At our recent Banking CRO Forum, we brought together regulatory leaders, technology innovators, and AI specialists - alongside insights from the Prudential Regulation Authority (PRA) - to explore what this means for firms preparing for critical regulatory milestones amid accelerating technological disruption. This discussion builds on themes explored in our recent report, “Risk management for CROs in the banking sector: an ever-changing landscape”.
Global context: diverging regulatory approaches
The industry is seeing a trend of growing divergence in global regulatory strategies, especially within the key jurisdictions of the United States, European Union and the United Kingdom.
In the United States, we are seeing rapid implementation of a “modernisation” agenda: lighter-touch regulation and supervision, a move away from “gold-plating”, a higher risk tolerance, and a more market- and innovation-friendly stance.
In contrast, the European Union is pursuing a prescriptive approach, embedding resilience through frameworks such as the AI Act[1] and DORA[2], while grappling with structural complexity that slows simplification.
The United Kingdom’s principles-based approach can be pragmatic yet demanding. It aims to balance flexibility with accountability, and its secondary regulatory mandate of competitiveness and growth places it between the US and EU approaches.
Eric Cloutier, Global Head of Banking Regulations at Forvis Mazars, notes that this fragmentation matters. “CROs must navigate competing expectations while safeguarding resilience and competitiveness. The universal theme? Regulators expect resilience and technology risk to be embedded in governance - not as a compliance checkbox, but as a strategic capability.”
Operational resilience: moving beyond compliance
Post-March 2025[3], the PRA’s lens will shift from implementation to cultural embedding. Financial services firms must demonstrate they can remain within impact tolerances during severe disruptions - not just in recovery time, but across metrics such as transaction volumes and minimum service levels[4].
This has a significant impact on CROs, in particular for scenario testing, third-party oversight and board accountability.
In scenario testing, CROs will need to ensure the process moves beyond generic exercises to targeted, high-impact scenarios that challenge assumptions. When working with third parties, it is critical that resilience is hardwired into vendor arrangements and that exit strategies are identified, so that CROs have sufficient oversight to mitigate risks[5].
As identifying operational risks becomes more important in a complex world, communication with the Board is essential to overall organisational accountability. Delivering clear metrics, alongside early warning indicators and robust remediation plans, underpins resilience.
“Resilience must permeate decision-making - from outsourcing and technology choices to risk appetite. Firms that elevate resilience as a strategic differentiator will outperform those treating it as a regulatory obligation.” – Sarah Ouarbya
AI governance: balancing innovation, control and interdependencies
AI is reshaping financial services, but it introduces risks that traditional frameworks cannot fully address. Continuous learning models, systemic reliance on a few providers, and cyber exploitation risks demand a new governance paradigm. Moreover, AI does not operate in isolation - its interdependencies with cyber risk and operational resilience amplify complexity. AI can expand attack surfaces, enable sophisticated fraud, and introduce cascading failure risks into resilience planning.
CRO priorities should include:
- Tiered governance: Differentiate oversight based on AI risk tiers.
- Data integrity: High-quality, well-governed data is the bedrock of trustworthy AI.
- Dynamic assurance: Shift from static controls to real-time monitoring and adaptive frameworks.
- Integrated resilience: Embed AI and cyber considerations into resilience frameworks to manage systemic interdependencies.
“Well-governed AI is not a brake on innovation, it is an accelerator. Firms embedding AI into resilience frameworks and scenario testing can innovate confidently while maintaining control.” – Sofia Ishan.
Challenges persist:
- Fragmented ownership of risk responsibilities.
- Limited explainability of AI-driven decisions.
- Static frameworks that lag behind dynamic technologies.
Leading firms are responding through integrated governance and cross-functional collaboration, ensuring governance structures remain agile and adaptive.
The evolving role of the CRO
The CRO’s role is undergoing a profound transformation. Once seen primarily as the guardian of compliance, today’s CRO is stepping into a far more strategic position - one that balances innovation with resilience and security. As technology reshapes the business landscape, CROs are expected not only to manage risk but to guide organisations through change with confidence.
Future-ready CROs will need to master new capabilities. This means upskilling teams to build fluency in AI and strengthen cyber awareness across risk functions. It also requires driving a culture of collaboration, bringing risk, technology, and business units together to make informed decisions. And with regulatory landscapes shifting rapidly, horizon scanning - anticipating emerging threats and compliance changes - will be critical.
Boards are becoming increasingly tech-savvy and expect real-time insights and constructive challenge from their CROs. Those who embrace this expanded mandate will not just protect their organisations - they will position them to thrive in an era of rapid technological change.
Turning insight into action
The convergence of operational resilience, cyber risk, and AI is not a future challenge - it is a present reality. Success will hinge on integrating these disciplines into a cohesive strategy underpinned by strong governance and a culture of resilience.
Get in touch with our FS experts
At Forvis Mazars, we combine regulatory insight, technology assurance, and AI expertise to help firms navigate this complexity. To explore how we can support your organisation in building resilience and managing emerging risks, get in touch with our team.
Sources
[1] AI Act enters into force - European Commission
[2] Digital Operational Resilience Act (DORA) - European Insurance and Occupational Pensions Authority
[3] SS1/21 Operational resilience: Impact tolerances for important business services - Bank of England
[4] PS21/3: Building operational resilience: Feedback to CP19/32 and final rules - Bank of England
[5] CP17/24 Operational resilience: Operational incident and outsourcing and third-party reporting - Bank of England