Banks’ second lines of defense (2LOD) have never had so much on their plates. From overseeing financial exposures to monitoring third-party risks, climate change, and cyberthreats, the list of responsibilities continues to increase. What’s more, supervisory expectations are evolving, demanding constant monitoring in individual jurisdictions. In this complex situation, banks are keeping their risk function staff and budgets while changing resources internally to reflect market changes and the effects of automation. This is evident in McKinsey’s latest Global Risk Productivity Benchmark.
How should chief risk officers (CROs) tackle these challenges and prepare for an AI-driven future? According to our benchmark, the answer lies in a multipronged approach: fostering productivity, rolling out technology, and smartly reallocating costs between skills and activities. Through these steps, CROs can both gain a better grip on risk and build a strategic risk function that is fit for the future.
Risk resources and risk leadership
Four key insights emerge from our biennial survey of more than 40 global and regional banks, with an average balance sheet size of $1.1 trillion, including 15 global systemically important banks (G-SIBs):
- The median full-time equivalent (FTE) intensity, calculated as a proportion of total bank head count, is 0.1 percentage points below that reported in previous surveys (exhibit). This points to broad stability in risk resources, confirming the trend already observed in the previous iteration of the survey, particularly among large banks. In parallel, risk function costs have also remained stable.
- FTE intensity variability between the first and third quartiles is falling as banks converge toward the median. Banks that previously reported FTE numbers below the median have tended to add FTEs, whereas those that had FTE numbers above the median have streamlined their resources.
- Risk leaders are shifting resources away from credit risk and toward operational and market risk. Between 2020 and 2023, credit risk saw an average annual decline of 7 percent in FTEs, confirming the tendency observed in our previous survey. This reduction reflects rising levels of automation and greater involvement of the first line of defense (1LOD), driven by changes in the scope of responsibilities. At the same time, a renewed focus on market and operational risks has increased head counts in those areas by 3 percent and 11 percent per annum, respectively. While the market risk average FTE increase continues, the trend has completely changed for operational risk, which was previously streamlined by allocating more responsibility to the 1LOD.
- Risk leaders want to be ahead of the curve in AI and automation in their companies. They want to lead the transition by improving their oversight role while helping businesses, and by focusing on productivity.
As they oversee these dynamics, CROs will need to walk a line between boosting efficiency and retaining or even rebuilding their core capabilities. They will need to extract the benefits of technology without losing the advantages of human insight, while implementing the organizational changes necessary.
Refining the risk operating model
In a fast-changing risk and technology landscape, CROs are embracing new, tech-driven risk management and compliance approaches. However, they often must do so with limited resources. These four themes, supported by the survey’s insights, are likely to shape their thinking as they juggle priorities and refine operating models to free up resources:
1. CROs are responding to a heavier burden by working more closely with 1LOD and reinforcing their capabilities in nonfinancial risk management.
- The CRO remit is expanding. McKinsey’s January 2025 Resilience Pulse Check shows that technology-related threats are a top priority, and not just for banks. Indeed, 55 percent of all organizations say that tech will create a major or severe disruption in the future. Banking risk leaders are strengthening teams responsible for IT risk, third-party risk, data risk, and cyber risk, as well as anti-money-laundering (AML) and compliance risks (for CROs who own these). The additions ranged from over 40 percent to more than 130 percent over three years. New priorities also include geopolitical and climate risk, which around 40 percent and 30 percent of benchmark respondents cited, respectively.
- CROs increasingly hold 1LOD accountable. As banks use new ways to manage risk and the 1LOD becomes more sophisticated in using risk management principles, CROs are giving more responsibility to the 1LOD. This is to make sure that responsibility lies closer to where risk comes from. For example, many banks require the business to strengthen risk and control assessments, as well as monitor key risk indicators and data quality more systematically. The 1LOD makes decisions in areas like credit underwriting or collections more often. They use new systems and get support from automated decision engines. The 2LOD is responsible for monitoring and controlling the portfolios at the portfolio level.
- Banks are working harder to find connections among risks and focus on overall bank resilience. The survey reveals that enterprise risk management (ERM) has had an approximate 10 percent increase in the amount of money that is spent on it, and other risks have had an increase slightly higher than 5 percent. These other risks include nonfinancial risk controls monitoring and oversight; climate; environmental, social, and governance; and strategic risk. Together, these increases reflect more investment in ERM and CROs’ broader remit to manage risks holistically. Also relevant is an enhanced focus on the risk management life cycle (for example, a more exhaustive risk taxonomy and deeper cascading and articulation of risk appetite), as well as on scenario analysis and stress testing.
- Retail credit risk has become more automated. In the past three years, the amount of time spent on credit risk has decreased by an average of more than 5 percent each year. This decline is mostly caused by automation in areas like retail credit approvals, reviews, and loan extensions. It is also caused by less credit risk in the system. At the same time, the 1LOD is taking more responsibility for decisions and actions at the transaction level, like credit workouts. This means that the risk function needs fewer resources. As a result, around 75 percent of banks surveyed report fewer FTEs in the 2LOD assigned to those areas compared with three years before. As banks have automated the retail business, they have reassigned human resources toward activities such as wholesale credit decisioning. Since 2020, wholesale credit decisioning has seen an average annual rise of roughly 5 percent in FTE intensity. Over the same period, credit modeling and analytics teams have expanded even faster, growing by 10 percent annually.
