
McKinsey on Risk & Resilience

Strengthening agility to guide risk and compliance

Number 17, July 2024


The articles in McKinsey on Risk & Resilience are written by risk experts and practitioners from McKinsey’s Risk & Resilience Practice and other firm practices. This publication offers readers insights into value-creating strategies and the translation of those strategies into company performance.

This issue, and future issues, are available to registered users online at McKinsey.com. Comments and requests for copies or for permissions to republish an article can be sent via email to McKinsey_Risk@McKinsey.com.

Cover image: © olaser/Getty Images

Editorial Board: Bob Bartels, Oliver Bevan, Joseba Eceiza, Justin Greis, Carina Kofler, Andreas Kremer, Mihir Mysore, Thomas Poppensieker, Sebastian Schneider, Lorenzo Serino, Marco Vettori, David Weidner

External Relations, Global Risk & Resilience Practice: Bob Bartels

Editor: David Weidner

Contributing Editor: Joanna Pachner

Art Direction and Design: LEFF

Data Visualization: Richard Johnson, Matt Perry, Jonathon Rivait, Jessica Wang

Managing Editor: Heather Byer

Editorial Production: Mark Cajigao, Nancy Cohn, Roger Draper, Ramya D'Rozario, Mary Gayen, Drew Holzfeind, LaShon Malone, Pamela Norton, Katrina Parker, Kanika Punwani, Charmaine Rice, Dana Sand, Katie Shearer, Regina Small, Maegan Smith, Sarah Thuerk, Sneha Vats, Pooja Yadav

McKinsey Global Publications

Publisher: Raju Narisetti

Global Editorial Director and Deputy Publisher: Lucia Rahilly

Global Publishing Board of Editors: Roberta Fusaro, Lucia Rahilly, Mark Staples, Rick Tetzeli, Monica Toriello

Copyright © 2024 McKinsey & Company. All rights reserved.

This publication is not intended to be used as the basis for trading in the shares of any company or for undertaking any other complex or significant financial transaction without consulting appropriate professional advisers.

No part of this publication may be copied or redistributed in any form without the prior written consent of McKinsey & Company.
Contents

3 Can your company remain global and if so, how?
Geopolitical uncertainty is forcing global companies to take a hard look at the decades-long strategy of geographic expansion.

13 Europe’s new resilience regime: The race to get ready for DORA
As the directive for the European Union’s Digital Operational Resilience Act approaches, financial institutions and their providers of information and communications technology have significant work ahead, a new McKinsey survey shows.

22 Banking on interest rates: A playbook for the new era of volatility
Five levers can help banks set themselves on a course to more proactive and effective interest rate risk management.

32 The promise of generative AI for credit customer assistance
Generative AI can enhance knowledge of the credit customer journey and lead to improved outcomes.

39 Navigating shifting risks in the insurance industry
How insurance chief risk officers balance today’s complex demands.

46 The cyber clock is ticking: Derisking emerging technologies in financial services
As financial institutions actively adopt emerging technologies, they should act now to future-proof themselves against growing cyber risks.

Introduction
As we enter the second half of the year, risk leaders continue to face a set of challenges not seen in decades—and some
never seen before.

Sadly, peace and security has resurfaced as a top priority for chief risk officers and their colleagues. Global conflict is
at its highest level since the end of the Cold War, and combined with a geopolitical landscape that will see elections in
60 countries and across 50 percent of the world’s population by year end, the existing and potential shifts in the world
order cannot be ignored.

This geopolitical fragmentation, along with a continuous fight against inflationary pressures and related interest rate
volatility (which increases the cost of debt), comes with rising cybersecurity threats; new technology risks, such as
those from generative AI; climate change; and more. Together, these challenges have complicated—and, in some cases,
made obsolete—strategies planned just a few months ago and show the need for a strategic level of risk and resilience
across industries.

In this issue of McKinsey on Risk & Resilience, we not only examine the tests risk and compliance face today and in
the future but also provide actionable tactics for mitigating these hazards and navigating them in a way that can spur
growth and competitive advantage.

We address the shifting geopolitical space by introducing the concept of structural segmentation, a cluster of moves
that global corporations are considering to help mitigate geopolitical exposure, enable locally informed decision making,
and clear a pathway to safe, stable growth.

On the issue of interest rates, we offer a playbook for banks and other institutions to help them meet today’s uncertainty
and answer a critical question: can risk managers retain the benefit of higher rates while preparing for cuts and
managing the potential for macroeconomic surprises?

Similarly for insurers, our team offers strategies for mitigating interest rate volatility and other risks, with a special
emphasis on climate risk—another modern threat that already has had a significant impact on the industry.
In our work with the Institute of International Finance, we identify emerging technologies’ potential to enhance and
transform institutions and how to manage these technologies safely, decreasing the potential for bad actors to take
advantage of new systems.

Our team in Europe examines new European Union regulations aimed at curtailing digital risk for financial institutions.
While this suite of new regulations comes as no surprise, most financial institutions must address a gap in compliance.
We suggest ways institutions can bridge those gaps effectively and cost-efficiently.

Last, in our ongoing and comprehensive examination of generative AI, we explore how this technology can have an
outsize impact on improving outcomes in credit customer assistance—a function that has emerged as a top focus of
regulators and institutions post pandemic.

Together, these analyses underscore the extreme and, in many ways, unprecedented variability besieging the risk
office and its institutions. The good news is that agile organizations, guided by risk and compliance, can thrive in this
environment by remaining resilient.

We hope you enjoy these articles and find in them ideas worthy of application. Let us know what you think at
McKinsey_Risk@McKinsey.com and on the McKinsey Insights app.

Thomas Poppensieker
Senior partner and chair,
Global Risk & Resilience Editorial Board
Copyright © 2024 McKinsey & Company. All rights reserved.

2 McKinsey on Risk & Resilience Number 17, July 2024


Can your company remain
global and if so, how?
Geopolitical uncertainty is forcing global companies to take a hard
look at the decades-long strategy of geographic expansion.
by Andrew Grant, Michael Birshan, Olivia White, and Ziad Haider

© Getty Images

Rising geopolitical tensions are testing the resilience of global organizations and challenging existing growth strategies. Wars in Europe and the Middle East and escalating US–China competition have the attention of the executive suite and the boardroom. Global business leaders are asking, “What is the future of the global corporation? Do we need to fundamentally shift strategies and structure?”

These questions are being asked amid a measurable decline in global cooperation on peace and security and slowing cooperation in other areas, as reflected in a new global cooperation barometer released by the World Economic Forum and McKinsey in January (Exhibit 1). The intensity and duration of conflicts worldwide are at their highest levels since before the end of the Cold War1: 183 active conflicts in 2023, with violent events last year increasing by 28 percent and fatalities by 14 percent.2

Moreover, 2024 is the year of national elections, with more than 60 countries and nearly 50 percent of the global population heading to the polls.3 Even if only a subset of these elections lead to shifts in leadership and policy, business leaders cannot ignore political uncertainty against the backdrop of an evolving global order.

1 Emma Beals and Peter Salisbury, “A world at war: What is behind the global explosion of violent conflict?,” Foreign Affairs, October 30, 2023.
2 The Armed Conflict Survey 2023, first edition, Abingdon, United Kingdom: Routledge, 2023.
3 Koh Ewe, “The ultimate election year: All the elections around the world in 2024,” Time, December 28, 2023.

Exhibit 1
Peace and security among nations have eroded sharply since 2020.
[Chart: average index of cooperation metrics (2020 = 1), 2012–2022, for trade and capital, climate and nature, innovation and technology, health and wellness, and peace and security.]
McKinsey & Company



Unsurprisingly, business leaders view geopolitics as the top risk to global growth and view political transitions as the leading emergent risk, according to our latest global economic survey (Exhibit 2). Business leaders tell us diverging regulatory requirements, increased in-market risk in multiple geographies, and the need to establish local bona fide units without generating undue risk to the parent are the reasons that now, as one executive we spoke to put it, “Geopolitics trumps capital markets.”

Given this environment, one of the biggest strategic questions confronting global business leaders today is, “How global can my organization remain?” The cost of getting this question wrong is high; assets, growth, value creation, and, most importantly, people may be at risk. At the same time, there is a real advantage to getting it right. In a changing geopolitical landscape, organizations can differentiate themselves through the strategic courage with which they navigate this era of volatility.

Our analysis shows that business leaders can take a systematic approach to building what we call geopolitical resilience. One element of that approach is conducting geopolitical-scenario planning, thinking through a set of “black swans, gray rhinos, and silver linings”—unpredictable and probable high-impact events, as well as potential opportunities amid the storm clouds. A second element involves upgrading board capabilities on geopolitical risk.

Exhibit 2
Geopolitical instability tops the list of concerns for global business leaders.
[Chart: biggest potential risks to global economic growth in the next 12 months,1 % of respondents, Mar 2023 to Mar 2024, for geopolitical instability and/or conflicts, transitions of political leadership, slowdown in China’s economic activity,2 inflation, and supply chain disruptions.]
1 Out of 15 potential risks that were presented as answer choices. Respondents were able to select up to 3 answer choices. Mar 27–31, 2023, n = 871; June 5–9, 2023, n = 1,044; Aug 31–Sept 8, 2023, n = 997; Nov 27–Dec 1, 2023, n = 942; Mar 4–8, 2024, n = 957.
2 Not included in the list of potential risks in the Mar 2023 and June 2023 surveys.
Source: McKinsey Global Surveys on economic conditions, 2023–24
McKinsey & Company



There is another emerging aspect of geopolitical resilience that increasingly arises in our conversations with business leaders—one that we refer to as “structural segmentation.” Structural segmentation describes a cluster of moves that global corporations are considering to mitigate geopolitical exposure, to enable locally informed decision making, and to clear a pathway to safe, stable growth.

In what follows, we define structural segmentation, identify questions for global companies to consider as they calibrate their operating models, and outline specific examples of how firms are implementing a segmentation approach. The findings are based on our and our colleagues’ conversations with business leaders across the world, as well as on analysis of more than 100 global organizations’ strategic moves.

Structural segmentation for geopolitical resilience
During the past 25 years, geographic boundaries have faded for companies. Many built complex supply chains that shipped components and products across the world, often crisscrossing it multiple times. Wisely, they established global R&D hubs, forged enterprise-wide technology stacks, democratized access to data, consolidated legal entities, and fostered one-firm cultures.

The premise of a fully globalized world, which underpinned these moves, is now in question, and companies should respond. Legal, regulatory, economic, political, and social contexts are shifting. Companies are increasingly seeking an integrated approach to taking coordinated action across six domains: operations (that includes production and supply chains), R&D, technology and data, legal entity structure, capital, and people. Across each of these domains, we find that organizations typically contemplate either (re)committing to globality or structurally segmenting activities across geopolitically distant markets.

Structural segmentation can take several forms across a continuum. Full structural segmentation involves localizing parallel activities in multiple locations across the world. Factories, for example, may produce only for the regions in which they are located (often in a region or regions that have higher “geopolitical distance”4 from the company’s home market).

As an alternative, some companies are relocating toward home or geopolitically aligned countries, at least in select domains. In general, this involves preserving global connections—for example, housing most technologies in a home country, while creating a minimal viable footprint in geopolitically distant countries. In its most extreme form, however, this might include a major move, such as housing all R&D in the home market.

The intent is to respond to geopolitical realities while preserving the benefits of global reach and seizing opportunities for resilient growth. Just as scenario planning is not a crystal ball, so structural segmentation is not a magic wand. It is, however, a strategic and operational choice that companies may contemplate to survive and thrive in a new era. Although there is a range of ways multinationals can employ segmentation, there are six main areas:

Reshaping production and supply chains for resilience
Escalating geopolitical competition and disruptions induced by COVID-19, weather, and conflict have made supply chains a top priority issue for C-suites and boardrooms. Organizations are deploying or exploring a variety of segmentation strategies, considering both geopolitical exposures and concentrated production or supply chain footprints.

Some companies have responded by recommitting to a global approach. This typically does not mean ignoring a changing world order but rather moving toward greater strategic diversification, whereby a company moves away from a concentrated global supply chain to a model that sources from and

4 Geopolitical distance between countries can be measured by examining the countries’ observable behavior on foreign policy issues, such as through their voting behavior in the United Nations General Assembly.



produces in a greater range of markets across the world. The idea is that a broader and arguably more global web of connections adds resilience, since it is not dependent on any one region or country.

Multinational companies that instead opt for structural segmentation in operations seek to make sure that production and supply could survive if one region were to be cut off. So far, companies have attempted to localize across multiple regions to various degrees. Some have declared an “in market, for market” strategy, building localized production and supply chains so that in-market supply meets in-market demand as much as possible. Others have opted for a market-plus strategy, which entails a substantial footprint and supply chain—for both domestic and export purposes—in one region, supplemented by imports and exports as needed from other geographies.

Few companies are considering complete localization or the relocation of their entire production from one geography to another. Those that do so tend to only have a few affected product lines and focus on only the most sensitive portions of their supply chains. Indeed, as all goods supply chains start where resources come out of the ground, there is a natural limit to how much of a supply chain a company can practically relocate.

Many firms are considering some degree of structural segmentation, however. A recent European Central Bank survey of multinationals with significant operations in the European Union, for instance, reports that 42 percent of firms plan to “friend-shore” production over the next five years, in contrast to only 11 percent that reported having done so in the past five years.5 Similar trends emerge in supply chains. Our 2023 survey of supply chain leaders found two-thirds of respondents sourcing more from suppliers located closer to their production sites last year.6

While reshaping footprints and supply chains can segment geopolitical risk, it comes with costs and complexity. Some organizations may struggle to replicate supplier networks in new markets because of factors such as labor shortages and infrastructure limitations. For others, diversification efforts may only shift concentration risk from one tier of suppliers to another, without significantly reducing overall risk. A third challenge is the stickiness of supply chains. Even as many multinationals, for example, are expanding their footprints in geographies such as Southeast Asia, China’s export share to ASEAN economies is also continuing to grow. That results in the deepening use of components made in China by multinationals in some supply chains.7

Ring-fencing research and development
With technology top of mind for business and world leaders, multinationals are having to adapt their R&D footprints. They can no longer rely on open access to talent and should balance geopolitical, regulatory, reputational, and commercial factors. Organizations may wrestle with questions such as where they should conduct R&D, who is conducting it, and with whom they should share it.

On one end of the spectrum of structural segmentation, some companies are seeking to fully localize their R&D in multiple regions. A leading life sciences company, for example, has opted to build parallel R&D efforts in two different markets that are geopolitically distant from each other. That way, it can sustain access to top talent in each market and preserve—and possibly enhance—its flexibility to develop products that meet varying local requirements.

5 Maria Grazia Attinasi et al., “Global production and supply chain risks: Insights from a survey of leading companies,” ECB Economic Bulletin, 2023, Volume 7.
6 Knut Alicke, Tacy Foster, Katharina Hauck, and Vera Trautwein, “Tech and regionalization bolster supply chains, but complacency looms,” McKinsey, November 3, 2023.
7 Geopolitics and the geometry of global trade, McKinsey Global Institute, January 17, 2024.



Other companies are moving assets toward their home markets. Leading US technology companies are home- and friend-shoring researchers in sensitive technology domains, fully moving them away from markets that are geopolitically distant from the United States.

In the middle of the spectrum, some companies are maintaining R&D operations in markets that are geopolitically distant from the location of their headquarters. But they are introducing strict guardrails, including restrictions in technology arenas that are part of the strategic competition between nations or have multiple use applications like quantum computing and applied AI.

Companies that use these strategies often find they can not only mitigate risk but also gain a competitive advantage. A local R&D presence can make products more tailored to market-specific consumer preferences, fueling a global organization’s local growth strategy. While the approaches vary, the motivating factor is the same: to build geopolitical resilience while preserving an edge in innovation.

Derisking technology stacks and data lakes
A unified global technology stack was once seen as a source of competitive advantage as companies sought to win through scale at low cost. Now, this strategy is under stress from multiple sources: the proliferation of data protection, privacy, and localization laws around the world; the increasing threat of data theft, malevolent-technology insertion, and espionage; and concerns about the overconcentration of data in markets where threats are present.

As a result, companies are revisiting their enterprise technology stacks and considering rebalancing their traditional approach to technology and data management. Some businesses are opting to adopt a globally optimized footprint, subject to local regulations, even if this involves hosting technology services in high-risk markets and accepting the associated additional geopolitical risk. A leading consumer company, for instance, took a local regulatory change as an impetus to localize its e-commerce stack, thereby improving in-market customer experience while managing compliance with the new regulation.

Increasingly, other companies are structurally segmenting their enterprise technology stacks in various forms. Collectively, the moves seek to adapt technology and data location to geopolitical and regulatory demands. Many are shifting toward structural segmentation not just to accommodate individual geographies but also to take a holistic approach to managing broader geopolitical risks, including those related to intellectual property theft and data appropriation.

One approach is to invest in a fully localized IT domain and separate sensitive data from high-risk markets. Our research shows many US companies, from private equity to professional services, are actively exploring or executing on efforts to fully decouple their tech stacks in sensitive regions. These moves follow escalating geopolitical competition and new expectations from customers and public stakeholders.

Even firms that have stopped short of full localization are introducing architecture changes, storing data in states that are geopolitically close to the location of their headquarters—subject to local regulations. Companies taking this approach aim to create a minimal viable technology footprint in geopolitically distant countries that then complies with the data and privacy laws of those countries. Cloud providers, for example, are developing new platform governance processes while disconnecting some markets from their global infrastructure backbones. Software companies in advanced fields like AI, the Internet of Things, and edge computing are separating these sensitive capabilities from their global offerings, often in partnership with local providers, to manage information security.

Creating decision-making distance through legal entities
Organizations are rethinking the role of legal entities and the part they play in navigating geopolitical challenges. Business leaders who have revisited their entity structures cite diverging regulatory requirements, increased in-market risk, and the intent to be seen as a local player.



One example of legal segmentation is an international defense company that redesigned its entities to enable it to operate as a local contractor in each of its major markets. Leadership and decision making are handled locally, while equity remains with the global parent.

Creating distance from the parent, however, can come with its own set of new challenges: functions are duplicated, costs rise, risk appetite between the parent and local units diverges, global culture can erode, and efficiencies are traded off.

In addition to these ramifications, there is a risk that entity segmentation may not be enough to offset geopolitical risk. The parent and segmented entity may still be viewed as one and the same—albeit now with potentially inadequate governance and risk controls.

Some companies have therefore gone further, judging that a continued overall parent was untenable. A leading law firm, for instance, has established a stand-alone unit for its in-country operations. Leading venture capital firms also have split off their regional businesses into new entities with distinct brands and local boards. In these cases, of course, the benefits of operating globally will be lost, and in some cases, a fully separated business unit has also turned into a major competitor in some markets.

Sometimes the same company has had to make more than one of these moves across the globe in a market-differentiated manner. One of the world’s largest food and beverage companies, for example, is seeking to reacquire global ownership over one of its local franchises in the Middle East. It entered into a minority stake in a joint venture partnership with a local operator in China and later increased its stake, noting the need to anchor its partnership structure and to continue capturing increased demand in an important market. Lastly, the company fully exited and sold off its operations in Russia following Russia’s invasion of Ukraine, citing the humanitarian crisis caused by the war and the unpredictable operating environment that rendered continued operations untenable and inconsistent with its values. From global ownership to local strategic partnerships to wholesale exit, this company has had to contend with multifactorial geopolitics and customize and evolve its approach across essential markets—a level of agility that global companies may need to develop.

Safeguarding capital invested in geopolitically distant regions
Geopolitical shifts affect capital flows. The International Monetary Fund, for example, reports that increases in geopolitical distance between two nations are associated with reduced investment.8 Since 2015, direct investment in China and Russia has dropped precipitously, as a result of decreased spending from advanced economies in Asia, Europe, and the United States.9 However, flows into other developing economies have increased, notably into Africa, India, and developing Europe (Exhibit 3).

In this environment, many global companies are selecting some form of structural segmentation, strengthening the geopolitical lens through which they examine capital decisions—be it the capital intensity of their business models or the capital structures by which they are financed.

Some companies are using a localization strategy, adjusting financing so cash inflows and outflows are exposed to similar geopolitical conditions: for example, financing the purchase of aircraft leased to airlines in a country with debt from banks in that same country.

An alternative approach is to move toward home, shifting capital away from more geopolitically distant regions. To retain connections in these markets, some firms have shifted toward partnerships and ecosystem plays and away from direct, tangible capital investment. The aim is to mitigate the risk of stranded or written-off assets, while bringing a local market’s talent, networks, and capital to a venture. Other companies are taking capital off the table in higher-risk markets

8 Global financial stability report: Safeguarding financial stability amid high inflation and geopolitical risks, International Monetary Fund, April 2023.
9 Geopolitics and the geometry of global trade, McKinsey Global Institute, January 17, 2024.



through liquidity events—such as IPOs, private sales, and share sell-downs—including to other international investors that are less geopolitically distant from the market in question. A number of global consumer goods companies, for example, have sold or leased fixed in-country assets, such as manufacturing plants and warehouses, to trusted local partners; these exchanges are underpinned by long-term contracts to enable supply chain stability.

Exhibit 3
Global investment is shifting.
Capital flows have moved to Africa, India, and developing Europe
[Chart 1: share of global announced investment inflows, %, 2015–2023, for Greater China and Russia, advanced economies, and developing economies.]
[Chart 2: announced greenfield investment in developing economies, nonexhaustive, $ billion, 2015–19 versus 2022–23, for Africa, India, and developing Europe, by source of investment (Greater China and Russia, advanced economies, developing economies).]
Note: Data for 2022–23 is through Oct 2023.
Source: fDi Markets (a service from the Financial Times 2023; all rights reserved); McKinsey Global Institute analysis
McKinsey & Company



Securing people and connections
The extent to which an organization can remain global is a question that is most delicate when it concerns people and culture. In keeping a workforce secure, organizations should find balance. They should preserve long-standing and cherished principles of global connectivity and a one-firm culture. But at the same time, they should address the crucial need to maintain robust screening and insider risk programs and reassure geopolitically concerned stakeholders of adequate people-related processes.

The reality is many multinationals do not have a choice in instituting some measure of structural segmentation with people; stakeholders ranging from government officials to customers increasingly expect them to do so. Some approaches include shifting the staff’s home office locations, changing travel policies and protocols so that staffing pools are more localized by region, segmenting access to data on global networks from certain markets, and creating firewalls for certain communications outside market.

Organizations that conclude they need to implement such approaches should do so with care to avoid singling out a set of colleagues and, thereby, eroding the global fabric of the organization. Previous McKinsey research has shown that organizations that can operate as “one firm” are 2.3 times more likely to be in the top quartile of health and high-performing organizations.10 Accordingly, multinationals may, for example, choose to limit discussions on geopolitically sensitive topics to senior leaders in headquarters, as well as to the top in-country leadership, to avoid inflaming internal sentiment and risking leaks that could trigger a market backlash.

Additionally, given the internal scrutiny that such segmentation approaches can generate, many multinationals are having to think equally hard about how to continue fostering a sense of global connectivity not only for cultural reasons but also for talent retention. One leading US firm that we spoke with has sought to shore up cultural cohesion by purposefully bringing the entirety of its incoming class of employees from a geopolitically distant market to global headquarters for shared learning and connectivity.

Business leaders know that healthy organizations that are inclusive and deeply connected can better deal with external change and crises. The challenge today, however, is fostering that sense of inclusivity and connection when geopolitical risk mitigation can demand segmenting the organization’s global operating model in ways that create purposeful distance.

Emerging playbooks for structural segmentation
Broadly, we find that businesses typically adopt one of two postures—recommitting to a single global strategy or moving toward structural segmentation—and use it to guide decision making across each of the six dimensions. That said, companies do have the flexibility to follow a singular approach across all areas or otherwise adopt a more mixed set of tactics.

While every company’s circumstances—and, hence, optimal response—are different, some archetypes are emerging. Asset-light companies require limited assets in-market to generate large revenues. These businesses might decide to follow a global approach to operations and capital, as their risks are inherently lower, while potentially segmenting technology stacks and legal entity structures to support agility in a volatile geopolitical context. More capital-intensive companies are progressively introducing (or at least thinking hard about how to introduce) greater segmentation across multiple dimensions, notably operations and supply chains, often with a market-plus strategy. Financial franchises present a special case: delegating decision making to semiautonomous regional entities and sourcing capital locally allows segmentation that both reduces geopolitical risk and accelerates growth.

10
Blair Epstein, Caitlin Hewes, and Scott Keller, “Capturing the value of ‘one firm,’” McKinsey Quarterly, May 9, 2023.

Can your company remain global and if so, how? 11


Businesses with long-standing presences in geopolitically distant markets have more complex choices. Their de facto postures emerged out of decisions made during the last three decades. Given the costs incurred to establish their presences, these firms are more likely to stick with their current postures or change more incrementally—with segmentation occurring around the edges, dimension by dimension. The result is a mixed strategy: for example, implementing a segmented tech stack but doubling down on a global approach to people, R&D, and capital.

In setting their postures, business leaders should consider both risk management and growth strategy, as well as execution feasibility, of course. While they are more commonly reported on, not all structural-segmentation decisions have been made to reduce risk; quite a number have been made to, at least in part, enable more locally tailored and therefore resilient growth strategies in geopolitically distant markets.

Finally, these dimensions of structural segmentation play out at the market level, but deciding where a market starts and stops requires thought. Is the segmentation meant for a single country, a few countries—and if so, can they be treated together, or does each require distinct postures against the segmentation dimensions—or a broad swath of the world?

For leaders dealing with today’s volatile geopolitical environment, Peter Drucker’s maxim is more apt than ever: “The greatest danger in times of turbulence is not the turbulence; it is to act with yesterday’s logic.”

Structural segmentation is today’s logic, one that business leaders are exploring both to navigate geopolitical headwinds and to potentially secure growth. Indeed, navigating the new geopolitics and geometry of global trade requires business leaders to conduct multifactorial calculus and at times develop market-differentiated approaches to structural segmentation. What structural segmentation is not, however, is a magic formula to eliminate all risk. Geopolitically distant regions by their nature present risk, as well as opportunity. Multinational companies must be prepared for greater scrutiny of their operating models globally, no matter how thoughtful a segmentation approach they may employ.

Andrew Grant is a senior partner in McKinsey’s Auckland office, Michael Birshan is a senior partner in the London office,
Olivia White is a director of the McKinsey Global Institute and a senior partner in the Bay Area office, and Ziad Haider is the
global director of geopolitical risk and a partner in the Singapore office.

The authors wish to thank Knut Alicke, Tucker Bailey, Raphael Bick, Mike Doheny, Ben Fletcher, Henry Frear, Axel Karlsson,
Lucas Lim, Karol Mansfeld, Jean-Christophe Mieszala, Brooke Weddle, Lola Woetzel,
and Carter Wood for their contributions to this article.
Copyright © 2024 McKinsey & Company. All rights reserved.

12 McKinsey on Risk & Resilience Number 17, July 2024


Europe’s new resilience
regime: The race to get
ready for DORA
As the directive for the European Union’s Digital Operational Resilience Act
approaches, financial institutions and their providers of information and
communications technology have significant work ahead, a new McKinsey
survey shows.
This article is a collaborative effort by Jim Boehm and Sebastian Schneider, with Florian Stoll, Lucy Shenton,
and Nils Motsch, representing views from McKinsey’s Risk & Resilience Practice and McKinsey Digital.

Digitalization of the financial sector has brought significant benefits but has also exposed businesses to rising technology risks, including cyberattacks, system outages, and third-party information and communications technology (ICT) failures. To ensure financial institutions (FIs) remain resilient in the face of these threats, the European Union’s Digital Operational Resilience Act (DORA) sets out detailed requirements for EU-based FIs to protect their key business processes (see sidebar “DORA’s scope”). While DORA has some overlap with other regulations (such as BAIT and VAIT in Germany1), it is the first regulation of its kind to focus on digital resilience across the European financial ecosystem.

As DORA’s enforcement date of January 17, 2025, approaches (some regulatory requirements are not yet finalized), McKinsey has conducted a survey with major European financial institutions and critical ICT third parties to understand their progress in achieving DORA compliance. The results are mixed: most institutions have started the journey, but many will need to do more to meet their obligations on time. In this article, we explore some of the most pressing issues highlighted in our survey, and we reflect on the steps that have put some institutions on a more promising DORA compliance path than that of their peers.

DORA implementation: Where does the industry stand?
European FIs and critical ICT service providers still have time to align their resilience capabilities with DORA requirements—but the window is closing. Our survey finds that 94 percent of FIs are fully engaged in understanding the detailed requirements of the legislation; most are doing so through a dedicated DORA program, with DORA as a board-level agenda item (see sidebar “How one large European financial company tackled the DORA challenge”).

1 Bankaufsichtliche Anforderungen an die IT (BAIT) and Versicherungsaufsichtliche Anforderungen an die IT (VAIT) are the banking supervisory requirements and the insurance supervisory requirements for IT in Germany.

DORA’s scope
The DORA regulation comprises five main content chapters, supported by two batches of regulatory technical standards (RTSs) and implementing technical standards. In total, the documents contain more than 600 pages and 1,100 lines of requirements relevant to financial institutions and ICT third parties. The chapters of the final text focus on the following components:

— ICT risk management requires an internal risk-management framework and strategy; risk tolerance; policies, procedures, and protocols; and an independent control function.

— ICT-related incident management, classification, and reporting involves defining, establishing, and implementing a process to manage and record incidents and cyberthreats—and to centralize reporting.

— Digital operational resilience testing mandates a risk-based approach to all testing, including physical testing, application testing, technology resilience (“switchover”) testing, and threat-led penetration testing (TLPT).

— Management of third-party risk requires an ICT risk-management framework, third-party register, risk assessments, analysis of concentration risk, and continued monitoring and auditing of ICT third-party service providers that support critical business services.

— Information-sharing arrangements allow FIs to exchange cyberthreat information and intelligence and require them to notify competent authorities of information-sharing arrangements.



How one large European financial company tackled the DORA challenge
An EU-based, market-leading financial institution with operations in more than 50 countries had just completed a major technology risk-remediation program in 2023 and had to rapidly shift efforts to meet DORA requirements. In the fourth quarter of 2023, the organization established a small DORA program focused on compliance in a few defined areas, but it lacked the ability to scale and execute across the group in a risk-based way, given the highly complex intrafunctional and geographic setup. In addition, some senior stakeholders had a lack of focus, and working-level teams were misaligned.

Not wanting to lose momentum from its highly successful 2023 remediation efforts and knowing how much ground it had to cover to meet the DORA expectations, the company redoubled its DORA program efforts, starting at the very beginning of the first quarter of 2024, and set a target to meet the regulation’s requirements by January 2025. It completely redesigned its program by defining specific activity clusters focused on each of the regulation’s content areas, reorganizing governance and steering to include business and technology leaders across all key entities, and establishing enterprise-wide tracking and reporting of progress and documentation in a centralized tooling solution. Notably, it also brought all of its operating entities under the same program orchestration umbrella for end-to-end support and execution management. The company was highly efficient in those activities: it achieved its redesigned program structure within one month (more than 300 staff members onboarded, full planning and gap assessment complete). Now with a better, more holistic structure in place, it turned to the activation plan.

Key to its successful activation was the strong sense of accountability the company placed on its delivery leaders: the activity cluster leads, plus the single points of contact for each operating entity. That approach had dual effects: the company drove strong execution of DORA-related activities, of course; more significantly, it created a culture of technology risk management throughout the organization, while training and upskilling the entire staff.

By taking such strong, positive steps—both toward central, strategic orchestration and planning and toward action-oriented, leader-driven accountability for delivery—the company has started to see tech risk management not as a “nonfunctional task” but, instead, as a key driver of business value. This truly strategic, business- and risk-based, holistic, structured approach has set the company on a much steeper DORA preparation trajectory than that of its peers across Europe.

As of April 2024, most organizations say they have completed a gap analysis and are in the process of designing or rolling out implementation programs. Nevertheless, every organization reports some uncertainty—for example, around the precise requirements of the legislation. In particular, respondents point to two challenges:

— limited clarity on the scope of key items (for example, the definitions of critical or important functions [CIFs] and of critical ICT third-party providers)

— concern over the timeline for implementation, considering that the second of two batches of the European Supervisory Authorities’ regulatory technical standards (RTSs) is only set to be finalized in July 2024, and that some regulatory requirements (for example, updating all relevant third-party contracts) require significant lead time for implementation

Regarding the first challenge, one chief information security officer said, “The breadth of the DORA program, given the broad range of topics, is unavoidable. However, the chosen depth of scoping significantly impacts the size of effort required to achieve compliance.”

At some institutions, uncertainty over scoping has led to increased budget allocations (Exhibit 1). Typically, an institution might have earmarked €5 million to €15 million for its DORA program strategy, planning, design, and orchestration. But early estimates for full implementation costs are coming in at five to ten times that range. One large FI reported that its final planned DORA implementation spend across the group amounted to nearly €100 million, split between program orchestration and technology control upgrades. According to our conversations with other FIs, we expect similar multiples across the financial industry—particularly at large companies or those that struggle to adopt a risk-based approach to scoping.

Europe’s new resilience regime: The race to get ready for DORA 15
Exhibit 1
Most surveyed institutions plan to spend €5 million–15 million on Digital Operational Resilience Act strategies, planning, design, and orchestration.

Planned spending to comply with Digital Operational Resilience Act requirements,¹ % of respondents (n = 12)
Chart categories: €30 million, €15 million, €5 million
Chart values: 17, 58, 25

¹ One-off costs to reach compliance.
Source: McKinsey survey on Digital Operational Resilience Act (DORA) program readiness, 18 executives and DORA program leaders from leading EU financial institutions and information and communications technology service providers, Mar 2024

When it comes to DORA program capacity, about 40 percent of financial entities and ICT providers dedicate more than seven full-time equivalents (FTEs), while less than 20 percent have yet to assign dedicated FTEs (Exhibit 2). In our client engagements, several leading organizations say the broad scope of DORA requirements means that different functional areas are driving deliverables, albeit with central coordination. All told, these factors tend to reduce the number of dedicated FTEs.

Program steering is a vital cog in the implementation machine, but our research gives little indication that the industry has arrived at a standardized approach. At about 50 percent of surveyed institutions, the IT organization drives DORA implementation, whereas among the remaining group, a mix of business and oversight functions more commonly take control (Exhibit 3). The prevalent ownership distribution suggests many organizations still see digital resilience as an “IT problem” rather than a groupwide concern.

Regulatory compliance is rarely inexpensive, and most survey respondents feel that maintaining DORA compliance will incur ongoing costs. Among our survey respondents, 70 percent say continuing to meet DORA requirements will result in permanently higher run costs for technology and technology control.

Challenges facing industry participants and ICT service providers
Of the many challenges facing institutions, one that stands out in our survey responses is ICT third-party risk management (Exhibit 4). To manage third-party risk effectively, financial institutions must make significant efforts on two fronts: ensuring comprehensive oversight of all ICT service providers and their associated risk and proactively managing the digital risk associated with critical ICT third-party service providers. To achieve these goals in a cost-effective, end-to-end manner, leading FIs take a risk-based and holistic approach, in turn requiring dedicated processes and technologies.



Exhibit 2
Companies dedicate varying numbers of full-time employees to their Digital Operational Resilience Act–compliance programs.

Number of full-time employees dedicated to Digital Operational Resilience Act program, % of respondents (n = 17)
≥8: 41
4–7: 18
1–3: 24
0: 18

Note: Figures do not sum to 100%, because of rounding.
Source: McKinsey survey on Digital Operational Resilience Act (DORA) program readiness, 18 executives and DORA program leaders from leading EU financial institutions and information and communications technology service providers, Mar 2024

Exhibit 3
Organizational responsibility for driving alignment with the Digital Operational Resilience Act is often in the IT function.

Organizational function responsible for alignment with Digital Operational Resilience Act, % of respondents (n = 18)
IT function under chief information officer: 44
1st-line security function: 22
2nd-line IT resilience function: 6
2nd-line nonfinancial risk function: 0
Other¹: 28

¹ Includes 1st-line function under COO, 2nd-line nonfinancial risk function, and combination of multiple functions, among others.
Source: McKinsey survey on Digital Operational Resilience Act (DORA) program readiness, 18 executives and DORA program leaders from leading EU financial institutions and information and communications technology service providers, Mar 2024

Exhibit 4
Management of third-party information and communications technology risk is seen as a key challenge.

Most complex element of Digital Operational Resilience Act to fulfill, % of respondents (n = 17)
Chapter II: ICT¹-risk management: 0
Chapter III: ICT-related-incident management, classification, and reporting: 6
Chapter IV: Digital-operational-resilience testing: 12
Chapter V: Third-party-ICT-risk management: 53
Chapter VI: Information-sharing arrangements: 0
RTS² and ITS³ requirements: 29

¹ Information and communication technology.
² Regulatory technical standards.
³ IT services.
Source: McKinsey survey on Digital Operational Resilience Act (DORA) program readiness, 18 executives and DORA program leaders from leading EU financial institutions and information and communications technology service providers, Mar 2024

Once more, a key variable is scoping, and our discussions with major FIs show wide variation in understanding of the legislation’s scope—even among companies working with similar numbers of ICT vendors. For example, in contract remediation, some organizations are focusing on as few as 20 remediations, whereas others plan to remediate as many as 3,000 contracts (see sidebar “Key scoping items for DORA remediation activities”).

An important factor in making remediation decisions is how to define a “critical” ICT third-party service provider. Under Article 31 of DORA, criteria for consideration include systemic impact on stability, continuity and quality of provision of financial services, the number of institutions relying on the provider, and interdependencies among institutions. Organizations must work closely with legal counsel to determine which interpretation of that definition optimally fulfills DORA requirements and boosts digital resilience.

In terms of engagement with third parties, many FIs report challenges when negotiating with smaller entities. One difficulty is that smaller third parties often lack sufficient talent or resources to achieve full DORA compliance and, thus, may struggle to meet requirements on time. Such variations in capabilities among organizations are likely to lengthen the time frame for some implementation programs.

A common structural challenge for a financial institution is in its dual role of engaging with providers and being a provider for others. For instance, a financial institution may offer payments services on behalf of another financial institution, while also using third parties to support its own business services. These twin dynamics can expose the institution to regulatory scrutiny from two angles: it may need to both initiate and respond to contract remediation exercises.



Key scoping items for DORA remediation activities
Below are key scoping areas companies should consider when assessing their DORA compliance.

— Defining critical or important functions (CIFs). Accurately defining CIFs is a cornerstone of DORA scoping (for example, mapping of IT assets to CIFs, defining recovery times). The challenge for institutions is that no industry-wide framework determines which functions should be deemed as CIFs. Instead, industry participants tend to rely on individual third-party frameworks, such as BaFin’s RRP (recovery and resilience plan) or the Bank of England’s IBS (important business services), and on the European Banking Authority’s technical guidance.

— Scoping ICT service providers. DORA defines an ICT service provider as “an undertaking providing ICT services; digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services, which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.” Given this broad language, it is up to market participants themselves to decide whether individual ICT providers meet the definition. Some decision makers believe that services provided by companies outside traditional IT, such as law firms and consultancies, could fall within the legislation’s scope; some, however, do not. In addition, organizations often lack a consolidated view of third-party relationships across business units, geographies, parents/subsidiaries, or group/legal entities. Such lack of alignment could yield different classifications of the same provider, causing confusion during an onsite examination.

— Understanding feasible and acceptable recovery times for different scenarios. Financial entities report challenges in determining appropriate target recovery time objectives (RTOs) and recovery point objectives. For example, achieving four-hour recovery times (a standard RTO) would be reasonable in the event of a small, contained incident, but it would be nearly impossible after a large-scale ransomware attack leading to a major outage. Leading organizations take a use case and criticality-oriented approach to set recovery times, often tied to business impact analyses.

— Defining and choosing appropriate test scenarios to conduct threat-led penetration testing. Some organizations say they struggle to define the right test scenarios for TLPT, a particular concern when testing critical or important functions. It may make sense to agree on a joint definition of critical scenarios, or on a respective sharing/recognition of testing results with critical third-party providers—or on both.
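Two of the scoping items above, and two of the third-party requirements listed in the “DORA’s scope” sidebar, are easier to reason about once they are written down as data: a consolidated third-party register mapping each critical or important function to the ICT providers it depends on, a concentration-risk check over that register, and a check of whether each function’s RTO is achievable under different incident scenarios (a contained incident versus a large-scale ransomware outage). The following is an added example written for this article; it is not code from McKinsey, from DORA, or from any institution’s program. The function names, provider names, restoration-time estimates and the 50 percent concentration threshold are all constructed assumptions.

```python
"""Constructed example: a minimal ICT third-party register for one financial
entity, with a provider-concentration check and a scenario-based RTO
feasibility check. All data and thresholds are assumptions, not DORA values."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Cif:
    """A critical or important function and the ICT providers it depends on."""
    name: str
    rto_hours: float        # target recovery time objective from the BIA
    providers: list[str]    # ICT third-party providers supporting this CIF


# Constructed register: four CIFs and their provider dependencies (assumed).
REGISTER = [
    Cif("retail payments", 4, ["CloudHost-A", "PayGateway-B"]),
    Cif("online banking", 4, ["CloudHost-A", "IdP-C"]),
    Cif("trade settlement", 8, ["CloudHost-A", "MsgNet-D"]),
    Cif("regulatory reporting", 24, ["SaaS-E"]),
]

# Constructed estimates of how many hours each provider would need to restore
# service under each scenario (assumed values, e.g. from provider BCP reviews).
SCENARIO_RESTORE_HOURS = {
    "contained incident": {
        "CloudHost-A": 2, "PayGateway-B": 1, "IdP-C": 1, "MsgNet-D": 3, "SaaS-E": 2,
    },
    "large-scale ransomware": {
        "CloudHost-A": 72, "PayGateway-B": 48, "IdP-C": 24, "MsgNet-D": 72, "SaaS-E": 96,
    },
}


def provider_concentration(register: list[Cif]) -> dict[str, float]:
    """Share of CIFs that depend on each provider, highest share first."""
    counts: dict[str, int] = {}
    for cif in register:
        for provider in set(cif.providers):
            counts[provider] = counts.get(provider, 0) + 1
    total = len(register)
    return dict(sorted(((p, c / total) for p, c in counts.items()),
                       key=lambda kv: -kv[1]))


def concentrated_providers(register: list[Cif], threshold: float = 0.5) -> list[str]:
    """Providers supporting at least `threshold` of all CIFs (threshold is assumed)."""
    return [p for p, share in provider_concentration(register).items() if share >= threshold]


def rto_feasibility(register: list[Cif], scenarios: dict[str, dict[str, float]]) -> dict:
    """Per scenario and CIF: slowest dependent provider's restore time vs. the CIF's RTO."""
    result = {}
    for scenario, restore in scenarios.items():
        for cif in register:
            worst = max(restore[p] for p in cif.providers)
            result[(scenario, cif.name)] = {
                "worst_case_hours": worst,
                "rto_hours": cif.rto_hours,
                "feasible": worst <= cif.rto_hours,
            }
    return result


def infeasible(register: list[Cif], scenarios: dict[str, dict[str, float]]) -> dict[str, list[str]]:
    """CIFs whose RTO cannot be met, grouped by scenario; input for revisiting the BIA."""
    out: dict[str, list[str]] = {}
    for (scenario, name), r in rto_feasibility(register, scenarios).items():
        if not r["feasible"]:
            out.setdefault(scenario, []).append(name)
    return out


if __name__ == "__main__":
    for provider, share in provider_concentration(REGISTER).items():
        print(f"{provider}: supports {share:.0%} of CIFs")
    print("Concentrated providers:", concentrated_providers(REGISTER))
    for (scenario, name), r in rto_feasibility(REGISTER, SCENARIO_RESTORE_HOURS).items():
        status = "OK" if r["feasible"] else "RTO NOT ACHIEVABLE"
        print(f"[{scenario}] {name}: worst case {r['worst_case_hours']}h "
              f"vs RTO {r['rto_hours']}h -> {status}")
```

On the constructed register, the hosting provider supports three of four CIFs and is flagged as a concentration; every four-hour RTO is achievable in the contained-incident scenario and none is achievable in the ransomware scenario, which is the mismatch the sidebar describes between a standard RTO and a large-scale outage. In practice the restoration estimates would come from provider exit plans and the institution’s own business impact analysis rather than from literals in the code.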

Across the industry, timing is likely to be a significant concern in the months ahead. In our survey, just about a third of financial institutions express confidence that they can fulfill all DORA regulatory expectations by January 2025. Moreover, all expect at least some DORA efforts to continue beyond then (Exhibit 5). Even those that believe they can achieve compliance by January 2025 say that implementation and rollout into “business as usual” across geographies will continue beyond the legal enforcement date.

Taking action: Four strategic imperatives
Preparations for DORA will continue to accelerate in the coming months. As decision makers navigate the process, best practice will be not only to focus on complying with the regulation, but also to reflect broader business goals. We have seen some leading organizations anchor their efforts on four strategic principles.

Exhibit 5
Surveyed institutions are uncertain that they can meet the Digital Operational Resilience Act deadline.

Organizational confidence in fulfilling all Digital Operational Resilience Act regulatory expectations by Jan 2025, % of respondents (n = 16)
Chart categories: Very confident, Confident, Neutral, Doubtful, Very doubtful
Chart values: 31, 38, 31

Source: McKinsey survey on Digital Operational Resilience Act (DORA) program readiness, 18 executives and DORA program leaders from leading EU financial institutions and information and communications technology service providers, Mar 2024

See the regulation as a resilience opportunity rather than a tick-box exercise
As many as 80 percent of remediation programs fail because they lack a strategic foundation. To prevent DORA programs from succumbing to the same fate, decision makers need to see the program for what it can be: a transformational opportunity to reorganize and enhance processes, tools, and technologies, while boosting resilience. But if institutions simply update policy documents and define system mappings to do the bare minimum, they risk turning their DORA programs into paper tigers—inflating costs with limited impact beyond paper. If, conversely, institutions implement DORA with digital resilience as an objective—by using their DORA program to identify and eradicate ICT risk at scale—they will create a fundamentally stronger financial ecosystem and improve customer trust.

Make resilience business-led
As in many transformative projects, leadership is a critical enabler. We see two vital building blocks:

— Drive the transformation from the top. For an effective transformation, senior managers need to formulate a clear strategy, enhanced by programmatic support structured around the business and its priorities. Regulators’ expectations will be relevant in this context. In one recent examination, the regulator requested evidence that IT risk-management efforts were business-led and involved leaders from the business. Our experience suggests that linking regulatory remediation deliverables to business objectives is key to measuring resilience success, which is possible only when business colleagues are at the helm in driving implementation.

— Appoint a single accountable program owner. While DORA affects multiple functions, a single accountable owner provides a point of coordination and steering. This approach will sharpen strategic oversight and lead to better prioritization and communication throughout the program.



Scope astutely: Take a risk-based approach; define ‘done’ clearly
From our survey, scoping is a significant challenge—and opportunity—as DORA preparations reach their final stages. Our surveyed FIs commonly report struggling with seemingly unending regulatory programs that “boil the ocean” in terms of interpreting and meeting regulatory expectations, consequently with ever-growing scope and costs.

Organizations that precisely define the regulation’s risk-based aims are most likely to execute effectively. They engage in two best practices:

— Implementing requirements based on risk. Leading companies take a risk-based approach to resilience, identifying their most critical processes and prioritizing capability requirements according to risk. This means not creating “one control requirement set to rule them all” but defining risk-differentiated policies and controls based on the business value of different processes. Such an approach yields a more streamlined, efficient application of DORA requirements, optimizing both DORA spend and time to compliance.

— Explicitly defining “done”: when DORA requirements are met and risk is mitigated. Often in the course of regulatory and remediation programs, organizations run into the challenge of proliferating requirements and ever-lengthening timelines. That may occur when internal stakeholders seek to add their own priorities to the list, increasing the effort required. By agreeing from the outset on how to define “done,” a company can save months of program extension, spend, and iteration.

Collectively collaborate to ensure systemic resilience
Business leaders may feel it is counterintuitive to collaborate with competitors on regulatory alignment, but information sharing can actually streamline the implementation process and build trusted networks. We have seen, time and again, the power and impact of cross-industry collaboration on security and regulatory topics. Consider these approaches:

— Invest in information sharing and exchange; candidly communicate how you view scope requirements and challenges. Given that DORA expressly aims to strengthen the resilience of the entire financial ecosystem, it should catalyze collaboration across the European financial industry. Lean into the fact that it makes sense for FIs to work together.

— Use DORA to build digital trust. ICT service providers and FIs can use DORA to boost transparency and build trust in their digital products and services. As quality, resilience, and security improve, so will uptime, access, and fraud-mitigation outcomes. Digital trust can become a value differentiator for customers.

As the deadline for DORA implementation approaches, financial institutions and ICT service providers have their work cut out to achieve the expected level of digital resilience. Scoping exercises and closure of gaps against the final text and RTS batches will demand significant attention in the months ahead.

That said, DORA also presents a valuable opportunity. Institutions have a chance to revisit critical challenges around digital resilience, bring diverse parts of the organization together, and transform fundamental capabilities that will maintain the resilience of the financial ecosystem. Given the systemic reach of digital technologies, financial institutions and ICT providers can work together to increase trust in the industry and create value for the long term.

Jim Boehm is a partner in McKinsey’s London office; Sebastian Schneider is a senior partner in the Munich office, where
Nils Motsch is an associate partner; Florian Stoll is a consultant in the Frankfurt office; and Lucy Shenton is an associate
partner in the Berlin office.

Copyright © 2024 McKinsey & Company. All rights reserved.

Banking on interest rates:
A playbook for the new era
of volatility
Five levers can help banks set themselves on a course to more proactive and
effective interest rate risk management.
by Andreas Bohn and Sebastian Schneider, with Enrique Briega and Mario Nargi



The recent accelerated rise in global interest rates, the fastest in decades, brought the curtain down on an extended period of cheap money but provided little clarity on the longer-term outlook. In 2024, competing forces of tepid growth, geopolitical tension, and regional conflict are creating nearly equal chances of higher-for-longer benchmark rates and rapid cuts. In the banking industry, this uncertainty presents both risks and opportunities. But in the absence of recent precedent, many institutions lack the necessary playbook to tackle the challenge.

As rates have risen from their record lows, banks have in general profited from rising net interest margins (NIMs). However, if policy makers switch swiftly into cutting mode, banks may see the opposite effect. For now, futures markets predict the start of that process toward the end of 2024. In that context, the question facing risk managers is how they can retain the benefit of higher rates while preparing for cuts and managing the potential for macroeconomic surprises.

The volatility playing out in rates markets is reflected in bank deposit trends, with customers more actively managing their cash to make the most of shifting monetary conditions. In Europe, deposits reached 63 percent of available stable funding (ASF) in 2023, compared with 57 percent in 2021.1 In the US, conversely, the share of deposits over total liabilities fell over a similar period as money migrated to investments such as money market funds.

In the face of accelerating deposit flows, McKinsey research shows that bank risk management and funding performance has been highly variable. Between 2021 and 2023, the best-performing US and EU banks saw interest rate expenses rise 70 percent less than at the worst-performing banks (Exhibit 1). Among the drivers were better deposit and interest rate management.

Alongside the impacts of deposit flows, funding has come under pressure from other factors, including the steady withdrawal of pandemic-related central

1 Monitoring of liquidity coverage ratio and net stable funding ratio implementation in the EU – third report, European Banking Authority, June 15, 2023.

The question facing risk managers


is how they can retain the benefit
of higher rates while preparing for
cuts and managing the potential
for macroeconomic surprises.

Banking on interest rates: A playbook for the new era of volatility 23


Exhibit 1
Best-performing banks incur lower-interest-rate expenses and attract more deposits.

Increase in interest expenses by performance, Dec 2021–June 2023,¹ multiple (bar chart on a 1×–30× scale comparing top performers with bottom performers; the bar values are not recoverable from the extraction)

Change in customer deposits, Dec 2021–June 2023, % (top performers / bottom performers)

Country      Top performers   Bottom performers
US                 14                 1
UK                 –5                –4
France              8                 1
Spain               8                 1
Germany            29                 8
Italy               1                –2
Eurozone²           8                –1

¹ Top performers defined as 10th–49th percentile of interest expense increases; bottom performers defined as 50th–90th percentile of interest expense increases. Percentiles 0–10 and 90–100 were outliers on the distribution and therefore excluded. US, n = 5; UK, n = 7; France, n = 8; Spain, n = 9; Germany, n = 16; Italy, n = 6; eurozone, n = 70.
² Eurozone includes banks from France, Spain, Germany, and Italy alongside banks from other eurozone countries.
Source: S&P Capital IQ; SNL Financial; McKinsey analysis

bank liquidity facilities. Meanwhile, innovations such as instant payments have motivated customers to make faster and larger transfers. These withdrawals can happen quickly and be fueled by social media, creating a powerful new species of risk.

In the context of a more uncertain environment, regulatory authorities are doubling down on oversight of the potential impacts of rate volatility—for example, by asking banks to mitigate the potential effects of rate normalization, increasing overall scrutiny, and demanding evidence of methodology upgrades. Among European supervisory priorities for 2024–26, banks are advised to sharpen their governance and strategic frameworks to strengthen asset and liability management (ALM) and develop new funding plans and contingency measures for short-term liquidity shocks, including evaluating the adequacy of assumptions supporting some behavioral models.² In the same vein, the Basel Committee on Banking Supervision in 2023 proposed a recalibration of shocks for interest rate risk in the banking book. Banks can achieve this by extending the time series used in model calibration from the current December 2015 standard to December 2022, bringing more volatile rate distributions into the equation.

In a recent McKinsey roundtable, 40 percent of Europe, Middle East, and Africa bank treasurers said the topic that will attract most regulatory attention in the coming period is liquidity risk, followed by capital risk and interest rate risk in the banking book (IRRBB). With these risks in mind,

² “SSM Supervisory Priorities, 2024-2026,” in Supervisory priorities and assessment of risks and vulnerabilities, European Central Bank, 2023.



34 percent of treasurers said their top priorities with respect to rate risk were enhancing models and analytics, revising pricing strategies on loans and deposits, and beefing up ALM governance and monitoring capabilities.

Most participants also expected treasury teams to get more involved in strategic planning and board engagement and to engage business units more closely to define pricing strategies and product innovation (Exhibit 2).

In response to these dynamics, we expect to see many banks revisiting the role of the treasury function in the months ahead. For many, this will mean moving away from approaches designed for the low-rate era and toward those predicated on uncertainty. In this article, we discuss how forward-looking banks are redesigning their treasury functions to obtain deeper insights into probabilities around interest rates and their impacts on pricing, customer behavior, deposits, and liquidity.

Five steps to enhancing the treasury function
To manage volatile interest rates more effectively, leading banks are revisiting practices in the treasury function that evolved during the low-interest-rate period and may no longer be fit for purpose—or at least should be updated for the new environment. Pioneers have taken steps in five broad focus areas: steering and monitoring, risk measurement and capabilities, stress testing, bank funding, and hedging.

Build efficiency and sophistication
A precondition of effective oversight of interest rate business is to ensure decision makers have a clear view of the current state of play. Currently, the standard approach across the industry is somewhat passive, meaning it is based on static or seldom-reviewed pricing and risk management decisions, often taken by relationship managers. Models are fed with low-frequency data, and

Exhibit 2
Most banks expect more treasury involvement in strategic processes and more interaction with business units.

Expected change in treasury activities and capabilities over the next years, % of respondents listing option as top 3¹

Increase treasury involvement in strategic process and overall board management: 32
Interact more with business unit to define pricing strategies and product innovation: 24
Increase use of more sophisticated modeling techniques and data: 20
Increase frequency of monitoring and introduce use of early warning: 18
Sophisticate hedging strategies and collateral management: 12
Partner with risk to sophisticate scenario-planning capabilities: 7

¹ Data gathered Nov 23, 2023; n = 29.



banks use static fund transfer pricing (FTP) to calculate net interest margins. Monitoring often reflects regulatory timelines rather than the desire to optimize decision making.

Forward-looking banks are tackling these challenges through a more hands-on approach to steering and monitoring, including the following measures:

— dynamic reviews of FTP, reflecting microsegment behaviors and pricing strategies tied to customer lifetime value and the opportunity cost of liquidity

— increased product innovation to boost funding from both corporate and retail clients

— ensuring access to high-quality, frequent, and granular data, with systems equipped to send early warning signals on potential changes in customer behaviors, especially to capture early signs of liquidity shifts

— use of risk limits and targets as active steering mechanisms, bolstered by links to incentives

— automation of reporting and monitoring, so liquidity and other events can be scaled internally much faster, backed by real-time data where possible

Upgrade IRRBB measurement and capabilities
Leading banks are getting a grip on IRRBB risk in areas such as balance sheet management, pricing, and collateral. Many have assembled dedicated teams to help them make more effective decisions. Given the threat to deposits, some are making greater use of scenario-based frameworks, bringing together liquidity and interest rate risk management. They are using real-time data to inform funding and pricing decisions.

To ensure they consider all aspects of rate risk, leading banks employ a cascade of models, feeding the outputs into steering and stress-testing frameworks, and capturing behavioral indicators that can inform balance sheet planning and hedging activities. Some banks are employing behavioral models to forecast loan acceptance rates and credit line drawings. Best practice involves using statistical grids differentiated by type of customer, product, and process phase.

When it comes to loans, some banks are leveraging AI to predict prepayments and their impacts on balance sheets and hedging requirements. Best practice in prepayments modeling is to move away from linear models and toward machine learning algorithms such as random forests to consider nonlinear relationships (for instance, between prepayments and interest rate variation) and loan features (for example, embedded options), as well as behavioral factors. We see five key steps:

— Customer segmentation. Banks can use AI to achieve granulated segmentation—for example, incorporating behavioral factors.

— Prepayment behavior. Banks can quantify constant prepayments and prepayments subject to criteria including interest rate levels, prepayment penalties, age of mortgage, and borrower characteristics. Leading banks establish a parent model and leverage customer segmentation to derive dedicated prepayment functions, taking into account customer protections such as statutory payment holidays.

— Interest rate scenarios. Banks can employ Monte Carlo simulations and other models to analyze a range of scenarios, including extreme and regulatory scenarios, and simulate potential prepayment behaviors for each scenario.

— Hedging ratios and strategy. Decision makers should evaluate the value of mortgages under different interest scenarios and derive sensitivities to economic value and P&L. They can then select hedging instruments with the aim of neutralizing scenario impacts.



— Pricing. Mortgage pricing can be adjusted based on maturity and potential prepayment behavior. Banks can use fund transfer pricing, with risks handled by a dedicated team in the treasury function.

Another important focus area is deposit decay. Many banks still prioritize moving-average approaches segmented by maturity and backed by expert judgment. A best practice would be to identify a core balance through a combined expert and statistical approach, looking at trends across customer segmentation, core balance modeling, deposit volume modeling, deposit beta and pass-through rates, and replicating portfolio/hedge strategies. This would mean leveraging AI and high-frequency data relating to transactions, to estimate each account’s non-operational liquidity, which customers may be more likely to move elsewhere (see sidebar “Case study: Deposit modeling to limit deposit erosion”). Some banks also use survival models to gauge non-linearities in deposit behaviors.

In the context of IRRBB strategy, leading banks are keeping a close eye on both deposit beta and pass-through rates (the portion of a change in the benchmark rate that is passed on to the deposit rate). They back their judgments with views on client stickiness, which they traditionally arrive at through expert judgment and market research. A more advanced approach is to derive regime-based elasticities, capturing data from historical economic cycles.

Finally, risks need to be optimally matched with hedges. The recent trend is to use stochastic models to support hedging decisions, enabling banks to gauge non-linearities. Forward-looking banks increasingly integrate deposit, prepayment, and pipeline modeling directly into their hedging strategies. They also ensure model risk is closely monitored, with models recalibrated frequently to reduce reliance on expert input (see sidebar “Better modeling enables more resilience: One bank’s story”).

Case study: Deposit modeling to limit deposit erosion

One bank achieved an equivalent of €150 million to €200 million positive P&L impact on €30 billion of deposits by using AI techniques for repricing. The tool provided transparency on the following measures:

— the amount of liquidity at risk for each client—that is, the excess liquidity the client could potentially invest or move freely to other banks

— the churn probability for each client, or the probability the client would move the liquidity if the bank took no action, based on client sophistication, the quality and intensity of the client’s relationship with the bank, and the level of market competition

— the customer value at risk, an estimate of future revenues that would be at risk if the client moved the liquidity elsewhere (for example, including not only the opportunity cost of funding, but also revenues from related services)

Armed with this transparency, the bank was able to formulate client-specific strategies for repricing actions and product offerings (for example, investment products and transaction banking services), optimizing both its funding sources and profitability. New capabilities to support the effort included a deposits command center, producing a real-time dashboard for monitoring, including early warning triggers, sales team mobilization, and new product offering, especially for cash-rich corporate clients.



Improve stress testing
Several players are integrating interest rate risk, credit spread risk, liquidity risk, and funding concentration risk in both regulatory and internal stress tests. Indeed, the IRRBB, liquidity risk, and market risk (credit spread risk in the banking book, or CSRBB) highlight the trade-off between capital and liquidity regulations. In short, higher capital requirements may reduce the need for excessive liquidity, and vice versa, for a bank with stable funding—a situation that remains a challenge to current regulatory frameworks.

Stress testing to measure interest rate risk is also evolving, with some banks adopting reverse stress testing (see sidebar “Enhancing Basel’s interest rate risk measures: Exploring the efficacy of reverse stress testing and VAR”).

In upgrading their stress-testing frameworks and interest rate strategies, banks need to balance net interest income (NII) and economic value of equity (EVE) risks that may materialize as a function of rate volatility. On NII, banks can productively apply scenario-based yield curve analysis across regulatory, market, and bank-specific variables and weigh these in the context of overall balance sheet exposures, hedges, and factors including deposits, prepayments, and committed credit lines. Additional economic risks include basis risk, option risk, and credit spread risk, which also should be measured.

Tailor planning
Bank funding plans are often generic, periodic, and spread across different frameworks and methodologies, including funding plans, capital plans, internal capital adequacy assessment processes (ICAAP), and internal liquidity adequacy assessment processes (ILAAP). They are often designed for a range of purposes and audiences and updated only when prompted by regulatory requirements. In future, banks will need dynamic, diversified, and granular funding plans—for example, tailored to products and regions. The plans should reflect flexible and contingent funding sources, central bank policies, and the trade-off between risks and costs.

Better modeling enables more resilience: One bank’s story

A European global bank wanted to improve its forecasting in a rising-interest-rate context. Managers decided to focus more on customer behavior. They moved away from expert-judgment buffers to AI and stochastic modeling and a more focused approach to model calibration. They also updated scenario planning based on regulatory guidelines and best-in-class approaches, such as an “interest rate risk in the banking book” (IRRBB) dynamic balance sheet methodology. Through these changes, the bank was able to estimate its duration gap (between assets and liabilities) more accurately and thereby reduce delta economic value of equity (EVE). As a result, the bank recorded a 70-basis-point uplift in return on equity, resulting from capital savings on interest rate risk and a direct P&L impact from reduced hedging.

Enhancing Basel’s interest rate risk measures: Exploring the efficacy of reverse stress testing and VAR

Research conducted by a group of bank risk managers suggests that the current supervisory outlier tests for interest rate risk in the banking book (IRRBB) may not adequately address all significant risk scenarios. Specifically, the scenarios outlined in the BCBS 368 guidelines for stress-testing economic value of equity (EVE) and net interest income (NII) may fall short in identifying substantial IRRBB risks. This oversight could make it more difficult for banks to recognize material risks of loss, especially if they have complex or unconventional portfolios.

To identify more material risks, experts are recommending a shift in approach. Instead of focusing solely on extreme and plausible scenarios, they are advised to consider all possible scenarios and integrate reverse stress testing. This would involve simulating thousands of historical and hypothetical scenarios, covering almost the entire spectrum of possible yield curves. After computing NII and EVE, attention would be directed to the scenarios that could have the most adverse impact on the bank’s balance sheet.

In alignment with this proposed methodology, Australian banks will be mandated from 2025 to calculate IRRBB capital using measures of expected shortfall rather than value at risk (VAR). The change is intended to incorporate tail risk, with the new methodology utilizing data from the past seven years, coupled with a distinct one-year stress period.
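The reverse stress test and the value-at-risk versus expected-shortfall comparison described in the sidebar “Enhancing Basel’s interest rate risk measures,” as an added illustration that is not part of the article and not any bank’s or supervisor’s model. It simulates random parallel-shift-plus-twist yield-curve scenarios over a constructed toy banking book, computes delta EVE for each, ranks the most adverse scenarios (the reverse stress testing view), and then compares VaR with expected shortfall on the loss distribution, which shows why ES captures the tail that VaR ignores. The balance sheet, base curve, shock volatilities, and 99 percent confidence level are all assumptions.

```python
"""Reverse stress test of a toy banking book (added example, not the article's
or any bank's model): simulate many yield-curve scenarios, compute delta EVE
for each, rank the most adverse, and compare VaR with expected shortfall."""
import math
import random
from typing import Dict, List, Tuple

# Constructed balance sheet: (cash flow, maturity in years). Positive = asset,
# negative = liability; equity is the residual. Assets are deliberately longer
# dated than liabilities, so EVE falls when rates rise.
ASSETS: List[Tuple[float, float]] = [(350.0, 1.0), (450.0, 5.0), (350.0, 10.0)]
LIABILITIES: List[Tuple[float, float]] = [(-550.0, 0.5), (-300.0, 2.0)]
# Constructed base zero curve (continuously compounded): tenor in years -> rate.
BASE_CURVE: Dict[float, float] = {0.5: 0.030, 1.0: 0.031, 2.0: 0.033, 5.0: 0.035, 10.0: 0.038}
TENORS = sorted(BASE_CURVE)


def present_value(curve: Dict[float, float], flows: List[Tuple[float, float]]) -> float:
    """Discount each cash flow at the zero rate of its own tenor."""
    return sum(cf * math.exp(-curve[t] * t) for cf, t in flows)


def eve(curve: Dict[float, float]) -> float:
    """Economic value of equity = PV(assets) + PV(liabilities); liabilities are negative."""
    return present_value(curve, ASSETS) + present_value(curve, LIABILITIES)


def shocked_curve(shift: float, twist: float) -> Dict[float, float]:
    """Parallel shift plus a twist that scales with tenor (the long end moves most)."""
    longest = max(TENORS)
    return {t: BASE_CURVE[t] + shift + twist * (t / longest) for t in TENORS}


def simulate_delta_eve(n: int, seed: int = 0) -> List[Tuple[float, float, float]]:
    """Return (delta EVE, shift, twist) for n random scenarios.
    The shock volatilities (150 bp parallel, 75 bp twist) are assumptions."""
    rng = random.Random(seed)
    base = eve(BASE_CURVE)
    out = []
    for _ in range(n):
        shift = rng.gauss(0.0, 0.0150)
        twist = rng.gauss(0.0, 0.0075)
        out.append((eve(shocked_curve(shift, twist)) - base, shift, twist))
    return out


def most_adverse(results: List[Tuple[float, float, float]], k: int = 3):
    """Reverse stress testing: start from the scenarios that hurt EVE most."""
    return sorted(results, key=lambda r: r[0])[:k]


def var_and_es(losses: List[float], alpha: float = 0.99) -> Tuple[float, float]:
    """VaR = loss at the alpha quantile; ES = mean of the losses at or beyond VaR."""
    s = sorted(losses)
    idx = max(int(math.ceil(alpha * len(s))) - 1, 0)
    tail = s[idx:]
    return s[idx], sum(tail) / len(tail)


if __name__ == "__main__":
    res = simulate_delta_eve(5000)
    for d, shift, twist in most_adverse(res):
        print(f"delta EVE {d:8.2f}  shift {shift * 1e4:+6.0f} bp  twist {twist * 1e4:+6.0f} bp")
    var, es = var_and_es([-d for d, _, _ in res])
    print(f"99% VaR {var:.2f}   99% ES {es:.2f}   (ES >= VaR: the tail beyond VaR is counted)")
```

The scenarios listed by `most_adverse` are the ones a reverse stress test would investigate first; because the constructed book has a large positive duration gap, they are dominated by rising rates and steepening, which a fixed regulatory shock set need not reproduce. Expected shortfall is always at least as large as VaR at the same confidence level, which is the tail-risk property the sidebar attributes to the Australian change.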



Embrace dynamic hedging strategies
In the era of low rates, hedging of interest rate risk was a less prominent activity. Banks often employed simple, static, short-term, or isolated strategies, mostly aimed at protecting P&L. Few banks paid a great deal of attention to collateral management.

Now, in a more volatile rate environment, the potential for losses is much higher, suggesting banks need more sophisticated, agile, and frequent hedging to respond to shifts in interest rates, credit spreads, and customer deposit behaviors (Exhibit 3). Indeed, in 2023, the traded volume of euro-denominated interest rate derivatives increased by 3.4 times compared with 2020, according to the International Swaps and Derivatives Association.³

Hedging strategies are evolving to be dynamic, horizontally integrated across the organization, and wedded to risk appetite frameworks, so banks can balance P&L priorities and reductions in tail risk. On the ground, banks will likely need to recalibrate their strategies frequently, ideally leveraging a comprehensive scenario-based approach to reflect changes in the external environment. Many, for example, have already revisited hedging to reflect higher rates, but as rates fall, they will need to assess factors such as the impact of convexity on short positions. The objective of these exercises would ideally extend beyond risk mitigation to the optimization of NII (see sidebar “Replication and hedging: The upsides of NIM optimization”).

³ “Interest rate derivatives US: Transaction data,” ISDA.

Exhibit 3
Banks have been more active in interest-rate hedging.

European interest-rate derivatives traded notional, quarterly,¹ $ trillion (line chart, 2014–2023, y-axis 0–35; series: overnight indexed swap, forward rate agreements, fixed-for-floating interest-rate swap; the plotted values are not recoverable from the extraction)

¹ Includes all terms and all execution venues. Transactions reported by approved publication arrangements, and trading venues located in the European Union and UK. The data is displayed with a 5-week delay due to the posttrade transparency deferrals.
Source: International Swaps and Derivatives Association



Replication and hedging: The upsides of NIM optimization

Broadly, banks may consider four approaches to replication and hedging, each of which offers benefits that will vary according to the bank’s unique asset base.

Static replication is a widely applied and robust approach that involves derivation and adjustment of cash flows from deposit volume models for deposit rate elasticity and pass-through rates. The remainder of cash flows are replicated with bonds, interest rate swaps, or loans. Future deposit growth can be incorporated if desired.

Dynamic hedging of present value of net interest margin (NIM) treats the deposit portfolio like a structured product. Banks calculate the present value of NIM arising from deposits, enabling derivation of present value sensitivity to changes in interest rates. The method supports dynamic hedging and can take into account negative convexity.

Static NIM optimization provides the recommended trade-off between granularity and sophistication on the one hand and usability on the other, and it is our preferred approach. It involves design of the fixed-income portfolio to replicate deposit balance dynamics over a sample period. The analyst then selects the portfolio yielding the most stable margin, represented by minimization of margin standard deviation of the spread between the portfolio return and deposit rate. The approach enables NIM maximization, with the caveat that shorter tenors tend to be preferred in periods of low benchmark rates.

Dynamic NIM optimization permits banks to model future interest rates with NIM and investment strategy optimized for a future horizon. Again, NIM can be maximized, but the approach requires assumptions on volume growth, and the optimization horizon may not extend to the full rate cycle.
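The static NIM optimization the sidebar recommends, as an added worked example that is not the article’s or any bank’s model. A replicating portfolio is built from rolling ladders of fixed-rate tranches at several tenors; for every tenor mix on a coarse weight grid the monthly spread between the portfolio yield and the deposit rate is computed over a sample period, and the mix with the lowest standard deviation of that spread is selected, exactly the selection rule described above. The benchmark rate path, the deposit pass-through (beta) and repricing lag, the term premiums, the tenor set, and the weight grid are all constructed assumptions; a bank would substitute its own rate history and deposit volume model.

```python
"""Static NIM optimization (added example, not the article's or any bank's
model): pick the tenor mix of a rolling fixed-income replicating portfolio
that minimises the standard deviation of the margin between portfolio yield
and deposit rate over a historical sample period."""
import itertools
import math
import random
from typing import Dict, Iterator, List, Tuple

TENORS_MONTHS = [1, 12, 36, 60]                               # rolling-ladder tranches (assumed)
TERM_PREMIUM = {1: 0.000, 12: 0.002, 36: 0.005, 60: 0.008}    # assumed premium over the short rate


def constructed_short_rate(n_months: int = 120, seed: int = 1) -> List[float]:
    """Mean-reverting benchmark rate path; a constructed sample, not market data."""
    rng = random.Random(seed)
    rate, path = 0.02, []
    for _ in range(n_months):
        rate += 0.05 * (0.025 - rate) + rng.gauss(0.0, 0.0025)
        path.append(max(rate, 0.0))
    return path


def deposit_rate(short_rate: List[float], beta: float = 0.4, lag: int = 2) -> List[float]:
    """Deposit rate = pass-through (beta) of the lagged benchmark; beta and lag are assumptions."""
    return [beta * short_rate[max(i - lag, 0)] for i in range(len(short_rate))]


def ladder_yield(short_rate: List[float], tenor: int) -> List[float]:
    """Book yield of a ladder that buys one `tenor`-month tranche every month at the
    then-prevailing fixed rate: the mean rate of the tranches still alive."""
    fixed = [r + TERM_PREMIUM[tenor] for r in short_rate]
    out = []
    for i in range(len(fixed)):
        live = fixed[max(i - tenor + 1, 0): i + 1]
        out.append(sum(live) / len(live))
    return out


def margin_series(weights: Dict[int, float], short_rate: List[float], dep: List[float]) -> List[float]:
    """Portfolio yield minus deposit rate, month by month (the NIM on the deposit book)."""
    yields = {t: ladder_yield(short_rate, t) for t in TENORS_MONTHS}
    return [sum(weights[t] * yields[t][i] for t in TENORS_MONTHS) - dep[i] for i in range(len(dep))]


def stdev(xs: List[float]) -> float:
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))


def candidate_weights(step: float = 0.25) -> Iterator[Dict[int, float]]:
    """Every tenor mix on a coarse grid whose weights sum to one."""
    n = int(round(1 / step))
    for combo in itertools.product(range(n + 1), repeat=len(TENORS_MONTHS)):
        if sum(combo) == n:
            yield {t: c * step for t, c in zip(TENORS_MONTHS, combo)}


def optimise(short_rate: List[float], dep: List[float],
             warmup: int = 60) -> Tuple[Dict[int, float], float, float]:
    """Return (weights, mean margin, margin std) for the mix with the lowest margin
    std over the sample, skipping the first `warmup` months while the longest
    ladder fills up."""
    best = None
    for w in candidate_weights():
        m = margin_series(w, short_rate, dep)[warmup:]
        mu, sd = sum(m) / len(m), stdev(m)
        if best is None or sd < best[2]:
            best = (w, mu, sd)
    return best


if __name__ == "__main__":
    rates = constructed_short_rate()
    w, mu, sd = optimise(rates, deposit_rate(rates))
    print("weights", w, f"mean NIM {mu * 1e4:.0f} bp, margin std {sd * 1e4:.1f} bp")
```

Because the deposit rate only partly follows the benchmark, the selected mix typically pairs a short tranche (which tracks the portion of the deposit rate that reprices) with long tranches (which stabilise the rest), and the mean margin reported alongside the standard deviation is the NIM the sidebar says the approach maximises. The sidebar’s caveat shows up directly: in a sample dominated by low benchmark rates, the term premium of the long tranches is what keeps the margin positive, so the preferred tenors shift as the sample period changes.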

A key principle of best-in-class hedging strategy is that a proactive, forward-looking approach tends to work best and will enable banks to hedge more points on the yield curve. And with forward-looking scenario analysis, they should be able to anticipate risks more effectively. Consider the case of a bank that was exposed to falling interest rates and did not meet the regulatory threshold for outliers under the new IRRBB rules for changes in NII. Through analysis of potential client migrations to other products and a push to help clients make those transfers, combined with a new multi-billion-dollar derivative hedging strategy, the bank brought itself within the threshold.

Banks should not view hedging as a stand-alone activity but rather as integrated with risk management, backed by investment in talent and education to ensure teams choose the right hedges for the right situation. These may be traditional interest rate derivatives but equally could be options or swaptions to bring more flexibility to the hedging strategy. AI will be table stakes to support decision making and identify risks before they materialize. A more automated approach to data analytics will likely be required. And collateral management should be a core element of hedging frameworks, with analytics employed to forecast collateral valuations and needs, optimize liquidity reserves, and mitigate margin call risk.

Next steps: Making change happen
To effectively implement change across the activities highlighted here, best practice would be to bring together modeling capabilities under a dedicated data strategy. The target state should be comprehensive capabilities, a unified and actionable scenario-based framework, and routine use of AI techniques and behavioral data for



decisions around pricing and collateral. Most likely, a talent strategy also will be required to support capability building across analytics, trading, finance, pricing, and risk management.

Banks must marshal a broad range of market data to support effective modeling. The data will include all credit lines, including both on–balance sheet and off–balance sheet items, deposit lines, fixed-income assets and liabilities, capital items, and other items on the banking book. Ideally, banks would assemble 15 to 20 years of data, which would take in the previous period of rising interest rates from 2004 to 2007. Alongside these basic resources, banks need information on historical residual balances, amortization plans, optionality, currencies, indexing, counterparty information, behavioral insights, and a full set of macro data. Some cutting-edge models incorporate about 150 different features.

Armed with comprehensive data, banks can build behavioral models (for example, prepayments, deposits) to estimate parameters and infer behavioral effects in different scenarios. They can then integrate behavioral outputs into stress-testing simulations, alongside expert-based insights. Once macroeconomic data has been inputted, banks should be able to compute delta NII and EVE for three years. Visualization tools and hedging replica analysis can help teams clarify their insights and test their hedging strategies across risk factors.

Banks that have embraced the levers discussed here have set themselves on a course to more proactive and effective interest rate risk management. Through a sharper focus on high-quality data and the use of AI and scenario-based frameworks, banks have shown they can make better decisions, upgrade their hedging capabilities, optimize the cost of funding, and ensure they stay within regulatory thresholds. In short, they will be equipped to respond faster and more flexibly as interest rates enter a new era of volatility.

Andreas Bohn is a partner in McKinsey’s Frankfurt office, Sebastian Schneider is a senior partner in the Munich office,
Enrique Briega is a knowledge expert in the Madrid office, and Mario Nargi is an associate partner in the Milan office.

The authors wish to thank Gonzalo Oliveira and Stefano Terra for their contributions to this article.

Copyright © 2024 McKinsey & Company. All rights reserved.



The promise of generative AI for credit customer assistance
Generative AI can enhance knowledge of the credit customer journey and lead to improved outcomes.
This article is a collaborative effort by Bruno Batista, Márta Matécsa, and Matt Higginson, with Jose Luis, Pablo Fulcheri, and Stephan Beitz, representing views from McKinsey’s Risk & Resilience Practice.



With the rapid emergence of generative AI (gen AI), credit customer assistance and collection functions are taking advantage of the technology’s potential. They can use it to enhance operational capabilities, improve efficiency, increase effectiveness, and—most importantly—create better outcomes for customers.

In recent years, technological disruption has been an inseparable component of credit customer assistance and collections. The shift has been driven by increasingly tech-savvy customers and transparency demands from regulators, both fueled by the COVID-19 pandemic and other credit crises. So far, these technological advancements, such as machine learning (ML) modeling, digitization, and automation, have enabled credit customer assistance and collections to become more streamlined, data driven, and customer oriented. New technology has allowed the offering of more services, more relevant arrangements with customers, new renegotiation pathways, and improved settlement conditions. These can strengthen the customer relationship with institutions, improving customers’ financial health and long-term value to institutions.

Gen AI is the latest and potentially most transformative of these advancements, and it can have an unprecedented positive impact on customer assistance. It can improve and personalize customer contact, boost the capability of agents serving clients, and automate routine processes, such as note taking, interaction summarization, and even some customer interactions. In turn, these benefits can aid the regulatory process through the technology’s ability to organize and synthesize information.

As a result, the adoption of gen AI in the customer assistance and collections space is by no means limited to use in reducing delinquencies. It has the potential to significantly improve customer interactions and treatment and drastically reduce collection-related costs by freeing up resources in operations while effectively addressing credit losses. This enhanced credit efficiency might enable businesses to retain collections in-house as a core capability and capture additional benefits, such as customer loyalty serving as a new source of competitiveness in managing the cost of extending credit to customers. Some early use cases are already yielding measurable results.

In our experience, organizations that deploy advanced gen AI capabilities in customer assistance and collections can achieve up to a 40 percent reduction in operational expenses and improve recoveries by about 10 percent. Additionally, collections could see up to a 30 percent increase in customer satisfaction scores, driven by the technology’s ability to better identify and address customers’ needs on time, helping them become debt-free more quickly.

In this article, we identify the needs of customer assistance and collections functions and discuss where gen AI can add value both to organizations and to customers. We also explain when and where gen AI can be implemented and discuss three gen AI use cases that, in our view, will dramatically change the operations for collections and customer assistance.

Challenges of customer assistance and potential of gen AI
The goal of customer assistance and collections is to support customers in overcoming financial distress while minimizing losses and keeping operational costs low—efforts that enable institutions to foster strong relationships and loyalty with their customer base. These functions must balance efficiency and effectiveness without compromising the overall portfolio risk profile and customer experience.

Collections functions are typically tasked with four main priorities:

— Creating a positive experience in the customer journey. This has become the core obligation of the function. That means giving relevant and meaningful financial advice, offering payment holidays when appropriate, and proactively engaging at an early stage of delinquency.

The promise of generative AI for credit customer assistance 33


— Managing value at risk by strategically lowering financial risk. This priority includes identifying which intervention is needed—and when—for each customer, based on their circumstances and ability to pay.

— Minimizing cost without compromising efficacy and experience. This includes knowing when and how to reach out to a customer, automating time-consuming tasks such as data collection and note taking, and providing incentives for using self-serve channels.

— Adhering to regulatory guidelines and customer duty. Strong customer care requires sensitivity to the intensity and tone of messages, analytics-based guardrails to avoid bias and ensure availability, and the identification and implementation of the right products to improve customers' financial outlooks.

Gen AI can be used as a powerful tool to support the overall digitization of customer assistance. It's ideal for the many customers who prefer to negotiate with a machine over having to share their difficulties with a human. Gen AI can also provide a more personalized touch in messages sent to a customer base.

We see four fundamental areas, all of which can lead to better outcomes for the customer, emerging for applying gen AI in customer assistance and collections:

— Reducing demand for manual intervention. Gen AI can be used at scale in analyzing call transcripts and chat interactions to identify the core issues a customer is facing, such as when customers didn't receive statements and forgot payments. By addressing these root causes proactively, institutions can reduce demand for agent intervention, improving customer experience by making interactions faster, less stressful, and personalized.

— Gathering insights and improving operations. Gen AI applications can be fine-tuned on specific call models and employ quality control metrics to semiautomate the continuous improvement of operations. For example, the technology can interpret screen captures of common system reports to generate insights for a call center's control desk and ultimately automate parts of this function for greater efficiency. Combined, these additions can also enable agent coaching, enhanced performance management, and early intervention in quality issues. All of this can be done at scale using the information from all client communications rather than samples, both improving customer experience and helping to reduce financial risk.

— Supporting agents and freeing up time. Gen AI can bolster the capabilities of case handlers in real time to improve experience and help reduce financial risk. This can range from adding a knowledge assistance tool to clarify a policy or offer eligibility to interpreting conversations and suggesting an interaction approach, tone, or product to the agent. Ultimately, this could occur through automation. In turn, such a boost can reduce or fully eliminate the need for agents to spend time manually writing post-call notes into a system, freeing up their time for cases that require a high-touch approach.

— Automating interactions. Gen AI can help power the next generation of chatbots, human-like interactive voice response (IVR), and even virtual agents. These tools can potentially offer increased empathy and high-quality solutions for customers while speeding up the process. Additionally, they can power hyperpersonalized messages both in these channels and in mass communications (such as emails and text messages), further improving their effectiveness and the user experience.

34 McKinsey on Risk & Resilience Number 17, July 2024


Gen AI implementation across credit customer assistance

Getting gen AI up and working in customer assistance isn't as simple as plugging in a computer. Customer care leaders need to be sure capabilities put in place during early development enable the efficient growth of the gen AI ecosystem (see sidebar, "Principles for implementing a generative AI customer assistance journey"). The potential benefit of an all-in approach may be tempting, but simple, small, and manageable steps better serve functions initially.

When considering the implementation road map, leaders will have to balance value creation against disruption to the business and the potential for bugs. One smart approach that players are adopting is prioritizing high-value, internal use cases. These use cases can be built in a modular way, allowing for later deployment for customers when data, regulatory, and risk constraints are lifted.

Innovative customer assistance functions are choosing gen AI use cases that can be built and implemented rapidly without the need for complicated technical investments. These use cases typically involve using ready-to-use large language models (LLMs) that require limited development efforts and have minimal risk, as they rely on public or internal data and aren't client facing. Additionally, they tackle a function's area or process that is clearly defined, not scattered, and can capture impacts such as customer call insights and quality control effectively.

Early on, these use cases shouldn't require sophisticated fine-tuning or content interpretation. Instead, they should have a limited yet clearly defined set of guardrails. For example, a gen AI use case could be for analyzing call data to identify factors contributing to successful outcomes. In this scenario, the use case is simple, manageable, and easy to measure: the low-cost ability to analyze call volume has a short implementation timeline, minimal integration expenses, and limited change management or retraining requirements.

On the midterm horizon, players are considering gen AI use cases that involve real-time output. These use cases often require more controls and security measures than less-advanced ones do, as they may involve the use of confidential customer data. However, the output of the model doesn't directly interact with customers, as it requires human intervention instead.

Principles for implementing a generative AI customer assistance journey

The following step-by-step guideline can help leaders looking to implement generative AI (gen AI) across their customer care and collections functions:

1. Ideate and develop a long list of gen AI use cases.

2. For each use case, identify impact, feasibility, and the required gen AI application, such as creating a question-and-answer document and virtual expert.

3. Prioritize gen AI use cases based on impact, feasibility, and organizational needs.

4. Agree on the highest-priority gen AI use case and start the development of a minimum viable product (MVP).

5. Refine the MVP based on user experience, then roll out and scale the MVP to the full organization.

6. Repeat steps four and five for the next use case on the priority list.



Advanced applications of gen AI typically require a larger set of unstructured data from various sources to be fine-tuned. As a result, they require more advanced testing and validation processes and are more likely to be built and deployed across different areas or functions within an organization.

The most advanced applications of gen AI will require significant development effort and investment, which often leads to implementation timelines of roughly two to three years. These use cases are typically client facing. They will require both sophisticated environments to reduce latency to acceptable levels and robust guardrails to safeguard both the data exchange and the output to customers. They might be costly using today's technology.

In the long term, to truly capture the benefits of gen AI, leaders should consider how its deployment affects the end-to-end journeys of both the customer and the customer care team. Combining different use cases has much more impact than developing individual use cases does. When coordinated, one use case can leverage another to amplify the individual impact while building on the same modular architecture.

Moving to a mature gen AI system is transformational. Each area enhanced by this innovative technology will need a revised operating model to fully capture the value generated. Adjustments will be needed for existing processes, policies, human intervention, staffing, and more.

Three concrete gen AI use cases for customer assistance

Our research shows that end-to-end transformation of a business domain such as collections with gen AI use cases involving augmentation, automation, and demand reduction can yield up to 30 percent productivity gains. Customer assistance functions across institutions around the world are already implementing gen AI. Here are three examples of how gen AI has enhanced the process. These examples come with the caveat that capturing the full potential of gen AI requires the deployment of a whole portfolio of use cases that integrate with one another.

Gen AI as a low-cost, high-value performance booster

Gen AI can be used to quickly analyze unstructured data to generate actionable insights. The most intuitive application of this in the customer assistance space is to analyze call recordings for comparison of interaction quality against a proprietary knowledge base of a call model. The comparison should include objection management and empathetic approaches, among other measurements.

With minimal development or integration effort, this capability allows institutions to improve strategy and performance management by applying insights from specific calls. It can be used to improve coaching conversations by automating part of the process through self-guided dashboards, suggestions, and training programs. Gen AI algorithms can also identify patterns and use them to help leaders rethink their institution's existing strategy and call-model approach.

A consumer finance institution deployed gen AI to improve the effectiveness of its frontline customer assistance workforce. It was able to quickly identify the specific call model elements that helped keep arrangements intact, all with limited model fine-tuning. The company also used this information to create a 360-degree, personalized, digital performance management dashboard. The dashboard included call-level feedback for supervisors to use when providing coaching and personalized training, leading to a 10 percent improvement in performance.

Similarly, a major European credit manager company used the gen AI capability of natural language processing with traditional ML techniques to help identify collateral and match it to accounts. They also created a personalized digital performance-management dashboard with call-level feedback for supervisors to provide coaching and personalize training, leading to a 10 percent increase in payments.



Gen AI as a live copilot: Expanding frontline reach with real-time integration

Gen AI can serve as a copilot to boost the performance of agents in real time throughout customer conversations (exhibit). This enables a better overall customer experience through more structured and targeted interactions that focus on what matters to the customer.

In early versions of this deployment, agents can ask a chat interface to provide a summary of previous interactions with a customer, how to respond to a specific question, and if a specific product or discount is available to an account. More advanced deployments can be integrated into telephone calls or other electronic discussions to suggest actions, products, or approaches to the agent during the evolving conversation. They can also include automatically identifying if a conversation is going outside policy, gauging quality control, and triggering the intervention of a supervisor to prevent a negative customer experience before it escalates.

For chat-based interactions, gen AI can prepopulate suggested responses for customer replies, with agents editing as needed, thus increasing the efficiency of the interaction. These conversational responses can be personalized based on customer profile, previous interactions, and current exchange to enhance customer experience and the likelihood of a positive outcome.

An implementation of this use case by a bank resulted in an estimated agent productivity increase of up to 14 percent. Using gen AI as a copilot enabled agents to handle more interactions and spend less time on research and typing. We project that average handling time could be reduced by 10 percent by providing personalized and empathetic responses, resulting in less time spent on customer service. Collection agents using this capability are also likely to have more successful debt or restructuring negotiations, leading to a 6 percent increase in recoveries.

Exhibit

Gen AI can analyze customer assistance calls to improve outcomes.

Share of customer assistance calls with payment promise that adhered to script, by payment result (percent, 0 to 100), comparing calls where payment was received with calls where payment was not received. Script steps, across call opening, customer assistance and negotiation, and call closing: Introduce yourself; Ask for client; State objective; Authenticate; Share info on debt; Negotiate; Bring commitment; Clarify method of payment; Create urgency; Update contact information; Remind of negotiated terms; Close call.

Script adherence was relatively high in call-opening steps. Calls with kept promise to pay had significantly higher adherence in customer assistance and call-closing steps.

Source: GPT-4 results for 631 calls with promise to pay; McKinsey analysis
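The measurement behind the exhibit, as an added example that is not from the article or from any institution's deployment: a model labels, for each call, which script steps the agent performed, and the analysis compares adherence per step between calls where the promised payment arrived and calls where it did not. Here the LLM labeller is replaced by keyword patterns over the agent's turns, and the four transcripts are constructed; the step names follow the exhibit, while the patterns, transcripts, and lift threshold are assumptions.

```python
"""Script-step adherence by payment outcome. Added example; patterns and transcripts are constructed."""
import re
from collections import defaultdict

# Script steps named as in the exhibit. Each regex is an assumed stand-in for an LLM
# classifier and marks the step as performed when it matches the agent's own words.
STEP_PATTERNS = {
    "introduce yourself": r"\bmy name is\b|\bthis is \w+ (?:from|calling)\b",
    "authenticate": r"\bdate of birth\b|\bverify your identity\b|\bsecurity question\b",
    "share info on debt": r"\bbalance of\b|\boutstanding\b|\bpast due\b",
    "negotiate": r"\bpayment plan\b|\binstal?ments?\b|\bcould you manage\b",
    "bring commitment": r"\bcan i count on\b|\bdo you agree to pay\b",
    "clarify method of payment": r"\bdebit card\b|\bbank transfer\b|\bdirect debit\b",
    "remind of negotiated terms": r"\bto recap\b|\bto confirm\b",
    "close call": r"\bthank you for your time\b|\bhave a (?:good|nice) day\b",
}


def detect_steps(transcript):
    """Label each step True/False from the agent's turns only (lines prefixed 'AGENT:').
    Customer turns are ignored so that a customer quoting the script cannot count as adherence."""
    agent_text = " ".join(
        line.split(":", 1)[1] for line in transcript.splitlines() if line.startswith("AGENT:")
    ).lower()
    return {step: re.search(pat, agent_text) is not None for step, pat in STEP_PATTERNS.items()}


def adherence_by_outcome(calls):
    """calls: iterable of (transcript, payment_received). Returns, per step, the share of calls
    (in percent) that adhered, split by outcome, or None where a bucket has no calls."""
    tallies = defaultdict(lambda: {"received": [0, 0], "not_received": [0, 0]})
    for transcript, paid in calls:
        bucket = "received" if paid else "not_received"
        for step, done in detect_steps(transcript).items():
            tallies[step][bucket][0] += int(done)
            tallies[step][bucket][1] += 1
    return {
        step: {b: (round(100.0 * hit / total, 1) if total else None) for b, (hit, total) in t.items()}
        for step, t in tallies.items()
    }


def steps_with_lift(shares, min_gap=20.0):
    """Steps whose adherence is at least min_gap points higher on calls where payment arrived:
    the candidates for coaching and for a revised call model."""
    return sorted(
        step for step, s in shares.items()
        if None not in (s["received"], s["not_received"])
        and s["received"] - s["not_received"] >= min_gap
    )


# Four constructed transcripts (not real calls): two where the promised payment was received, two where it was not.
CALLS = [
    ("\n".join([
        "AGENT: Good morning, my name is Ana from the bank.",
        "AGENT: Before we continue, can you confirm your date of birth?",
        "CUSTOMER: 3 March 1980.",
        "AGENT: Your account has an outstanding balance of 420 and is past due.",
        "AGENT: Could you manage a payment plan of three instalments of 140, by debit card?",
        "CUSTOMER: Yes, that works.",
        "AGENT: To recap, 140 on the 5th of each month for three months. Can I count on that?",
        "AGENT: Thank you for your time, have a good day.",
    ]), True),
    ("\n".join([
        "AGENT: Hello, this is Ben calling from the collections team.",
        "AGENT: Could I verify your identity with your security question?",
        "CUSTOMER: Sure, it's Rex.",
        "AGENT: Your account is past due by 300. Would two instalments of 150 be manageable?",
        "AGENT: Do you agree to pay the first 150 by direct debit on Friday?",
        "CUSTOMER: I agree.",
        "AGENT: To confirm, 150 on the 20th and 150 on the 27th. Have a nice day.",
    ]), True),
    ("\n".join([
        "AGENT: Hi, my name is Cara from the bank.",
        "AGENT: Can you confirm your date of birth for me?",
        "CUSTOMER: 9 June 1975.",
        "AGENT: You have an outstanding balance of 510.",
        "CUSTOMER: I cannot pay anything right now.",
        "AGENT: I understand. Thank you for your time.",
    ]), False),
    ("\n".join([
        "AGENT: Good afternoon, this is Dan from the bank.",
        "AGENT: Your account is past due by 250.",
        "CUSTOMER: How do I know you are from the bank?",
        "AGENT: We could set up a payment plan if that helps.",
        "AGENT: Okay, goodbye.",
    ]), False),
]

if __name__ == "__main__":
    shares = adherence_by_outcome(CALLS)
    for step, s in shares.items():
        print(f"{step:28s} received {s['received']!s:>5}  not received {s['not_received']!s:>5}")
    print("steps with lift:", steps_with_lift(shares))
```

On the constructed calls the opening step is performed on every call regardless of outcome, while commitment, payment-method, and recap steps appear only on the calls that paid, which is the shape of result the exhibit reports. Restricting detection to agent turns matters in production too: if customer text were scored, a customer reading the script back, or an adversarial caller, could inflate the agent's adherence.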



In a simpler copilot implementation, a large bank in the United Kingdom is training existing LLMs with regulatory documentation and internal policies to provide a chatbot interface. Frontline agents will soon use it to quickly navigate product eligibility and compliance guidelines, greatly enhancing customer experience and call quality metrics. It's a step up from architecture originally developed for anti-money-laundering and know-your-customer rules.

Gen AI as a customer-facing virtual agent: Bringing full power of automation

Gen AI is already being used across industries to improve customer interactions, from restaurant drive-throughs to customer authentication in call centers. In the customer assistance space, players are looking at elements in the journey that could be automated with virtual agents to create 24/7, empathetic support for customers and free up time for real-life agents to focus on the cases that need the most attention.

The technology offers a huge benefit in efficiency. Frontline agents often spend excess time on process-heavy customer interactions, such as authenticating customers and finalizing payments that weren't completed because of technical issues. Additionally, many customers hesitate or feel uncomfortable when speaking about their financial distress to someone on the phone. Others might need to have discussions outside typical business hours.

Gen AI can alleviate much of the friction by replacing traditional, script-based chatbots and IVR with ones that provide a human-like interaction experience that is both empathetic and personalized. This technology can also be integrated with existing systems to search for and provide responses to customer questions and suggest specific arrangements in real time. When the technology is stumped, it can automatically escalate to a human agent.

A utility company is currently migrating several use cases of its call center, including authenticating customers and solving specific billing issues, to a gen-AI-powered virtual agent. In this migration, the company aims to handle more than 45 percent of its inbound volumes through the new virtual agent at a fraction of the cost of customer representatives, who could then devote more time to more nuanced cases or other tasks.

Credit customer care can lead an institution's gen AI journey

The impact and benefits of implementing gen AI in the customer assistance and collection space are already being realized by fast adopters across the world. While short-term benefits can be captured immediately on specific use cases, a structured road map is necessary to capture the most value, minimize risks, and make the most out of cross-organizational investment for long-term success.

By building a scalable gen AI capability in the credit customer assistance space and coordinating with other functional areas of the organization, institutions can combine the power of data, automation, and human capital into collections that keep customers and improve finances.

The adoption of this new technology in customer assistance shouldn't be seen only as a way to quickly realize value and fund the broader adoption of the new tools. It's also a way to pressure-test an organization's capabilities and the technical infrastructure needed to scale.

Integrating gen AI can improve the level of support provided to customers in financial distress in a way that can benefit everyone's bottom line.

Bruno Batista is a partner in McKinsey’s São Paulo office, where Jose Luis is a consultant; Márta Matécsa is a partner in
the Budapest office; Matt Higginson is a partner in the Boston office; Pablo Fulcheri is an associate partner and a senior
knowledge expert in the Charlotte office; and Stephan Beitz is an associate partner in the Frankfurt office.

Copyright © 2024 McKinsey & Company. All rights reserved.



Navigating shifting risks
in the insurance industry
How insurance chief risk officers balance today’s complex demands.
by Erwann Michel-Kerjan and Lorenzo Serino

Today's insurers are exposed to multiple risks, from financial risks, such as shifting interest rates, changing costs and sources of capital, and increasing claims levels due to consecutive years of significant inflation, to an array of nonfinancial risks, including extreme climate events and generative AI (gen AI). This uncertain environment has spurred leaders to be more cautious but also more innovative in a way that still supports a path to sustainable, profitable growth.

The industry is taking multiple steps to manage both financial risks and pervasive nonfinancial risks. We know this based on our ongoing conversations and work with insurers and on insights gathered in our recent industry benchmark1 of carriers (representing over $400 billion of revenues) and at the McKinsey 5th Annual Insurance CRO Roundtable—an event attended by 25 chief risk officers (CROs) of leading life and property and casualty (P&C) insurers.

The majority of participating CROs said that they expect a slight economic downturn in the next two years and predict GDP will contract by approximately 1 percent, alongside a gradual normalization of annual inflation rates to about 2 percent. A few CROs expressed concerns over a more severe economic contraction, anticipating a GDP decrease of 3 percent or more. It's clear that capital management and balance sheet management have become even more critical for many carriers, as we further discuss below.

Beyond macroeconomic pressure, CROs are working more closely with their CEOs and boards to brace against nonfinancial threats. These leaders face growing geopolitical instability and uncertainty, rapidly evolving regulatory complexity, cyberthreats, and significant climate risk—all of which can impact their portfolios. CROs also need to establish their role in the uncharted territory of emerging technologies, including gen AI, and their exponential growth. The emphasis on nonfinancial risk management is thus gaining traction. And we are witnessing more boards expecting measurable progress across these topics to better protect the insurer and, ultimately, their shareholders and customers.

In this article, we share what insurance industry CROs identify as critical issues facing their organizations, focusing on selected priorities. We analyze the steps leaders in the field have taken to mitigate these risks and discern strategies by category—whether public, private, or mutual insurers. We then sketch a pathway forward, identifying issues early on and implementing agile and resilient systems to keep insurers not only healthy but also thriving.

How insurance CROs are approaching today's risks

Insurance risk leaders have identified several issues facing the industry and point to the strategic options they are using to mitigate these concerns.

Capital management is becoming an even more strategic topic due to changes in the economic and regulatory environments

While the inflation spike is less of a concern this year than it was in 2022 and 2023, changes to macroeconomic conditions, regulatory requirements, accounting standards, and the competitive landscape have put significant pressure on insurers' capital positions and are pushing them to strategically rethink their optimal balance sheet composition.

For P&C companies, capacity continues to be the biggest challenge. Losses from increasingly frequent and severe catastrophes, emerging exposures, and new types of risk have produced a surge in demand for insurance coverage. As always, insurers must control costs and derisk through repricing and reinsurance. In addition, sourcing alternative capital continues to play a meaningful role. The insurance-linked securities (ILS) market grew by more than 20 percent year to year from 2022 to 2023. Catastrophe bonds alone hit an all-time high in the first two quarters of 2024.2 Although ILS returns have been fluctuating, there are still investors willing both to look for assets that diversify their portfolios and to seek attractive returns. New business models, such as public–private partnerships, present new opportunities for different capital participation models.

For life and annuity carriers, different ownership types drive different priorities. Under pressure from investors, public companies are shifting their focus toward capital-light businesses, utilizing reinsurance and other levers to optimize capital position and returns. Private-capital-backed carriers pay close attention to ownership structure and regulatory treatment based on locations that allow them to keep the growth momentum and take appropriate investment risk under specific capital regimes. Mutual companies are generally willing to accept lower returns, but they face the same pressure of having enough capital to back their policies and staying competitive and resilient under multiple shocks and market conditions.

To build resilience, carriers need to upgrade their stress-testing capabilities. While scenario planning is top of mind for carriers, approaches to applying the scenarios vary widely. In our industry benchmark, a third of insurers reported using no more than ten scenarios for risk appetite and capital requirement determination. Yet another third reported using up to 250. In best practice, insurers are combining scenario simulation and "reverse stress testing" techniques3 to design and run a large number—as many as 10,000—of internally consistent macroeconomic scenarios and analyze a suite of financial measures at a granular level. By identifying potential early-warning indicators, those insurers are able to analyze the impact of management actions, create transparency on the assessment, and lead to a prioritized set of decisions.

Over time, capital management for CROs will continue to evolve from a compliance and risk play to a value creation play. This could mean moving from focusing on solvency ratio and excess capital to improving transparency on capital generation and uses of capital across business units and products. The aim is to achieve an economic return on capital given the cost of capital for the insurer while maintaining a healthy level of excess capital. This shift would require the risk function to navigate complex (and sometimes multiple) capital frameworks, establish transparency on capital positions and uses (with possible capital reallocation across units, which is always a sensitive topic for the top team), enhance risk/return measures, and refine governance for decision making.

Gen AI at scale is expected to become table stakes for carriers; building a robust, risk-proof maintenance-at-scale model supported by the right talent will be critical

At our industry roundtable, technology, advanced analytics, and gen AI topped the list of concerns for insurance CROs. The emergence of gen AI has drawn considerable interest in the insurance world, as it does in banking, since it is viewed as both a disrupting force to the traditional business model and a powerful tool in the arsenal of underwriters, claims managers, and distribution leaders. Some insurers are considering its potential to transform distribution across life and P&C lines for both individual and commercial clients. The technology can help insurers understand the in-depth risk profiles of clients and produce much more tailored insurance contracts that suit their needs.

In a sector still defined by a high degree of manual processes and legacy systems, we expect a 10 to 30 percent increase in productivity across the risk and compliance function in insurance by deploying gen AI. Gen AI can enhance decision making by businesses by summarizing sets of documentation, improving the quality of policy information, and automating data extraction and operations.

1 McKinsey's 2023 insurance risk and resilience benchmark.

2 With nearly $50 billion in catastrophe bonds and insurance-linked-securities risk capital outstanding as of May 2024, according to Artemis data.
3 As a complement to the more traditional approach of using deterministic scenarios to stress test a given portfolio, reverse stress testing determines which multivariate scenarios would seriously impact the firm by generating tens of thousands of scenarios and quantifying interdependencies, including for less commonly understood scenarios.
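The scenario simulation and reverse stress testing described in the stress-testing paragraph above and in footnote 3, as an added example that is not from the article or from any insurer's model: it generates internally consistent scenarios by correlating three assumed risk factors, values a stylized balance sheet under each, and then works backwards from the solvency floor to the mildest combination of shocks that breaches it. The balance sheet, factor volatilities, correlations, seed, and solvency floor are all assumptions chosen for illustration.

```python
"""Scenario simulation with a reverse stress test.
Added example; the balance sheet, volatilities, correlations, and floor are assumed values."""
import math
import random

FACTORS = ["equity_return", "rate_change", "cat_loss_ratio"]
# One-year shock standard deviations per factor and their correlation matrix (assumed).
SIGMA = [0.18, 0.012, 0.10]
CORR = [[1.0, -0.3, 0.1],
        [-0.3, 1.0, 0.0],
        [0.1, 0.0, 1.0]]

# Stylized balance sheet (assumed): equities, bonds with a modified duration, a liability book
# that moves with rates and with the catastrophe loss ratio, and a fixed capital requirement.
BALANCE = {"equities": 300.0, "bonds": 1200.0, "bond_duration": 6.0,
           "liabilities": 1250.0, "liability_duration": 8.0,
           "premiums": 400.0, "scr": 140.0}


def cholesky(matrix):
    """Lower-triangular L with L * L^T == matrix; matrix must be symmetric positive definite."""
    n = len(matrix)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = math.sqrt(matrix[i][i] - s) if i == j else (matrix[i][j] - s) / L[j][j]
    return L


def generate_scenarios(n, seed=7):
    """Draw n internally consistent scenarios: correlated standard normals scaled by SIGMA."""
    rng = random.Random(seed)
    L = cholesky(CORR)
    scenarios = []
    for _ in range(n):
        z = [rng.gauss(0.0, 1.0) for _ in FACTORS]
        shocks = [sum(L[i][k] * z[k] for k in range(len(z))) * SIGMA[i] for i in range(len(z))]
        scenarios.append(dict(zip(FACTORS, shocks)))
    return scenarios


def solvency_ratio(scn, b=BALANCE):
    """Own funds over the capital requirement after applying one scenario's shocks."""
    assets = (b["equities"] * (1.0 + scn["equity_return"])
              + b["bonds"] * (1.0 - b["bond_duration"] * scn["rate_change"]))
    liabilities = (b["liabilities"] * (1.0 - b["liability_duration"] * scn["rate_change"])
                   + b["premiums"] * scn["cat_loss_ratio"])
    return (assets - liabilities) / b["scr"]


def shock_distance(scn):
    """Size of a scenario in standard deviations per factor (correlation ignored for simplicity)."""
    return math.sqrt(sum((scn[f] / sd) ** 2 for f, sd in zip(FACTORS, SIGMA)))


def reverse_stress_test(scenarios, floor=1.0):
    """Work backwards from the solvency floor: return every breaching scenario with its ratio,
    and the mildest breach, i.e. the smallest combined shock that still breaks the floor.
    That mildest breach is the pattern an early-warning indicator should watch for."""
    breaches = [(s, r) for s in scenarios for r in [solvency_ratio(s)] if r < floor]
    mildest = min(breaches, key=lambda sr: shock_distance(sr[0]), default=None)
    return breaches, mildest


def factor_profile(breaches):
    """Average shock per factor across the breaching scenarios: which factors drive failure."""
    if not breaches:
        return {f: 0.0 for f in FACTORS}
    return {f: sum(s[f] for s, _ in breaches) / len(breaches) for f in FACTORS}


if __name__ == "__main__":
    scns = generate_scenarios(10_000)
    breaches, mildest = reverse_stress_test(scns)
    print(f"{len(breaches)} of {len(scns)} scenarios breach the floor")
    print("mean shock among breaches:", factor_profile(breaches))
    if mildest:
        print("mildest breach:", mildest[0], "ratio", round(mildest[1], 3))
```

The two halves map onto the article's distinction: `generate_scenarios` is the forward simulation (many coherent scenarios, each valued), and `reverse_stress_test` is the reverse step that starts from the failure condition and asks which scenarios produce it. On this stylized book a falling-rate shock hurts (liabilities are longer than assets), so breaches cluster on equity falls combined with rate declines and catastrophe losses; the mildest breach and the factor profile are what a CRO would turn into monitored indicators.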

Navigating shifting risks in the insurance industry 41


A key opportunity presented by gen AI lies in addressing unstructured data. Despite strategic investments in analytics, carriers are acknowledging that data quality remains a core challenge for many of them. More than one-third of carriers in our benchmark indicated limited accuracy in maintaining a single source of truth for data.

At the same time, gen AI is also a risk that CROs and their teams will need to learn to manage in the second line of defense. The technology can present problems such as impaired fairness, intellectual property and privacy concerns, and security threats (for example, prompt injection and leakage of confidential data through model inputs and outputs). As gen AI maturity evolves, the shortcomings of first-generation tools will be gradually addressed, especially privacy and fairness considerations.

Given gen AI's relatively novel risk profile and extremely rapid pace of development, carriers need to adapt their approach to fully integrate a transparent, responsible use of AI. In practical terms, this means establishing responsible gen AI principles and ethical guardrails, such as always having a human in the loop or restricting the use of gen AI for recruitment. Insurers must also establish risk ownership for each AI use case to ensure robust governance of AI implementation and conduct regular risk assessments to analyze emerging gen AI risk trends. Making sure the risk and compliance, as well as legal, functions are integrated early on in the development and use of these new models is key.

The industry is also facing difficulties finding the right talent to address data and technology risk management. Nearly 60 percent of respondents in our benchmark reported that data and technology risk has been the most challenging area for attracting talent. This shortage of skilled personnel in the industry poses a hindrance to fully capitalizing on the opportunity of advanced analytics and gen AI. In our experience, companies must train the teams they have but be clear about the gen-AI-specific skills they need.

We offer one more consideration. Managing the potential risks of a dozen independent gen AI models in limited use (that is, proofs of concept), which is where most of the industry is today, is one thing. But having to maintain and manage risks with hundreds of gen AI models connected with one another across the organization and hundreds or thousands of external vendors will be a daunting proposition. Many insurers are not ready for it yet; it is a capability that needs to be built.



Advanced climate risk management capabilities are becoming critical competitive differentiators

When adequately priced, insurance plays an important market-signal role regarding the inherent risks being insured. The rapidly evolving climate risk landscape—events such as wildfires, extreme heat, massive flooding, convective storms, and hurricanes—and the resulting tension between conditions of insurability and insurance affordability have become more central for P&C carriers.

From 1980 to 2010, the United States faced an average of five severe natural catastrophic events (having an inflation-adjusted $1 billion in damages or more) annually. Between 2011 and 2022, that number had tripled to an average of 15 per year, according to data collected by the US National Oceanic and Atmospheric Administration. Twenty-eight such events occurred in 2023. Insurance plays a critical role in helping insured disaster victims and affected areas recover faster. The weight of these mounting claims is pressuring underwriting profitability, reserve adequacy, and ultimately, the bottom lines of these P&C carriers. Their reinsurers have also often increased the retention (the level at which they will start reinsuring), leaving many insurers retaining a more significant portion of the losses, especially for midsize events. All of this combined is forcing even the most sophisticated market leaders to fundamentally restructure their models, increase premiums, and shrink their exposure in certain areas, or even stop providing coverage altogether as several of them have recently done in California and Florida. At the same time, the nonadmitted property market in the United States is growing 20 percent annually, as customers are increasingly forced to pursue higher-cost, nonstandard property coverage.

With mounting natural catastrophes and scientific forecasts for a continued upward trend, investors and regulators are increasingly demanding that insurers better understand their climate risk exposures and be ready for nonlinear, abrupt changes in climate patterns. For carriers with significant commercial or personal-property positions, investments in advanced climate analytics are becoming required capabilities, especially in combination with access to third-party data.

Life carriers are not immune to the climate risk conundrum. As large institutional investors, insurers are working to understand the impact of climate risk on their investment portfolios and liabilities. This is a result of recent climate risk disclosure rules, including those most recently adopted by the US Securities and Exchange Commission (SEC). On the asset side, transition risk, where changing economic conditions, market, and regulatory risks arise from the transition to a low-carbon economy, and physical risk can fundamentally shift expected long-term returns in specific industries and asset classes.

The climate crisis is also influencing liabilities, affecting the longevity and health of policyholders. As shifting weather patterns and environmental factors impact public health, life carriers are considering the long-term effects on mortality rates, medical costs, and overall portfolio risk exposure. Carriers now face the complex challenge of factoring climate-induced health vulnerabilities into their actuarial models.

Overall, 60 percent of carriers in our latest industry benchmark reported accelerating efforts on climate risk management. The next generation of analytical capabilities is needed for insurers to integrate climate risk into organizational strategy. However, most insurers recognize that there is significant room for their climate analytical capabilities to mature: only one out of five carriers reported that they are able to quantify climate risks to the extent they would like to or have developed a forward-looking climate strategy to address climate risk exposure holistically for the organization. Boards are also getting heavily involved in the topic, with about half of carriers in our benchmark reporting having board oversight for climate risk, such as a sustainability committee. More frequent disasters, combined with new regulations, will only reinforce this trend.

Navigating shifting risks in the insurance industry 43


Managing cyber risk is becoming a strategic priority for the second line, drawing significant investment and requiring strict prioritization

Insurers are also facing increased cyber risk exposure, as threats increase in sophistication and frequency. Insurers hold large amounts of sensitive data that need protection, among them health and medical records, lists of insured items and properties, and records of wealth and assets under management. Even sophisticated, large carriers with significant investments in cybersecurity are not immune to such threats, with CrowdStrike reporting[4] a 75 percent increase in cloud environment intrusions and Verizon reporting[5] a 180 percent increase in breaches resulting from vulnerability exploitation. In addition, new cyberthreats are emerging, especially in connection with gen AI, and the costs of cyberattacks are rising because of increasing fines, business losses, and remediation costs; attacks often have significant reputational impact as well.

In this environment, cybersecurity is not only mandated by regulation; it is a core business requirement. Consumers and business partners are demanding that carriers put in place robust cybersecurity practices. At the same time, we see greater reporting requirements due to increased scrutiny from a variety of stakeholders, including the SEC's cybersecurity disclosure requirements. All major insurers have elevated cyber risk to the board level, with 50 percent of carriers discussing it quarterly.

Third-party cyber risk management, in particular, faces increased attention today. Carriers are called to examine who their core third parties are and what those parties' cyber risk levels are. For instance, do they process critical data or run a critical business process? Additionally, investors and regulators want to know whether the carrier has concentration risk across those third parties, and what a third party's software bill of materials (SBOM) is: the inventory of components, such as open-source libraries and their versions, that make up the software the third party delivers or runs on the carrier's behalf.

Carriers are expected to stay up to date with the latest developments in cyber technology and services, improving the organization's cybersecurity posture while also reducing spending. Many of them use so-called zero trust architecture, which shifts their cyber operating model away from implicit trust in the corporate network and toward strict verification of the identity of every user, device, and request before access is granted. The majority of insurance CROs we work with take a proactive stance in monitoring and mitigating cyber risk in conjunction with the chief information security officer (CISO). However, about half of the carriers in our benchmark acknowledge that cyber expertise in the risk and compliance function is relatively new, as they are now building the cyber capabilities to oversee the CISO function. Investing in targeted capabilities that are truly second line and do not repeat what the first line is already doing will be accretive.

The key to success for carriers in the second line of defense—that is, efficient and effective oversight—is conducting targeted reviews based on cyber risk scenarios and on triggers for risk threats that are based on "cyber risk appetite." To address resource constraints, the risk team should understand the key risks facing the carrier, credibly challenge internal policies, procedures, objectives, and performance, and provide the board and executive team with an independent view of the first line's program, including its testing.

Putting it together: Four moves for navigating a changing risk scenario for insurers

The aforementioned risk areas are select priorities where becoming distinctive can enhance the competitiveness and resilience of the company. To thrive in an environment of economic volatility and operating uncertainty, carriers can focus on four moves:

1. Continue to make the risk function more efficient. Insurers today face increasing cost pressure, which is impacting budgets for risk management, too. Among insurers with more than $10 billion in revenues in our self-reported benchmark, the mean size of the risk function was slightly more than seven full-time employees (FTEs) per 1,000 FTEs in the company. That number was lower for

[4] 2024 global threat report, CrowdStrike, 2024.
[5] 2024 data breach investigations report, Verizon, 2024.

44 McKinsey on Risk & Resilience Number 17, July 2024


compliance (three FTEs per 1,000 FTEs). This can be a pivotal time to step back and continue to improve the efficiency of core processes and clarify roles and responsibilities for the first and second lines. Cost savings can then be captured by making selective investments in efficiency—analytics and automation are good examples—while reducing check-the-box exercises. And while carriers will need to balance the efficiency and effectiveness of their risk and compliance functions, they must take a long-term perspective and make sure to keep residual risks under control.

2. Build proper identification capabilities for emerging risks. When executives across the organization have a clear and timely view of what key risks have already manifested or are currently emerging, the organization is able to navigate volatility and uncertainty most effectively. Those risks are not siloed either, and equipping insurers with a better understanding of their interdependencies is important. This requires having in place data-enabled risk identification capabilities and flexible tech infrastructure to collect, aggregate, and monitor risk with timely data and to link it to a transparency dashboard on risk appetite. Advanced scenario planning can help here as well.

3. Shift risk and compliance "to the left." Ensuring the risk and compliance functions are at the business decision table early on is key. This is especially important for emerging risks. It is a shift away from being the final reviewers and approvers—the "right" of the decision-making process—to the left of the process, where they are an integral part of the development of new products, policies, or changes. This shift to the left fosters a healthy risk-based decision-making culture and, ultimately, faster execution within a given risk appetite. Leaders in these functions need to be agile and ready to innovate as a business partner, not just a pure control function.

4. Enhance strategic agility and resilience. In the face of uncertain economic conditions and evolving industry landscapes, insurers should prioritize enhancing their strategic agility and resilience. This involves not only preparing for known risks but also building the capacity to adapt swiftly to unforeseen challenges. Implementing flexible strategies and agile operational frameworks can empower organizations to respond dynamically to changes, whether they arise from market shifts, technological advancements, or regulatory updates.

Today, insurance industry CROs are facing multiple demands from both relatively well-known and new risks. Industry leaders are resisting short-term actions and are instead focusing on the financial and nonfinancial risks that matter most, making selective investments in capabilities such as advanced analytics and gen AI. CROs, working with the CEO, the full executive team, and the board's audit and risk committees, are also building proper emerging-risk identification capabilities, fostering a culture of innovation, enhancing strategic agility and resilience, and prioritizing the management of technology. All of this is in service of protecting the firm, its customers, its employees, and in the end, its shareholders.

While risks are ultimately owned by the first line of defense, the CROs—whether they have been in the seat for long or are new to the role—are playing a more strategic role than they did just five years ago. We expect this trend to accelerate.
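The third-party risk discussion above asks what a vendor's software bill of materials (SBOM) is. The following is an added example, not code from the McKinsey article or its authors, showing what a second-line reviewer can actually do with one: parse a CycloneDX-style JSON SBOM (including nested components), flag components whose version is below a watchlist's fixed-in version, and report components that cannot be assessed because the vendor omitted the version. The SBOM document, the component names, and the watchlist versions are all constructed for illustration and describe no real product or vulnerability.

```python
"""Review a CycloneDX-style SBOM against a watchlist of component versions.

Added example; not code from the article. The SBOM and watchlist below are
constructed: the component names, versions and fixed-in versions are made up
and describe no real software or vulnerability.
"""
import json
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample SBOM: a vendor's claims-processing service and its
# dependencies, in the CycloneDX JSON layout (bomFormat, specVersion,
# metadata.component, components[]). All names and versions are hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "claims-portal", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-json-parser", "version": "2.4.1",
         "purl": "pkg:maven/com.example/example-json-parser@2.4.1"},
        {"type": "library", "name": "example-web-core", "version": "1.9.0",
         "purl": "pkg:npm/example-web-core@1.9.0",
         # CycloneDX lets a component carry its own nested components
         # (bundled dependencies); this one omits its version on purpose.
         "components": [
             {"type": "library", "name": "example-logger",
              "purl": "pkg:npm/example-logger"},
         ]},
        {"type": "library", "name": "example-crypto", "version": "0.8.3",
         "purl": "pkg:pypi/example-crypto@0.8.3"},
    ],
})

# Hypothetical watchlist: component name -> first version that is NOT affected.
# A component is a hit when its version is strictly below the fixed-in version.
WATCHLIST = {
    "example-json-parser": "2.4.2",
    "example-crypto": "0.9.0",
    "example-web-core": "1.8.0",   # 1.9.0 in the SBOM is already fixed
}


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]


def _walk(components: list) -> Iterator[Component]:
    """Yield every component, descending into nested 'components' lists."""
    for entry in components:
        yield Component(entry.get("name", ""), entry.get("version"), entry.get("purl"))
        yield from _walk(entry.get("components", []))


def parse_components(sbom_json: str) -> list:
    """Parse a CycloneDX JSON document and return its flattened component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return list(_walk(doc.get("components", [])))


def version_tuple(version: str) -> tuple:
    """Numeric dotted-version key, e.g. '1.10.2' -> (1, 10, 2).

    Only the leading digits of each dotted piece count, so a suffix such as
    '-rc1' is dropped; a real review would use an ecosystem-aware comparison.
    """
    parts = []
    for piece in version.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def review_sbom(sbom_json: str, watchlist: dict) -> dict:
    """Return watchlist hits and components that cannot be assessed.

    'hits' lists (name, version, fixed_in) for components below the fixed-in
    version; 'unversioned' lists components whose version the SBOM omits.
    """
    components = parse_components(sbom_json)
    hits, unversioned = [], []
    for comp in components:
        if comp.version is None:
            unversioned.append(comp.name)
            continue
        fixed_in = watchlist.get(comp.name)
        if fixed_in and version_tuple(comp.version) < version_tuple(fixed_in):
            hits.append((comp.name, comp.version, fixed_in))
    return {"total": len(components), "hits": hits, "unversioned": unversioned}


if __name__ == "__main__":
    result = review_sbom(SAMPLE_SBOM, WATCHLIST)
    print(f"{result['total']} components reviewed")
    for name, version, fixed_in in result["hits"]:
        print(f"  HIT  {name} {version} (fixed in {fixed_in})")
    for name in result["unversioned"]:
        print(f"  ???  {name}: no version in SBOM, cannot assess")
```

In practice the watchlist would come from a vulnerability feed keyed on the purl rather than a hand-written dictionary, and a component with no version is itself a finding to raise with the vendor, since it makes the SBOM unusable for exposure checks.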

Erwann Michel-Kerjan is a partner in McKinsey’s Philadelphia office, and Lorenzo Serino is a partner in the New York office.

The authors wish to thank Dimitris Paterakis, Justin Greis, Liz Grennan, and Ying Zhao for their contributions to this article.

Copyright © 2024 McKinsey & Company. All rights reserved.



The cyber clock is ticking: Derisking emerging technologies in financial services

As financial institutions actively adopt emerging technologies, they should act now to future-proof themselves against growing cyber risks.

This article is a collaborative effort by Justin Greis, with Grace Hao, Lamont Atkins, Lauren Craig, and Soumya Banerjee, representing views from McKinsey's Risk & Resilience Practice.

This article is an executive summary of an extensive survey conducted by McKinsey & Company and the Institute of International Finance. Download the full report at McKinsey.com.



As financial-services companies around the world race to keep pace with a rapidly evolving technology landscape, they should consider not only what benefits new emerging technologies offer but also what risks they introduce.

To understand how companies are grappling with the best ways to use and protect the technologies of today and tomorrow, McKinsey partnered with the Institute of International Finance (IIF) to survey financial institutions around the world regarding their current and planned usage of ten key emerging technologies. How are companies approaching emerging technologies? What emerging technologies are they adopting? How do they plan to secure and mitigate the associated cyber risks? What cybersecurity capabilities will be needed to successfully adopt and secure new technologies?

Of the emerging technologies included in the survey (see sidebar, "Ten emerging technologies"), a majority of financial-services companies indicated that they are prioritizing adoption of and investment in four of them: cloud and edge computing, applied AI, next-gen software development, and digital identity and trust architecture (exhibit). All four technologies are likely to see quicker adoption than advanced connectivity, future mobility, immersive reality, quantum, machine learning, and Web3. This is perhaps because of their widespread applicability and maturity, as well as their proven, value-based use cases for financial-services companies.

Exhibit

Among technology trends, cloud and edge computing are applicable to most financial-services organizations, followed by applied AI.

Technology trends being considered by organizations,[1] % of respondents (n = 37; respondents could name more than one trend)

  Cloud and edge computing                                       84   top 4
  Applied AI                                                     78   top 4
  Next-generation software development                           73   top 4
  Trust architectures and digital identity (ie, digital trust)   70   top 4
  Industrialized machine learning                                49
  Web3                                                           46
  Advanced connectivity                                          38
  Quantum technologies                                           32
  Future of mobility                                             22
  Immersive-reality technologies (eg, metaverse)                 14
  Other                                                          11

[1] Question: Which technology trends are applicable (ie, have already been considered or discussed) to your organization?
Source: IIF; McKinsey Future of Cybersecurity Survey 2023

The cyber clock is ticking: Derisking emerging technologies in financial services 47


Ten emerging technologies

Cloud and edge computing. In cloud and edge computing, workloads are distributed across locations, such as hyperscale remote data centers, regional centers, and local nodes, to improve latency, data-transfer costs, adherence to data sovereignty regulations, autonomy over data, and security.

Applied AI (inclusive of generative AI). Models trained in machine learning can be used to solve classification, prediction, and control problems to automate activities, add or augment capabilities and offerings, and make better decisions. Note that at the time of the development and issuing of the survey, generative AI (the next generation of applied AI, which can automate, augment, and accelerate work by tapping into unstructured mixed-modality data sets to enable the creation of new content in various forms, such as text, video, code, and even protein sequences) was included as a subset of the applied AI technology category.

Next-generation software development. New software tools, including those that enable modern code deployment pipelines and automated code generation, testing, refactoring, and translation, can improve application quality and development processes.

Trust architectures and digital identity. Digital-trust technologies enable organizations to build, scale, and maintain the trust of stakeholders in the use of their data and digital-enabled products and services.

Industrialized machine learning. A rapidly evolving ecosystem of software and hardware solutions is enabling practices that accelerate and derisk the development, deployment, and maintenance of machine learning solutions.

Web3. Web3 includes platforms and applications that aim to enable shifts toward a future, decentralized internet with open standards and protocols while protecting digital-ownership rights. It's not simply cryptocurrency investments, but rather a transformative way to design software for specific purposes. This shift potentially provides users with greater ownership of their data and catalyzes new business models.

Advanced connectivity. Wireless low-power networks, 5G/6G cellular, Wi-Fi 6 and 7, low-Earth-orbit satellites, and other technologies support a host of digital solutions that can drive growth and productivity across industries today and tomorrow.

Quantum technologies. Quantum-based technologies could provide an exponential increase in computational performance for certain problems and transform communications networks by making them more secure.

Future of mobility. Mobility technologies aim to improve the efficiency and sustainability of land and air transportation of people and goods using autonomous, connected, electric, and shared solutions.

Immersive-reality technologies. Immersive-reality technologies use sensing technologies and spatial computing to help users "see the world differently" through mixed or augmented reality or "see a different world" through virtual reality.

While these technologies can provide exponential benefits, they can also bring cyber risks that companies must mitigate using their existing cybersecurity capabilities. The research shows that current capabilities are falling short of addressing these risks. Most survey respondents also recognize the need to strengthen critical cybersecurity capabilities, including third-party or supply chain management and privileged access management (PAM). As companies continue to increase their reliance on newer technologies, they must ensure they have thought through and implemented the necessary risk management capabilities. Otherwise, they may find the risks outweigh the benefits.



As the technology landscape in the financial-services industry continues to evolve rapidly over the next three to five years and as the associated risks mount, now is the time to future-proof the environment. Financial institutions can lay the foundations for action by asking themselves four questions about their pursuit of emerging technologies:

— Are we prioritizing the right technologies and cybersecurity capabilities? Are our technology priorities aligned with our security capabilities?

— Are we investing in the right technologies and cybersecurity capabilities?

— Do we have the right metrics and reporting? Can we, and do we, accurately and confidently measure against our risk appetite, provide transparency to regulators and executives, and identify strengths and weaknesses?

— Do we have the right talent to close capability gaps? Do we have sufficient and appropriate talent not just to maintain existing capabilities now but to support future maturity and technology expansions?

Justin Greis is a partner in McKinsey’s Chicago office; Grace Hao and Lauren Craig are experts in the New York office;
Lamont Atkins is a senior adviser in the Houston office; and Soumya Banerjee is an associate partner in the New Jersey office.

The authors wish to thank Martin Boer, a senior director for regulatory affairs for the Institute of International Finance (IIF), and
Melanie Idler, an associate policy adviser for IIF.

Copyright © 2024 McKinsey & Company. All rights reserved.



McKinsey Risk & Resilience Practice

Global coleader and North America
Ida Kristensen
Ida_Kristensen@McKinsey.com

Global coleader and Europe
Cristina Catania
Cristina_Catania@McKinsey.com

Asia–Pacific
Akash Lal
Akash_Lal@McKinsey.com

Eastern Europe, Middle East, and North Africa
Luís Cunha
Luis_Cunha@McKinsey.com

Latin America
Elias Goraieb
Elias_Goraieb@McKinsey.com

Chair, Risk & Resilience Editorial Board
Thomas Poppensieker
Thomas_Poppensieker@McKinsey.com

Coleader, Risk Knowledge
Lorenzo Serino
Lorenzo_Serino@McKinsey.com

In this issue
Can your company remain global and if so, how?
Europe’s new resilience regime: The race to get ready for DORA
Banking on interest rates: A playbook for the new era of volatility
The promise of generative AI for credit customer assistance
Navigating shifting risks in the insurance industry
The cyber clock is ticking: Derisking emerging technologies in financial services

July 2024
Designed by LEFF
Copyright © McKinsey & Company
McKinsey.com
