PwC Global Banking Risk Study 2025: AI, Resilience, and Operating Model Transformation
Table of Contents
- Risk Functions at a Crossroads: The 2025 Landscape
- Risk Operating Model Transformation
- AI Reshaping Banking Risk Management
- Non-Financial Risk 2.0 and Operational Resilience
- Navigating Geopolitical and Technological Uncertainty
- The Evolving Regulatory Relationship
- ESG and Sustainability Risk Under Pressure
- Driving Risk Efficiency in Banking
- The Risk Workforce Transformation
- Strategic Roadmap for Risk Leaders
📌 Key Takeaways
- Risk is evolving from guardian to navigator — functions are expected to generate forward-looking insight and enable innovation, not just provide oversight.
- AI is automating core risk processes — from credit memo drafting to AML flag resolution, GenAI is delivering early productivity wins across risk functions.
- NFR 2.0 redefines resilience — concentration risks from cloud/AI vendors, geopolitical disruption, and climate events drive a new approach to non-financial risk.
- Banks advocate for regulatory co-development — moving from prescriptive oversight to iterative engagement with joint sandboxes and feedback cycles.
- CRO role is expanding — requiring collaboration, storytelling, digital fluency, and strategic partnership alongside traditional risk expertise.
Banking Risk Functions at a Crossroads: The PwC 2025 Landscape
PwC’s 2025 Global Banking Risk Study arrives at a pivotal moment for the financial services industry. Risk functions are being reshaped by forces that are “not merely episodic or one-off disruptions but the manifestation of deeper shifts in how value is created, sustained, and contested.” This third edition of the study, following reports in 2018 and 2022, documents the most significant transformation in risk management since the global financial crisis.
The study identifies three converging forces driving this transformation. First, growing complexity in non-financial risk areas — operational resilience, AI governance, cybersecurity, and third-party dependencies — requires new capabilities, different tooling, and more dynamic ways of working. Second, executive management and boards increasingly expect risk functions to provide actionable insight, not just oversight, engaging earlier in the decision process, shaping strategic direction, and enabling innovation. Third, the pace of business has outstripped the cadence of traditional risk models, requiring risk functions to match the tempo of the organizations they support.
PwC frames this evolution through its “Value in Motion” concept — the recognition that value is never fixed but constantly moving across boundaries, geographies, and systems. In this context, risk management must evolve from being a static guardian of stability to a dynamic navigator of movement, from a controller of loss to an enabler of resilience and growth. This conceptual shift has profound implications for how risk functions are organized, staffed, and empowered within financial institutions.
The study draws on extensive dialogue with risk executives across the global banking industry, providing a comprehensive view of how institutions are responding to these pressures. For risk professionals, compliance officers navigating DORA requirements, and financial services leaders, the findings offer both a benchmark for current progress and a roadmap for capability development.
Banking Risk Operating Model Transformation
At the heart of the transformation documented by PwC is the re-architecture of risk operating models, data structures, and technology platforms. Risk functions are moving beyond legacy systems and manual, human-dependent processes to deploy modern platforms that can automate routine tasks, generate dynamic intelligence, and interact with business users in real time.
The study reveals a clear increase in emphasis across three areas that define the trajectory of risk transformation. First, risk brand and mandate — there is consensus among executives on the need for Risk to deliver greater strategic and commercial value, extending beyond oversight into helping shape business choices and enabling growth. Second, operating model redesign — institutions are rethinking how Risk is organized, integrated, and scaled, with new structures, utilities, and cross-functional alignment designed to improve agility and intelligence. Third, culture and mindset — increasingly recognized as critical enablers of transformation, embedding the new mandate through behaviors, leadership tone, and interaction models.
Risk utilities are emerging as shared services for activities such as control testing, reporting, and model development. These centralized capabilities reduce duplication, improve consistency, and free up specialist resources for higher-value activities. Delegated authority and materiality thresholds are being formalized to allow business users to operate within clear risk parameters, reducing bottlenecks while maintaining oversight.
The operating model transformation extends to how risk functions interact with the first line of defense. The emphasis is shifting toward empowering business units through clear boundaries and minimal bureaucracy. In credit, for example, Risk’s role is evolving toward portfolio management, with more automation and delegated authority accelerating decision-making. Similar patterns are emerging in new product approvals and third-party onboarding, where materiality-based decision-making frameworks allow faster execution while preserving essential risk oversight.
