Chief risk officers (CROs) in the financial services industry are taking a hard look at their resourcing levels. After years of adding personnel to improve controls of global, multidimensional, and emerging risks, CROs are now also being asked to help improve their institutions’ overall efficiency. This is a reasonable request and a tough one—especially in the context of recent inflationary pressures. On the other hand, CROs feel pressured by supervisors to increase their resources, both on the organizational and regulatory fronts. In any case, CROs must maintain the correct level of resources for proper risk management oversight in line with their fiduciary duties, but it can be difficult to determine the correct resource allocation across many types of risks, fragmented activities, and geographies.
To help CROs benchmark their resourcing levels against peers and learn where efficiencies might be found in their own organizations, McKinsey surveyed CROs at more than 30 large banks in Europe, North America, and Australia—more than half of them global, systemically important banks. We asked them about the resources for their second line of defense (LOD2) risk function at a granular level (based on approximately 80 risk and compliance management activities to ensure comparability and explainability) and the main drivers of their risk function’s evolution over the past few years (for example, organizational structure, offshoring, functional maturity, and the bank’s business model).
An analysis on a limited data sample indicates that adding more people does not necessarily lead to better risk management. Based on our research, risk efficiency and effectiveness are generally positively correlated. Moreover, in our experience, it is possible to reduce costs by 15 to 25 percent on a gross basis (with a portion being reinvested) while increasing risk effectiveness through a well-structured risk transformation program.
Rightsizing the risk function
To rightsize the risk function, many CROs are mapping their risk resources by activity. But comparing risk functions with peers and identifying possible gaps is a difficult exercise. There is significant variation among banks about how they divide responsibilities between LOD1 and LOD2 (for example, in the credit underwriting, financial crime, or fraud processes), as well as between the different LOD2s (for instance, between risk, compliance, legal, and finance). To be relevant, comparisons need to be made at the activity level, as granularly as possible.
In our survey conducted in 2021, we focused on a metric known as risk full-time-employee (FTE) intensity, which is simply the number of FTEs in the risk function divided by the total number of FTEs at the bank. For more than 90 percent of the banks in our sample, risk FTE intensity was between 1.6 and 3.5 percent with a median of 2.6 percent, for a common standardized scope of core risk activities (excluding financial crime and compliance activities). Compared with a similar survey two years earlier, banks below the median tended to still build up their risk resources slightly, while banks above the median tended to streamline, thus converging toward the median. Looking forward, half of CROs expect to grow the number of risk FTEs over the next three years, while 20 percent anticipate a decrease of more than 10 percent.
The largest banks skew lower due to a slight downward correlation between scale and FTE intensity. These scale benefits helped reduce risk FTE intensity by 0.2 to 0.3 percent for a bank with 150,000 employees versus a bank with 50,000 employees. We found no obvious relation between FTE intensity and geographical footprint or business model at the bank level (for example, primarily wholesale versus primarily retail banking), although we observed a higher intensity of wholesale activities within universal banks (approximately 2 times higher).
Among the banks in our survey, substantial variations exist in risk FTE intensity across all risk functions due to factors such as LOD1 maturity, the maturity of the bank’s data management, systems and processes, the degree of supervisory scrutiny, and the history of risk events. Even so, the averages are helpful guideposts.
On the cost side, risk costs among the banks surveyed accounted for approximately 2.5 percent of operating expenditures. Large universal banks, especially with sizable corporate and investment banking, tend to have lower-cost-intensity ratios versus FTE ratios, driven by their higher use of near- and off-shoring for risk FTEs as well as a lower ratio of average risk FTE cost versus front office average FTE cost.
Allotting resources for individual risks
Within the LOD2 risk function, credit risk management represents the bulk of the FTEs, with a median FTE intensity of 1.25 percent. We saw an average decrease of 4 to 5 percent of credit risk FTEs in the past two years, primarily in the credit underwriting area. That was largely due to continued automation of the underwriting process and reallocating more of these responsibilities to LOD1 (Exhibit 1).
We also found that market risk has an FTE intensity of, on average, 0.25 percent. This rose slightly from two years ago, particularly among banks that had the lowest FTE intensity in market risk. Regulatory activity, particularly the Fundamental Review of the Trading Book, helped lift this average. Likewise, operational risk (excluding compliance) also has an FTE intensity of 0.25 percent, which has decreased over the past two years. Several banks have drastically streamlined their operational-risk functions by reallocating more responsibilities to the LOD1 (for example, monitoring and testing). Today fewer “generalist” operational-risk staff support the businesses, with more resources being allocated to building stronger LOD2 expertise on new nonfinancial risks (such as cyber, data, and IT risks).
The remaining risk FTEs are almost evenly split between model risk management, enterprise risk management, and other activities. Model risk management resources have been trending upward as many banks continue to build this function to implement regulations (for example, SR 11-7 in the United States) and expand the types of models being overseen, from regulatory capital models to underwriting models, market pricing models, compliance models, and climate risk models, among others.
This upward trend in risk management resources is set to continue as the types of models requiring validation continue to grow with the introduction of the Prudential Regulatory Authority CP6/22 in the United Kingdom in June 2022. While many banks have built climate risk teams, by and large these are small (less than 15 FTEs in most cases) and serve mostly as a coordinating function. Other established teams conduct climate stress tests and incorporate climate risk into existing risk frameworks, processes, and models.
Three organizational levers to reshape risk for better efficiency and effectiveness
CROs can use these survey results to benchmark against peers as they consider different ways to reshape their risk functions. We learned in our survey work that three organizational levers are of particular interest: refocusing LOD2 responsibilities, balancing resources between individual businesses and geographies versus cross-business and global teams, and near- and off-shoring.
