Risk & Resilience Practice

Risk and resilience

priorities, as told by
chief risk officers
Amid the storm of crises and disruptions, leading financial institutions
are recognizing risk’s strategic and resilience-building role.
This article is a collaborative effort by Marc Chiapolino, Filippo Mazzetto, Thomas Poppensieker,
Cécile Prinsen, and Dan Williams, representing views from McKinsey’s Risk & Resilience Practice.

© Ulrike Schmitt-Hartmann/Getty Images

December 2022
 At this moment, economies and societies are
enduring several crises simultaneously. All have
major humanitarian impact and potentially long-
lasting second- and third-order effects. The era is
defined by the interplay of complex disruptions with
disparate origins and long-term consequences.
Climate change, the COVID-19 pandemic,
record inflation and monetary tightening, supply
disruptions, and increased geopolitical risk—all
pose urgent questions of organizational resilience
that cannot be addressed in isolation.
In a business environment subject to constant
disruption, superior risk management has become
a competitive advantage in all industries. Financial
institutions are no exception. They are seeking
to become more resilient. With scenario-based
foresight, monitoring of early indicators, and
crisis-response capabilities, they can become
capable of absorbing the shocks, pivoting, and
accelerating into new realities. In this first of a series
of articles on risk management in banks, we explore
perspectives of chief risk officers (CROs) from some
of the world’s leading banks on the evolving context
and priorities.
What CROs are thinking
To discover the latest thinking of banks on risk and
resilience, McKinsey conducted survey-based
research in late 2021, engaging with more than 30
CROs. We asked about the current and evolving
banking environment, risk management practices,
and forthcoming priorities. We quickly discovered
that the great majority of CROs were already
taking a long-term view when planning actions and
identifying future themes. This perspective was only
strengthened by the 2022 disruptions such as high
inflation and geopolitical turmoil. Here is what the
CROs said.
The banking environment
Regarding the economy and business environment,
respondents pointed out that banks were especially
exposed to accelerating market dynamics, climate
change, and cybercrime.
Most responding CROs (67 percent) cited pandemic
effects as having had significant impact on
employees and in the area of nonfinancial risk. Few,
however, expected those effects to retain their force
in three years’ time.
Climate change, on the other hand, is expected to
grow in importance. Almost all respondents (92
percent) assessed climate regulation as one of the
five most important forces in the financial industry
in the coming three years. Three in four (75 percent)
stressed the significance of climate-transition
risk—those financial and other risks arising from the
transformation of global energy systems away from
carbon-based fuels.
Cybercrime was consistently assessed as one of
the top five risks by most executives (58 percent
and increasing), now and in the coming three years.
Other high-ranking risks included evolution of work
practices and AI—its use and misuse. Forty-two
percent of CROs ranked these risks in their top five
risks in the coming three years.
Looking at the evolution of financial services, CROs
identified accelerated digitization and entry of
nontraditional competitors, fintechs especially, as
the top trends they are following. All respondents
agreed that digital transformation is the most
consequential initiative today; this will be true also
in the coming three years, as these transformations
bear significant operational and execution risks.
The entry of nontraditional competitors will
significantly affect the financial sector, according
to 75 percent of respondents; 67 percent see
integration of fintech-vendor services into banks as
a major trend in the coming years.
Interestingly, at the end of 2021, only one CRO
identified the geopolitical environment as a risk of
serious consequence for banks—a result not unlike
the view most executives held in 2019 toward the
danger of a global pandemic occurring in 2019. It is
likely, therefore, that the industry is exposed now to
unanticipated risks that could strike in the future.
Building a resilient model means increasing banks’
ability to respond effectively to unforeseen events.
More on the major risks banks face
We noted that the top three risks which most
concerned the CROs in our survey were direct

2 Risk and resilience priorities, as told by chief risk officers

financial impact, harm to customers, and
reputational damage (such as from conduct
events). Each of these risks were ranked first by
approximately 30 percent of responding CROs.
They ranked the potential harm caused by these
risks as greater than that from other risks such as
legal or regulatory events.
A great majority of CROs stated that cyber, data,
and technology risks (including related IT and third-
party risk) and climate risk will mostly underlie the
adverse impact. Eighty percent of CROs, that is,
identified these risks as rising in importance year
after year and considered them among the top
five risks. Credit risk also remained as one of the
top risks for 70 percent of CROs, but was seen as
decreasing in impact over time. Interestingly, other
types of financial risks—for example, interest-rate
risk, liquidity risk, and market or price risk—were
rarely included among the top five risks.
On the topic of data, poor data quality was of
greatest concern for 58 percent of respondents.
The majority, that is, ranked this risk well above
other data-related risks, such as unauthorized data
access (28 percent) and lack of data availability.
Half of respondents were also concerned that data
issues will most hinder usage of advanced-analytics
models. Regarding risks related to models, potential
data issues ranked ahead of inaccurate models,
model misuse, or privacy and security concerns.
Regarding time expenditure of CROs and board
risk committees, the regulatory agenda ranked as
the top time-consuming agenda item (40 percent)
followed by emerging risks (15 percent), strategy
for business growth or innovation (14 percent), and
specific risk decisions (13 percent).
Most respondents (60 percent) expected the
institutional share of staff dedicated to the
regulatory agenda to grow in the coming three
years, with additional regulatory resources needed
most of all for climate risk, a number of nonfinancial
risks (cyber, conduct), and credit risk.
How can risk functions lead
the resilience effort?
Leading organizations, public and private, including
financial institutions, are attempting to move
to a resilient stance in relation to the disrupted
environment. The drive for resilience is a turn away
from the narrow crisis-response reflex and toward
an agile state, where large, complex organizations
protect against proximate risks, absorb shocks,
and then pivot into the new realities. Decisions
made during crises have lasting effects, beyond the

