
McKinsey on Risk & Resilience

From compliance to excellence: Elevating risk management practices

Number 18, December 2024


The articles in McKinsey on Risk & Resilience are written by risk experts and practitioners from McKinsey’s Risk & Resilience Practice and other firm practices. This publication offers readers insights into value-creating strategies and the translation of those strategies into company performance.

This issue, and future issues, are available to registered users online at McKinsey.com. Comments and requests for copies or for permissions to republish an article can be sent via email to McKinsey_Risk@McKinsey.com.

Cover image: © PM Images/Getty Images

Editorial Board: Bob Bartels, Oliver Bevan, Joseba Eceiza, Daniela Gius, Justin Greis, Will Humphrey, Andreas Kremer, Mihir Mysore, Thomas Poppensieker, Sebastian Schneider, Lorenzo Serino, Diana Urieta, Marco Vettori, David Weidner

External Relations, Global Risk & Resilience Practice: Bob Bartels

Editor: David Weidner

Contributing Editor: Joanna Pachner

Art Direction and Design: LEFF

Data Visualization: Richard Johnson, Matt Perry, Jonathon Rivait, Jessica Wang

Managing Editor: Heather Byer

Editorial Production: Mark Cajigao, Nancy Cohn, Roger Draper, Ramya D'Rozario, Mary Gayen, Drew Holzfeind, LaShon Malone, Pamela Norton, Katrina Parker, Kanika Punwani, Charmaine Rice, Dana Sand, Katie Shearer, Regina Small, Maegan Smith, Sarah Thuerk, Sneha Vats, Pooja Yadav

McKinsey Global Publications

Publisher: Raju Narisetti

Global Editorial Director and Deputy Publisher: Lucia Rahilly

Global Publishing Board of Editors: Roberta Fusaro, Lucia Rahilly, Mark Staples, Rick Tetzeli, Monica Toriello

Copyright © 2024 McKinsey & Company. All rights reserved.

This publication is not intended to be used as the basis for trading in the shares of any company or for undertaking any other complex or significant financial transaction without consulting appropriate professional advisers.

No part of this publication may be copied or redistributed in any form without the prior written consent of McKinsey & Company.
Contents

3 The six habits of highly successful chief risk officers
Our interviews with top CROs reveal practices risk leaders at financial institutions can use to expand their influence and build greater resilience in their organizations amid unrelenting change.

12 The cybersecurity provider’s next opportunity: Making AI safer
New technology means new challenges—and new solutions—for cybersecurity providers.

25 Elevating the risk function in insurance: Building a strategic advantage
Today’s rapidly developing risk landscape demands a new, more nimble approach for insurance companies to assess and respond to risks, a function inherently in their DNA.

31 BCBS 239 2.0 resurgence: Strengthening risk management and decision making
A renewed focus on the 2013 data risk management regulatory standard poses new challenges and opportunities for European and US banks. Achieving compliance will take a structured, top-led approach.

37 The European Union AI Act: Time to start preparing
A successful digital future depends on responsible use of AI. The EU AI Act marks a significant step in regulating AI systems and could serve as a blueprint for other jurisdictions.
Introduction
In this latest issue of McKinsey on Risk & Resilience, we look at how companies are dedicating the resources needed to move the risk management function from compliance to excellence.

Change is happening faster than ever, creating significant challenges for organizations and their risk functions. Today,
leaders are unable to rely on previous experience and analysis to manage and mitigate future outcomes. Crises that
before took weeks or months to develop now may happen in days or hours. No one feels these changes more than the
chief risk officer (CRO), a role that was previously limited to risk but now is about building long-term resilience.

To better understand that shift, we spoke with more than 30 risk leaders from across the globe. With their experience,
combined with our own insights, we identify six habits of highly successful CROs. They include being explicit about the
risk and resilience purpose and vision and championing a risk-aware culture; investing in, empowering, and creating
the next generation of risk—and other—leaders; leading beyond risk by engaging deeply with the executive team and
board to accomplish risk and business objectives; treating supervisors as partners and being fully transparent; focusing
on what only the CRO can do by integrating insights across the organization; and continually monitoring personal
effectiveness and taking steps to manage time.

Our latest research and industry survey reveal that cybersecurity providers must not only rethink and innovate their
products and services but also reshape how they approach customers, with the emergence of generative AI being both
an opportunity and a threat.

