Operational resilience has become critical. How are banks responding?


In recent years, banks have been under increasing pressure to prioritize nonfinancial-risk management. This shift has been spurred by digital disruption, a greater reliance on third parties, geopolitical risks, and global system outages. Meanwhile, heightened regulatory scrutiny across markets is compelling banks to upgrade their compliance efforts (see sidebar, “Regulators around the world are assessing operational resilience”).

Banks have responded aggressively by investing more in their nonfinancial-risk management capabilities. But are their efforts having the desired impact? In our experience, too many organizations approach governance and compliance as a check-the-box exercise, piling controls onto suboptimal infrastructure and practices. That’s a huge missed opportunity. The goal should not be adding controls to a broken and manual process but making that process leaner and more automated.

To manage nonfinancial risk more effectively, banks need to move beyond traditional frameworks to operational resilience: an organization’s ability to anticipate, prepare for, respond to, and adapt to both incremental change and sudden disruption. It spans several dimensions, including business continuity management, production stability, adherence to quality standards, flexible production and workforce, and robust management of third-party vendors and the supply chain. The good news is that most banks already have the necessary building blocks in place; what they now need is to make their governance, frameworks, and operating models work together to achieve operational resilience.

Our research and analysis found that leading banks are addressing the root causes of systemic issues by strengthening their underlying processes, systems, data, and culture. Four actions hold the key: adopting impact-driven management of nonfinancial risk, upgrading governance to manage operational resilience, building out capabilities, and investing in data, analytics, and tooling.

Interconnected risks and increasing complexity

Over the past decade, the center of gravity of the nonfinancial-risk landscape has shifted from compliance-related risks to operational and technology risks. According to ORX’s annual Operational risk horizon report, digital resilience risks—cybercrime, technology, business disruption, third parties, and data—are the top five operational risks.1

Our latest operational-resilience survey of top banks confirms these trends.2 Nearly three-quarters of respondents cite cybersecurity as their top nonfinancial risk (Exhibit 1). By 2025, the cybersecurity market is projected to reach $196.5 billion worldwide.3 Forty-five percent of respondents see rising financial crime as a top priority. Its greater prevalence over the past decade has caused regulators around the world to levy billions in fines related to anti–money laundering. For instance, one high-profile financial institution had to pay hundreds of millions of dollars in regulatory fines—and another had to pay billions.

The evolving nature of nonfinancial risks has increased the complexity of managing them effectively.

Exhibit 1 (image description): Two horizontal bar charts show the top nonfinancial risks today and in three years’ time, in percent of respondents. Arrows for each risk show whether its rank stays the same, rises, or falls. Today, the top five risks are cybersecurity at 73%, financial-crime risk at 45%, external fraud at 36%, technology risk at 36%, and third-party risk at 27%. In three years, cybersecurity is expected to remain the top nonfinancial risk at 82%, followed by technology risk at 45%, up two spots; internal fraud at 27%, up three spots; external fraud at 27%, down one spot; and financial-crime risk at 27%, down three spots. Note: The respondent pool, though small, represents 11 banks with combined annual revenues of about $13 billion and an average of approximately 40,000 employees, so the results may be read as directionally indicative. Source: McKinsey Operational Resilience Survey, 2024, n = 11 banks with headquarters in Australia, Singapore, and Asia more broadly.

Technology risk and external fraud tied for third place. One high-profile example of the former is the 2024 CrowdStrike incident, which caused 8.5 million Windows workstations and servers to crash, causing an estimated $5.4 billion in damage and costs for Fortune 500 companies.4 According to the US Federal Trade Commission, consumers reported losing more than $12.5 billion to fraud in 2024, a 25 percent jump over the prior year.5 Authorized push payment fraud, which involves tricking individuals into initiating payments to fraudsters, is one of the most common types of fraud facing banks.

Third-party risk and internal fraud share fifth place. Third-party risk is often related to cyber events. One prominent example was the Accellion data breach (2020–21), in which attackers exploited vulnerabilities in the company’s legacy File Transfer Appliance (FTA) and thereby reached several financial institutions that used the service. The fallout included $8.1 million in settlements as well as legal fees borne by Accellion,6 while the affected financial institutions and other organizations absorbed business disruption costs as well as settlement costs. For example, one of the largest US grocery retailers spent millions to compensate customers.

One of the largest recent cases of internal fraud involved employees of a large US financial institution, who were found to have created millions of unauthorized accounts in an effort to hit their sales targets. The fallout included fines, reputational issues, and an erosion of customer trust.

According to our survey, the outlook for the top nonfinancial risks in three years indicates an even greater focus on cybersecurity and technology risk (82 and 45 percent, respectively). Internal and external fraud and financial crime share third place (27 percent).

The evolving business environment and interdependencies among risks create additional challenges. Nonfinancial risks tend to occur in clusters rather than in isolation, which makes them more dangerous: a single event can set off a domino effect of follow-on incidents. For example, both cyber and technology risks are tightly linked to third-party risk because financial institutions increasingly rely on external vendors, suppliers, and service providers across their business functions.

Risk can materialize in several ways: First, many third-party vendors have access to sensitive organizational data. If a vendor’s security measures are inadequate, this vulnerability can lead to data breaches, unauthorized access, and the theft of sensitive information.

Second, cyberattacks on third-party systems and suppliers can cause significant disruptions to an organization’s operations if critical components become unavailable. Third, cyberincidents and the failure of third parties to comply with regulations can lead to both direct and indirect financial losses, such as fines, penalties, and loss of business; this may be particularly the case for noncompliance with data protection standards. Last, negative publicity resulting from third-party cyberincidents can cause reputational harm. Digital resilience and trust are essential to customers. If their personal information is compromised because of third-party failures, they may lose confidence in an organization.

The strong links among risks require institutions to further evolve their approach to monitoring and controls.

Best practices from leading financial institutions

Managing nonfinancial risk has evolved significantly over the past several decades (Exhibit 2). A focus on operational losses, the favored approach in the 1990s and early 2000s, has been replaced by the need to build operational-risk and compliance foundations in the wake of the global financial crisis.

Operational resilience is the natural evolution of nonfinancial-risk management.

Exhibit 2 (image description): A timeline shows the evolution of operational-risk management from the late 1990s to now in four stages. The first stage, operational-loss counting (late 1990s to 2008), was characterized by a low number of operational incidents, model-driven operational-risk management, a compliance function focused on oversight and regulatory engagement, and limited risk accountability in the business, with “delegation” to risk. The second stage, building operational-risk and compliance foundations (2008 to 2020), was characterized by financial-crisis losses; litigation, major incidents, and regulatory focus; remediation of incidents and issues; and a focus on strengthening the control environment.

The third stage, nonfinancial-risk integration and simplification (2015 to the present), in which the biggest fires have been put out, is characterized by the integration of operational risk and compliance into nonfinancial risk and a focus on the effectiveness and efficiency of risk management along end-to-end value chains. The fourth and final stage, moving beyond risk to operational resilience (2020 to the present), is characterized by an increasing number of external shocks that require a focus on operational resilience; building resilience capabilities; a focus on critical operations, third parties, business continuity, technology, and cyber risks; and leveraging AI to enable continuous real-time monitoring.

Since 2015, banks have concentrated their efforts on firefighting and integrating operational risk and compliance into nonfinancial risk. Priorities have included implementing appropriate governance and accountability—for example, governance at the board, executive, and divisional levels to support the three-lines-of-defense model. In addition, financial institutions have sought to define key elements of nonfinancial-risk management (risk management framework, risk appetite statement, risk taxonomy, and risk and control self-assessment) and ensure the organization has the right culture, capabilities, remuneration, and performance management in place.

Institutions have taken a more defensive approach during this period in response to major incidents, litigation, and regulatory focus. Many organizations made significant investments to remediate incidents and issues and strengthen the control environment. With major incidents remediated and controls improved, banks have been placing greater emphasis on nonfinancial-risk integration and the simplification of risk frameworks and practices.


More recently, banks have focused increasingly on operational resilience, which is a natural evolution of a robust nonfinancial-risk framework characterized by a more proactive and forward-looking approach. One obstacle in this pursuit is the legacy of previous strategies. Many institutions implemented robust second-line oversight, overemphasizing basic policies and generic frameworks instead of adopting an approach to first-line risk management focused on business impact. Advancing operational resilience requires not only a sufficient budget but also a shift in mindset. Managing nonfinancial risk is too often seen as a path to achieve regulatory compliance rather than an opportunity to generate value through more effective operations.

Another challenge is an insufficient understanding of operational resilience, which can lead second-line experts to make decisions that widen the gap between the business and impact-oriented decision-making.

Four actions to achieve operational resilience

The increasing number and pace of external shocks heighten the urgency to embed operational resilience into governance, frameworks, and operating models. Leading banks are implementing four major shifts in their nonfinancial-risk management.

1. Linking operational-risk management and resilience to business impact

Successful institutions have moved from fragmented, conceptual frameworks to those reflecting an impact-driven perspective, with operational-risk reporting linked directly to risk mitigation initiatives. In addition, beyond policies, standards, and reporting, these institutions have well-defined and consistent risk strategies between the first and second lines of defense that analyze specific risks and their potential impact on the organization and its customers. This lens helps institutions identify where risks need to be minimized and concentrates input for critical decisions at the strategic level—for example, outsourcing (such as to cloud providers), growth priorities, and acquisitions.

These institutions also integrate a business-centric risk agenda into first-line business reporting to improve risk management through targeted investments. Last, they seek to ensure that their operational-risk function possesses sufficient business understanding, not just conceptual risk expertise. The most successful operational-risk leaders often have a background in business, IT, or operations coupled with a deep understanding of business processes.

2. Upgrading governance to manage nonfinancial risk and operational resilience

Over the past few years, many organizations have continued to build on their existing operational-risk and compliance efforts. For example, leading institutions have established dedicated board- and executive-level nonfinancial-risk committees. Many banks have also aligned their operational-risk and compliance frameworks to serve as an umbrella for their array of policies on managing operational risk, business continuity, information and communications technology risk, and third-party risk. The typical nonfinancial-risk tool kit encompasses a range of taxonomies and libraries that enable consistency, aggregation, and tracking over time (Exhibit 3).

Leading institutions appoint dedicated risk stewards for each nonfinancial risk. These stewards are subject matter experts on different types of risk, and their responsibilities include setting the policy and, in some instances, taking on assurance. To inform the risk appetite, banks are increasingly using a suite of nonfinancial-risk metrics beyond the traditional measure of total operational losses. Examples include the number of open issues older than 24 months and the share of cases that failed know-your-customer checks. Our survey indicates that institutions select one to three metrics for each type of nonfinancial risk. Institutions are also elevating practices and capabilities in nonfinancial-risk management, such as specific risk expertise, process design, data and analytics, and risk identification and assessment.

3. Building out operational-resilience capabilities

The growing number of external shocks and internal systemic issues necessitates a stronger focus on operational resilience, both in preventing and absorbing these disruptions. Institutions are building operational resilience in five areas: business continuity management, third-party risk management, scenario planning, technology resilience and recovery, and incident management.

First, banks are increasingly aligning their business continuity management activities with the organization’s vision and strategic goals. This step involves clarifying the roles and responsibilities of business continuity management in relation to other risk management frameworks and mapping resilience assets. Banks are also establishing comprehensive reporting mechanisms to inform the board and senior management, coordinating resilience actions, and developing tools and infrastructure to measure, monitor, and manage resilience effectively. Our survey found that more than 90 percent of banks have fully or partially identified their critical business services, and about 65 percent have developed business continuity and recovery plans for all of these essential services.

Second, organizations are broadening the categories of third parties they monitor and evaluating supply chain risks with increased scrutiny and frequency. According to our survey, banks engage with an average of about 260 third parties, with a range of 40 to 400. Measures include enhancing the level of due diligence and information required from third parties (and even subproviders) and developing risk-sensitive approaches to tailor risk management for the most critical partners and activities. The risks of interconnectedness and concentration of third-party providers are particularly significant, especially given the current geopolitical tensions and the increasing reliance on, for example, cloud service providers and AI suppliers that are predominantly based in the United States. Addressing these aspects is imperative for comprehensive operational resilience.
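Concentration and subprovider exposure of the kind described above is far easier to see on a dependency graph than in a flat vendor list. The following Python is an added example, not code from the article or from any bank’s tooling: it builds that graph from a constructed inventory (every service and vendor name is hypothetical) of critical business services, the third parties they run on, and the subproviders those third parties declare in due diligence, then flags providers whose outage would hit several critical services, calling out services that reach the provider only through a subprovider and therefore have no direct contract, SLA, or exit plan with it. It also lists services that rest on a single provider, a natural starting point for an inventory of manual workarounds and alternative technologies.

```python
"""Third-party concentration mapping for critical business services.

Added example (not from the article or any bank): builds a dependency
graph from a constructed inventory of critical services, the third
parties they are contracted to, and those third parties' own declared
subproviders, then surfaces concentration that a flat vendor list hides.
"""
from collections import defaultdict

# Constructed sample data; every name below is hypothetical.
# critical business service -> directly contracted third parties
CRITICAL_SERVICES = {
    "retail-payments": ["CloudCo", "PayGateway"],
    "mobile-banking": ["CloudCo", "AuthSaaS"],
    "trade-finance": ["MainframeHost", "DocXfer"],
    "aml-screening": ["ScreenVendor"],
}
# third party -> subproviders (fourth parties) it declared in due diligence
SUBPROVIDERS = {
    "PayGateway": ["CloudCo"],
    "AuthSaaS": ["CloudCo"],
    "ScreenVendor": ["CloudCo"],
    "DocXfer": ["XferHostingLtd"],
    "XferHostingLtd": ["DocXfer"],  # deliberate cycle: mutual dependency must not loop forever
}


def dependency_paths(provider, subproviders=SUBPROVIDERS):
    """Return {reachable provider: chain from `provider` to it}, itself included.

    Depth-first walk with a visited dict, so cycles in declared
    subproviders (which do occur in real inventories) terminate.
    """
    paths = {provider: [provider]}
    stack = [provider]
    while stack:
        current = stack.pop()
        for nxt in subproviders.get(current, []):
            if nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                stack.append(nxt)
    return paths


def blast_radius(services=CRITICAL_SERVICES, subproviders=SUBPROVIDERS):
    """Map every provider, direct or nth-party, to the critical services that
    depend on it, with the shortest chain through which each one does."""
    impact = defaultdict(dict)  # provider -> {service: chain}
    for service, providers in services.items():
        for direct in providers:
            for reached, chain in dependency_paths(direct, subproviders).items():
                prior = impact[reached].get(service)
                if prior is None or len(chain) < len(prior):
                    impact[reached][service] = chain
    return dict(impact)


def concentration_findings(services=CRITICAL_SERVICES, subproviders=SUBPROVIDERS,
                           min_services=2):
    """Providers whose outage would hit at least `min_services` critical services.

    `indirect_only` lists services that reach the provider only via a
    subprovider: no direct contract, so no direct SLA, monitoring, or exit plan.
    """
    findings = []
    for provider, affected in blast_radius(services, subproviders).items():
        if len(affected) < min_services:
            continue
        findings.append({
            "provider": provider,
            "services": sorted(affected),
            "indirect_only": sorted(s for s, chain in affected.items() if len(chain) > 1),
            "chains": {s: " -> ".join(c) for s, c in sorted(affected.items())},
        })
    findings.sort(key=lambda f: (-len(f["services"]), f["provider"]))
    return findings


def single_provider_services(services=CRITICAL_SERVICES):
    """Critical services with exactly one directly contracted provider:
    first candidates for a manual workaround or alternative technology."""
    return sorted(s for s, providers in services.items() if len(providers) == 1)


if __name__ == "__main__":
    for f in concentration_findings():
        print(f"{f['provider']}: {len(f['services'])} critical services, "
              f"indirect-only: {f['indirect_only'] or 'none'}")
        for service, chain in f["chains"].items():
            print(f"    {service}: {chain}")
    print("single-provider services:", single_provider_services())
```

On the constructed data the only concentration finding is CloudCo: three of the four critical services depend on it, and one of them (aml-screening) only through its screening vendor, which is exactly the exposure a direct-contract register would miss. Lowering `min_services` to 1 turns the same function into a full blast-radius report per provider.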

Third, organizations are increasingly concentrating on creating dynamic yet plausible scenarios to uncover potential vulnerabilities. They are also developing playbooks for rapid response and mitigation and building an inventory of interventions such as manual workarounds and alternative technologies. Approximately 82 percent of banks participating in our survey conduct full or partial scenario testing for critical business services, modeling an average of eight scenarios to assess the specific impact on operations.

Fourth, banks are prioritizing technology infrastructure, resilience, and recovery capabilities by establishing clear ownership and accountability. They are enhancing governance for technology resilience from the top down, strengthening hosting setups (whether on-premises or in the cloud) and collaborating with third parties to bolster the resilience of platforms critical to business processes and services. Further, they are implementing regular testing with a focus on automatic failover capabilities for large-scale environments and conducting selective exercises to test recovery from backup systems.

Fifth, organizations are establishing incident management processes to swiftly respond to disruptions, minimize their impact, and ensure compliance with regulatory reporting deadlines, including those for cross-border incidents. This effort involves building the capability to quickly react to issues (as well as to events at other institutions) and understand where and how these issues can affect the business broadly. Addressing underlying issues quickly and effectively is crucial. Incident management is also a regulatory priority, necessitating actions such as the development of backup plans for critical processes. In addition, war-gaming and stress-testing exercises are essential to simulate and enhance incident management capabilities.

Building resilience goes beyond mere compliance; it is an opportunity to radically simplify and concentrate on the foundational elements that matter most. For instance, while some organizations have identified up to 400 third parties, the true value lies in maintaining a streamlined list of partners for active monitoring and collaboration by senior management. Adopting a strategic approach to operational resilience can not only deliver direct business value and support higher operational velocity but also enable the organization to respond swiftly to disruptions.

4. Investing in data, analytics, and tooling

Organizations are implementing tools and advanced capabilities to enhance their operational resilience. As a start, banks are adopting technological solutions, such as cloud computing and data backup systems, to strengthen their infrastructure and enhance operational and technological resilience. These solutions also include data platforms that integrate risk and compliance data (and, ideally, operational data), allowing all three lines of defense to perform cross-cutting analyses.

Banks are consistently developing analytics capabilities to actively monitor and assess potential operational disruptions. Examples include early-warning systems; transaction monitoring; customer, employee, and third-party screening; predictive modeling; and behavioral analytics. Such tools require banks to upgrade their capabilities in AI, machine learning, natural-language processing, and robotics. Leading institutions are also experimenting with and implementing agentic AI and gen AI, including agent-driven risk and control self-assessments (RCSAs) and gen AI–enabled regulatory radars that track updates, alerts, and compliance recommendations, among other elements.

Banks are more often deploying analytics, including using AI and machine-learning controls across various risk types to identify potential threats. Connecting the dots among silos is critical to create a holistic risk profile of customers (including financial crime, external fraud, and credit risk), employees (including conduct risk, internal fraud, and compliance), and third parties (including cybersecurity and data privacy).

Last, institutions are establishing comprehensive dashboards that combine leading and lagging key risk indicators and KPIs. In the past, they focused on performing RCSAs, but these assessments are primarily a system of record for known problem areas rather than a tool for anticipating risk. In the target future state, dashboards could therefore receive a continuous feed of real-time data, enabling banking risk management to operate much like a NASA mission control room or a nuclear power plant control room.

Overall, these advancements in data, analytics, and tooling will allow banks to shift the way they manage and oversee risk from periodic, process-based control assurance to continuous, analytics-driven risk monitoring.

How banks can manage nonfinancial risk sustainably

While adequate frameworks and tools are important in managing nonfinancial risk effectively, institutions that have excelled at operational resilience have integrated many complex, cross-functional programs. For example, successful organizations implement a simple, intuitive service and process taxonomy that mirrors the most important business units and product categories. This approach directs executive attention to less obvious vulnerabilities (such as when the company is the biggest customer of a third-party vendor providing a mission-critical service) and breaks down organizational silos by aligning business and process owners with supporting capabilities, such as technology or application providers.

In addition, an operational-resilience program that functions well not only meets regulatory expectations but also supports business decisions by focusing on outcomes. That requires both executive leadership and cross-functional, strategic coordination. To make such approaches sustainable, organizations also need to build on their workforce and lived culture. Even if the frameworks and tooling are designed in line with best practices, it is the business practices in day-to-day operations that matter.

Operational resilience is at its best when risk mitigation and control mechanisms are part of an organization’s operational DNA. Examples include disciplined health and safety practices in the mining industry, a deeply rooted learning mindset in the airline industry, and an obsession with customer experience in the retail industry.

Business units are now embracing discussions about risk. A culture that promotes awareness and curiosity, a sense of urgency, a proactive posture, innovative thinking, and collaboration could make nonfinancial-risk management effective, but a mindset of simplicity and practicality, learning, and continuous improvement would make it sustainable. The task of managing nonfinancial risk is never done.


While frameworks and tools provide the foundation for managing nonfinancial risk, it is an organization’s culture—rooted in risk awareness, collaboration, and continuous improvement—that ensures its sustainability and resilience in the face of evolving challenges. Banks that can weave all of these elements into a coherent, coordinated plan will be best positioned to adapt and respond.