AI Reshaping Banking Risk Management in 2025
PwC’s study provides compelling evidence that AI is fundamentally changing the shape and rhythm of risk management in banking. Tasks that were once repetitive and manual — reviewing remediation plans, scripting control tests, drafting credit memos — are now being delegated to intelligent agents and smart tooling. These AI-powered tools augment human decision-making, streamline execution, and unlock new possibilities for pattern detection and predictive analytics.
Productivity remains the dominant use case for AI in risk management. Financial institutions are deploying generative AI to reduce friction in document-heavy processes, increase the speed of insights, and improve consistency in decision-making. The early wins are tangible and measurable: risk functions are seeing real benefits in credit analysis, fraud detection, compliance monitoring, and non-financial risk assessment.
Specific use cases highlighted in the study include real-time AML flag resolution, where AI systems can triage and investigate suspicious transaction alerts far faster than manual processes; policy simplification through natural language processing, enabling risk teams to navigate complex regulatory requirements more efficiently; and agent-driven assurance models that monitor operations autonomously, escalating issues to human reviewers only when predefined thresholds are breached.
However, the transition from tactical AI innovation to organizational redesign remains incomplete. While most institutions have identified and piloted AI use cases, few have achieved the level of integration needed to realize AI’s full potential in risk management. The barriers include data quality challenges, legacy technology infrastructure, talent shortages in both AI and risk domains, and the governance complexities of deploying AI in a heavily regulated environment. Institutions that can overcome these barriers stand to gain significant competitive advantages in risk management effectiveness and efficiency, drawing on insights from the EU’s evolving AI governance framework.
Non-Financial Risk 2.0 and Operational Resilience in Banking
Rethinking non-financial risk and resilience has become a defining theme in the 2025 risk agenda for banking. PwC’s study documents a paradigm shift driven by geopolitical uncertainty, climate-related events, supply chain disruptions, and an increasing reliance on a concentrated set of technology providers. The traditional approach to non-financial risk — reactive, siloed, and compliance-focused — is giving way to a more integrated, forward-looking framework that the study terms “NFR 2.0.”
The resilience agenda extends beyond the firm’s perimeter. Concentration risks related to cloud and AI vendors are prompting fresh dialogue on strategic dependence, vendor assurance, and regional technology sovereignty. With a small number of cloud providers supporting a large proportion of the financial services industry’s infrastructure, a major outage or security breach at a single provider could have systemic implications. Some firms are revisiting third-party governance models, while others are collaborating with regulators and industry groups to stress test shared vulnerabilities and contingency plans.
Critically, resilience is being embedded into broader transformation initiatives rather than treated as a standalone compliance requirement. Digital twins, scenario analysis platforms rooted in process intelligence, and cross-functional resilience squads are helping firms design for complexity and unpredictability — not merely recover from disruption. This proactive approach to resilience represents a significant evolution from the traditional business continuity planning paradigm.
The mandate of the Enterprise Risk Management (ERM) function is evolving: it is converging with NFR functions while top-and-emerging risk practices are being uplifted to anticipate the capabilities required for major upcoming shifts such as quantum computing and general artificial intelligence. Significant investment is flowing into scenario analysis tooling, enhancing traditional stress testing with the modern simulation capabilities required for operational resilience while acknowledging the importance of qualitative expert assessments.
Navigating Geopolitical and Technological Uncertainty in Banking
PwC’s study highlights the unprecedented convergence of geopolitical, social, and technological uncertainties facing banking risk functions. From trade policy disruptions and tariff regimes to social media-driven bank runs and quantum computing threats, risk teams must contend with a broader and more dynamic threat landscape than at any point in recent history.
The interconnection of these risks creates compound scenarios that traditional risk models struggle to capture. A geopolitical event can trigger technology supply chain disruptions, which in turn create operational resilience challenges, which may then lead to reputational damage amplified through social media channels. Risk functions that operate in silos — with separate teams addressing market, operational, and reputational risks — are ill-equipped to manage these cascading risk scenarios.
Quantum computing represents an emerging risk that forward-thinking institutions are already addressing. While practical quantum computers capable of breaking current encryption standards are likely several years away, the threat window is approaching rapidly enough that banks must begin planning their cryptographic transitions now. The study notes that risk functions are beginning to incorporate quantum risk into their emerging risk frameworks, though most institutions are still in the early stages of understanding the implications.
Social media’s role in amplifying financial contagion is another area of growing concern. The speed at which negative narratives can spread — as demonstrated by the Silicon Valley Bank collapse — has fundamentally changed the dynamics of bank liquidity risk management and financial stability. Risk functions are developing new monitoring capabilities that track social media sentiment in real time, enabling faster response to emerging reputational threats.