Resilience is a leadership orientation—

toward making choices in the crisis
that set up organizations for growth in
recovery periods.

Risk and resilience priorities, as told by chief risk officers 3

 downturn. Resilience is a leadership orientation— Where is risk management going?
toward making choices in the crisis that set up
CROs are seeing five main areas that are
organizations for growth in recovery periods. Risk
structurally evolving to shape risk management in
must now become a function contributing to, if not
the future.
leading, the resilience efforts of banks.
1. Evolution of the three-lines-of-defense model
CROs acknowledge that they need to spend more
Expectations on the role of the risk function are
time considering “over the horizon risks.” This
changing, and greater collaboration is expected
gap in thinking was brought into sharp focus by
across the lines of defense. The first line of defense,
the heavy impact the COVID-19 pandemic and
the owners of particular processes and operations,
geopolitical tensions had on their institutions’
are seen by CROs as becoming more proficient
risk profiles—including second- and third-order
in risk management and therefore handling more
effects—such as supply chain risk, inflation, and
risk-taking decisions, such as those entailed in
rising interest rates—which were not anticipated
underwriting, collections, fraud management, and,
by most banking executives.
in some cases, designing regulatory models.
Institutions were little prepared to address these
As a consequence, the three-lines-of-defense
highly consequential risks. The failure goes well
framework is evolving to refocus the risk function
beyond risk functions, however. Many organizations
on typical second-line responsibilities, including
used forecasting to develop market strategies,
appetite setting and monitoring, policy setting,
but this approach failed to pick up major reality
the challenge role, and second-line controls and
shifts in the recent past—from the financial crisis
reporting. To be effective in its second-line role, the
of the 2000s to the pandemic to geopolitical
function should be stepping up its competence in
realignments. Leading institutions are moving to
new risk types arising in the domains of cyber and
scenario-based foresight to increase institutional
tech security as well as climate change.
resilience against over-the-horizon risks. The risk
function can play an important role here in ensuring Almost all respondents to our survey said that
that the scenarios capture existing and expected for financial risks, the delineation of roles and
risks, while aligning function priorities against responsibilities between the first and second
scenarios. lines is clearly defined and well understood in
their organization. The divisions are less clear for
In this area, risk leaders can focus on two important
nonfinancial risks, however.
themes:
2. Digitization: New technology, tools, data,
1. Risk functions need to develop more
and an ‘old’ issue
sophisticated risk-identification processes.
The risk function can rely on new technologies,
New risks emerge quickly in this dynamic
tools, and more data, even if some of these building
environment, so they need to be discovered fast,
blocks retain “old” issues. For example, new internal
along with their potential impact areas.
and external data and new technology, including
2. Investment is needed in foresight tools, such AI, can improve the quality of risk monitoring and
as “nowcasting,” which can feed nearly live decision making, with early warning systems and
quantitative data to help define scenarios and real-time controls. Here, the digital transformation,
understand their impact on the main metrics highly valued by all responding CROs, is expected to
of the bank. The risk and resilience function, improve the basic efficiency of the function.
modeling the strategic institutional stance, can
Many CROs believe, however, that they will continue
develop planning cadences in which scenarios
to be affected by the old issue of poor data quality.
and action plans are continually refreshed.
As previously mentioned, more than half of

