Banking Risk Management 2025: Complete PwC Global Study Analysis
Table of Contents
- Risk Function Transformation: From Guardian to Navigator
- Banking Risk Operating Model Re-Architecture
- The AI Transition in Banking Risk Management
- Non-Financial Risk 2.0: The Digital Twin Blueprint
- Navigating Geopolitical and Technological Uncertainty
- Operational Resilience: Thinking the Unthinkable
- Regulatory Relationship Reset: Two-Way Dialogue
- ESG and Sustainability Under Pressure
- The Risk Efficiency Imperative
- Future of the Banking Risk Workforce
📌 Key Takeaways
- Risk functions are being reshaped from guardians of stability to navigators of change — enabling strategy, innovation, and resilience alongside traditional oversight.
- AI is moving from experiments to redesign — one bank reduced AML processing from 1 hour to 20 seconds; compliance/fincrime leads with 17 successful GenAI deployments across surveyed institutions.
- Digital twins emerge as the next-generation architecture for non-financial risk, integrating process mapping, AI assistants, and trigger-based assurance.
- Quantum computing, general AI, and synthetic media rank as top disruptors for the next decade, with digital banking startups as the #1 competitive threat.
- Regulatory reset demanded — industry calls for two-way dialogue, co-created standards, and supervisors with more practical expertise.
Risk Function Transformation: From Guardian to Navigator
PwC’s third Global Banking Risk Study, following editions in 2018 and 2022, arrives at a pivotal moment for the banking industry. The study, based on extensive dialogue with chief risk officers and senior executives across major global financial institutions, reveals a risk function in the midst of its most fundamental transformation in decades. The central thesis is compelling: risk management cannot afford to be static in a world where value is constantly in motion.

Three forces are driving this transformation simultaneously. First, growing complexity in non-financial risk areas — operational resilience, AI governance, cybersecurity, and third-party dependencies — demands new capabilities, different tooling, and more dynamic ways of working. Second, executive management and boards increasingly expect risk to provide actionable insight, not just oversight. This means engaging earlier in the decision process, shaping strategic direction, and enabling innovation. Third, the pace of business has outstripped the cadence of traditional risk models. Risk must now match the tempo of the organization it supports.
The shift is both structural and cultural. Risk functions are being given a more prominent role in shaping strategy and planning, empowering first-line teams through clear boundaries and delegated authority, and building analytics platforms that add business value. Institutions that have emphasized culture and mindset transformation report tangible benefits: lower cost-income ratios, faster speed to market, and more effective innovation cycles. This transformation resonates with trends discussed in our analysis of the DORA regulation and its impact on financial institutions.
Banking Risk Operating Model Re-Architecture
Over the past three years, financial institutions have made notable adjustments to how risk is structured and organized. While the industry still largely maintains separate second-line functions for Risk and Compliance (in approximately 50% of cases, the Chief Compliance Officer reports to the CRO), operating models are evolving to become more agile, forward-looking, and technology-enabled.
Several key operating model themes emerge from the study. Risk functions are being realigned to business lines, with business-aligned CROs and teams established as single points of contact that provide holistic support. Enterprise Risk Management (ERM) functions are gaining an expanded mandate to serve as forward-looking “think tanks,” while there is increasing convergence between ERM and non-financial risk (NFR) functions. Centers of excellence are emerging in complex areas such as digital risk and AI governance, creating fusion centers that integrate cybersecurity, technology risk, model risk management, and compliance teams.
Centralization is a major theme, with transformation programs emphasizing shared services for high-effort activities including assurance processes, reporting production, and modeling analytics. Some institutions are exploring utilities that provide risk and control assurance services across different lines of defense. Beyond the organization’s perimeter, the growing dependency on a small set of critical third-party providers — especially in cloud and AI — raises systemic resilience concerns and questions about regional technology sovereignty that banks are beginning to address.
The AI Transition: From Tactical Innovation to Organizational Redesign

Generative AI is moving from early experimentation to enterprise adoption, and PwC’s study captures this transition with remarkable granularity. The structural shift underway envisions a hybrid workforce where a smaller number of highly skilled professionals work alongside increasingly capable AI agents. This is not merely automation of repetitive tasks — it represents a deeper transformation of how institutions allocate judgment, oversight, and value creation.
