1、Advance your world.November 2024Rising to the Risks of a Changed Industry:Seven Themes From the 2025 RMA CRO Outlook SurveyAn RMA research report,prepared in collaboration with Oliver Wyman and published by ProSightAbout RMAFounded in 1914,the Risk Management Association is a not-for-profit,member-d

2、riven professional associ-ation whose sole purpose is to advance the use of sound risk management principles in the financial services industry.RMA promotes an enterprise approach to risk management that focuses on credit risk,market risk,and operational risk.Headquartered in Philadelphia,Pennsylvan

3、ia,RMA has over 900 institutional members that include banks of all sizes as well as nonbank financial institutions.They are represented in the Associ-ation by over 66,000 individuals located throughout North America,Europe,Australia,and Asia/Pacific.In 2024,RMA and BAI merged to form ProSight Finan

4、cial Association to offer an even greater level of support to the financial services industry,leveraging RMAs deep risk expertise and BAIs strong compliance knowledge.About ProSight Financial AssociationProSight Financial Association empowers financial services leaders to strengthen and advance our

5、industry.Formed through the merger of BAI and RMA,trusted organizations with rich histories and deep expertise in risk,compliance,retail and commercial banking,we are here to support you during times of great change,guide you towards new opportunities for growth,and help you act with confidence.As P

6、roSight,weve en-hanced our ability to support you at a time when the industry is challenged to meet changing customer needs,adopt new technologies and manage more complex risk and compliance issues.Our work creates positive ripple effects throughout financial services organizations and our industrya

7、nd ultimately helps consumers,businesses,and communities thrive.Learn more at ProSightFA.org.About Oliver WymanOliver Wyman,a business of Marsh McLennan(NYSE:MMC),is a management consulting firm combining deep industry knowledge with specialized expertise to help clients optimize their business,impr

8、ove opera-tions,and accelerate performance.Marsh McLennan is a global leader in risk,strategy,and people,advising clients in 130 countries across four businesses:Marsh,Guy Carpenter,Mercer,and Oliver Wyman.With an-nual revenue of$23 billion and more than 85,000 colleagues,Marsh McLennan helps build

9、the confidence to thrive through the power of perspective.For more information,visit ,or follow on LinkedIn and X.Rising to the Risks of a Changed Industry:Seven Themes from the 2025 RMA CRO Outlook Survey is published by ProSight Financial Association.Please direct inquiries to Katie Williams at rm

10、axchangermahq.org.RMA and Oliver Wyman developed the research hypotheses and analyzed research results jointly.At RMA,Celina Rogers and Ed DeMarco directed the research and Frank Devlin wrote the report.Design by Christopher Santoro.Thank you to the CROs who participated in this research program,and

11、 to Mike Duane,Jake Ritchken,Christian McNally,Lorelei Vaisse,and a range of Partners at Oliver Wyman for their thoughtful contributions.November 2024 2024 ProSight Financial Association.All rights reserved,including the right to reproduce this report or portions thereof in any form whatsoever.3Risi

12、ng to the Risks of a Changed Industry/2024 ProSight Financial AssociationTable of Contents About This Report.4 Executive Summary.5 Introduction.6 The Continuing Effects of the 2023 Bank Crisis.7 1.Banks Are More Alert to the Speed of Risk.7 2.Regulatory Scrutiny May Be Heightened for the Long Haul.8

13、 3.Risk Management Has a Larger Role in Organizational Strategy.9 Enduring and Emerging Risks.10 4.Financial Risks Have Fallen From the Top of the Risks List,but Are Still Considerable.10 5.Non-Financial Risks Remain Elevated.12 The Road Ahead.13 6.Emerging Risks and Disruption Demand Planning.13 7.