The Evolving Banking Regulatory Relationship
A cornerstone of the evolving risk landscape documented by PwC is the ambition to fundamentally adjust the relationship between financial institutions and regulators. The current regulatory model — prescriptive, static, and often fragmented — is increasingly viewed as struggling to keep pace with innovation in AI, ESG, operational resilience, and third-party dependency management.
Financial institutions are advocating for a new approach based on co-development of standards, greater clarity in supervisory expectations, and more iterative engagement. This vision includes formal feedback cycles where institutions can contribute practical insights to regulatory development, joint sandboxes where innovative approaches to compliance can be tested in a controlled environment, and international alignment on critical issues like digital identity, data provenance, and AI liability.
The regulatory push-back against AI adoption in financial services illustrates the tension inherent in the current relationship. Regulators appropriately demand explainability, fairness, and accountability in AI-driven decisions, but prescriptive rules designed for traditional model risk management may not be well-suited for the rapid iteration cycles characteristic of modern AI development. Finding a regulatory approach that enables innovation while protecting consumers and financial stability requires closer collaboration between regulators and the institutions they supervise.
PwC’s study suggests that the most productive path forward involves acknowledging that both regulators and institutions share a common interest in a stable, innovative financial system. The institutions that engage constructively in the regulatory dialogue — sharing practical experience, proposing workable standards, and demonstrating responsible innovation — will be better positioned to influence the regulatory environment in ways that support both compliance and competitive advantage, building on frameworks established by the NIST AI Risk Management Framework.
ESG and Sustainability Banking Risk Under Pressure
While most financial institutions remain committed to sustainability targets, PwC’s study reveals that geopolitical and regulatory divergence are creating formidable challenges that are increasingly difficult to navigate. The ESG landscape has become significantly more complex since PwC’s previous study, with different jurisdictions pursuing divergent approaches to climate disclosure, carbon pricing, and sustainable finance regulation.
The study identifies a critical need to step back and establish common foundations through shared taxonomies and data models. Without consistent definitions of what constitutes “green” or “sustainable” finance, institutions operating across multiple jurisdictions face significant compliance complexity and risk of greenwashing allegations. Common protocols for data capture and exchange across society would significantly reduce the burden on financial institutions while improving the quality and comparability of sustainability reporting.
Significant differences in interpretations and practices across jurisdictions highlight the opportunity to review the perimeter of ESG itself. PwC suggests sharpening the focus on climate and environmental risk — where scientific consensus provides a clearer basis for measurement and management — while ensuring that lessons learned from early ESG implementation are reflected in the political and regulatory approach to emerging areas like nature risk and biodiversity.
For risk functions, the ESG challenge is both substantive and methodological. Substantively, climate risk modeling requires capabilities that most risk functions are still developing — including physical risk assessment, transition scenario analysis, and counterparty-level carbon exposure estimation. Methodologically, integrating ESG factors into existing risk frameworks without creating a parallel bureaucracy requires creative thinking about governance structures, data architecture, and reporting processes.
Driving Risk Efficiency in Banking Operations
The pursuit of risk efficiency is a persistent theme across PwC’s study, reflecting the tension between expanding risk mandates and constrained budgets. Risk functions are being asked to do more — covering broader risk categories, providing deeper insights, and engaging more extensively with business strategy — while simultaneously delivering efficiency improvements that contribute to the institution’s overall cost management objectives.
Technology is the primary enabler of this efficiency agenda. Automation of routine tasks — data collection, report generation, control testing, and regulatory filing — frees up human resources for higher-value activities like strategic risk assessment, scenario planning, and business advisory. Cloud migration enables more flexible and scalable technology infrastructure, while API-driven architectures improve data flow between risk systems and business applications.
Process simplification is another important lever. PwC notes that many risk functions have accumulated layers of processes, controls, and governance mechanisms over decades of regulatory change and organizational evolution. Streamlining these processes — eliminating redundant controls, simplifying governance forums, and standardizing reporting templates — can deliver significant efficiency gains without compromising risk management effectiveness.
The measurement of risk efficiency is evolving beyond simple cost metrics. Leading institutions are developing balanced scorecards that track not just the cost of risk management but also its speed, quality, and strategic impact. Metrics like time-to-decision, false positive rates in monitoring systems, and the proportion of risk function activities dedicated to forward-looking analysis versus backward-looking reporting provide a more comprehensive view of risk function performance and alignment with broader supervisory expectations.