We offer unique data and insights into the expanding and maturing role of risk in the insurance industry, in which risk
management can become a strategic advantage in building business.

We discuss BCBS 239 and data risk management standards, offering five best practices for meeting these challenges
and the opportunities presented.

Last, we address how AI is evolving and how the EU AI Act represents a significant step toward regulating AI systems to
ensure responsible AI governance, as well as how the act could serve as a blueprint for other jurisdictions globally.

Together, our research and insights underscore the need to build maturity and excellence across the risk function,
which in turn helps to drive long-term resilience across an entire organization from top to bottom.

We hope you enjoy these articles and find the ideas worthy of application. Let us know what you think at
McKinsey_Risk@McKinsey.com and on the McKinsey Insights app.

Thomas Poppensieker
Senior partner and chair,
Global Risk & Resilience Editorial Board

Copyright © 2024 McKinsey & Company. All rights reserved.

2 McKinsey on Risk & Resilience Number 18, December 2024


The six habits of
highly successful chief
risk officers
Our interviews with top CROs reveal practices risk leaders at financial institutions
can use to expand their influence and build greater resilience in their organizations
amid unrelenting change.
by Ida Kristensen, Marc Chiapolino, María del Mar Martínez, and Ritesh Jain

© Getty Images

In just the past few years, a series of unprecedented and fast-moving threats have disrupted organizations. How companies, particularly financial institutions, respond to these complex risks has profound implications.

The COVID-19 pandemic wreaked havoc on credit models, and social media has played a leading role in accelerating bank runs to real time. The latter exposed a systemic risk that has required banks to rethink their liquidity and interest rate models.

No one feels these changes more than the chief risk officers (CROs) at financial institutions. Traditionally, these CROs focus on dealing with financial risk and limiting credit and market losses—both critical for keeping institutions safe for customers and the economy at large. But over time, a new era emerged in which CROs faced greater nonfinancial risk amid pressure to boost the bottom line. Today’s evolving risk environment once again puts new pressures and requirements on CROs.

To be successful these days, CROs need to exert more influence and manage more risk. They need to do so amid mounting scrutiny from supervisors while building the business. Most important, they need to embed future-ready resilience in their institutions. As Richard Treagus, CRO of Old Mutual Limited, told us, resilience has become the North Star guiding the CRO office and leadership suite: “We [as CROs] really need to demonstrate that organizational resilience is respected, healthy, and a high priority.”

To understand just how much the CRO role is changing and which mindsets, skills, and best practices are now required for excellent risk leadership, McKinsey conducted in-depth interviews and surveyed more than 30 current and former CROs of major financial institutions worldwide; each of these individuals has spent at least five years in the role.

Through these discussions and our own insights, we identified six essential habits of successful CROs today:

1. They are explicit about their risk and resilience purpose and vision and champion a risk-aware culture.

2. They invest in, empower, and create the next generation of risk–and other–leaders.

3. They lead beyond risk by engaging deeply with other C-suite leaders and the board to accomplish business, resilience, and risk objectives.

4. They treat supervisors as partners and are fully transparent.

5. They focus on what only the CRO can do by integrating insights across the organization to anticipate future threats and strengthen resilience.

6. They continually monitor their personal effectiveness and take steps to manage time.

Many of these habits may seem familiar, but how well CROs utilize them varies. CROs told us they should be applied across all decisions. Indeed, CROs who follow these habits are more likely than their peers to manage risk more effectively and embed resilience in the organizations they lead.

‘We [as CROs] really need to demonstrate that organizational resilience is respected, healthy, and a high priority.’
– Richard Treagus, CRO, Old Mutual Limited



Habit 1: Be explicit about the risk and resilience purpose and vision and champion a risk-aware culture

Given the expanding scope of potential risks, now more than ever, employees in financial institutions’ risk functions need a North Star. This guiding principle is an understanding of the organization’s long-term vision, mission, and objectives relating to risk and resilience—and a risk culture to match. The most effective CROs relentlessly pursue the North Star and continually evaluate whether an organization is following it or not.

To develop this North Star, CROs will need to think beyond regulatory compliance and safeguarding the bank. While both remain essential, they are no longer sufficient as the focus for the risk function.