4 Risk and resilience priorities, as told by chief risk officers

respondents (58 percent) believe that advanced-
analytics applications will be negatively affected
by data issues, especially poor data quality. The
vulnerabilities can be addressed by exploring and
developing new types of algorithms to improve the
quality of risk decisions. The effort can be supported
by an analytics center set up within the bank.
Reporting and monitoring, a core responsibility of
the risk function, remains excruciatingly difficult,
prone to manual intervention, and burdensome in
most institutions, despite almost ten years of costly
interventions after BCBS 239.1 Improvements are
therefore sorely needed. Digital budgets have
already grown significantly in recent years, however.
Only 25 percent of CROs foresee an increase in the
share of budget dedicated to digitizing activities.
This means that needed improvements in reporting
and monitoring will have to be achieved largely
through improving risk-function efficiency.
Most CROs see existing digitization resources as
the means to gain efficiency in traditional risk areas
as well, especially credit risk, which will attract the
bulk of investments, as credit decision making is
digitized and the controls are automated.
3. Regulatory expectations
Prudential regulation is already having a significant
impact on banks’ market positioning and risk agenda.
These effects are expected to retain their strength (or
grow in importance) in the next three years.
New regulatory areas, including refinements to
existing regulation, continue to emerge. AMLA,
the European Union’s new anti–money laundering
authority, for example, will become operational
in 2023. It is expected to pursue regulatory
harmonization across borders, which will affect
banks’ coordination and supervisory responsibilities.
This move is in line with the general regulatory push
for consistency in policies, tools, and risk decisions
in complex institutions, along with the ability of those
institutions to perform global oversight.
While retaining focus on existing regulation, CROs
are closely watching the development of climate
1
A standard for risk data aggregation and risk reporting developed by the Basel Committee on Banking Supervision in 2013.
and environmental, social, and governance (ESG)
regulation, which is set to evolve and tighten in the
next three years. CROs believe that climate and
ESG will soon be among the main regulatory themes
affecting the financial-services industry.
Banks have been prone to poor regulatory
remediation processes. In response, risk functions
at leading institutions are seeking to build
best-in-class processes, specialized skills, and
organizational models needed to lead regulatory
projects. In particular, attention is being given to
agile ways of working. Overall, early and proactive
engagement with regulators is the most important
means to achieve alignment of regulatory demands
with compliance and control strategies.
4. Market shifts and new risk priorities
Banks are coming under increased cost pressures
as risk levels could rise in the short term. Low-cost
market entrants, such as fintechs, are challenging
business models. CROs are about evenly split in
their expectations on the size of future risk budgets.
Most of those who see a reduction in real spending
are from banks that are leading in the digital
transformation of the function. These institutions
are driving cost reduction programs at the group
level. Most CROs expect risk budgets will reflect
shifting priorities and maturity in managing the
different risks. For example, risk professionals have
observed a 5 percent decrease in credit risk over
the past two years; conversely, they expect certain
risks to rise in importance, including model risk,
climate risk, and technology-related risks. Such
changes tend to affect the risk skill mix rather than
the size of the function.
5. Creating and demonstrating value as
a risk function
Historically, the risk and compliance functions
in banks have focused on defining frameworks
and establishing standard risk processes
and governance—such as those around risk
identification and assessment, monitoring
and reporting, and remediation. Now, leading
organizations are starting to focus on the value that
Risk and resilience priorities, as told by chief risk officers 5

Find more content like this on the
McKinsey Insights App
Scan • Download • Personalize
6 Risk and resilience priorities, as told by chief risk officers
those functions can and should create. This helpful
shift moves attention and resources from more
bureaucratic, documentation-oriented exercises to
execution and business outcomes. When properly
carried through, the focus on value becomes
a powerful lever for business simplification,
helping to rationalize processes and controls,
reduce unprofitable products and services, and
consolidate risk assessments. The path ultimately
supports better institutional performance, including
fewer losses experienced and reduced capital
requirements for potential large, idiosyncratic
events. Successful institutions able to focus
on positive outcomes are more productive and
more responsive to all stakeholders—customers,
investors, and regulators.
CROs’ future priorities
CROs are preparing for the future by leading a
number of long-term efforts simultaneously. They
are seeking to deepen and accelerate the digital
transformation of the function, to win the war for
risk talent, and to build state-of-the art expertise
in regulation, cybersecurity, analytics, and digital
innovation. Rather than seeing fintechs and other
new entrants as adversarial threats, for example,
forward-looking risk leaders are embracing the
new approaches. They are designing digital and
lean transformations within the bank to become
catalysts for innovation, possibly including
Marc Chiapolino is a partner in McKinsey’s Paris office, Filippo Mazzetto is an associate partner in the Milan office, Thomas
Poppensieker is a senior partner in the Munich office, Cécile Prinsen is an expert in the London office, and Dan Williams is a
partner in the Washington, DC, office.
Designed by McKinsey Global Publishing
Copyright © 2022 McKinsey & Company. All rights reserved.
partnering with fintechs. Those efforts are ongoing
even as risk managers address more immediate
macroeconomic and political disruptions.
Clearly, in this period of economic crisis and change,
risk capabilities are needed more than ever. The
needs grow in the areas of digital processes,
with strong analytics and data control. Equal
attention must be given to the “hard” components
of these changes—analytics engines and data
infrastructure—and to the “soft” ones as well—the
upskilling of people.
The CROs of leading banks are increasingly seeing
the risk function’s role as central to institutional
strategy and resilience building. Progress toward
this shift—to a holistic resilience function with a
strategic role—has accelerated under the stress
of simultaneous crises. Risk is able to anticipate
evolving trends in the economic and regulatory
environment and identify emerging threats.
Foresight in traditional focus areas for banking as
well as in newer topics such as ESG, cyber, and
geopolitical changes creates potential first-mover
advantages. Only by locating risk within institutional
strategy will banking CEOs and CROs be able
to exploit such valuable intelligence. In times of
crisis, resilient organizations find the ways to make
consequential moves early and accelerate into the
new realities. As conditions improve, they can shift
into growth faster than those they left behind.