How to Right-Size Your Risk Function

In a recent article entitled “The Next Frontier in Risk Efficiency,” McKinsey explores ways the financial services industry can evolve, from a risk resources perspective, as times change.

The article’s data comes from a 2021 survey of CROs from large banks in Europe, North America, and Australia, so it does not reflect recent U.S. banking pressures. But for CROs looking to benchmark their staffing levels and allocations—or, as the authors put it, “right-size the risk function”—some findings could prove enlightening.

The authors say that “adding more people does not necessarily lead to better risk management.” But, they add, “risk efficiency and effectiveness are generally positively correlated.”

What banks spend on risk. McKinsey notes a standard they call “risk full-time-employee intensity”: the percentage of a bank’s full-time employees engaged in risk management. For more than 90% of the banks surveyed, this figure (not including financial crime or compliance) landed between 1.6% and 3.5%, with a median of 2.6%. Risk-related expenditures at the banks were in line with their staffing allocations, averaging around 2.5% of operating costs.

An “organizational lever” to boost efficiency, the piece says, is rethinking responsibilities for both first- and second-line-of-defense roles. The second line can increase its focus on emerging risks such as cyber, technology, and climate change. At the same time, the first line can become “more proficient in risk management and handling more risk-taking decisions.” Decision areas, the paper says, could include “underwriting, exceptions management, remediation, collections, know-your-customer and anti–money laundering and sanctions transaction monitoring, fraud management, and, in some cases, developing regulatory models.”

The piece points out traits that are common to effective, efficient risk functions. Here are a few that jumped out:

  • A strong risk culture with clearly defined and actionable responsibilities.
  • Improved financial-crime processes, streamlined KYC tools, and advanced analytics for AML and fraud systems.
  • A risk infrastructure designed for agile decision making and rationalized risk policies.

See the entire list and article here.