Risk Strategy in a Deregulated World

The regulatory pendulum is swinging again—and this time, it’s toward deregulation. As Liming Brotcke writes in The RMA Journal, federal cutbacks, hiring freezes, and policy reversals are reshaping the compliance landscape, prompting new questions for bank leadership. What should risk management look like when the rules start loosening? 

Adapt Risk Practices, Not Just Policies: Regulatory expectations may be shifting, but smart banks won’t gut their risk frameworks. Instead, Brotcke encourages adopting a measured approach. “Modifying risk management practices to accommodate a changing regulatory environment is inevitable and necessary,” she writes. That means revisiting the roles of your three lines of defense. In a less regulated environment, consolidating responsibilities—particularly in credit risk—can reduce duplication and boost responsiveness without sacrificing governance. 

Clarify Financial vs. Nonfinancial Risk: Now is the time to separate the must-haves from the nice-to-haves. Financial risks (like credit or liquidity risk) are always quantifiable—and always relevant. Nonfinancial risks (like ESG, reputational, or compliance risk) may draw less regulatory scrutiny now, but Brotcke notes this creates an opening to reassess which investments still make business sense. 

Reinforce the First Line—Strategically: Brotcke explains that business line risk teams (sometimes called the “1.5 line”) can be a smart way to preserve effectiveness while cutting costs. Positioned close to operations, they can spot issues early and issue self-identified findings—strengthening oversight without relying solely on the second line. In turn, the second line can focus on strategic risk guidance and reporting up to the board. 

Reframe AI Risk Management: AI innovation isn’t slowing down, so risk leaders need a smarter way to keep up. With fewer regulatory mandates, banks can centralize oversight and shift the focus from black-box validation to process validation. According to Brotcke, that means coordinating IT, vendor, cyber, privacy, legal, and model risk under a single team. The goal: to enable innovation, not block it. 

Bottom line: Lighter regulation may offer relief—but not immunity. Brotcke urges banks to “act boldly—but also sensibly.” That means using this moment to retool risk management for speed, efficiency, and long-term strength.