-
Announcements
Welcome to RiskbOWl – the first closed community of Risk professionals to share ideas, best practices and get a sense of peer practice, with the ability to anonymously ask questions, share perspectives, run targeted polls, and discuss recent regulatory developments. Find out the latest developments in the RiskbOWl community, including user guidelines, community rules, and latest functionality
-
Our Insights
Discover our latest thinking across hot topics in risk management, drawn from serving the world's leading financial institutions and deep, industry-renowned expertise across risk and finance topics, including surveys, primers and points-of-view
-
General Discussion
Use this space for questions or broader topics pertaining to risk management, from the latest industry trends and regulatory developments, to the latest news and risk headlines potentially impacting the sector
-
Geopolitical Risk
With the global economy entering what can only be described as a critical inflection point, particularly in terms of trade, institutions are mobilising to better understand how the recent upending of trading relations will affect lending portfolios or operations in the short term, and how the shifting geopolitical landscape will affect them in the longer term. Join the discussion and compare notes on how your peers are managing these novel risks
-
Credit Risk
The dedicated space to converse with peers and our experts on all aspects of credit risk, from the technicalities of modelling using internal approaches, credit decisioning and underwriting, credit risk appetite, governance and monitoring, provisioning, and regulatory requirements
-
Treasury and Liquidity Risk
Recent years have seen the Treasury shoot up the agenda given the length of time the sector had operated in much more benign interest rate conditions. Sector turmoil in 2023 prompted supervisors and banks alike to ensure their ALM, liquidity, and interest rate risk capabilities were adequate for new rate realities. Discover the latest in our dedicated Treasury channel
-
Operational Resilience
The channel for all areas pertaining to the ability of institutions to deliver critical operations through disruption, comprising prudential risk frameworks, internal governance, outsourcing, business continuity and crisis response. Recent years have seen much more scrutiny of the reliance of institutions on technology and third parties, with the former very much on the supervisory agenda, perhaps most explicitly embodied in the advent of the Digital Operational Resilience Act (DORA) in Europe
-
Regulatory Compliance
With an increasingly complex and interlinked risk landscape, comes an equally complex, corresponding regulatory framework, and it's no surprise how high up regulatory compliance now features on the bank agenda. Check in with your peers on the issues driving this key risk management capability, including compliance operating model, regulatory horizon scanning, and financial crime compliance
-
Climate and ESG Risk
Channel dedicated to discussion on the supervisory and societal expectations driving banks to meet their sustainability goals, by embedding ESG criteria into enterprise risk management frameworks to address climate-related and social risks, as well as financial institutions' climate risk stress testing capabilities and disclosure requirements
-
Stress Testing
From supervisory exercises, to internal scenario-planning, crisis simulation and war gaming, stress testing has become an established, post-GFC, risk management tool that institutions are expected to have in place in order to demonstrate the sustainability of their business model and ensure ongoing confidence in the bank. Discover the latest on stress testing in our dedicated channel
-
Model Risk Management
Whilst dedicated risk management for the development, monitoring and validation of risk models has been long established, the advances in technology, analytics and data driving the banking industry have prompted such model risk frameworks to be updated and enhanced accordingly. Discover the latest impacting your peers across the model lifecycle - model definition, model vs non-model scope, validation, monitoring, periodic review, model risk reporting and governance
-
Risk Culture
Organisational culture has long been recognised as a key component of risk-taking and risk-averse behaviours, making it an important dimension underpinning the overall effectiveness of risk management more broadly within an organisation. Use this dedicated space for more discussion on methodologies, values, and behaviours within an organisation that shape its approach to risk management and overall awareness and understanding of risk
-
Risk Data and Analytics
With so much change in the risk landscape and operating environment, discover insights and discussion on how developments in data and analytics are impacting risk functions, including the deployment of AI and regulatory pressures such as BCBS 239
-
In the third quarter of 2023, chief risk officers around the world ranked geopolitical risk as 12th on their list of priorities for the next year, according to the 13th annual global bank risk management survey from EY and the Institute of International Finance (IIF). It occupied the same spot for their boards. By the time the 14th edition of the survey appeared in February 2025, geopolitical risk was third for chief risk officers (CROs) and second for boards, surpassed only by cybersecurity.
As long-established assumptions about international relationships and political norms have started to unravel, financial services firms have become much more attuned to the geopolitical risks that flow from their changing environment. The same is true of their supervisors. In January, the European Central Bank identified geopolitical risk as a top priority in its 2025–27 supervisory programme.
