The future of bank risk management

By Philipp Härle, Andras Havas, and Hamid Samandari

Banks have made dramatic changes to risk management in the past decade—and the pace of change shows no signs of slowing. Here are six initiatives to help them stay ahead.

Risk management in banking has been transformed over the past decade, largely in response to regulations that emerged from the global financial crisis and the fines levied in its wake. But important trends are afoot that suggest risk management will experience even more sweeping change in the next decade.

The change expected in the risk function’s operating model illustrates the magnitude of what lies ahead. Today, about 50 percent of the function’s staff are dedicated to risk-related operational processes such as credit administration, while 15 percent work in analytics. McKinsey research suggests that by 2025, these numbers will be closer to 25 and 40 percent, respectively.

No one can draw a blueprint of what a bank’s risk function will look like in 2025—or predict all forthcoming disruptions, be they technological advances, macroeconomic shocks, or banking scandals. But the fundamental trends do permit a broad sketch of what will be required of the risk function of the future. The trends furthermore suggest that banks can take some initiatives now to deliver short-term results while preparing for the coming changes. By acting now, banks will help risk functions avoid being overwhelmed by the new demands.

Six trends

Six trends are shaping the role of the risk function of the future.

Trend 1: Regulation will continue to broaden and deepen

While the magnitude and speed of regulatory change is unlikely to be uniform across countries, the future undoubtedly holds more regulation—both financial and nonfinancial—even for banks operating in emerging economies.

Much of the impetus comes from public sentiment, which is ever less tolerant of bank failures and the use of public money to salvage them. Most parts of the prudential regulatory framework devised to prevent a repetition of the 2008 financial crisis are now in place in financial markets in developed economies. But the future of internal bank models for the calculation of regulatory capital, as well as the potential use of a standardized approach as a floor (Basel IV), is still being decided. The proposed changes could have substantial implications, especially for low-risk portfolios such as mortgages or high-quality corporate loans.

Governments are exerting regulatory pressure in other forms, too. Increasingly, banks are being required to assist in crackdowns on illegal and unethical financial transactions by detecting signs of money laundering, sanctions busting, fraud, and the financing of terrorism, and to facilitate the collection of taxes. Governments are also demanding that their banks comply with national regulatory standards wherever they operate in the world. Banks operating abroad must already adhere to US regulations concerning bribery, fraud, and tax collection, for example. Regulations relating to employment practices, environmental standards, and financial inclusion could eventually be applied in the same way.

Banks’ behavior toward their customers is also under scrutiny. The terms and conditions of contracts, marketing, branding, and sales practices are regulated in many jurisdictions, and rules to protect consumers are likely to tighten. Banks will probably be closely examined for information asymmetries, barriers to switching banks, inappropriate or incomprehensible advice, and nontransparent or unnecessarily complex product features and pricing structures. The bundling and cross-subsidizing of products could also become problematic. In certain cases, banks might even be obliged to inform their customers of more suitable products with better terms than the ones they have—such as a lower remortgage rate. (Utility suppliers in some markets are already obliged to do this.)

This tightening regulatory environment makes unviable the traditional model to manage regulatory risks; the risk function will need to build even more robust regulatory and stakeholder-management capabilities. Risk functions must not only ensure compliance with existing rules but also review the entire sales-and-service approach through a broad, principle-based lens. In addition, the risk function will play a vital role in collaborating with other functions to reduce risk—for example, by working more closely with the business to integrate and automate the correct behaviors and to eliminate human interventions. The risk function’s tasks will be to ensure that compliance considerations are always top of mind and not addressed perfunctorily by businesses after they have formulated their strategies or designed a new product.

Trend 2: Customer expectations are rising in line with changing technology

Technological innovation has ushered in a new set of competitors: financial-technology companies, or fintechs. They do not want to be banks, but they do want to take over the direct customer relationship and tap into the most lucrative part of the value chain—origination and sales. In 2014, these activities accounted for almost 60 percent of banks’ profits. They also earned banks an attractive 22 percent return on equity, much higher than the gains they received from the provision of balance sheet and fulfillment, which generated a 6 percent return on equity.1

The seamless and simple apps and online services that fintechs offer are beginning to break banks’ heavy gravitational pull on customers. Most fintechs start by asking customers to transfer a single piece of their financial business, but many then steadily extend their services. If banks want to keep their customers, they will have to up their game, as customers will expect intuitive, seamless experiences, access to services at any time on any device, personalized propositions, and instant decisions.

Banks’ responses to higher customer expectations will be automated: an instant response to retail and corporate credit decisions, for example, and a simple, rapid online account-opening process. For banks to deliver at this level, they will have to be redesigned from the perspective of customer experience and then digitized at scale.

Fintechs such as Kabbage, a small-business lender that operates in the United Kingdom and the United States, set a high customer-service bar for banks—and present new challenges for their risk functions. Kabbage does not require loan applicants to fill out lengthy documents to establish creditworthiness. Instead, it draws upon a wide range of customer information from data sources such as PayPal transactions, Amazon and eBay trade information, and United Parcel Service shipment volumes. While it remains to be seen how such fintechs perform in the longer term, banks are learning from them. Some are designing account-opening processes, for example, where most of the requested data can be drawn from public sources. The risk function will have to work closely with each business to meet these kinds of customer expectations while containing risk to the bank.