- Market risk teams are growing. The survey reveals a slightly less than 5 percent annual rise in FTE intensity in market risk management. This growth is driven mainly by data collection and exploitation, which have increased by more than 10 percent annually. In contrast, market risk modeling and profit and loss (P&L) calculations have declined by a little less than 10 percent. The numbers illustrate how determined CROs have become to promote automation of market risk oversight (0.15 percent median intensity).
2. Shifts in supervisory expectations, with nuances by region, are prompting CROs to reassess their capabilities and adopt new solutions.
- There have been heightened regulatory expectations, particularly in Europe. This has led to more stringent regulatory oversight across bank risk functions’ operations. Examples include a higher bar on climate risk management (the European Central Bank has begun to impose fines for noncompliance) and a renewed focus on the Basel Committee on Banking Supervision (BCBS) 239 principles for effective risk data aggregation and risk reporting. New rules, such as the European Union’s Digital Operational Resilience Act (DORA) or the BCBS’s Fundamental Review of the Trading Book, are increasingly shaping operational decisions.
European G-SIBs have faced a supervisory campaign to increase risk FTEs in their setup, based on supervisors’ own benchmarks of risk resources. In response to regulatory guidance, many banks are aiming to ramp up adoption of regulatory technology and AI-driven solutions, for example, in functions such as AML, fraud detection, and compliance monitoring.
- In the United States, there has been a focus on closing existing remediation during the period covered by the benchmark. This challenge has been accelerated more recently, as supervisors signaled in October 2025 that the existing remediation book of work would be revisited, potentially freeing up resources, as the Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Federal Reserve Board indicated findings that are not tied to material financial risk or violation of law; a request for validation and closure of findings that are substantially compliant; and a narrowing of the scope of MRA issuance eligibility.
If finalized, many US banks could see a reduced scope of their remediation book of work, potentially freeing up 2LOD FTE capacity that would otherwise be used to manage remediation efforts (for example, developing gap assessments, drafting action plans, managing remediation milestones).
- Operational risks are under scrutiny. Under the Basel framework, banks have always been required to find, measure, watch, and reduce nonfinancial risks. However, attention in this area has increased in recent years. For example, capital requirements for operational risk rose 15 percent in Europe between December 2022 and December 2024. This is similar to the changes to operational risk in Basel IV. These changes increased risk-weighted assets (RWAs) on average. Banks replaced many model-based operational risk methods with a simple, standard approach that connects capital requirements to a bank’s size, income, and loss history. This approach reduces modeling flexibility but still requires clean data and strong governance for accurate computation. In addition, individual regulators are acting on sanction shortfalls. In 2023, for example, the Monetary Authority of Singapore (MAS) responded to digital disruption at one bank by imposing a 1.8 times multiplier on operational RWAs. Meanwhile, with regulation mandating closer monitoring of third-party relationships, cyberthreats, and technology-related incidents, many CROs say data security is at the forefront of their planning. In areas such as credit modeling and stress testing, they sometimes partner with fintechs to support these exercises.
Taken together, these initiatives have led to close to 10 percent annual growth in operational risk FTE intensity over the past three years.
- Supervisors demand more transparency and reporting agility. Supervisors are moving toward on-demand insights. They increasingly request banks to produce point-in-time, ad hoc stress tests, with traceable data and explainable models. Banks should be able to quickly create scenarios, look into each obligor, product, and country, reconcile with finance, and give specific data and analysis. This requires agile data pipelines, reusable scenario libraries, and modular extract, transform, and load (ETL) and reporting tools that support rapid reruns with full audit trails. Regulators could, in the future, directly access individual bank data, which could lead to more tailored supervision. Banks are creating shared reporting centers (sometimes partly offshore) to improve their skills, build, and use more advanced reporting tools.
3. Technology is moving from hype to reality. CROs are moving toward AI and automation and focusing on credit risk, data management, and reporting.
An equivocal finding from our benchmarking is that many risk functions aim to be leaders in tech adoption. One-third of functions want to be first in digital innovation. They want to make more money and make risk management more important. Approximately 70 percent of institutions, for example, have implemented AI in credit decisioning and pricing proofs of concept. Similarly, many banks have found applications in financial crime and fraud risk management, portfolio monitoring, and model risk management. Here are some examples:
- In mid-2024, many banks were still in the initial stages of AI. Only 15 percent had developed at least one AI use for risk, and 70 percent had already started using data analytics and traditional AI. The majority started with use cases in reporting and data management, as well as credit decisioning and pricing. Not surprisingly, banks with the biggest ambitions—about a third of the benchmarked organizations—are testing AI on more risk dimensions and more use cases than those taking a wait-and-see approach. Leadership aspirants are more focused on data analytics use cases, working first to build strong foundations. Followers favor generative AI, trying to gain quick wins through early adoption.