Risk management specialists interviewed for this article said supervisors are not yet being prescriptive about what firms should be doing, but they are seeking more detail about how firms are addressing this issue and what actions boards are taking. This, in turn, is prompting more urgent questions from boards to executive teams, requiring CROs to become ‘fortune tellers’, as the EY–IIF report puts it.
Framing geopolitical risk
Banks and other financial firms often frame their risk management in terms of ‘vertical risk stripes’ – specific topics such as various types of credit risk, market risk, liquidity risk, cyber and operational risks, and non-operational risks such as financial crime. Cross-cutting ‘horizontal risk drivers’ such as pandemics, climate and geopolitical risks can have impacts across some, or all, of these verticals.
In a paper published in 2023, Oliver Wyman argued that financial institutions have made progress in recent years in understanding the effects of some crosscutting risks – notably climate – on their vertical risk stripes. But less progress has been made on geopolitical risks.
Historically, geopolitical risk has often been addressed via teams focused on country risk as a subset of the credit risk function, says Mark Abrahamson, head of finance and risk for the UK and Ireland at Oliver Wyman. “What we have seen in the past 12 months has elevated this topic to a completely different level. Banks are now thinking about how to professionalise around geopolitical risk, and those models are still evolving.”
A key part of the model is to ensure that the organisation has prepared a plan of action for the immediate steps it will take when sudden crises occur. The emergence of Covid was a powerful prompt to ensure these action plans are in place.
Tailored scenario planning
Beyond the steps to ensure high-level preparedness, the tool that financial services firms are adopting to manage geopolitical risk is scenario planning – positing severe but plausible scenarios and working out what impact they could have on the organisation and how those risks should be managed.
Since the global financial crisis of 2008–09, regulation has stress-tested banks to check their ability to deal with specified risk scenarios. These scenarios have usually been relatively narrow and clearly defined, although more banks are starting to introduce geopolitical expertise into the scenarios that their stress-testing teams will run.
But effective scenario planning for geopolitical risks, which can take a huge variety of forms, presents a more complex challenge: it is simply impossible to anticipate all eventualities. When boards and executive committees are asking for assessments of new scenarios every week or two, the planning team will struggle to arrive at robust answers. This is where a focus on operational resilience and robust crisis playbooks represents an important line of defence.
In using scenario planning, organisations must resist the temptation to start from the scenarios they generate and try to map their effects back onto the business, says Nick Greenstock, CEO of Gatehouse Advisory Partners, a geopolitical risk consultancy. Instead, each firm should start by mapping its specific risk exposures, which will be determined by the scope of its activities and relationships. “Risk exposures are distinct. They’re idiosyncratic to the institution, even if it feels like they should be roughly the same,” he says.
Only when a firm understands its individual risk exposures can it usefully overlay scenarios to pinpoint where the biggest potential impacts will be felt and how they should be managed. If firms do not understand where the pressure points are before they start generating scenarios, they will struggle to prioritise the most serious threats. Nick believes the financial sector is among the most advanced in understanding where its risk exposures lie, thanks in part to increased scrutiny from financial regulators over the past 15 years.
Drawing on wider expertise
In developing scenario planning capability, it is also critical to include experts from beyond the risk management function.
Andrew Duff, partner in financial services risk consulting at EY, suggests that scenario planning teams should be made up of a relatively small group of experienced people with close proximity to the business, including those with senior management responsibilities, to capture the likely operational impact of different risk scenarios. This is important in playing through the scenarios effectively from a risk management perspective, but it will also help firms to identify the opportunities that shifting geopolitical risks might present for the business. He also suggests that generative AI could be helpful in accelerating the initial generation of scenarios to feed into the planning process.
Tapping into political analysis
But is scenario planning enough to allow organisations to manage their geopolitical risks? No, says Derek Leatherdale, senior geopolitical risk adviser at the consultancy Sibylline, who set up the geopolitical risk team at HSBC after joining the bank in 2007 from a career in intelligence.
Organisations tend to turn to scenario planning as part of their response to sudden, acute geopolitical crises, Derek says – such as Russia’s invasion of Ukraine or a potential attack on Taiwan by China. But, as well as periodic shocks, geopolitical risk involves slow-moving trends that can transform a business’s prospects, he says. “It’s much longer-term, slower-burn changes to things like regulation, public policy, trade patterns and economic relationships. Scenario analysis doesn’t necessarily help you understand what the impacts of those things might be over time.”
Understanding these longer-term trends requires access to expertise in political analysis, for example, from government foreign policy experts, which institutions should be able to access through their government relations teams. However, Derek notes, very few CROs have taken even this basic step to enhance their organisation’s political antennae.
