A fast-track risk-management transformation to counter the COVID-19 crisis

An accelerated transformation to enhance efficiency and effectiveness will enable risk organizations to deal with the pandemic while addressing rising regulatory and cost pressures.

Before the coming of the pandemic, banks had been reducing the complications and costs that arose over the years as they dealt with escalating regulations and emerging risks by adding policies, processes, and people to their risk and compliance functions.

Then COVID-19 happened and threatened to complicate things all over again.

When banks shut branches and corporate offices, this altered how customers interact with them, forcing changes to long-held risk-management practices. Activities that typically happened in person were no longer possible, such as credit-committee meetings to approve underwriting for a new corporate client, or office visits by potential small borrowers to verify their creditworthiness or sign loan documents.

The banks’ risk-management functions, which act as a second line of defense between frontline employees who work directly with customers and the department’s backstop internal risk-audit teams, also had to adjust the way they operate. For starters, they had to manage employees who would now work from home and to prepare for the pandemic-triggered problems of small-businesses and other customers. They also had to adopt new practices to monitor existing risks and guard against new ones, including cyberrisks triggered by the pandemic. Such changes, we estimate, could raise the operating expenses of risk functions by 10 to 30 percent. That’s reason enough to make processes as efficient and effective as possible.

McKinsey had previously found that risk managers can improve their operations by digitizing and applying advanced analytics to a variety of department functions and by optimizing the organization, among other changes. Those directives still hold. Our latest research shows that to address the business problems COVID-19 has created and to mitigate the cost and regulatory pressures risk organizations still face, they must roll out digital and advanced analytics more aggressively and tie these moves to tactical improvements in governance.

More specifically, to win in the next normal, the risk-management function must make itself more efficient and effective—something high-performing risk organizations have already done. We have prioritized six specific moves risk organizations must make:

  • redesign underwriting to streamline processes and add automated ones
  • enhance monitoring
  • optimize and automate reporting
  • improve processes for reporting financial crimes
  • streamline the market-risk operating model
  • make other changes by taking a big-picture look at risk management’s overall organization, governance, and performance management

These changes are often part of a larger transformation that can take years to implement. Yet some risk-management functions have adopted the practices we’ve outlined much more quickly—in some cases, in only three months. When these changes are successful, we estimate that they can improve efficiency and effectiveness enough to raise the productivity of specific activities by 40 percent or more. Banking-sector risk organizations that had been relatively efficient before implementing these moves can use them to raise their productivity by 15 to 25 percent. Less efficient bank risk organizations can raise it by 30 percent or more.

Roadblocks to improving risk management

Well before the pandemic, risk organizations had to deal with the external pressures of increased industry regulation, and internal pressure to cut costs. Around the world, both the depth and breadth of banking regulations have increased. The reasons include the shift to digital channels and tools, a greater reliance on third parties and the cloud, and the threats that all these pose to the strength and integrity of risk functions. On top of that, bank leaders working to make their organizations more competitive expect the risk function to contribute to overall cost-cutting efforts.

COVID-19 has added to those challenges. Risk managers must understand the pandemic’s impact on credit and market portfolios to mitigate the effects on their own operations. They’ve had to track emerging threats to the newly remote workforce, to current and potential borrowers, and to other bank customers. They’ve implemented government-directed moratoriums on loan collections and abided by other local or national measures adopted in the pandemic’s wake. Those actions have cut into top-line revenues at a time when banks are adding expensive new risk-management practices.

But coping with the new requirements doesn’t have to mean adding staff. Risk-management activities—including resources in first-, second-, and third-line defense roles—already account for up to half of a bank’s employees and costs. Risk-organization staff in the second line of defense account for approximately 2 to 3 percent of the total number of bank employees, not including compliance and financial-crimes personnel. Although our research shows that scale is the single most important driver of efficiency, we have also found that the size and cost of multiple risk activities do not correlate directly with scale (Exhibit 1). For these activities, the different operating models of banks explain the variations.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Lower costs don’t necessarily make a bank’s risk operations less effective. In fact, a McKinsey analysis found that banks with the strongest risk operations have 10 to 15 percent fewer full-time-equivalent employees than their less effective counterparts do (Exhibit 2). 1

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Six actions that improve risk-management productivity

Risk functions can face their old and new challenges, without increasing their size or costs, if they operate more efficiently and effectively. Banks have a number of options. They can deploy some of the moves outlined below relatively quickly to make themselves more efficient and effective while also adapting their risk-management practices to the COVID-19 environment (Exhibit 3).