Technology also enables banks and their competitors to offer increasingly customized services. It may be possible eventually to create the “segment of one,” tailoring prices and products to each individual. This degree of customization is expensive for banks to achieve because of the complexity of supporting processes. Regulatory constraints might well be imposed in this area, however, to protect consumers from inappropriate pricing and approval decisions.

To find ways to provide these highly customized solutions while managing the risk will be the task of the risk function, working jointly with operations and other functions. Risk management will need to become a seamless, instant component of every key customer journey.

Trend 3: Technology and advanced analytics are evolving

Technological innovations continuously emerge, enabling new risk-management techniques and helping the risk function make better risk decisions at lower cost. Big data, machine learning, and crowdsourcing illustrate the potential impact.

  • Big data. Faster, cheaper computing power enables risk functions to use reams of structured and unstructured customer information to help them make better credit risk decisions, monitor portfolios for early evidence of problems, detect financial crime, and predict operational losses. An important question for banks is whether they can obtain regulatory and customer approval for models that use social data and online activity.

  • Machine learning. This method improves the accuracy of risk models by identifying complex, nonlinear patterns in large data sets. Every bit of new information is used to increase the predictive power of the model. Some banks that have used models enhanced in this way have achieved promising early results. Since they cannot be traditionally validated, however, self-learning models may not be approved for regulatory capital purposes. Nevertheless, their accuracy is compelling, and financial institutions will probably employ machine learning for other purposes.

  • Crowdsourcing. The Internet enables the crowdsourcing of ideas, which many incumbent companies use to improve their effectiveness. Allstate Insurance Company hosted a challenge for data scientists to crowdsource an algorithm for new car-accident insurance claims. Within three months, they improved the predictive power of their model by 271 percent.2

Many of these technological innovations can reduce risk costs and fines, and they will confer a competitive advantage on banks that apply them early and boldly. However, they may also expose institutions to unexpected risks, posing more challenges for the risk function. Data privacy and protection are also important concerns that must be addressed with due rigor.

Trend 4: New risks are emerging

Inevitably, the risk function will have to detect and manage new and unfamiliar risks over the next decade. Model risk, cybersecurity risk, and contagion risk are examples that have emerged.

  • Model risk. Banks’ increasing dependence on business modeling requires that risk managers understand and manage model risk better. Although losses often go unreported, the consequences of errors in the model can be extreme. For instance, a large Asia–Pacific bank lost $4 billion when it applied interest-rate models that contained incorrect assumptions and data-entry errors. Risk mitigation will entail rigorous guidelines and processes for developing and validating models, as well as the constant monitoring and improvement of them.

  • Cybersecurity risk. Most banks have already made protection against cyberattacks a top strategic priority, but cybersecurity will only increase in importance and require ever greater resources. As banks store an increasing amount of data about their customers, the exposure to cyberattacks is likely to further grow.

  • Contagion risk. Banks are more vulnerable to financial contagion in a global market. Negative market developments can quickly spread to other parts of a bank, other markets, and other involved parties. Banks need to measure and track their exposure to contagion and its potential impact on performance. Measures to reduce a bank’s total risk can reduce its capital requirements, as contagion risk is one of the main drivers for classification as a global systemically important bank (G-SIB) and for G-SIB capital surcharges.

To prepare for new risks, the risk-management function will need to build a perspective for senior management on risks that might emerge, the bank’s appetite for assuming them, and how to detect and mitigate them. And it will need the flexibility to adapt its operating models to fulfill any new risk activities.

Trend 5: The risk function can help banks remove biases

Behavioral economics has made great strides in understanding how people make decisions guided by conscious or unconscious biases. It has shown, for example, that people are typically overconfident—in a few well-known experiments, for example, enormous majorities of respondents rated their driving skills as “above average.” Anchoring is another bias, by which people tend to rely heavily on the first piece of information they analyze when forming opinions or making decisions.

Business, too, is prone to bias. Business cases are almost always inflated, and if the first person to speak in a discussion argues in favor of an idea, the likelihood is high that most present, if not all, will agree.

Biases are highly relevant for bank risk-management functions, as banks are in the business of taking risk, and every risk decision is subject to biases. A credit officer might write on a credit application, for example, “While the management team only recently joined the company, it is very experienced.” The statement may simply be true—or it may be an attempt to neutralize potentially negative evidence.

Leading academics and practitioners have developed techniques for overcoming such biases, and various industries are beginning to apply them. Some energy utilities are trying to eliminate bias by redesigning the processes they follow in making major investment decisions, for example. Banks are also likely to deploy techniques to remove bias from decision making, including analytical measures that provide decision makers with more fact-based inputs, debate techniques that help remove biases from conversations and decisions, and organizational measures that embed new ways of decision making.