Looking ahead, CROs say a priority will be to roll out AI applications in credit risk. Despite the head count decline in recent years, FTE intensity remains high (accounting for around 1.2 percent of total bank FTEs, or about 45 percent of overall risk FTEs on average). For that reason, applications such as AI-driven credit modeling are expected to be a priority, supported by automated credit workflows.
CROs are allocating resources to technology. Seventeen percent of the survey group is spending 100 to 200 hours a year on digital technology and data analytics, along with using AI. Another fifth employs 50 to 100 FTEs in this area. And technology is also replacing FTEs in some cases.
Finally, three commonly cited roadblocks are slowing the deployment of AI. These are bad data, privacy and security concerns, and wrong use. This is because banks are still understanding how gen AI and other modern technologies (such as AI and stablecoins) will affect operations, customer service, and the competitive environment.
- CROs are clear about how their goals for digital, tech, and AI affect their overall strategy. They want to improve their ability to handle risks and manage risks better, which is the main reason for their focus. The next most important thing, according to one-third of respondents, is improving productivity and cutting costs. This is followed by improving customer satisfaction, which is a top priority for 81 percent of institutions. Revenue generation comes fourth, followed by employee satisfaction.
4. CROs are examining their companies to prepare them for higher regulatory and efficiency expectations. They are using improved mutualization and location models, as well as using agentic AI more deeply in risk operations.
- Strategic mutualization is progressing. Shared-service centers and centers of excellence are becoming more common. These centers help standardize risk function approaches, as well as scale and industrialize digital solutions, which contribute to efficiency and effectiveness. Focus areas include model risk management, analytics/modeling/data hubs for ERM, reporting functions, and change/IT functions. For example, we have seen several banks utilize shared centers for AML activities and model risk management (such as expanding model inventories and having dedicated validation teams), sometimes with a center of excellence for AI/machine learning model development or oversight.
- Offshoring is growing slowly. About a third of banks in the survey have large international hubs for risk activities. They use offshoring and nearshoring to make their operations more efficient, cut costs, and access skilled workers when they need them. Among the third of banks that use offshoring for risk activities, offshored and nearshored resources account for one-fifth of total risk FTEs on average. Within this group, roughly 40 percent of banks have an offshoring level between 30 and 50 percent, primarily among institutions located in major financial hubs. The highest offshoring levels are observed in model risk management, change management, and IT-related risk services, where, on average, more than one-third of FTEs are offshored. In contrast, credit risk and regulatory relations remain more local, with approximately 10 percent of FTEs offshored on average. These developments show banks’ efforts to combine cost efficiency and flexibility while maintaining enough closeness and control in sensitive areas. While it is still at the discussion stage, the steep progress of AI in recent years is pushing banks that are less mature in terms of geographical optimization to consider the possibility of bypassing the steps of mutualization, outsourcing, or offshoring and going directly to agentic AI workflows to improve productivity, switching from a location-driven to a technology-driven efficiency paradigm.
- Banks are focusing on organizational streamlining along with mutualization and offshoring. This streamlining addresses the fragmentation of risk teams, with the average span of control (that is, the number of direct reports) decreasing from the latest benchmark for G-SIBs. The coexistence of steps by risk type, business line, or geography often results in complex spans of control and challenges in aligning with business objectives. While risk functions are primarily aligned by risk type, with about 60 percent of CRO-1 roles across banks with this archetype (for example, credit, market, operational risks) or by business domains (one-fifth of CRO-1 with this archetype), all banks use a combination of archetypes to fit their unique model, adding geography and enterprise roles (for example, analytics, reporting) into the mix, requiring a regular revisit to remove nodes of excessive complexity. Finding the right balance among seniority levels, depth of expertise, and managerial layers remains important to ensure agility and effective coordination.
Productivity: A differentiator in the risk function
Head counts in the risk function overall are stabilizing, even converging to the median, but major shifts are happening within, with a reallocation of resources among subfunctions. This shows that for risk functions, productivity and effectiveness, rather than size, are becoming the differentiators.
From a productivity perspective, best-in-class risk organizations are differentiating themselves in consistent, measurable ways: They have clarified their mandate, perimeter, and underlying three-lines-of-defense model; created granular transparency on cost and capacity; have started simplifying and automating high-volume work; initiated anchoring AI and automation in a clear, risk-owned plan with fit-for-purpose monitoring; redesigned structures to incorporate logical centers of excellence as well as shared-service centers; and defined clear road maps for resource reallocation and talent planning.
The move from risk to resilience will keep making companies more competitive. This will require CROs to balance improving efficiency with keeping human insight very much in the loop. Success demands decisive action: implementing AI at scale rather than experimenting endlessly; building cross-risk analytical capabilities and standardized, scalable infrastructure for responsible AI governance to satisfy divergent global regulators; and developing talent that blends traditional wisdom with digital-native skills.
The key to unlocking these abilities is technology. Risk functions were among the first to use AI in banks and financial institutions. Looking ahead, their task will be to implement these changes effectively while maintaining a grip on an increasingly complex and demanding risk landscape. The question is whether CROs will proactively drive this transformation and become the organization’s biggest enabler or reactively respond to pressures.


