Agile Risk Management Roadmap

PwC study 2021: Risk Management 2025 and beyond – Industry priorities and transformation agenda

Banks have an eye on climate risks

Global climate change, advances in digitization, the ongoing low-interest environment and increasing regulatory requirements represent new factors shaping risk management in the banking sector. Not only is the risk landscape constantly changing, but rising cost pressures require the efficient reorientation of all processes and the prompt development of an agile and forward-looking risk function.

The global PwC study “Risk Management 2025 – Industry priorities and transformation agenda” outlines the transformative steps that are required for the risk function in the next five years and the new role of the Chief Risk Officer (CRO).

“Banks require agile and resilient risk management systems in order to meet growing requirements as cost and efficiency pressures increase. New technologies are adding an additional pace to the required transformation.”

Study overview

Embed the risk strategy

The importance of the risk function within the overall organization is growing: An agile and consistent risk function can make a significant contribution to the long-term growth in banks’ competitiveness and resilience.

At the beginning of a transformation, an overarching risk strategy should be defined and firmly integrated into the overall strategy. This includes dissolving existing silos within the risk function and redirecting processes along new value chains.

Most chief risk officers have recognized that in future the risk function will have to achieve much more for the same budget, or for a lower budget, and are therefore already relying on more efficient processes. Savings tend not yet to be on the agenda.

Roadmap for the next five years:

1. Define overarching costs and transformation goals for process chains instead of for functional silos.

2. Refine and develop the ‘three lines of defense’ model (TLoD) for addressing risks in a systematic way.

3. In the first and second line, develop new competence centers for cyber risks, outsourcing, resilience and sustainability.

4. Create and expand an overarching enterprise risk management (ERM) with respect to non-financial or thematic risks.

5. Reorient and scale risk controls, models and analyses.

Infographic: Risk function perspectives on the relative importance of emerging technologies

Focus on non-financial risks

Banks face enormous challenges to identify, measure and monitor non-financial risks. Cyber risks, sustainability risks and third-party risks with their specific impacts on the individual financial institutions require new valuation approaches and organizational structures.

Many financial institutions already place a heavy emphasis on their operational resilience and on their handling of non-financial risks. This also includes the closer integration of the risk and compliance function.

Transformation steps:

1. Comprehensively take non-financial risks into account in the risk strategy and in processes in order to be able to manage them effectively and in an overarching manner.

2. Define significant forward-looking key risk indicators (KRIs) and transfer them to risk profiles.

3. Replace conventional governance, risk and control (GRC) systems and data analyses with innovative tools that have effective control mechanisms.

4. Automate processes in order to free up employees for other activities.

Infographic: Risk function perspectives on the largest threats to the banking industry

Prepare for climate change

Climate change is increasingly developing from a strategic or reputational risk into a financial risk for banks. Many financial institutions are only beginning to assess and manage the physical and transition risks from climate change. In order to strengthen their competitive position in the long term, banks should fully integrate sustainability criteria (environmental, social, governance – ESG) into their strategies, business models and risk management.

In our study, most of those surveyed indicate that an ESG strategy has already been implemented in their own organizations. Nevertheless, there are substantial differences in the assignment of responsibilities.


1. Embed sustainability more strongly into the framework for enterprise risk management and the risk appetite.

2. Use new tools and expertise to identify, measure and control physical and transition risks.

3. Add ESG risks to stress tests and scenario analyses.

Learn from crises

As a result of the financial crisis and climate change there are growing demands placed on stakeholders, management and supervisory authorities with respect to banks’ handling of risks. The risk function plays a key role with respect to the transparency that is required and the provision of data and analyses.

As a result of the Covid-19 pandemic, numerous financial institutions should once again adjust their risk scenarios and data-driven decision-making. The restrictions imposed by the lockdown and the change to working from home were a test of financial institutions’ operational resilience.

Action areas:

1. Examine and adjust the risk framework and appetite to effectively monitor and manage risks arising from people working from home.

2. Draft new business continuity and other crisis contingency plans.

3. Draft new risk scenarios and put them to use.

4. Build on lessons learned from previous crises in future risk reports and analyses.

5. Invest in efficient and dynamic company-wide stress test functions.

Strengthen operational resilience

Since a growing number of risks are proving difficult to predict, it is becoming increasingly important to strengthen the long-term operational resilience of the entire organization, which supervisory authorities are demanding in order to protect the stability of the financial system.

Often the frameworks for strengthening and systematically managing operational resilience are still at an early stage, for instance when it comes to integrating these aspects into scenario analyses.

Transformation steps:

1. Strengthen the risk culture in the overall organization and define a resilience strategy for the overall organization.

2. When assessing resilience, incorporate the bank’s entire environment.

3. Precisely calibrate and define the risk appetite and measurable tolerance limits.

4. Check “move to cloud” initiatives for operational reliability.

Infographic: Cost reduction targets for the Risk function over the next five years

Process automation creates free space

In order to increase efficiency and reduce costs, numerous financial institutions have already made considerable investments in the development of self-service analysis platforms that all employees throughout the entire organization can access.

The increasing use of modern data analyses (advanced analytics) in the risk function is giving rise to new challenges in relation to the legacy infrastructure, data quality and data governance, for instance.

Transformation steps:

1. Regulate data governance and demand management through an overarching IT strategy.

2. Create new capacity by providing innovative toolkits and analyses.

3. Define consistent guidelines for handling and protecting data.

Develop new skillsets

Tomorrow’s risk function employees need not only risk management expertise but increasingly also technological skills to deal with data and new technologies as well as the associated risks.

Transformation steps:

1. Win new talent.

2. Develop a well-balanced team with the required expertise over the long term.

3. Use data-driven, strategic workforce management.

The methodology

The analysis is based on interviews with 80 senior risk professionals from 60 international and regional banks worldwide. Comprehensive questionnaires are distributed to the participants following the interviews. These are quantitatively and qualitatively evaluated in detail. Debriefing meetings are organized with all participants, and the general findings, as well as the individual classifications, are discussed. Participants who have completed the questionnaires are supplied with an interactive dashboard in Power BI. This is equipped with a benchmarking system that allows comparisons with all institutions or with comparable institutions. Qualitative questions, best practices, etc. can also be reviewed in anonymized form. To provide further follow-up, the institutions can administer workshops focusing on various topics.