The study reveals that most institutions have actively deployed GenAI in production, though with different adoption strategies. The majority follow either a centralized approach (strong governance bodies approve enterprise-level use cases) or a federated model (small AI teams embedded within functions). A smaller number pursue democratized access, with broad GenAI tool availability and cultural guardrails replacing strict controls. Infrastructure investment, bespoke training data, and scarce skills are ranked as the top three impediments to AI adoption.
Within risk functions specifically, the most successful deployments center on compliance and financial crime (17 success reports), credit processes (9 successes), and general productivity and decisioning (10 successes). Standout achievements include one institution reducing AML hit processing time from one hour to 20 seconds, AI-powered credit memo generation, natural language policy queries, and AI agents digitizing first-line assurance activities. Most institutions currently have 1-5 GenAI models in production within Risk, compared to more advanced deployments in other organizational areas.
Perhaps most intriguing is the exploratory work on using GenAI’s “hallucinations” productively — prompting LLMs to imagine novel threat scenarios for fraud or cyberattack modeling, turning a widely discussed limitation into a creative asset. These AI dynamics connect to broader patterns explored in the AI enterprise adoption landscape.
Non-Financial Risk 2.0: The Digital Twin Blueprint

Non-financial risk management is undergoing its most significant evolution since it first rose to prominence on bank agendas. PwC’s study reveals that NFR remains the area with the widest maturity spectrum across the industry — some institutions are still addressing foundational issues while others are already experimenting with digital twins, AI assistants, and integrated resilience platforms.
The study identifies fragmented and manual-intensive processes as the number one challenge in NFR management, followed by poorly designed GRC systems, lack of first-line engagement, and the burden of regulatory remediation. This last factor is particularly pernicious: it consumes extensive resources while driving a backward-looking mindset and a perception that non-financial risk is a burden rather than a critical capability.
Leading institutions are now designing next-generation architectures centered around digital twins of the organization — comprehensive digitized representations of how processes and controls actually operate. These architectures feature consistent process and product taxonomies deployed across all lines of defense, automated data ingestion with quality assurance, cloud tooling with AI integration, GRC platforms with embedded intelligent agents, and customizable dashboards providing trigger-based assurance. The benefits are tangible: risks, controls, incidents, and resilience scenarios can be coherently mapped across the enterprise, and GRC platforms shift from data collection to insight generation.
The augmentation of NFR and resilience managers through AI represents the cutting edge. Firms are deploying AI to review remediation plans, monitor control effectiveness, and script automated tests. Digital risk assistants interpret policy and guide users through GRC systems. Smart planners help frontline staff prioritize high-risk actions. And some institutions are redesigning their end-to-end RCSA (Risk and Control Self Assessment) processes to embed regular intra-month interactions using AI agents, replacing traditional annual review cycles.
Navigating Geopolitical and Technological Uncertainty
The PwC study devotes significant attention to the accelerating pace of change driven by structural shifts across geopolitical, environmental, and technological dimensions. A fracturing of global alliances, rising protectionism, and technological disruption have begun challenging fundamental assumptions about how value is created and sustained in banking.
Five major disruptors dominate the discussion for the next decade. Quantum computing could break current encryption, compromising secure data exchange and potentially exposing sensitive information retroactively. The spectre of general artificial intelligence may fundamentally alter how global society functions. Synthetic media and fake information are making manipulated content indistinguishable from reality, escalating fraud risks. Digital asset tokenization is creating new asset classes with novel risk profiles. And geopolitical shifts are undermining multilateral institutions and fragmenting policy responses.
In response, ERM functions are expanding into “think tank” roles, working through the implications of these trends and establishing frameworks to assess complex disruptors. Stress testing and scenario analysis capabilities are being modernized, with firms investing in faster production cycles (reduced from 4-6 weeks to near real-time), modular architecture, and hybrid approaches combining quantitative stress testing with qualitative war-gaming and system simulation.