A good first step for CROs is to reflect on the following questions: What is the company’s overarching strategy? How does our organization differentiate itself through our business model? What areas are most important to us? What do our stakeholders care most about? What does success look like? A CRO who regularly helps the risk organization answer these questions can significantly boost institutional awareness and engagement.

For some CROs, the North Star is articulated in a mission statement. One risk team used 360-degree feedback from C-suite leaders, business leads, and the risk team to come up with one. Another CRO told us his organization intentionally separated its mission statement into three sections: to set standards for the whole organization, to partner with the board and the CEO to maximize the return on capital invested in resources, and to meet regulatory and external standards (including for shareholders and communities served). Still another CRO reported that their institution’s rallying cry can be summed up in one word: trust. Everything they do must reinforce customers’ and employees’ trust in the institution.

Getting buy-in on the value proposition can yield benefits to a risk function. A veteran CRO we spoke with said aligning values with management, shareholders, and the communities the bank serves not only demystifies risk and provides greater understanding but also helps to provide a margin for error. Stakeholders will “give you a lot of latitude to make mistakes, to manage through difficult times, if they see that your values and their values are aligned,” he said.

With the vision in place, CROs can champion risk culture across the organization and foster a risk-aware culture in line with their purpose and vision. As Frank Roncey, CRO of BNP Paribas, explained, “One of my primary focuses is to preserve the risk culture of the bank, which has served us quite well so far. This doesn’t mean we are necessarily conservative; it means we are disciplined, demanding, and thorough.” Roncey considers himself “guardian of the temple,” and his chairman sees the risk team as “angels of the bank.”

“Among other things,” Roncey said, “I am tasked to ensure that this culture is kept across generations. This is done through strong, principles-based risk decision making at the highest level of the organization and through clear communication about the decisions, drawing and sharing lessons from risk events or our mistakes, and explaining our decisions to younger colleagues.”

One CRO would encourage transparency and timely escalation by letting his team know that “if you tell me about a risk issue and that issue subsequently blows up, then that’s my problem. If you don’t tell me, then it’s your problem.”

Establishing a mission, vision, and risk culture won’t happen overnight; nor is it easy. One CRO described it as a “cultural journey” in which risk and resilience principles slowly permeate into all levels of the organization. Lorie Rupp, who has been the CRO at First Citizens BancShares since 2017, used a creative way to champion risk culture. “We found a picture of one of the teller stations in Smithfield where they had bars on the teller windows. That was risk management back in 1898. We have been managing risk as a company since the beginning of time. Then I started telling that story and everybody invited me to do that with their teams. It became a little bit of a road show to make the point that risk management is what we do every day.”

The six habits of highly successful chief risk officers 5


Having merged risk into the organization’s vision—and continually nurturing it—CROs have elevated their role. It’s moved from traditional risk management to one in which a resilient culture fuels and, in many ways, leads growth. But this change doesn’t happen without a team built to meet today’s unprecedented changes.

Habit 2: Invest in, empower, and create the next generation of risk–and other–leaders

The demands of managing in today’s increasingly complex risk environment require CROs to build a bench that meets the moment. That’s why CROs create the next generation of risk leaders—and, ultimately, the organization. They do so by building a diverse team, delegating to and empowering the team, and planning for leadership development and succession from the beginning.

The CROs told us that the most critical aspect of diversity is diversity of thinking. Achieving this involves combining different backgrounds, experiences, and skill sets.

CROs also said that as nontraditional professionals learn risk, they bring their experience and point of view on board. Many leaders purposely shift workers in and out of risk and between the first and second lines of defense. In doing so, they gain a broader perspective while making external talent attraction easier. Role shifts need to happen inside the risk function as well. The same principle applies to geography. By rotating risk professionals around its geographic footprint, an organization creates opportunities for team members to share insights and adds a boots-on-the-ground perspective while also reinforcing the risk culture.

Another essential component of building a future-ready, resilient risk team is directly investing in them. CROs told us they spend an average of 34 percent of their time with members of the risk function. In this way, they get to know a team’s strengths and weaknesses and its natural leaders.

For Mahesh Aditya, CRO at Santander Group, staying close to leaders in his organization during a crisis provides important insights. Aditya said that in stable times leaders often seem strong, but in a crisis, some show weakness and indecisiveness. “Do they instinctively lead or look for someone to blame . . . for me, this is the first true test of a leader,” he said.