A holistic understanding
Geopolitical risk is a shapeshifter, presenting itself differently to succeeding generations. In the 1970s, it was connected most strongly with instability in the Middle East, while in the 80s and early 90s, emerging market sovereign default risk came to the fore. More recently, the rise of China and the increasing presence of right-wing groups in global politics have given it a different face. But in each case, the pattern has been one of slow-moving trends that erupt from time to time into acute crises. Addressing geopolitical risk effectively means understanding both the slow and fast-moving elements.
It may therefore be encouraging that 56% of respondents to the latest EY–IIF risk survey say they intend to enhance both their political risk assessment and scenario planning capabilities, a figure that reached 82% among those designated Global Systemically Important Banks.
However, even if the proportion were to reach 100%, the comment attributed to President Eisenhower would still apply: “Plans are useless, but planning is indispensable.” Or as Louis Pasteur put it, “Chance favours the prepared mind.”
Mark Abrahamson leads Oliver Wyman’s European Finance and Risk Practice from our London office. Combining his academic background with practical in-depth client and sector knowledge, he is passionate about helping firms stay resilient in the face of increased complexity. His areas of focus include financial, non-financial, and compliance risk, relating to the key areas of conduct, culture, and effective governance.
Europe’s Anti-Financial Crime Landscape Poised for Transformational Change in 2026
Europe’s approach to combating financial crime is entering its most significant phase of evolution in decades. Faced with mounting regulatory consolidation, cost pressures, rapid advances in artificial intelligence (AI), and increasingly sophisticated criminal tactics, financial institutions must rethink how they identify and manage risk across borders and business lines
At the centre of this transformation are two major developments: the Anti-Money Laundering Authority (AMLA) and the new European AML Rulebook (AMLR). Together, these elements establish a harmonised regulatory and supervisory framework across the EU. AMLA, which launched in July 2025, will bring direct supervision to roughly 40 high-risk institutions by 2027 and become fully operational by 2028, while the AMLR creates consistent standards and methodologies to replace fragmented national rules.
For financial crime executives, this shift demands more than compliance checklists—it requires organisational change. Firms are encouraged to harmonise internal policies, streamline transaction monitoring, unify supervisory response functions, and align risk assessments and model governance with the new European standards.
Cost and value dynamics are also changing. As volumes of data grow and false positives proliferate, anti-financial crime (AFC) functions must move from cost-centric models to ones that demonstrate measurable value. Leveraging AI to automate routine investigations—while reserving skilled human judgement for nuanced cases—can help improve detection quality and reduce operational drag.
Advances in generative AI and machine learning are unlocking further potential, enabling faster triage, improved outcome consistency, and enhanced analytical capabilities. The next frontier lies in agentic AI—systems that can autonomously manage risk workflows within controlled, explainable frameworks, enabling real-time monitoring and dynamic risk scoring.
Finally, the insight highlights the growing importance of public-private partnerships (PPPs) and shared utilities. Criminal networks exploit data silos and fragmented defenses; by contrast, collaboration—supported by privacy-enhancing technologies such as federated learning—can improve detection accuracy, reduce false positives, lower costs, and strengthen compliance credibility across the industry.
In sum, 2026 represents a pivotal moment for European AFC leaders: a chance to leverage regulatory reform, technological innovation, and collaborative intelligence to build more efficient, resilient, and proactive defences against financial crime.
Supervisory Priorities - UK & Europe
Across the UK and EU, supervisors are sharpening their focus on resilience, data, and disciplined execution amid significant regulatory change. In the UK, both the PRA and FCA are balancing competitiveness and growth objectives with heightened expectations around risk management, operational robustness, capital readiness, and consumer and financial crime outcomes—alongside efforts to modernise supervisory processes and reporting. In the EU, the EBA and ECB are driving rulebook delivery, supervisory convergence, and technology-related oversight, with particular emphasis on geopolitical resilience, ICT and third-party risk, and the governance of emerging digital and AI use cases. Collectively, the agenda signals sustained supervisory intensity, with firms expected to demonstrate strong fundamentals while adapting to evolving frameworks and innovation-led risks.
UK
Prudential Regulation Authority (PRA)
Strategic risk management (incl. trade finance, private markets, NBFI exposures, CCR, SRT discipline, model risk, new tech)
Expect continued supervisory pressure on risk identification/aggregation (especially around NBFI counterparty credit risk and private markets connectivity) and board-level visibility of exposures; also tighter governance expectations around SRT capital relief and model risk remediation
Operational resilience (incl. cyber resilience and third‑party dependencies)
Banks should anticipate deeper challenge on operational resilience testing, plus more scrutiny of cyber preparedness and outsourcing/third‑party concentration, including expectations for contingency/exit testing and “don’t rely solely on vendor assurance” approaches.