Operational Resilience: Thinking the Unthinkable

Resilience remains firmly at the top of the banking risk management agenda. The realization that many systemic risks lie outside any single institution’s control has prompted leaders to ask previously unthinkable questions: What happens if access to major cloud platforms is restricted due to geopolitical sanctions? Could we function if a major cloud provider suffered a systemic failure? How would an escalation of current conflicts affect our operating model? What would a coordinated attack on undersea telecommunications cables mean?
These scenarios no longer feel implausible. Banks are responding by defining essential services and designing “minimum viable institution” fallback protocols — identifying the core capabilities (payment processing, balance access) that must be preserved even during severe outages. Digital simulation using twin technology allows firms to model value chains and run scenario tests, following practices from aerospace and energy sectors.
The concentration risk around technology providers is particularly acute. Recent outages have demonstrated that regulation alone is not a safeguard, and there is recognition that the limits of what individual institutions can control must be acknowledged transparently. Some banks are advocating for regional technology “champions” and diversification away from concentrated global tech ecosystems, though consensus exists that strengthening third-party assurance mechanisms is more immediately actionable. This resilience imperative connects to the broader regulatory landscape explored in our analysis of the ECB’s 2024 Annual Report.
The Regulatory Relationship Reset
Perhaps the most provocative section of PwC’s banking risk study addresses the relationship between financial institutions and regulators. After fifteen years of expanding regulatory oversight, there is strong industry consensus that while foundational principles remain valid, frameworks and supervisory models need strategic reflection.
The study identifies digital banking startups as the number one competitive threat to traditional banks (average ranking 1.8), followed by large technology companies (2.3) and internationally active banks (2.4). This competitive landscape has shifted dramatically, yet regulatory design still reflects a world where banking was defined by high infrastructure costs and strong barriers to entry. Technology companies that now sit at the heart of modern banking — delivering infrastructure, software, and AI — remain largely outside the regulatory perimeter.
Institutions are advocating for co-development of standards, greater clarity in supervisory expectations, and more iterative engagement models. Specific proposals include structured review cycles with industry and legislative feedback, CRO-led roundtables with regulators, and independent third-party bodies to balance ambition with practicality. There are also calls for greater senior-level mobility within regulators, bringing in fresh thinking from the private sector, and for supervisors to develop deeper expertise in non-financial risks, AI, and ESG. This is not a call for deregulation but for recalibrating engagement to match a fast-evolving landscape — consistent with challenges discussed in our coverage of cybersecurity governance.
ESG and Sustainability: Navigating the Political Divide
ESG remains one of the most complex challenges in banking risk management. PwC’s study reveals that while most institutions remain committed to sustainability targets, geopolitical and regulatory divergence are creating formidable navigation challenges. The change in U.S. administration highlighted the fragility of assumptions underpinning global transition planning, and institutions must now consider implications of a world transitioning into geopolitical blocs.
The top climate and environmental risks ranked by study participants are the impact of physical events, policy divergence, and sharp transition risk — all three ranking closely together, indicating that banks face a multi-dimensional ESG challenge with no single dominant risk. Legal risks, stranded assets, and loss of insurability complete the picture.
A key finding is the call for a “reset” before additional nature-related requirements add further complexity. This includes establishing common foundations via shared taxonomies and data models, strengthening common protocols for data capture and exchange across society, and sharpening focus on climate and environmental risk while reviewing the broader perimeter of ESG. The study suggests that ESG regulation, while well-intentioned, has in some cases diverted resources without delivering proportionate value — and that a more phased, evidence-based approach would serve both institutions and society better.
The Risk Efficiency Imperative
Risk functions are under increasing pressure to demonstrate efficiency and value creation. PwC’s study shows that institutions are pursuing efficiency through multiple levers: automation of routine tasks, centralization of shared services, simplification of interaction models, and deployment of AI for process optimization. The combination of these approaches is expected to deliver material improvements in cost-income ratios over the medium term.
Centralization strategies are closely linked to standardization and digitization initiatives. Emerging risk utilities provide assurance services across different lines of defense, while delegated authority and materiality thresholds are being formalized to allow business users to operate within clear risk parameters. This reduces bottlenecks while maintaining appropriate oversight. The outlook for centralized activities is to provide a platform for targeted GenAI deployment, driving at-scale automation of processing and production activities that retain significant manual components.