First, there is an ongoing trend to refocus the risk function on traditional LOD2 responsibilities, including appetite setting and monitoring, policy setting, the challenge role, and second-line controls and reporting. Generally, LOD2 also needs to step up competence in new risk types, such as those arising in the domains of cyber and tech security as well as climate change. Meanwhile, LOD1, the owners of particular processes and operations, needs to become more proficient in risk management and handling more risk-taking decisions, such as those entailed in underwriting, exceptions management, remediation, collections, know-your-customer (KYC) and anti–money laundering (AML) and sanctions transaction monitoring, fraud management, and, in some cases, developing regulatory models.
Another choice CROs face with potentially important implications for their function’s efficiency is how much to dedicate resources to support and supervise individual businesses and geographies versus teams with a global or cross-business mission (for example, in transversal risk teams or in shared services centers). This creates opportunities to mutualize tools and expertise, standardize processes and practices across the banks, facilitating risk management (for example, through consolidation of data at the bank level). The approaches to this issue are wide ranging. Some banks in our survey devote less than 10 percent of their risk resources to transversal risk teams and shared service centers, while others allocate more than 50 percent (Exhibit 2).
Among the activities typically managed globally are model risk management and model validation, liquidity risk management, enterprise risk management (ERM) activities such as stress testing and regulatory management, and risk modeling/analytics. Market risk is usually managed globally since it is primarily related to capital markets and Treasury services. Meanwhile, data management, reporting, and LOD2 controls are all good candidates for shared service centers.
On the other hand, credit risk management, and in particular underwriting and portfolio management, is typically managed through specific businesses or geographies. In these cases, being close to originators, clients, and products is unmistakably valuable.
Last, there is the question of near- and off-shoring, though in reality most banks don’t make much use of either. Less than one-third of the banks in our sample reported having more than 10 percent of their risk FTEs near- or off-shored. These are typically the largest, most international banks with top corporate and institutional banking operations and a significant share of staff in high-cost locations (for example, Hong Kong, London, New York, Paris, Singapore, and Zurich). Only a limited number of other banks are considering ramping up near- and off-shoring capacity.
Among the group of banks with 10 percent or more of their risk FTEs near- and off-shored, the median allocation is 33 percent. Two strategies dominate. One is to offshore only the parts of processes that require the most manual work (for instance, data collection for modeling, back testing of models, and reporting), with FTEs reporting to onshore managers. This approach typically limits the maximum off-shoring level to around 30 percent of risk FTEs. Alternatively, some banks choose to near- and offshore full processes (for example, full-modeling life cycle, counterparty rating, or the onboarding process), with managers sitting alongside those operations. This approach permits a higher level of off-shoring.
The risk functions with the highest share of near- and offshore FTEs are operational risk (up to 58 percent) and ERM (up to 41 percent). The remaining functions (for example, credit risk and market risk) allocate, on average, 20 percent of their FTEs to near- and offshore locations. No obvious relation exists between the proportion of risk FTEs in near- and offshore locations and FTE risk intensity—although near- and off-shoring obviously help mitigate costs for banks in major financial hubs.
Building an efficient and effective risk function
Based on our research, risk efficiency and effectiveness are positively correlated. Once the organizational-design choices are made, the best-performing banks share several traits:
- A strong risk culture where LOD1 responsibilities are clearly defined and both LOD1 and LOD2 have the capabilities to execute on their responsibilities. This allows the risk function to focus on its LOD2 role instead of compensating for LOD1 shortcomings.
- A best-in-class credit underwriting process, with front-to-back workflow and digital straight-through processing for private individuals and small and medium-size enterprises. For corporate-credit underwriting, the process should incorporate credit risk scoring models that are streamlined, standardized, and digitally enabled.
- Enhanced digital-monitoring capabilities using counterparty-level credit monitoring tools (for example, anticipatory action early-warning system), automated counterparty ratings, and automated portfolio stress testing.
- Risk reporting that is automated and managed across business units using demand management and modern data architecture. General risk users are supported by self-service risk reporting that is relevant, automated, and based on timely, trusted data. For more advanced information users, flexible query capabilities and what-if forecasting capabilities are available.
- Improved financial-crime processes, such as streamlined KYC tools that use dynamic checklists of standards and requirements, and advanced analytics to AML and fraud systems to reduce false-positive rates to as low as 50 to 60 percent.
- A front-to-back market, counterparty credit risk, and liquidity risk-aligned architecture and models that support data quality (such as risk systems and front-office systems using the same data or even integrated data) and that also reduce discrepancies and manual adjustments and checks required in LOD2.
- Risk organization and governance designed for agile decision making (such as reduced organizational complexity, consolidated teams with similar activities, and zero-based governance meetings) and rationalized risk policies.
- A performance management in place, with dashboards of metrics for risk efficiency and effectiveness monitored over time and compared across sites and regions, which facilitates the sharing of tools and best practices.
- End-to-end strategy for model development and validation, supported by a common model inventory and streamlined process, automation tools, and document repositories across LOD1 and LOD2.
Many CROs are moving to a phase more focused on improving efficiency now that their risk functions have been established. The good news is that once a bank’s risk function reaches a certain level of maturity, adding more FTEs doesn’t necessarily lead to better risk management. While the risk appetite and circumstances of each institution vary, many CROs are struggling to control costs due to the increasing complexity of risks and regulations, compounded by sky-high inflation. In our experience, it is possible to reduce costs by 15 to 25 percent on a gross basis, while increasing risk effectiveness through a well-structured risk transformation program. Leading firms typically reinvest part of these savings to continue to build and reinforce their risk functions.
An understanding of the suite of tools available to CROs, including benchmarks, modeling, and advanced analytics, allows for increased efficiency and effectiveness within their risk organizations.