14、CROs Look to the Future.15 Closing Thoughts.164Rising to the Risks of a Changed Industry/2024 ProSight Financial AssociationAbout This ReportIn July 2024,RMA surveyed chief risk officers and equivalents at financial institutions primarily in the United States and Canada for its annual CRO Outlook Su

15、rvey.This years survey was prepared in collaboration with Oliver Wyman.The survey explores the top trends in bank risk management and CROs most urgent plans and priorities as they seek to address them.For this years CRO Outlook Survey,we received 177 survey responses.Survey respondents institutions

16、represent a broad spectrum of sizes:%Respondents by Asset Size,USD Less than$25 billon 53%$25 billion-$50 billion 14%$50 billion-$100 billion 11%$100 billion-$250 billion 10%$250 billion-$500 billion 3%$500 billion-$1 trillion 4%More than$1 trillion 5%5Rising to the Risks of a Changed Industry/2024

17、ProSight Financial AssociationExecutive SummaryIn summer 2024,RMA surveyed 177 CROs and risk leaders from primarily North America-based banks on their top challenges.They described an industry transformed by the 2023 regional bank crisis:Regulators and exams are more demanding,risk teams have a larg

18、er strategy role,and there is greater appreciation for the speed of risk.Meanwhile,non-financial risks including cyber and fraud remain urgent.And while financial risks have fallen from the very top of CRO concerns,they are formidable.Key FindingsBanks Are More Alert to the Speed of Risk.Almost all

19、respondents now have a path for managing the speed of risk that caught the industry flat-footed in 2023.In their responses,they noted steps including investments in early warning indicator programs.Regulatory Scrutiny May Be Heightened for the Long Haul.Respondents report that,in the aftermath of th

20、e crisis,regulators are seeking more rapid responses to regulatory questions and findings.Over the next 12 months,respondents expect enhanced scrutiny regarding credit risk,liquidity,and capital.Risk Management Has a Larger Role in Organizational Strategy.Many risk teams have become more involved in

21、 bank strategy.They are defining and managing the appetite for strategic risk,participating in non-risk committees,and challenging strategic plans.Financial Risks Have Fallen From the Top of the Risks List,but Are Still Considerable.While financial risks ranked lower than in previous surveys,CROs wa

22、rn that trou-ble continues to brew in commercial real estate and consumer credit,and that lower interest rates may not allay deposit-funding pressures.At the same time,evidence is mounting that years of inflation and the spending down of stimulus cash is taking a toll on many consumers ability to ma

23、ke credit card and loan payments.Non-Financial Risks Remain Elevated.The top three risks the survey identified were non-financial:cybersecurity,fraud/financial crime,and technology.CROs say fraud and cyber threats are driving risk-function budgets higher,and that regulators are joining them in a foc

24、us on non-financial risks.They expect third-party risk,cybersecurity,and governance and controls related to AI to draw increasing regulatory pressure.Emerging Risks and Disruption Demand Planning.Digital disruption,including generative AIs impact,ranked as the top emerging risk.CROs are addressing t

25、his and other emerging risks by launching new reportingincluding KRIs and KPIsand incor-porating new formalized approaches and board-level oversight.CROs Invest for the Future.With challenges related to the regional bank crisis lay-ered atop perennial risks,bank risk management is not getting easier

26、.Risk leaders are responding with projects to help institutions mitigate risks and optimize opportunities.The most common initiatives center on analytics and modeling,cyber/technology risks,risk data and infrastructure,AI,and risk governance and reporting.6Rising to the Risks of a Changed Industry/2

27、024 ProSight Financial AssociationIntroductionRMAs fourth annual CRO Outlook Survey reveals a financial services industry that is still managing the fallout from the 2023 regional banking crisis.Some of the effects of the crisis have been temporary.Others,according to the 177 primarily North America

28、n bank CROs and other senior risk leaders who responded to the survey,have funda-mentally changed the business of banking.At the same time,perennial challenges that were top of mind prior to the crisisincluding cybersecurity,fraud,and third-party risk managementshow no sign of abating.CROs and their

29、 teamswhose agendas were already full before the crisisare facing added challenges flowing from the crisis.And the future holds still more uncertainty,as risks and opportunities emerge from the rise of generative AI and other technology,geopolitical events,market behavior,and as-yet unknown sources.