At the same time, efficiency cannot come at the expense of capability. Institutions are investing heavily in forward-looking analytics, early warning systems, and predictive capabilities that require sophisticated data infrastructure and skilled personnel. The challenge is balancing cost reduction with capability building — a tension that every CRO must navigate. Firms that achieve this balance will not only reduce costs but fundamentally reshape how risk is experienced and valued within the organization, as explored in the broader context of Basel Committee banking standards.
The Future of the Banking Risk Workforce
The PwC study concludes with a forward-looking assessment of talent and leadership in banking risk management. The workforce model is evolving from narrow, siloed career paths toward broader, rotational journeys that build what the study calls “T-shaped profiles” — professionals with deep technical expertise in one domain combined with broad understanding across risk, technology, business, and leadership.
Leadership programs now emphasize not just technical mastery but collaboration, storytelling, and digital fluency. The CRO mandate has evolved into a leadership role that requires the ability to communicate risk insights in business-relevant terms, partner with technology teams on AI deployment, navigate regulatory relationships, and drive cultural transformation. Succession planning is gaining prominence, with institutions investing in developing the next generation of risk leaders who can operate effectively in a hybrid human-AI environment.
Skills priorities include entrepreneurship, problem-solving, and holistic thinking — for example, credit experts who also understand data science, fraud patterns, and process design. Continuous learning and adaptability are being embedded into organizational culture to prepare for an AI-driven future. As the study makes clear, the transformation of banking risk management is not primarily a technology story — it is fundamentally about people, culture, and the willingness to reimagine what a risk function can be. The institutions that succeed will be those that invest equally in their technology infrastructure, their people capabilities, and the cultural conditions that allow both to thrive.
Frequently Asked Questions
How is AI transforming banking risk management in 2025?
According to PwC’s 2025 study, AI is moving from tactical experiments to organizational redesign in banking. Key use cases include reducing AML processing time from hours to seconds, automating credit memo generation, deploying digital risk assistants and AI agents for first-line assurance, and using GenAI for policy simplification. Most banks have 1-5 GenAI models in production within Risk functions, with compliance and financial crime being the most successful deployment areas.
What is non-financial risk 2.0 in banking?
Non-financial risk (NFR) 2.0 represents a fundamental shift from fragmented, backward-looking processes to integrated, digital-first risk management. Key elements include digital twins of organizations mapping processes and controls enterprise-wide, AI-augmented risk assistants that monitor and prioritize risks, cloud-enabled GRC platforms with automated data ingestion, and trigger-based assurance rather than cyclical reviews. The biggest challenges remain fragmented manual processes, poorly designed GRC systems, and lack of first-line accountability.
What are the biggest banking risks for the next decade?
PwC identifies five major disruptors: quantum computing (threatening current encryption), artificial intelligence (workforce disruption and the spectre of general AI), synthetic media and fake information (fraud escalation and trust erosion), digital assets and tokenization (new risk profiles), and geopolitical shifts (fragmenting global alliances). Digital banking startups are ranked as the top competitive threat, followed by large tech companies.
How should banks approach regulatory engagement in 2025?
PwC’s study reveals a strong industry call for resetting the regulatory relationship from one-way prescriptive oversight to two-way collaborative dialogue. Banks advocate for co-development of standards, formal feedback cycles, joint sandboxes, and CRO-led roundtables. Key concerns include regulatory frameworks designed for legacy banking models, inconsistent interpretations across jurisdictions, and the need for regulators to develop expertise in NFR, AI, and ESG.
What is the future of the banking risk workforce?
The banking risk workforce is transitioning to a hybrid model where fewer, highly skilled professionals work alongside AI agents. Career paths are evolving from narrow, siloed roles to rotational journeys building T-shaped profiles that combine technical mastery with collaboration, storytelling, and digital fluency. Key skills priorities include entrepreneurship, problem-solving, holistic thinking, and continuous learning to adapt to an AI-driven future.