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

1. Redesign underwriting

Assessing a borrower’s creditworthiness is a long, labor-intensive process that’s prone to inefficiencies, which make it ripe for improvement. The desire of borrowers for more transparency into the underwriting process has exacerbated the existing complexities. Customers—in particular, retail companies and small and medium-size enterprises (SMEs)—want to know immediately if they qualify for a loan and when they can access the funds. That didn’t change when COVID-19 hit: risk functions must still meet customers’ expectations even while dealing with them remotely.

Credit underwriting already accounts for a substantial part of the total resources of the risk organization—an average of 30 percent (and up to 50 percent) of its employees. Adding staff therefore isn’t the answer. In fact, our research indicates that the workforce at the most efficient organizations tends to be substantially smaller than it is at the least efficient ones.

In the next normal, the ability to speed up underwriting turnaround times will become an important differentiator. Risk teams that had already digitized underwriting before the pandemic responded more successfully under the lockdown. By 2021, we expect others to follow suit, pushing up the adoption of digital channels for credit underwriting by 5 to 15 percent.

Banks have three primary avenues to improve the efficiency and effectiveness of their credit-underwriting processes:

  • Adopt straight-through processing (STP) for credit-underwriting workflows. Upgrading to digital from manually inputting data, through data spreading or other means, could help reduce end-to-end workflow costs by up to 40 percent. STP applications include tools that prepopulate credit forms with data from clients or internal or external databases as well as incorporate delegation and structure information.
  • Automate underwriting for retail and SME customers. Using software to calculate the creditworthiness of a small business by standard criteria, rather than having staff make these decisions, could raise margins by 5 to 10 percent. Software could also improve (by 10 to 25 percent) an underwriting department’s ability to correctly predict whether an SME is a good credit risk. Banks that have already automated the function might consider increasing underwriting thresholds—for example, to $500,000, from $250,000. To mitigate the increased potential for fraud that typically accompanies changes in this area, automated banks must also improve their controls.
  • Simplify corporate-credit underwriting. Banks can streamline underwriting that cannot be automated, because of the counterparty’s size or the complexity involved, by reducing the credit-application documentation and analysis required. For large, well-established, or public companies, risk managers could review a dozen documents instead of 50 and reserve the more intensive scrutiny for less prominent or smaller enterprises. Other methods to rework corporate underwriting processes include defining credit limits by company type or industry (rather than on a deal-by-deal basis) and creating a special-case system to handle the most complex or urgent requests.

2. Enhance monitoring

The widespread economic fallout from COVID-19 has forced risk managers to rethink how and what they monitor to evaluate risks, including creditworthiness and the ability to repay loans. The virus’s spread and reactions to it continue to shift, often quickly. These developments have helped some industries and hurt others—boosting the revenues of grocery chains, for example, while cutting into restaurant sales. They have also affected segments within industries differently, so risk managers have to monitor trends at a more granular level. On top of that, risk managers need to account for the actions that governments are taking to help constituencies respond to the virus. Many of these actions, including moratoriums on payments for mortgages and business loans, affect the environment for credit.

The widespread economic fallout from COVID-19 has forced risk managers to rethink how and what they monitor to evaluate risks.

Before the pandemic, risk-monitoring activities accounted for about 15 percent of risk-management costs. Banks traditionally executed a not insubstantial portion of these activities manually, so they are ripe for change. Risk departments can adopt a range of digital systems and tools to automate risk-monitoring tasks:

  • Digitize counterparty-level credit-monitoring tools. Risk functions can program advanced analytics into early-warning systems to improve reviews of earnings releases, real-time financial news, transaction data to find information that could affect a client’s credit outlook. We estimate that algorithms could support 40 percent of counterparty-level credit-monitoring decisions. Banks that have already implemented these techniques reduced their credit losses by 20 to 30 percent, through early detection of potential deterioration of counterparty creditworthiness—while reducing monitoring costs by 30 to 40 percent (Exhibit 4).
  • Digitize portfolio-level credit-monitoring tools. Historically, risk-monitoring personnel manually reviewed industry news to extract data that could be used to make decisions about the changing credit landscape of different economic sectors. Risk departments that adopt applications using artificial intelligence (AI) and machine learning to track industry news and developments could reduce related data entry by up to 15 percent.

