Banks and the changing face of risk

The world is changing in ways that are reshaping the risk landscape. We see three inter-related changes as particularly relevant for banks. First, the digital revolution is drastically increasing the availability and use of data, and the speed at which decisions are made. Second, technological innovation is accelerating changes in the competitive and customer landscapes. Finally, hyper-connectivity is escalating the pace of information flow and reshaping how people think and act.

These changes are creating exciting new opportunities for banks. For example, McKinsey Global Institute research suggests that, together, artificial intelligence (AI) and advanced analytics (AA) in banking could generate as much as $1 trillion globally in annual economic value. Examples of opportunities linked directly to risk management include improvements in credit underwriting, fraud detection, and trade surveillance.

However, the fundamental changes we are seeing also bring increased uncertainty and new threats. For instance, AI and AA can trigger a host of unwanted, and sometimes serious, consequences including privacy violations, erratic automated processes, and discriminatory model outcomes. For banks, these challenges are new and heightened by the complexity of outsourced services and other third-party relationships.

Non-financial risks are also evolving. Rare, severe events like a rogue trader or natural disaster have always been part of the risk landscape. Today, while automation reduces the risk of human error, technological advances have increased the pain that some isolated events can inflict on a bank. Examples include infrastructure failures (e.g., data center incidents), model risk (e.g., trading decisions relying on flawed analytics), financial crimes (e.g., synthetic identity fraud), and data privacy violations (e.g., cyber-attacks on insufficiently secured data).

At the same time, the banking operating environment is shifting in irreversible ways, yielding a new risk normal. Fintech disintermediation—by giving customers more freedom to pick and choose specific banking services—is reducing the so-called “lifetime value” that customers deliver to the banking relationships and changing how customers interact with their banks. Such changing customer preferences can also shorten deposit durations, affecting bank liquidity and rate sensitivity. Beyond technological shifts, climate change also represents a broad structural shift in the overall risk profile for banks; for example, decisions on whether to finance electric utilities or heavy producers or consumers of aluminum will need to account for potential impacts of changing weather and new regulation.

Amplifying the impacts of change, when risk events occur, they escalate far more rapidly in today’s hyper-connected world than they would have in an earlier time—and regimented and committee-based decision-making are often unable to keep pace. As has been seen repeatedly and increasingly over the past decade, a crisis can turn into a truly existential threat, including the loss of customer and shareholder trust.

In the face of these changes, we believe that banks need to develop new risk management capabilities. They will need to be able to delimit their appetite for risk taking, detect both new potential risks and weaknesses in controls, and decide on the appropriate approach to risk management.

Delimiting risk appetite

This encompasses setting limits on risk taking in a way that takes the bank’s values, strategy, risk management capabilities, and competitive environment into account—and having a dynamic view of those risk limits at any given time. Banks need to answer three questions:

Should we avoid any risks entirely? Instead of declarations about zero tolerance for certain types of risk, banks need a more realistic perspective on avoiding risks, based on an objective fact base.

If this is a risk we are comfortable taking, how much should we take?

And does our risk appetite adequately reflect our control effectiveness? Banks will need to rethink investments in control capabilities.

For example, as we mentioned earlier, climate change alters the risk calculus on decisions regarding whether to finance real estate in coastal regions—both from the pragmatic economic perspective and the potential for reputational damage. And even when the decision is made to proceed, new risks require new approaches to risk appetite. For example, will new energy regulations reduce the value of clients’ loan collateral? Finally, banks need to consider whether they have the capabilities to stress test the portfolio to understand its vulnerabilities to climate change.

Detecting risks and control weaknesses

This encompasses the abilities to anticipate, predict, and observe threats based on disparate internal and external datapoints, as well as the ability to assess the magnitude of the risk and the duration of its impact. Banks need to answer three questions:

What will happen in the future? Institutions will need to cast a net wide enough to detect potential risks that have not yet occurred and will need a real-time view based on internal and external indicators.

What is the magnitude of the risk? Banks should think of magnitude in terms of direct financial impact, and also reputational, regulatory, and legal implications.

How will the risk play out over time? Some risks are slow moving, while others can change and escalate rapidly. They can be cyclical and mean-reverting, or structural and permanent.

Historically, most banks have been well-equipped to manage cyclical, mean-reverting risks, such as credit risk. Losses have ebbed and flowed, but the fundamental long-term economics have held firm, requiring only minor tweaks in underwriting policies through the cycle. But the kinds of structural changes at work in the industry today threaten to disrupt these longstanding economics. For example, as fintechs eat into banking value chains, commercial lenders might no longer be able to depend on the fee income that brings a sufficient return on capital for the business. That’s a risk that requires more than a tweak to address.

Deciding on the risk management approach

Given how quickly the world can change, banks need more agile governance processes and approaches to risk mitigation and controls. They need to answer three questions:

If we decide to take a risk, what mitigation should we have in place? Banks need automated control systems that detect anomalies in real-time and controls guided by advanced analytics.

How should we integrate what we learn into risk decisions, detection, and delimitation? Banks will need a dynamic feedback loop to continuously learn from risk events to improve processes and controls.

If a risk event or control breakdown occurs, what immediate response is required? Institutions need to be able to switch to crisis-response mode quickly, guided by an established playbook of actions.

For example, deep learning models and natural language processing have revolutionized the detection of financial crime, but banks need to do more to continuously improve processes and controls. As an example, advanced analytics models for credit underwriting or for identifying “high risk” accounts as a part of know-your-customer can continuously improve with use, incorporating any shifts in the customer populations they analyze.

Finally, bank leadership teams will need to enhance decision quality with new levels of insight, challenge, de-biasing, and speed.

The risk landscape is changing rapidly. Internal and external risks are rising while stakeholders—customers, regulators, legislators, shareholders, and the broader community—all expect banks not to make any mistakes. We believe successful banks will deploy highly skilled, diverse, and agile risk organizations, enabling them to develop a strong and dynamic understanding of risks and much-improved organizational mechanisms for managing them.