The Banking Risk Workforce Transformation
PwC’s study documents a significant transformation in the leadership model and talent strategy for risk functions. The CRO’s mandate has evolved into a leadership role that emphasizes collaboration, storytelling, and digital fluency alongside traditional risk expertise. This broadened mandate reflects the risk function’s expanding scope and the need to communicate complex risk insights to diverse audiences — from board members to business unit leaders to regulators.
Succession planning and talent development are gaining strategic focus. Institutions are moving away from narrow, siloed career paths toward broader, rotational journeys that build holistic, T-shaped profiles — professionals with deep expertise in one risk domain combined with broad understanding across multiple areas. These rotation programs build versatility, improve cross-functional collaboration, and develop the next generation of risk leaders who can navigate the expanding scope of the CRO role.
The talent challenges in risk management are particularly acute at the intersection of technology and risk expertise. Professionals who combine understanding of AI, data science, and advanced analytics with knowledge of banking regulation, risk methodology, and business context are in extremely short supply. Institutions are addressing this through targeted hiring programs, internal upskilling initiatives, and partnerships with universities and training providers that develop combined tech-risk skill sets.
Cultural transformation is recognized as critical to the success of risk function transformation. PwC notes that investment in technology and processes will fail to deliver expected results unless accompanied by changes in mindset and behavior. Risk functions that successfully embed a culture of innovation, collaboration, and continuous learning — alongside the traditional risk management values of rigor, integrity, and independence — will be best positioned to deliver on their expanding mandates.
Strategic Roadmap for Banking Risk Leaders
PwC’s 2025 Global Banking Risk Study offers a comprehensive strategic roadmap for risk leaders navigating this period of accelerating change. The study’s findings converge on a central theme: risk functions must be configured for motion, not just preservation. This means building capabilities that enable continuous adaptation rather than periodic restructuring.
The immediate priorities for risk leaders are clear. First, accelerate the deployment of AI across risk processes, moving from pilot programs to production deployments that deliver measurable productivity gains. Second, redesign operating models to create the structural agility needed to respond to new risk categories and changing business dynamics. Third, invest in talent development that builds the combined technology-risk expertise needed for the evolving risk mandate.
Medium-term, risk leaders must address the strategic positioning of their functions within the broader organization. This means securing a seat at the strategy table, not just the governance table — contributing to business decisions rather than merely reviewing them. It means developing the communication capabilities to translate complex risk insights into compelling narratives that influence executive and board decision-making. And it means building the partnerships — with technology functions, business units, and regulators — that enable risk to operate as a connected, influential function rather than an isolated control tower.
For the financial services industry as a whole, PwC’s study signals that the era of incremental risk management improvement is ending. The scale and pace of change in the operating environment — driven by AI, geopolitics, climate, and technology concentration — demand a more fundamental transformation of risk capabilities. The institutions that recognize this imperative and act decisively will build more resilient, more efficient, and more strategically valuable risk functions — creating competitive advantages that compound over time.
Frequently Asked Questions
What are the key findings of the PwC 2025 Global Banking Risk Study?
PwC’s 2025 study identifies three forces driving risk transformation: growing complexity in non-financial risks (resilience, AI governance, cybersecurity), rising executive expectations for actionable insight rather than just oversight, and the pace of business outstripping traditional risk models. Key themes include AI reshaping risk management, operating model re-architecture, and the evolving regulatory relationship.
How is AI transforming banking risk management in 2025?
AI is fundamentally changing risk management by automating previously manual tasks like reviewing remediation plans, scripting control tests, and drafting credit memos. Banks are deploying GenAI to reduce friction in document-heavy processes, increase insight speed, and improve decision consistency. Use cases include real-time AML flag resolution, policy simplification through NLP, and agent-driven assurance models.
What is Non-Financial Risk 2.0 according to the PwC banking risk study?
NFR 2.0 represents a rethinking of non-financial risk with a focus on resilience, driven by geopolitical uncertainty, climate events, supply chain disruptions, and concentration risk from technology providers. It emphasizes embedding resilience into transformation initiatives through digital twins, scenario analysis platforms, and cross-functional resilience squads.
How is the regulatory relationship between banks and regulators evolving?
Banks are advocating for a shift from prescriptive, static regulation to co-development of standards, greater clarity in supervisory expectations, and more iterative engagement. This includes formal feedback cycles, joint sandboxes, and international alignment on critical issues like digital identity, data provenance, and AI liability.