Financial resilience (capital & liquidity) with major regime change ahead
PRA is explicitly linking 2026 supervisory work to readiness for Basel 3.1 implementation on 1 Jan 2027, alongside the Strong and Simple regime for SDDTs on the same date; banks should expect material focus on capital planning, RWA accuracy, and permissions. The PRA also flags variable Pillar 2 requirement rebasing in 2026 with a 31 March 2026 data submission deadline, which can drive near‑term workload and potentially affect requirements.
Data risk (incl. BCBS 239 benchmarking and potential skilled person reviews)
Banks should expect continuing pressure to strengthen data governance, architecture and validation; the PRA signals willingness to use specialist/skilled person reviews where weaknesses persist—so data programmes can become a supervisory-critical path item.
Competitiveness & growth (see below for secondary objectives)
Reporting burden reduction (Future Banking Data programme)
Alongside higher data quality expectations, the PRA is explicitly pushing streamlining/modernising reporting via the Future Banking Data programme—this can mean change in reporting processes and architecture (even if intended to reduce burden over time).
Supervisory approach / efficiency: shift to a two‑year cycle for PSMs and other streamlining
PRA plans to move remaining firms from annual to biennial PSM cycles and accelerate certain approval timelines; banks may see fewer formal cycle-driven engagements but should expect continued cadence on material issues, plus operational changes in PRA interaction models
Financial Conduct Authority (FCA)
A smarter regulator (more efficient/effective; proportionate and predictable)
Banks can expect continuing changes in data collection and regulatory interactions (including FCA efforts to stop some returns, digitise processes, and enable ad‑hoc “flexi collections”), plus an FCA supervision model that aims to focus resources on the highest harm and act faster in higher-risk cases.
Supporting growth (competitiveness, productivity, innovation)
For banks, this tends to translate into a mix of (i) enabling frameworks (e.g., Open Banking/Open Finance) and (ii) regime-building work (e.g., crypto/stablecoins) that can create opportunities but also new compliance and operating model requirements. The FCA’s work programme explicitly funds major growth-oriented initiatives like Open Finance and crypto regime work.
Helping consumers navigate their financial lives
Banks (especially retail) should expect continued FCA focus on consumer outcomes—resilience to shocks, saving/investing, and consistently good experiences—often manifesting as supervisory attention to product design, customer journeys and (where relevant) market-wide reviews (e.g., the FCA signals work like a public discussion on the future mortgage market).
Fighting financial crime
Banks should expect ongoing emphasis on measures that slow fraud growth, protect market integrity and tackle money laundering; that typically drives scrutiny of AML systems/controls, governance, and how firms prevent/identify/respond to fraud typologies
EU
European Banking Authority (EBA)
Priority 1 — Rulebook: efficient, resilient and sustainable single market
Banks should expect sustained EBA focus on single-rulebook delivery and consistent implementation, with major workload tied to CRR/CRD mandates (the SPD references a large pipeline of mandates through 2028 and explicitly flags prioritisation of Basel III implementation and issues like third‑country branch access/consolidation topics).
Priority 2 — Risk assessment: tools, data and methodologies for effective analysis/supervision/oversight
Expect continued evolution in EU supervisory analytics and benchmarking—i.e., more structured use of data and methodologies to support supervisory convergence and risk monitoring, which can translate into data/reporting expectations and more comparable supervisory scrutiny across Member States.
Priority 3 — Innovation: enhancing technological capacity
This priority explicitly connects to the EBA’s expanding perimeter and tech-related supervisory roles, including new responsibilities tied to DORA and MiCA; for banks, this typically elevates expectations on ICT/third-party risk and on how firms interact with crypto-asset ecosystems (directly or via clients/counterparties).
Cross-cutting: simplifying/streamlining the regulatory and supervisory framework
The EBA states it is pursuing efficiency and simplification, including actions aimed at reporting burden and the production of Level 2/3 products. If executed, this could reduce duplicative requirements over time, but it can also trigger transition costs (systems/process change) as the reporting stack is redesigned.
European Central Bank (ECB)
Priority 1 — Resilience to geopolitical risks and macro‑financial uncertainties
The ECB signals planned work that includes thematic review(s) of credit underwriting standards, follow-on reviews (e.g., loan pricing where relevant), and continued attention to capitalisation and CRR III implementation—all of which can affect supervisory findings, remediation programmes, and (indirectly) capital planning and RWA governance. Climate and nature-related risk management and transition planning also sit within Priority 1’s vulnerabilities/work programme.
