated compliance status and escalation workflows.

3. Continuity during leadership transitions

With roles, responsibilities, deadlines, and documentation centralized, a new CRO can pick up critical tasks without process disruption or blind spots.

4. Visible governance culture

GRC systems can also track qualitative indicators – such as training effectiveness, audit response times, and cultural maturity – and contribute to an overall view of risk readiness.

Lessons Learned: From N26 to the Broader Market

  • People matter – but systems carry the organization. GRC systems ensure continuity when leadership changes.
  • Regulation is continuous, not project-based. Real-time visibility and structured compliance management are essential.
  • Good governance combines structure and culture. Systems alone are not enough; values, communication, and accountability must follow.
  • GRC tools are strategic, not just administrative. When well-integrated, they reduce risk exposure, improve investor confidence, and support long-term resilience.

Conclusion

The CRO transition at N26 illustrates the high stakes of governance and compliance in modern digital organizations. Especially in regulated sectors, leadership continuity and process integrity are inseparable.

A robust GRC system turns governance from a reactive obligation into a proactive capability – one that protects the organization, enables growth, and earns trust.


FAQ – Frequently Asked Questions on CRO Transitions and GRC

What does CRO stand for?
CRO stands for Chief Risk Officer – the executive responsible for enterprise-wide risk governance, including financial, regulatory, operational, and strategic risks.

Why is a CRO transition significant in banking?
Banks operate under strict regulatory regimes. A leadership change in the risk function may signal strategic shifts, regulatory attention, or internal restructuring. It can also affect market perception.

What happened at N26?
Carina Kozole will leave N26 in 2025. She will be succeeded by Jochen Klöpper, a seasoned risk executive from Santander. The move comes amid continued focus on strengthening risk and compliance capabilities.

What is a GRC system?
GRC (Governance, Risk, and Compliance) systems are software solutions that integrate regulatory management, risk monitoring, policy controls, and reporting into one framework.

How does a GRC platform support leadership transitions?
It ensures that responsibilities, regulatory obligations, and ongoing tasks are transparent and documented. That way, new leaders can take over without disruption or knowledge gaps.

Is GRC only relevant to large corporations or banks?
No. Any organization facing regulatory complexity, rapid growth, or cross-functional risk exposure can benefit from GRC systems – including in health care, energy, technology, and public administration.

What are the benefits of using GRC software?

  • Full visibility into risks and control measures
  • Regulatory tracking and automated compliance reporting
  • Role continuity and institutional memory
  • Improved audit readiness and accountability
  • Enhanced risk culture and decision-making