    Some of these AI-based monitoring tools can trigger real-time alerts based on sector-level indicators, such as point-of-sales systems. To estimate the impact of new information on sector-wide rating scores, these tools may also use machine-learning models (such as hyperparameter random-forest modeling) tailored to specific industries or clients. In addition to analytics engines, digital-monitoring suites typically include smart-workflow capabilities that focus analytic work on areas where human judgement is necessary, such as parameter changes in the models that are not associated with a high level of confidence.

  • Monitor portfolios in a more granular way. Risk functions typically use back testing and internal ratings–based models to evaluate the soundness of their credit portfolios. Because the pandemic has had such a profound impact on the global economy, which continues to shift unpredictably, the typical indicators of creditworthiness have been affected. Risk functions that in the past may have analyzed 20 to 30 economic sectors may need to review ten times that number of industry subsectors to understand how they are faring in the crisis. Some institutions have gone as far as to subdivide the restaurant industry, for example, into 15 subsegments, the better to distinguish between top and bottom performers and predict nonperforming loans. Instead of analyzing the beverage industry, therefore, banks may need to review what’s happening in soft drinks, bottled water, soft alcohol, and hard alcohol, to name a few subsegments.
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

3. Optimize and automate reporting

Banking regulators have increased their reporting requirements—for example, by asking for more and better data on risk practices and more closely scrutinizing these data. We estimate that as a result, the risk functions of banks devote 10 to 15 percent of their total resources to comply with such reporting requirements. Automation gives risk managers additional insights into the risk profiles they must review to meet these requirements—but without adding personnel to a low-value task. As circumstances and requirements change, automation can also help managers adjust what reports cover.

Several moves could make risk functions more efficient and effective in this area:

  • Actively monitor reporting requirements. By constantly tracking what regulators want and managers need, risk functions can manage the risks their banks face and provide what’s required, without wasting resources sharing unnecessary information. Some banks that have started to merge regulatory and internal reports have cut the number of reports they produce in half.
  • Offer self-service reports. Risk managers can use self-service reporting tools to update or review reporting information directly, including both high-level data and the underlying information it’s based on. We estimate that self-service reporting, by itself, could cut the costs of risk departments by up to 30 percent.
  • Improve data architecture and management. It’s not unusual for banks’ risk data to reside in several databases or other applications—the result of mergers, expansion into new markets, divisions that use different systems, or operations that span several countries or continents. For such institutions, complying with reporting requirements may involve manually culling data from these manifold sources.

    A data architecture that can pull information from disparate databases into a central location can not only alleviate the need for manual processes but also provide other benefits. As part of such an upgrade, risk functions could create reporting-competence centers for frontline and risk-management personnel in multiple business units or subsidiaries. We estimate that automating and unifying data architecture and management could cut risk-reporting costs by 10 to 20 percent and halve the number of reports that include errors. Depending on how a bank is structured, these efficiency changes could take place within either the operations or IT organization.

4. Optimize processes for detecting financial crimes

Since global regulators began to intensify financial-crime-compliance activities a decade ago, they’ve launched scores of enforcement actions and levied $36 billion in fines around the world. An average of 2 to 3 percent of a bank’s total staff therefore works in second-line financial-crime monitoring and reporting efforts. For a global bank with 100,000 employees, this means that 2,000 to 3,000 people could be tracking anti–money laundering (AML) and another compliance processes.

When COVID-19 measures forced banks to send their risk-management staffs home to work, it disrupted the face-to-face activities these employees rely on to know their customers—still one of the strongest ways to assess the risk of financial crime. But regulators are not giving institutions a pass because of the pandemic, so risk organizations face the added burden of finding ways to assess, monitor, and report on financial-crime compliance under remote working conditions.