30、The CRO Outlook Survey reveals that banks are in a new environment compared to the years prior to the crisis:The speed of risk is faster,regulators are more demanding,and,as a result,the risk functions role in strategy is larger.Informed by post-survey interviews with respondents as well as an analy

31、sis of the survey results,this report explores seven key themes that emerged from the research to illuminate how banks are responding to a changed industry,even as they address additional challenges.7Rising to the Risks of a Changed Industry/2024 ProSight Financial AssociationThe Continuing Effects

32、of the 2023 Bank Crisis1.Banks Are More Alert to the Speed of RiskWell over a year after the regional bank crisis,many developments remain relevant,while others remain remarkable.In a post-survey interview,one CRO said the lightning speed of deposit drawdowns at Silicon Valley Bank$42 billion over t

33、he course of one daystill stands out,especially when compared to the previous record:$16.7 billion over 10 days at Washington Mutual Bank in 2008.SVB was clearly an extreme case.But it was part of a fast-moving,massive outflow of deposits that brought home to bankers just how quickly risk can develo

34、p in an environ-ment of real-time transactionsand one where information,and misinformation,about a banks soundness can spread on social media and online forums.For some,it took the crisis to truly appreciate the phenomenon:Eighty-two percent of respondents agreed with the statement,“The banking indu

35、stry was caught flatfooted by the speed of risk in the 2023 regional banking crisis.”But lessons were learned.Nearly all respondents(93%)said it is imperative that the banking industry address the increased speed of risk.And the vast majority(89%)also said they have a clear path forward for doing so

36、.Along that path,40%of respondents said they are investing in early warning indicator programs.One CRO said in an open-ended survey response that,considering“the events in 2023,we began closely monitoring social media on a daily basis regarding our bank as well as our competitors in the marketplace.

37、The data helps us understand the temperature with our customers and the community and is a data point that we use in consideration of various decisions we make.”8Rising to the Risks of a Changed Industry/2024 ProSight Financial Association2.Regulatory Scrutiny May Be Heightened for the Long Haul In

38、post-survey interviews,CROs said that the liquidity crunch that reached a peak in 2023marked by deposit flight,bank borrowing from the Federal Home Loan Banks,investment sales to raise cash,and a trio of high-profile bank failureshas long since receded.But this temporary storm has left in its wake a

39、 heightened regulatory focus on liquidity risk and asset/liability management.Typical responses to an open-ended question on the nature of supervisory comments included several related to liquidity,including“heightened stringency”and a“higher bar”for liquidity risk management in the eyes of regulato

40、rs.CROs also noted height-ened regulatory scrutiny across the board,including related to governance/oversight,enterprise risk management,credit risk,fair lending,and concentration risk.One CRO noted a“significant increase in the depth and intensity of regulatory exams and height-ened expectations.”A

41、nd,at a time when banks are challenged to respond to the speed of risk,some CROs said they are being urged to respond more quickly to regulatory questions and findings too.“Regulators expect faster progress on open issues,”one said.The“tone is one of not moving fast enough to implement an effective

42、ERM framework and more threats of MRBAs as a result,”said another.In all,84%of respondents said that,compared to before the crisis,their institutions are being held to a higher standard by their supervisory teams.CROs largely expect that trend to continue.Two-thirds expect regulatory scrutiny to inc

43、rease somewhat or substantially over the next 12 months.In particular,respondents expect more over-sight regarding credit risk(named by 51%of respondents),liquidity(43%)and capital(32%).(See Figure 1.)Credit riskLiquidityThird party riskCapitalCyber riskData/IT and resiliencyConsumer complianceGover

44、nance and controls related to artificial intelligence51%43%32%32%28%27%18%10%Figure 1.CROs expect more intense regulatory pressure in a range of areas,especially credit risk,liquidity,and capital.Where do you expect regulatory pressure to intensify the most over the next 12 months?Note:Respondents w

