RESEARCH REPORT

Reinventing risk management

5-MINUTE READ

September 9, 2025

In brief

  • Leaders must reassess and reinvent the way they manage risk—not only to comply with regulation, but to effectively manage uncertainty.

  • Our research highlights three critical dimensions for reinvention: risk management by design; data, analytics, and technology; and talent.

  • While every institution will have a different starting point, the path forward is increasingly clear. The time to act is now.

A tipping point for risk leadership

Billions spent over decades, yet risk teams lag behind rising demands. Time for a generational shift in risk management.

>$60B

annual costs in financial crime compliance alone

>1,000

MRAs and MRIAs* issued by federal agencies in 2024

up to 30%

of operational expenditure for some institutions spent on remediation

There is a growing gap between the demands of the environment and the readiness of risk teams. Costs soar, talent is stretched, and old fixes fall short.

The cost of inaction is rising, but so is the opportunity to reinvent.

*Matters Requiring Attention and Matters Requiring Immediate Attention

Off the treadmill: What it takes to lead

Three critical dimensions that financial institutions must focus on to make this reinvention real and lasting:

Risk management by design

Embed risk and compliance into day-to-day operations, product design and decision-making to adhere to regulations and create enterprise value at the same time.

  • Risk management by design takes advantage of the intended outcomes of regulation to better manage a financial institution, embedding regulatory obligations directly into its core operational processes, new offerings and data infrastructure.

  • Culture is central: tone from the top and clear roles strengthen proactive risk management. Yet only 24% report defined roles between first and second lines, and 39% embed governance at both strategic and operational levels.

  • The board has a critical role to play in shaping the tone from the top. By delivering a clear, consistent message, it can help embed risk awareness as a core element of business strategy.

EMBEDDING COMPLIANCE INTO BUSINESS PROCESSES

71%

have compliance and regulatory obligations fully embedded into core business processes

Risk in Design Stage

40%

have risk and compliance already involved in the design stage of new products and offerings

DISTINCT ROLES ACROSS LINES OF DEFENSE

24%

have clearly separated roles across the first and second lines of defense

Governance in Decision Making

39%

strongly agree that governance responsibilities are embedded in strategic and operational decision making

Data, analytics, and technology

Apply high-quality data to emerging technologies like AI and cloud to break free from outdated infrastructure and drive real-time, insight-led risk management.

  • Financial institutions face rising pressure to use data, analytics and emerging technologies to strengthen risk capabilities.

  • Yet even the best data delivers value only when paired with scalable, efficient workflows. Many also recognize the need to adopt new tools: 42% are prioritizing AI investments for risk and compliance, though intent does not always translate into impact.

  • A defining shift is embedding analytics directly into daily operations. Institutions that democratize access under strong governance and foster innovation gain resilience, competitive advantage and better returns.

RISK DATA GOVERNANCE PRIORITIZATION

73%

have fully implemented and consistently applied risk data governance practices

Effective scale rates

32%

believe they are able to scale their technology platforms effectively to support R&C needs

Types of analytics utilized

37%

are using four types of analytics within risk management (descriptive, predictive, diagnostic, prescriptive)

Investment prioritization

42%

prioritize significant investments in advanced AI in risk and compliance management

Talent

Build the right mix of future-ready skills across the organization.

  • A financial institution’s ability to transform risk management depends on the right talent mix. Awareness of this is growing among senior risk leaders: 90% of respondents say increasing literacy in non-financial risks is a top priority.

  • Driving meaningful change requires three critical talent types: data and prompt engineers to automate tasks and analysis, domain specialists to turn intelligence into insight, and risk “athletes” who think across silos and guide strategy.

  • But shifting skills means leaders must assess their own readiness and foster a culture of collaboration, innovation and continuous change.

Non-financial risk literacy

90%

highlight that increasing literacy in non-financial risks, such as AI risk, cyber threats and operational resilience, is one of the top priorities

Proactive Risk Talent Strategy

56%

describe their approach to building risk talent as proactive, with an enterprise-wide strategy in place

Risk skills focus

88%

are currently actively strengthening skills within the risk function in three or more areas

MANAGING NEW TECHNOLOGY RISKS

30%

believe their talent is extremely well equipped to understand and manage the threats presented by new technologies

Self-assessed maturity levels vary across the three dimensions

To measure how mature organizations are in modern risk management, we built an index based on responses to selected survey questions. The answers were normalized and aggregated across three key dimensions of change. Each dimension receives a score between 0 (lowest maturity) and 1 (highest maturity).

Risk leadership starts now

Financial institutions that have already advanced in the three dimensions of change—risk management by design; data, analytics and technology; and talent—are well-positioned to lead with more effective, future-ready risk management.

For institutions still catching up, closing capability gaps is no longer optional. The cost of being unprepared is simply too high. Those that move decisively now can shape a more resilient, future-ready risk function, built not just to withstand shocks but to lead through them.

WRITTEN BY

David Maya

Senior Managing Director Lead – Finance Risk Compliance

Laura Bray

Senior Managing Director – Finance Risk Compliance

Ozan Karan

Managing Director – Finance Risk Compliance

Ben Shorten

Managing Director – Finance Risk Compliance