We see three ways to make these practices more efficient and effective:

  • Automate customer onboarding. Risk organizations could automate the collection and verification of the documents that prospective customers must present to open a credit or savings account. Risk functions that do so, we estimate, could reduce their financial-crime-compliance spending by 10 to 20 percent and improve the accuracy of customer data by 40 percent. In addition to costing less, algorithms that read and extract data from verification documents eliminate the possibility that employees could be paid to falsify information. This would also free up time that first-line bank staff and internal audit teams could use for other work.
  • Optimize AML alerts. All banks use AML alerts to flag unusual transactions that could signal irregularities. But false positives are common—in some cases, accounting for more than nine alerts out of ten. The use of advanced analytics to monitor transactions, often in parallel with existing rules-based tools and models, can improve the accuracy of alerts and thereby reduce the number of false positives to six or fewer out of ten. (Exhibit 5). More accurate alerts can reduce the need for manual interventions and free up risk-management personnel for other tasks.
  • Streamline know-your-customer (KYC) processes to meet local requirements. The customer documentation that risk functions must provide to satisfy financial-crime-compliance requirements vary from region to region. Many risk functions apply the same standards throughout the organization, creating unnecessary work and expense. By adjusting monitoring and reporting to local requirements, risk functions can meet their obligations and reduce costs. That kind of streamlining could reduce the number of required KYC documents by 50 percent and speed up the onboarding of new customers.
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

5. Streamline the market-risk operating model

Some banks use dated or very complex operating models, data systems, and architectures to buy and sell fixed-income equities or engage in other large-market investment activities for clients. A front-to-back review of this data architecture and systems, as well as of the associated roles, responsibilities, and processes, can result in significantly lower costs and sizable improvements in risk management. We see three important actions that market-risk managers can take in such a review:

  • Use the same valuation models throughout the organization. Different functions not uncommonly use separate means or models to estimate the worth of the same asset, and that makes it hard or impossible to come up with a consensus value. Front-office staff may use one equity-derivatives valuation model to calculate profit and loss (P&L) estimates and projections, while the risk department uses a different model to determine regulatory P&L and key risk indicators. If the front office and risk organizations use the same market, counterparty-credit-risk (CCR), and liquidity models and systems, they can reduce data inconsistencies by 80 to 90 percent and valuation-related reworks by 20 to 30 percent. Risk management’s model-risk-management (MRM) function could challenge and validate these models and develop different ones only when supervisors require them or if the models truly diverge from front-office practices.
  • Integrate the system architecture of the front office and the risk function. In addition to adopting the same valuation models, risk functions can use front-office data architecture to calculate P&L and risk. When data sources are centralized through integrating data architecture, run-the-bank and change-the-bank technology costs and external spending decline. Some banks that integrated these functions have become up to 20 percent more efficient, though the extent of the improvement depends largely on a particular institution’s operations and starting point.
  • Integrate front-office and risk reporting. Integrated reporting creates a single source of truth that can minimize data reconciliations, and improve the risk function’s efficiency and effectiveness. Institutions can adopt different organizational models: the integrated reporting function can sit in risk, finance, the front office, or operations. Banks that integrate reporting have reduced related costs by 40 percent or more. But to get there, risk functions need strong management to push for collaboration and overcome the challenges that such an integration effort might encounter.

6. Improve organization, governance, and performance

Over the past half-dozen years, risk and compliance functions added resources, controls, and policies to contend with increased regulation and other demands. Meanwhile, their budgets increased twice as much as those of other bank functions.

When a function expands so quickly, the big picture of how it is performing can be obscured by daily demands. Policies or committees are created piecemeal, sometimes duplicating work done elsewhere. On top of all these problems, the pandemic forced risk functions to set up new ways of working, including the addition of new (and often ad hoc) committees and policies to assess and monitor risks. The new structures sometimes overlap with ongoing work or obscure its importance.

