Risk Management and Compliance

The banking business is full of risks, large and small. The greatest risks demand the most attention:

  • Credit risk generated by lending activities
  • Market and counterparty risk from trading activities (especially derivatives trading)
  • Liquidity risk arising from mismatched assets and liabilities
  • Operational risk caused by error and omission in core systems and processes
  • Risk associated with writing insurance contracts

Three of the principal issues facing banks and other financial institutions today are regulatory compliance, adapting risk management models to a shifting environment, and minimizing risk in a cost-effective way. Above all, financial institutions must take a proactive approach to managing risk.

Creating a More Digital, Resilient Bank

It’s safe to say that in banking, disruption is now here. Innovations that were bleeding edge just a decade ago—such as robotic process automation, machine learning, artificial intelligence, and cloud computing—are joining the mainstream. Likewise, fintechs, bigtechs, and digital leaders that emerged during the past decade have already begun to form strategic banking partnerships and to carve out specialized niches. As transformation accelerates, open banking, instant payments, and other advances will create enormous value for fast-moving institutions—while disintermediating those that move too slowly.

Yet as the banking value chain breaks up, banks will get the opportunity to reposition themselves. They will likely pursue a mix of strategies, such as becoming platform leaders, being specialist providers, and promoting infrastructure-as-a-service offerings. The cost basis will also change, and banks will need to be leaner and more efficient if they are to compete effectively against digitally mature peers and fintechs. Overall, banks are reaching an inflection point. While outside forces may have dictated the path in the post-recessionary period, banks now have an opportunity to lead the way.

Enhancing Cyber Resilience

Every day the financial sector is subject to cyber-attacks. The European Central Bank in May 2018 published new guidance aimed at helping financial infrastructures and institutions create simulations of cyber-attacks that closely resemble those in the real world. Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) supports European and national authorities in conducting the tests, which should be applied to investment and commercial banks, payment systems, central counterparties, exchanges, and other entities. TIBER-EU is currently advisory. But given the rising menace of cyber-attacks, it makes sense for financial institutions to start testing now.

Getting Ahead of the New Curve in Reference Rates

EONIA and EURIBOR, the reference rates for financial contracts with a nominal value of more than €150 trillion, are about to be replaced. Because these rates are ubiquitous in contracts between banks and their counterparties, and commonly used in valuation modeling and internal transfer pricing within banks, nearly every part of the balance sheet and nearly all front-to-back processes are affected.

The shift to new reference rates presents banks not only with one-off transition costs but also with significant risk. If the old rates are no longer published, existing contracts referencing them will need to be renegotiated, presenting not only direct financial risk but also the legal, conduct, and reputational risks that attend such a sensitive process. Redesigning products, hedges, and valuation models for use from 2020 presents the same risks. Get things wrong, and a bank’s balance sheet, legal position, and reputation with customers could all be damaged. A new BCG White Paper explains how banks can manage the transition.

Banking On the Digital CRO

Imagine a virtual boardroom in which powerful, user-friendly dashboards allow risk leaders to simulate and stress-test potential strategies on the spot, a function in which steering is integrated and predictive modeling tools provide early notice of financial, operational, compliance, and cyber risks. That’s the future, and it is not a distant one. Indeed, within ten years, leading chief risk officers (CROs) will have these capabilities. Given the unique skills and data that are present within the risk function, a digital CRO could become both a nucleus and a force multiplier for bank-wide digital transformation. Achieving these benefits, however, will require a clear digital strategy, well-aligned use cases, and the right enablers.

BCG’s Global Regulatory Database

In 2012, with the aim of capturing and tracking all upcoming regulations influencing major banking hubs worldwide, BCG established its Global Regulatory Database. Today, having been continuously upgraded and improved, the database has developed into an interactive, web-based solution that includes numerous filter possibilities and export functions. The database not only provides a window for viewing original regulatory documents, but offers value-adding information that helps banks’ senior management facilitate implementation, prioritize and reduce compliance costs, and make strategic decisions — all based on a comprehensive, holistic view of the ever-evolving regulatory climate.

The BCG Regulatory Database provides:

  • Summaries of regulations and regulatory proposals
  • Maturity assessments (regarding the likelihood of significant change to evolving regulations)
  • Updates on regulations’ legal status (such as already implemented, under discussion, and on hold)
  • Identification of banking entities and products most affected by pending regulations
  • Analysis of both the domestic and cross-border (where applicable) scope and implications of regulations
  • Tracking of proposed and/or expected compliance dates
  • Web links to original, official regulatory documents

Four Key Questions for Financial Institutions

Q: How can an institution efficiently manage its financial resources?

As financial institutions employ capital and maintain liquidity, they must adhere to strict regulatory requirements. At the same time, they need to find the best opportunities to earn a return and satisfy shareholders.

Q: How can the effectiveness of risk management be improved?

Companies should continually evaluate whether their risk management procedures are adequate. As requirements change, financial institutions have to consider the implications for governance, systems, and infrastructure.

Q: What is the impact of new regulatory requirements?

Regulations such as Basel III in banking, Solvency II in insurance, and International Financial Reporting Standard 9 are forcing companies to create new systems to ensure compliance. Companies must also manage costs associated with the increasingly strict regulatory climate.

Q: How can an institution manage its biggest risks?

Financial institutions first need to identify their biggest risks. Once identified, those risks must be understood and managed at every level.

Lessons from Risk Management in Other Industries

Banks face many sources of risk. Regulatory and competitive pressures are forcing institutions to confront them and manage them rigorously. But how can banks know where to begin? Sometimes, it’s useful to explore how risk is managed in other industries.

FAA’s Peggy Gilligan on Risk Management in Aviation

In this video, Gilligan shares her thoughts on risk management with Duncan Martin, a senior partner and managing director in BCG’s London office and coauthor of Rethinking Risk Management in Financial Services: Practices from Other Domains.

Marc Castellnou on Risk Management in Firefighting

In this video, Castellnou, Head of Fire Analysis and Strategy, Fire Service of Catalunya, discusses how risk is perceived and managed in the firefighting industry.

Learn More About Risk Management

Trimming the Sails

BCG’s 2018 Treasury Benchmarking Survey, the fifth in a biennial series, continues the story of how treasuries have responded to one of the most challenging periods in banking history. For most, it has been a journey of significant and, in some cases, profound change.

Why Aren’t Banks Getting More from Digital?

Banks understand that digitalization will drive the successful delivery models of the future. Few, however, have managed to make it pay, suggesting that a fresh approach to digital is needed.