Risk and resilience priorities, as told by chief risk officers


At this moment, economies and societies are enduring several crises simultaneously. All have major humanitarian impact and potentially long-lasting second- and third-order effects. The era is defined by the interplay of complex disruptions with disparate origins and long-term consequences. Climate change, the COVID-19 pandemic, record inflation and monetary tightening, supply disruptions, and increased geopolitical risk—all pose urgent questions of organizational resilience that cannot be addressed in isolation.

In a business environment subject to constant disruption, superior risk management has become a competitive advantage in all industries. Financial institutions are no exception. They are seeking to become more resilient. With scenario-based foresight, monitoring of early indicators, and crisis-response capabilities, they can become capable of absorbing the shocks, pivoting, and accelerating into new realities. In this first of a series of articles on risk management in banks, we explore perspectives of chief risk officers (CROs) from some of the world’s leading banks on the evolving context and priorities.

What CROs are thinking

To discover the latest thinking of banks on risk and resilience, McKinsey conducted survey-based research in late 2021, engaging with more than 30 CROs. We asked about the current and evolving banking environment, risk management practices, and forthcoming priorities. We quickly discovered that the great majority of CROs were already taking a long-term view when planning actions and identifying future themes. This perspective was only strengthened by the 2022 disruptions such as high inflation and geopolitical turmoil. Here is what the CROs said.

The banking environment

Regarding the economy and business environment, respondents pointed out that banks were especially exposed to accelerating market dynamics, climate change, and cybercrime.

Most responding CROs (67 percent) cited pandemic effects as having had significant impact on employees and in the area of nonfinancial risk. Few, however, expected those effects to retain their force in three years’ time.

Climate change, on the other hand, is expected to grow in importance. Almost all respondents (92 percent) assessed climate regulation as one of the five most important forces in the financial industry in the coming three years. Three in four (75 percent) stressed the significance of climate-transition risk—those financial and other risks arising from the transformation of global energy systems away from carbon-based fuels.

Cybercrime was consistently assessed as one of the top five risks by most executives (58 percent and increasing), now and in the coming three years. Other high-ranking risks included evolution of work practices and AI—its use and misuse. Forty-two percent of CROs ranked these risks in their top five risks in the coming three years.

Looking at the evolution of financial services, CROs identified accelerated digitization and entry of nontraditional competitors, fintechs especially, as the top trends they are following. All respondents agreed that digital transformation is the most consequential initiative today; this will be true also in the coming three years, as these transformations bear significant operational and execution risks.

The entry of nontraditional competitors will significantly affect the financial sector, according to 75 percent of respondents; 67 percent see integration of fintech-vendor services into banks as a major trend in the coming years.

Interestingly, at the end of 2021, only one CRO identified the geopolitical environment as a risk of serious consequence for banks—a result not unlike the view most executives held in 2019 toward the danger of a global pandemic occurring in 2019. It is likely, therefore, that the industry is exposed now to unanticipated risks that could strike in the future. Building a resilient model means increasing banks’ ability to respond effectively to unforeseen events.

More on the major risks banks face

We noted that the top three risks which most concerned the CROs in our survey were direct financial impact, harm to customers, and reputational damage (such as from conduct events). Each of these risks was ranked first by approximately 30 percent of responding CROs. They ranked the potential harm caused by these risks as greater than that from other risks such as legal or regulatory events.

A great majority of CROs stated that cyber, data, and technology risks (including related IT and third-party risk) and climate risk will mostly underlie the adverse impact. Eighty percent of CROs, that is, identified these risks as rising in importance year after year and considered them among the top five risks. Credit risk also remained one of the top risks for 70 percent of CROs, but was seen as decreasing in impact over time. Interestingly, other types of financial risks—for example, interest-rate risk, liquidity risk, and market or price risk—were rarely included among the top five risks.

On the topic of data, poor data quality was of greatest concern for 58 percent of respondents. The majority, that is, ranked this risk well above other data-related risks, such as unauthorized data access (28 percent) and lack of data availability. Half of respondents were also concerned that data issues will most hinder usage of advanced-analytics models. Regarding risks related to models, potential data issues ranked ahead of inaccurate models, model misuse, or privacy and security concerns.

Regarding time expenditure of CROs and board risk committees, the regulatory agenda ranked as the top time-consuming agenda item (40 percent) followed by emerging risks (15 percent), strategy for business growth or innovation (14 percent), and specific risk decisions (13 percent).