To ensure that risk functions are structured in the most effective way, they can examine four key organizational elements:

  • Clarify roles and responsibilities for all three lines of defense. Regulatory scrutiny of risk practices led many institutions to add controls (and the jobs associated with them) haphazardly, with limited clarity about who does what. Some banks switched oversight for technology and cyberrisk from the risk function to a technology group and then back to the risk function—moves that not only sowed confusion about roles and responsibilities but also created potential gaps in coverage and duplicate responsibilities. Banks can improve efficiency by mapping out the duties of the front line, the risk organization, and internal audit departments to identify gaps, fix overlaps, and ensure accountability. A clearer organizational chart could result in cost savings of up to 5 percent.
  • Centralize shared resources and add agile practices. Risk managers can move these haphazardly added activities and staff into centers of excellence—both virtually and physically—which handle common activities such as risk data and analytics, reporting, testing, and monitoring. We estimate that if risk functions adopt both centers of excellence and agile methodologies, they can increase the efficiency of the centralized activities by 10 to 20 percent and save up to 20 percent of their outsourcing costs. A number of the 20 largest North American banks have already created centers of excellence that report directly to a chief risk officer. Many of these groups focus on data, analytics, and reporting.
  • Rationalize risk governance and policies. To focus on what matters most, banks should consider streamlining their downstream procedures and policies. Reducing the number of committees, for example, can not only improve focus, accountability, and lines of escalation but also save executives’ time. It’s not uncommon for midsize and large banks to have thousands of risk and compliance policies spawning dozens of procedures, which in turn influence processes and the design of controls. If banks structure their policies to focus on the areas of highest risk, they can remove needless red tape. We have seen institutions eliminate up to 30 percent of their policies while improving the quality of the rest, reducing costs and efforts associated with policy administration and management. Institutions undertaking such a transformation may find that they could adjust or rewrite nearly all of their policies to make them more clear, reflect their current risk appetite, or achieve the appropriate level of detail. The renovation of risk policies can start with the establishment of design principles to understand the challenges and identify the end goals that policies are meant to achieve.
  • Put a performance-management system in place. Historically, risk organizations have monitored key risk indicators—for example, the percentage of nonperforming loans or performance against controls—but not their own key performance indicators (KPIs). They may not, for example, track how many credit files a risk-function employee processes a day, how many models each validator manages, and the way those figures trend over time. By failing to measure their own performance, risk operations neglect opportunities to fine-tune the way they work and thus to make themselves more efficient and effective. We recommend that risk organizations track their KPIs for credit risk, market risk, operational risk, and the like, as well as the related outcomes (Exhibit 6).
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

How to update risk-management practices in the short term

Transforming risk management across the six areas we’ve described could take at least a year if a bank adopted any traditional approach. Many banks do have multiyear transformation projects in the works. Yet risk managers can take a number of steps that yield high-impact results in far less time. In this way, banks can make the entire risk organization upward of 30 percent more productive—including cost efficiencies of 40 percent or more in selected activities—in as little as three months.

Many banks do have multiyear transformation projects in the works. Yet risk managers can take a number of steps that yield high-impact results in far less time.

Analyze and prioritize activities that must change

To determine which aspects of operations would gain from the kinds of changes we propose, look at the risk organization’s cost base and workforce to uncover functions or processes that increase costs unnecessarily and to benchmark your operations against those of comparable institutions. Conduct workshops, observe people at work, and interview risk-function managers and staff to understand how work gets done and which practices could improve.

These insights can serve as the basis for a list of actions and their expected short-term impact or productivity gains. Risk managers can use such a list to decide which actions to take first based on the overall health or goals of the risk organization or the bank. From there, they can create a full implementation plan.

Launch and execute priority actions

Once an implementation plan is in place, risk managers have to create an infrastructure that defines how the work will be done and who will do it. In addition, they must determine if they have the right tools for the work, the staff has the necessary skills, and change-management and skill-building programs are required. Finally, they need to establish regular check-ins and delivery milestones; provide support, coaching, and other kinds of help for the teams running the program; and map out how to measure outcomes, such as tracking the cost reductions resulting from the changes.


Risk-management functions increase the odds of creating lasting change if the moves they make are part of a well-conceived, well-executed plan, are supported by top leaders, and are part of a broader shift in behavior across the organization. Organizations that have successfully navigated this path know that while it may not be easy, the rewards of more effective—yet less expensive—risk management are well worth the challenge.

Related Articles