Priority 2 — Operational resilience and robust ICT capabilities
Expect supervisory intensity around DORA implementation (especially ICT third‑party and incident response), plus OSI campaigns, targeted reviews (e.g., ICT change management), and threat-led testing. ECB also highlights the need to remediate longstanding RDARR (risk data aggregation/risk reporting) issues and sets out a system-wide strategy with escalation if remediation is slow.
Medium-to-longer term focus — digital and AI strategies, governance and risk management
The ECB is explicitly moving toward more structured engagement on banks’ AI (incl. generative AI) use cases, governance and controls—this can drive enhanced model risk management practices, data controls, and tech risk governance expectations over the 2026–28 horizon.
As announced as part of the government’s Financial Services Growth and Competitiveness Strategy, the Prudential Regulation Authority (PRA) has introduced a more responsive approach for receiving, reviewing, and approving Internal Ratings Based (IRB) model applications. This new approach is designed to enhance the model approval process for banks with existing internal models.
Key elements of the PRA’s updated approach include:
Enhanced Pre-Application Engagement: PRA will work more closely with firms before formal submissions to assess readiness and flag complex issues early.
Dedicated Submission Slots: Firms will have designated slots for application submission, increasing procedural clarity and predictability on both sides.
Accelerated Documentation Quality Checks: The PRA aims to complete thorough checks on application documentation within 4 weeks.
Defined Review Timelines: Complete submissions will undergo review within 6 months if no additional information is needed.
Final Decision Targets: PRA targets concluding decisions on applications within 18 months.
Implications for Banks
This transparent and disciplined approach is welcomed by firms. However, it makes banks’ committed model submission dates more important than ever. Firms need to be confident, a year in advance, that they will be able to deliver the model in a given month, having gone through a robust governance and validation process. They will also need to ensure all parts of the submission are complete and of good quality. Failure to deliver on time or to the expected standard will risk putting them ‘at the back of the queue’, resulting in more costly re-developments and potentially supervisory add-ons.
We see leading banks taking the opportunity to enhance their IRB model delivery and submission strategies.
Conduct a Comprehensive End-to-End Stock-Take of IRB Submissions
Across the board, we have observed the following best practices to fully review the current IRB model submission plans. This stock-take includes:
Evaluate the feasibility and readiness of each submission relative to the PRA’s timelines and quality expectations. This is done in the light of both previous supervisory feedback and modelling challenges, to come to an honest assessment of whether a model can be delivered in a certain month.
Integrate business and strategic priorities—focus should be placed on portfolios that align with the bank’s risk strategy and have the highest business impact.
Evaluate levers to shorten delivery timelines: most banks now run some model development activities in parallel rather than following a sequential ‘waterfall’ type approach.
Incorporate implementation readiness: given the PRA's more certain and shortened review timelines, banks should rigorously assess their ability to implement approved models within the required timeframe. Implementation timelines should be a critical dimension in deciding which models are "ready" for submission, ensuring that operational systems and infrastructures are aligned to support timely deployment post-approval.
Enhance planning and regulatory engagement
Our experience shows that the following three pillars are critical to ensuring a smooth, timely, and successful approval:
Rigorous project management: the more formally and firmly committed timelines demand rigorous project management and discipline to meet deadlines. Late or rushed submissions significantly increase the risk of extensions and requests for additional information.
Avoid pitfalls from weak or incomplete documentation: all components of the submission package, and in particular model documentation, need to be planned from the outset to avoid gaps or quality issues that could ‘stop the clock’ on the model review and force a re-submission.
Maximize the impact of pre-engagement meetings: the new pre-engagement meetings are an opportunity to present key elements of the model to the PRA end-to-end and provide specialists with the answers to key questions early on. In order to use this valuable time in the most impactful way, banks should prepare materials that directly address the PRA’s key areas of focus, including:
Quality and depth of data and historical information used
Key judgments and modelling assumptions
Evidence of senior management involvement and ownership
Thoroughness of internal model validation and challenge processes
By preparing high-quality, thoughtful presentations, banks can avoid surprises during the review phase.
How We Can Help
We recognise that the evolving supervisory approach poses new challenges and have worked with our clients to address these:
Ensuring high-quality, complete submissions that meet PRA expectations and pass documentation quality checks first time
Providing targeted project support to help banks meet the PRA’s accelerated regulatory timelines without sacrificing rigor
Assisting clients in strategically prioritizing IRB submissions to align with both regulatory readiness and broader business goals, maximizing impact and resource efficiency
By partnering closely with our clients on these fronts, we help them transform regulatory requirements into competitive advantages and successfully navigate this evolving regulatory landscape.