45、ere allowed to choose up to three risk/compliance areas.9Rising to the Risks of a Changed Industry/2024 ProSight Financial Association3.Risk Management Has a Larger Role in Organizational StrategySoul searching regarding the regional bank crisis has led to a renewed focus on robust risk management i

46、n the industryand a more prominent role in strategy and other matters for CROs and their teams.Following a crisis in which one institution had gone without a chief risk officer for an extended period of time prior to its failure,46%of respondents said they have become more involved in defining bank

47、strategy as a result of the regional banking crisis.Eighty-four percent said they are now somewhat or highly involved in shaping their organizations business strategy.In their survey responses,CROs shared ways their influence on strategy has been expanding,including prior to the crisis.“Risk engagem

48、ent and efforts are much more deliberate on explicitly evaluating and demonstrating linkages across strategic plan-ning,capital planning,and risk management,”one respondent said.Another said,“risk culture has evolved to the point where the CRO has a seat at every executive table.”This“came about by

49、wins in the risk assessment process,”the commenter said,including preventing“an initiative from being launched without a real-time fraud system.”Once invested with a voice in their organizations strategic decision-making,CROs say they contribute to the process by defining and managing the appetite f

50、or strategic risk(71%),participating in non-risk management committees(55%),reviewing and challenging strategic plans(55%),and discussing business strategy in management risk committees(53%).Still,barriers to an enhanced strategy role remain.Fifty-six percent of respondents cit-ed competing prioriti

51、es(e.g.,responding to regulatory scrutiny).Other barriers includ-ed resource constraints(55%),resistance to change within the risk organization(25%),and a lack of necessary talent/skills(24%).(See Figure 2.)Competing priorities(e.g.,responding to regulatory scrutiny)Resource constraintsResistance to

52、 change within the risk organizationLack the necessary talent/skillsResistance to change outside the risk organizationFigure 2.Competing priorities and resource constraints pose barriers to increasing the risk functions strategic influence.Which of the following present barriers or obstacles to incr

53、easing your teams strategic influence?(Top responses)Note:Respondents were allowed to choose all that apply.10Rising to the Risks of a Changed Industry/2024 ProSight Financial AssociationEnduring and Emerging Risks4.Financial Risks Have Fallen From the Top of the Risks List,but Are Still Considerabl

54、e CROs are more optimistic than they were a year ago about the economy and the credit environment.This represents improvement(although it should be noted that last years outlook was notably bleak).Thirty-five percent of respondents expect the macro environment to improve in 2025an improvement of 28

55、percentage points compared to last years survey.(See Figure 3.)A fifth of respondents expect the overall credit environment to improvean increase of 20 percentage points over last years survey,when no respondents were willing to say they expected improvement.Figure 3.CROs outlook on the macroeconomi

56、c and credit environments improved compared with last year.2024 Outlook survey2025 Outlook surveyDifferencePercentage of respondents who expect the macroeconomic environment to improve7%35%+28%ptsPercentage of respondents who expect the credit environment to improve0%20%+20%pts11Rising to the Risks

57、of a Changed Industry/2024 ProSight Financial AssociationLingering uncertainty regarding the macroeconomic and credit outlook is one reason that a CRO in a post-survey interview said that the coming year might feel like a recession for some banks,even if the economy achieves a soft landing.CROs note

58、 that trouble continues to brew for banks with exposure to commercial real estate,particularly office CRE lending.At the same time,evidence is mounting that years of inflation and the spending down of stimulus cash is taking a toll on many consumers ability to make credit card and loan payments.On t

59、he other side of the balance sheet,while some banks may benefit from the relief falling interest rates will provide in the area of deposit-funding costs,one CRO said that rates will likely remain high compared to recent years,dampening that effect.And competition for funding may persist,CROs noted i

60、n interviews,because depositorsconditioned by the rising-rate environment to seek out higher returns(and enabled by increasingly transparent digital transactions)are likely to continue to rate shop as deposit interest heads lower.Even as financial risks recede from the very top of respondents lists