The risk function could take the lead in de-biasing banks. It could even become a center of excellence that rolls out de-biasing processes and tools to other parts of the organization.

Trend 6: The pressure for cost savings will continue

The banking system has suffered from slow but constant margin decline in most geographies and product categories. The downward pressure on margins will likely continue, not least because of the emergence of low-cost business models used by digital attackers. As a result, the operating costs of banks will probably need to be substantially lower than they are today. After exhausting traditional cost-cutting approaches such as zero-based budgeting and outsourcing, banks will find that the most effective remaining measures are simplification, standardization, and digitization. The risk function must play its part in reducing costs in these ways, which will also afford opportunities to reduce risks. A strong automated control framework, for example, can reduce human intervention, tying risks to specific process break points. As the pressure to reduce costs will persist, the risk function will need to find further cost-savings opportunities in digitization and automation while delivering much more for much less.

Preparing for change

The six trends suggest a vision for a high-performing risk function come 2025. It will need to be a core part of banks’ strategic planning, collaborate closely with businesses, and act as a center of excellence in analytics and de-biased decision making. Its ability to manage multiple risk types while complying with existing regulation and preparing for new rules will make it more valuable still, while its role in fulfilling customer expectations will probably render it a key contributor to the bottom line. For most banks, their risk function is some way off from being able to play that role. The optimal function would have the following attributes and capabilities:

  • full automation of decisions and processes with minimal manual interventions

  • increased reliance on advanced analytical models to de-bias decisions

  • close collaboration with businesses and other functions to provide a better customer experience, de-biased decisions, and enhanced regulatory preparedness

  • strong advocacy of corporate values and principles, supported by a robust risk culture that is clearly defined, communicated, and reinforced throughout the bank

  • a talent pool with superior advanced-analytics capabilities

To put all this in place, risk functions will need to transform their operating models. How can they begin? They cannot prepare for every eventuality, but initiatives can be implemented that will bring short-term business gains while helping build the essential components of a high-performing risk function over the next decade. Here are some examples of such initiatives that can be launched immediately:

  • Digitize core processes. Simplification, standardization, and automation are key to reducing nonfinancial risk and operating expenses. To that end, the risk function can help speed the digitization of core risk processes, such as credit applications and underwriting, by approaching businesses with suggestions rather than waiting for the businesses to come to them. Increased efficiency, a superior customer experience, and improved sales will likely be additional benefits.

  • Experiment with advanced analytics and machine learning. In the same vein, risk functions should experiment more with analytics, and particularly machine learning, to enhance the accuracy of their predictive models. Risk functions can be expected to use these models for a number of purposes, including financial-crime detection, credit underwriting, early-warning systems, and collections in the retail and small-and-medium-size-enterprise segments.

  • Enhance risk reporting. Ever-broader regulation and the need to adjust to market developments require rapid, fact-based decision making, which means better risk reporting. While regulatory requirements have already done much to improve the quality of the data used in risk reports and their timeliness, less attention has been given to the format of reports or how they could be put to better use for making decisions. Replacing paper-based reports with interactive tablet solutions that offer information in real time and enable users to do root-cause analyses would enable banks to make better decisions faster and to identify potential risks more quickly as well.

  • Collaborate for balance-sheet optimization. Given regulatory constraints, balance-sheet composition is arguably more important than ever in supporting profitability. The risk function can help optimize the asset and liability composition of the balance sheet by working with finance and strategy functions to consider various economic scenarios, regulation, and strategic choices. How prepared would the bank be, for example, if the loan portfolio were contracted or expanded? Such analyses, optimized with analytical tools, can help banks find ways to improve returns on equity by 50 to 400 basis points, while still fulfilling all regulatory requirements.

  • Refresh the talent pool. High-performing risk functions commonly depend on a high-performing IT and data infrastructure—a central “data lake” with harmonized definitions and clear data governance, for example. Building the right mix of talent is equally important. Data scientists with advanced mathematical and statistical knowledge are needed to collaborate across the bank in the conversion of data insights into business actions. Risk managers will become trusted counselors to business areas, while traditional operational areas will require fewer staff. Attracting talented employees will itself be a challenge, as potential candidates would tend to prefer technology firms unless banks strengthen their value propositions.

  • Build a strong risk-management culture. The detection, assessment, and mitigation of risk must become part of the daily job of all bank employees and not only those in risk functions. With automation and more sophisticated analytical and technical capabilities, human intervention is needed to ensure appropriate and ethical application.

The risk function will have a dramatically different role by 2025. To get there, needed changes will take several years, so time is already short. The actions recommended here can equip the risk function with the capabilities it needs to cope with new demands and help the bank to excel among its competitors.

Download the full report on which this article is based, The future of bank risk management (PDF–7.36MB).

About the author(s)

Philipp Härle is a senior partner in McKinsey’s London office, Andras Havas is an associate principal in the Budapest office, and Hamid Samandari is a senior partner in the New York office.

The authors wish to thank Andreas Kremer and Daniel Rona for their contributions to this article.