Most respondents (60 percent) expected the institutional share of staff dedicated to the regulatory agenda to grow in the coming three years, with additional regulatory resources needed most of all for climate risk, a number of nonfinancial risks (cyber, conduct), and credit risk.

How can risk functions lead the resilience effort?

Leading organizations, public and private, including financial institutions, are attempting to move to a resilient stance in relation to the disrupted environment. The drive for resilience is a turn away from the narrow crisis-response reflex and toward an agile state, where large, complex organizations protect against proximate risks, absorb shocks, and then pivot into the new realities. Decisions made during crises have lasting effects, beyond the downturn. Resilience is a leadership orientation—toward making choices in the crisis that set up organizations for growth in recovery periods. Risk must now become a function contributing to, if not leading, the resilience efforts of banks.


CROs acknowledge that they need to spend more time considering “over the horizon” risks. This gap in thinking was brought into sharp focus by the heavy impact the COVID-19 pandemic and geopolitical tensions had on their institutions’ risk profiles, including second- and third-order effects such as supply chain risk, inflation, and rising interest rates, which were not anticipated by most banking executives.

Institutions were little prepared to address these highly consequential risks. The failure goes well beyond risk functions, however. Many organizations used forecasting to develop market strategies, but this approach failed to pick up major reality shifts in the recent past—from the financial crisis of the 2000s to the pandemic to geopolitical realignments. Leading institutions are moving to scenario-based foresight to increase institutional resilience against over-the-horizon risks. The risk function can play an important role here in ensuring that the scenarios capture existing and expected risks, while aligning function priorities against scenarios.

In this area, risk leaders can focus on two important themes:

  1. Risk functions need to develop more sophisticated risk-identification processes. New risks emerge quickly in this dynamic environment, so they need to be discovered fast, along with their potential impact areas.
  2. Investment is needed in foresight tools, such as “nowcasting,” which can feed nearly live quantitative data to help define scenarios and understand their impact on the main metrics of the bank. The risk and resilience function, modeling the strategic institutional stance, can develop planning cadences in which scenarios and action plans are continually refreshed.

Where is risk management going?

CROs are seeing five main areas that are structurally evolving to shape risk management in the future.

1. Evolution of the three-lines-of-defense model

Expectations on the role of the risk function are changing, and greater collaboration is expected across the lines of defense. The first line of defense, the owners of particular processes and operations, are seen by CROs as becoming more proficient in risk management and therefore handling more risk-taking decisions, such as those entailed in underwriting, collections, fraud management, and, in some cases, designing regulatory models.

As a consequence, the three-lines-of-defense framework is evolving to refocus the risk function on typical second-line responsibilities, including appetite setting and monitoring, policy setting, the challenge role, and second-line controls and reporting. To be effective in its second-line role, the function should be stepping up its competence in new risk types arising in the domains of cyber and tech security as well as climate change.

Almost all respondents to our survey said that for financial risks, the delineation of roles and responsibilities between the first and second lines is clearly defined and well understood in their organization. The divisions are less clear for nonfinancial risks, however.

2. Digitization: New technology, tools, data, and an ‘old’ issue

The risk function can rely on new technologies, tools, and more data, even if some of these building blocks retain “old” issues. For example, new internal and external data and new technology, including AI, can improve the quality of risk monitoring and decision making, with early warning systems and real-time controls. Here, the digital transformation, highly valued by all responding CROs, is expected to improve the basic efficiency of the function.

Many CROs believe, however, that they will continue to be affected by the old issue of poor data quality. As previously mentioned, more than half of respondents (58 percent) believe that advanced-analytics applications will be negatively affected by data issues, especially poor data quality. The vulnerabilities can be addressed by exploring and developing new types of algorithms to improve the quality of risk decisions. The effort can be supported by an analytics center set up within the bank.

Reporting and monitoring, a core responsibility of the risk function, remains excruciatingly difficult, prone to manual intervention, and burdensome in most institutions, despite almost ten years of costly interventions after BCBS 239. Improvements are therefore sorely needed. Digital budgets have already grown significantly in recent years, however, and only 25 percent of CROs foresee an increase in the share of budget dedicated to digitizing activities. This means that needed improvements in reporting and monitoring will have to be achieved largely through improving risk-function efficiency.