61、of concerns,depos-it concentration riskwhich was a factor in the 2023 bank failures,as customers with similar industry profiles,motivations,and pressures withdrew funds en massemain-tains a foothold among the most pressing challenges.Nearly a quarter of respondents(24%)listed deposit risks/concentra

62、tion risk as among their top five risks.In inter-views,CROs said that institutions that have long been accustomed to managing the risk of concentration by industry,geography,and many other factors on the lending side of the banking equation are now coming to terms with the need for robust concentrat

63、ion risk management around deposits too.Efforts abound:One CRO described a new heat map that helps the bank identify areas of deposit concentration risk in real time.Nearly a quarter of respondents(24%)listed deposit risks/concentration risk as among their top five risks.12Rising to the Risks of a C

64、hanged Industry/2024 ProSight Financial AssociationCROs report that regulators are joining them in a focus on persistent,non-financial risks.5.Non-Financial Risks Remain Elevated Four of the top five risks identified by the survey were non-financial.In addition to cybersecurity at No.1(named as a to

65、p risk by 63%of respondents)and fraud at No.2(44%),the top five was rounded out by technology risk(38%),wholesale credit(32%),and third-party risk(32%).(See Figure 4.)Despite the attention and spending it receives,there is still no magic bullet to solve cyber risk,CROs say.“Its just changing so rapi

66、dly.If you can even stay a step and a half behind youre lucky,”one said in a post-survey interview.“Every time we shut the win-dow and bar the door,theyre going to come in sideways.Its a constant fight that takes time,talent,and money.”CROs report that regulators are joining them in a focus on persi

67、stent non-finan-cial risks.Thirty-two percent expect more pressure over the next 12 months around third-party risk,with pressure also expected to increase regarding cyber(28%)and governance and controls related to AI(10%).In interviews,CROs said fraud and cyber threats are a big factor driving risk-

68、function budgets higher.Cyber risk Fraud/financial crime(including sanctions risk)Technology risk(including modernization of infrastructure,excluding AI)Wholesale(C&I and CRE)credit risk Third-party risk Issues around operating model(including cost eficiencies,talent)Deposit risks/Deposit concentrat

69、ion Treasury/ALM riskStrategic risk/disruptionRe-emerging/heightened capital and liquidity regulationChange management Potential for a recessionary environmentOperational resilienceData privacy/data riskConsumer compliance and ethicsRisk cultureConsumer credit risk Figure 4.CROs identify their insti

70、tutions top risks for 2025.What are your organizations top five risks(i.e.,risks that are currently your organizations major areas of focus and resource allocation)?(Top responses)63%44%38%32%32%28%24%22%22%22%22%19%15%15%15%10%10%Note:Respondents chose five risks from the list provided.13Rising to

71、the Risks of a Changed Industry/2024 ProSight Financial Association34%32%30%30%27%26%24%23%23%22%21%Digital disruption to business model(including potential impact of AI)Cyber risk Technology risk(including modernization of infrastructure,excluding AI)Strategic risk/disruptionPotential for a recessi

72、onary environment Data privacy/data riskGovernance and control issues related to implementation of AI tools Fraud/financial crime(including sanctions risk)Issues around operating model(including cost eficiencies,talent)Geopolitical/political riskSpeed of risk in a digital world(including social medi

73、a)Note:Respondents were allowed to choose up to five.Figure 5.Digital disruption to the business model,cyber risk,and strategic risk top CROs list of emerging risk for 2025.What are your top five emerging risks(i.e.,risks that have high potential to become one of your top risks a year or two from to

74、day)?6.Emerging Risks and Disruption Demand PlanningThe regional bank crisis was a reminder that risks can emerge in unexpected ways and to an unanticipated degree.It also brought home once more the need to be ready for a wide range of possible circumstances.To that end,respondents to this years sur

75、vey identified digital disruption as the most common top emerging risk,defined as a risk with a high potential to be among an institutions top risks in a year or two.Thirty-four percent of respondents cited digital disruption as a top emerging risk,followed by cyber risk(32%)and strategic risk/disru