Most CROs see existing digitization resources as the means to gain efficiency in traditional risk areas as well, especially credit risk, which will attract the bulk of investments, as credit decision making is digitized and the controls are automated.

3. Regulatory expectations

Prudential regulation is already having a significant impact on banks’ market positioning and risk agenda. These effects are expected to retain their strength (or grow in importance) in the next three years.

New regulatory areas, including refinements to existing regulation, continue to emerge. AMLA, the European Union’s new anti–money laundering authority, for example, will become operational in 2023. It is expected to pursue regulatory harmonization across borders, which will affect banks’ coordination and supervisory responsibilities. This move is in line with the general regulatory push for consistency in policies, tools, and risk decisions in complex institutions, along with the ability of those institutions to perform global oversight.

While retaining focus on existing regulation, CROs are closely watching the development of climate and environmental, social, and governance (ESG) regulation, which is set to evolve and tighten in the next three years. CROs believe that climate and ESG will soon be among the main regulatory themes affecting the financial-services industry.

Banks have been prone to poor regulatory remediation processes. In response, risk functions at leading institutions are seeking to build best-in-class processes, specialized skills, and organizational models needed to lead regulatory projects. In particular, attention is being given to agile ways of working. Overall, early and proactive engagement with regulators is the most important means to achieve alignment of regulatory demands with compliance and control strategies.

4. Market shifts and new risk priorities

Banks are coming under increased cost pressures as risk levels could rise in the short term. Low-cost market entrants, such as fintechs, are challenging business models. CROs are about evenly split in their expectations on the size of future risk budgets. Most of those who see a reduction in real spending are from banks that are leading in the digital transformation of the function. These institutions are driving cost reduction programs at the group level. Most CROs expect risk budgets will reflect shifting priorities and maturity in managing the different risks. For example, risk professionals have observed a 5 percent decrease in credit risk over the past two years; conversely, they expect certain risks to rise in importance, including model risk, climate risk, and technology-related risks. Such changes tend to affect the risk skill mix rather than the size of the function.

5. Creating and demonstrating value as a risk function

Historically, the risk and compliance functions in banks have focused on defining frameworks and establishing standard risk processes and governance—such as those around risk identification and assessment, monitoring and reporting, and remediation. Now, leading organizations are starting to focus on the value that those functions can and should create. This helpful shift moves attention and resources from more bureaucratic, documentation-oriented exercises to execution and business outcomes. When properly carried through, the focus on value becomes a powerful lever for business simplification, helping to rationalize processes and controls, reduce unprofitable products and services, and consolidate risk assessments. The path ultimately supports better institutional performance, including fewer losses experienced and reduced capital requirements for potential large, idiosyncratic events. Successful institutions able to focus on positive outcomes are more productive and more responsive to all stakeholders—customers, investors, and regulators.

CROs’ future priorities

CROs are preparing for the future by leading a number of long-term efforts simultaneously. They are seeking to deepen and accelerate the digital transformation of the function, to win the war for risk talent, and to build state-of-the art expertise in regulation, cybersecurity, analytics, and digital innovation. Rather than seeing fintechs and other new entrants as adversarial threats, for example, forward-looking risk leaders are embracing the new approaches. They are designing digital and lean transformations within the bank to become catalysts for innovation, possibly including partnering with fintechs. Those efforts are ongoing even as risk managers address more immediate macroeconomic and political disruptions.

Clearly, in this period of economic crisis and change, risk capabilities are needed more than ever. The needs grow in the areas of digital processes, with strong analytics and data control. Equal attention must be given to the “hard” components of these changes—analytics engines and data infrastructure—and to the “soft” ones as well—the upskilling of people.

The CROs of leading banks are increasingly seeing the risk function’s role as central to institutional strategy and resilience building. Progress toward this shift—to a holistic resilience function with a strategic role—has accelerated under the stress of simultaneous crises. Risk is able to anticipate evolving trends in the economic and regulatory environment and identify emerging threats. Foresight in traditional focus areas for banking as well as in newer topics such as ESG, cyber, and geopolitical changes creates potential first-mover advantages. Only by locating risk within institutional strategy will banking CEOs and CROs be able to exploit such valuable intelligence. In times of crisis, resilient organizations find the ways to make consequential moves early and accelerate into the new realities. As conditions improve, they can shift into growth faster than those they left behind.