76、ption and technology risk(excluding AI)(30%each).Data privacy/data risk(26%)and governance and control issues related to the imple-mentation of AI tools(24%)were also notable entries.(See Figure 5.)The Road Ahead14Rising to the Risks of a Changed Industry/2024 ProSight Financial AssociationCROs outl

77、ined several ways institutions are readying for a wider range of threats that could throw them off course.In their responses,several mentioned an enhanced focus on emerging risks,including introducing emerging risk reporting,“building out KRIs and KPIs for ERM with a focus on emerging risks,”launchi

78、ng an emerging risk pro-gram,and“a more formal and board-level approach to emerging risks.”Other approaches included:“Integration of cross-functional ERM teams and enhanced modeling capabilities.”“Expanded capabilities in stress testing and scenario analysis to cover a broader spectrum of risks and

79、evaluate mitigating strategies through a range of conditions.”“More frequent engagement,discussion,and planning at leadership team level.”“Established an executive enterprise risk management committee which meets at least monthly to review risks across the organization and develop strategic plans to

80、 address and communicate with employees.”The regional bank crisis was a reminder that risks can emerge in unexpected ways and to an unanticipated degree.15Rising to the Risks of a Changed Industry/2024 ProSight Financial AssociationFigure 6.Major risk-function initiatives for 2025 center on technolo

81、gy,including analytics and modeling,projects to address cyber/technology risk,risk data and infrastructure,and AI.Please choose up to three areas where your risk organization is planning major initiatives in the next 12 months.(Top responses)Cyber/technology risksAnalytics(including advanced analyti

82、cs)and modeling Risk data and infrastructure Risk governance and reporting Artificial intelligence Roles/responsibilities and operating modelCompliance programs(including AML,consumer compliance)Risk identification,including emerging risks Treasury capabilities(including ALM,liquidity management)Pro

83、gram and change management Limit-seting and portfolio management(including concentrations)Risk appetite 25%25%23%22%22%18%14%14%12%12%12%12%7.CROs Look to the FutureWith perennial risks rising and another layer of challenges related to the regional bank crisis added to already full agendas,risk mana

84、gement at financial institutions is not likely to get easieror cheaper.“If Im not increasing my budget by 10%next year,that would be a surprise,”one CRO said.“And my budget doesnt count cyber.”At the same time,there are ever-increasing demands to boost technology spending,and strains on the banking

85、business model caused by market conditions and other factorsstrains that some CROs called“existential”in post-survey interviews.Its no surprise,then,that CROs think there could be an uptick in banks either seeking to exit or expand through M&A.One CRO,for example,envisioned a scenario in which some

86、banks search for deposit-rich merger partners with sticky accounts to boost the funding needed for the loan side of operations.Nearly three-quarters of respondents(74%)said they expected consolidation in the industry.But another survey response pointed up a caveat:Seventy-two percent expect regulato

87、ry scrutiny to have a chilling effect on merger activity.Post-survey interviews also revealed great concern about the uncertainty in the regula-tory environment,considering the overturning of the Chevron doctrine,the presidential and congressional elections,and the growing trend of industry legal ac

88、tion against pro-posed rules and regulations.While compliance can be challenging,they said,uncertain-ty about the impact and onset of regulatory expectations is also problematic.Meanwhile,risk organizations are looking ahead by green-lighting projects to help their institutions mitigate risks and op

89、timize opportunities.The most common major initia-tives center on analytics and modeling,cyber/technology risks,risk data and infrastruc-ture,AI,and risk governance and reporting.(See Figure 6.)16Rising to the Risks of a Changed Industry/2024 ProSight Financial AssociationClosing ThoughtsAs they pre

90、pare for 2025,CROs do so with the knowledge that the disruption of the regional bank crisis has prompted a new layer of challenges.An industry of diverse bank sizes and strategies demands a multitude of approaches to the universe of risk.But whatever path they take,CROs will be focused on rising to the risks that face their institutions.