It’s a process of learning and development. Many CROs told us they consistently check in with their people to give feedback. They want employees to not just accept feedback but ask for it. Successful CROs model this behavior by asking for feedback themselves. “That sets a tone of deliberate vulnerability and being open to growth, and that makes it OK for other people to do the same,” said a former CRO.

Or, as former Ally Financial CRO Jason Schugel puts it, “We have some uncomfortable conversations [as a leadership team]. That’s OK. But if we don’t have those conversations, we won’t get any better.”

CROs cull top performers among junior risk professionals. They prepare them for future growth and career elevation within or outside the risk organization. Day-to-day, this can include showcasing them with an organization’s executive team, business leaders, and, in some cases, the board.

As with other C-suite roles, meetings, dinners, and other events are places where CROs introduce the next wave of talent. CROs allow their top people to shine, present, and answer questions. For instance, Brian Leach initiated the Women in Risk program at Citigroup. It aims to elevate women through training and added visibility, preparing them for senior leadership roles in risk and beyond.

Handing off to junior team members can be a tall order for many CROs who feel the weight of responsibility, but as former Goldman Sachs CRO Craig Broderick said, “You don’t want to be defensive of your own position; if [junior risk partners] are successful, you’ll be successful.” He adds, “A CRO shouldn’t be insecure in that regard. For a successful organization and a successful person, there’s more than enough credit to go around.”



In addition to building a top team of risk professionals, the goal of developing talent is to produce a future CRO. It’s not unusual for a CRO to think about succession planning on their first day on the job. At the start, there may not be an obvious candidate or front-runner, and one may not immediately emerge. Yet a CRO can nurture candidates by sharing insights and building personal relationships with the risk team.

Ultimately, these moves pay off by giving leaders the ability to delegate when necessary. Top performers take center stage and are more prepared for succession. A major part of that training will also include learning a habit that is critical to CRO excellence today: building deeper and more influential relationships with the C-suite and board.

Habit 3: Lead beyond risk by engaging deeply with the executive team and board to accomplish risk and business objectives

Today’s leading CROs don’t simply inform the board and the CEO; they become a vital member of the executive team and a trusted adviser to the board. They’ve built a deeper relationship that keeps risk and resilience synced with the organization’s overall mission. They communicate early and often and generate debate, which ensures there are no surprises.

In relationship building, successful CROs are close to the board and executive team so nothing comes as a shock. CROs who see themselves as business drivers in their institutions are especially adept at this. CROs told us they spend up to 56 percent of their time with the executive team and board. Those interactions go far beyond formal meetings. Some CROs have informal talks with the CEO every day. They also talk to the board risk committee often, sometimes meeting more than once a month.

CEOs and boards always welcome good news. But CROs have an obligation to deliver uncomfortable news when needed. Having an ongoing dialogue makes hard discussions easier and fortifies the principle of “no surprises.”

Relationship building, of course, requires adapting the language of risk and resilience to the language of board members. Because of diverse backgrounds, some on the board may not be fluent in the technical dialect of risk management. Some CROs see themselves as translators for the rest of the organization. They use business-focused wording instead of the risk jargon that their teams sometimes use.

Being able to cross over effortlessly into business goes beyond words. Today, CROs are more engaged with business decision making, including regarding strategy, products, markets, and M&A. They understand revenue generation and strategic priorities.

One CRO holds regular “teatime” with the organization’s chief information officer (CIO). These talks help them both understand the organization’s technology and information priorities, as well as the risk implications.

As some CROs put it, conversations aren’t always and shouldn’t always be about risk. Talking about a wide variety of issues—or what a business leader cares about—helps avoid an “us versus them” mindset as the CRO demonstrates strong interest in business development.

One of the markers of effective engagement, said one CRO, is “being called into the room when you don’t need to be there and being asked to be involved in crafting a business case on day one, instead of having it handed to you for limit approvals when it is fully baked six months later. Success as a CRO is when instead of having to make outbound calls to get information and make things happen, you receive inbound calls.”

The goal is to create relationships that allow for honest discussion and avoid leaders viewing challenge as criticism. “You’re going to take risks, and you’re going to make mistakes,” Broderick said. “That’s perfectly fine so long as the distribution of those mistakes and the composition of those mistakes or losses … fall within parameters and



within a spectrum that you clearly identify to the respective constituent as being possible outcomes.”

Familiarity, trust, openness, and understanding are ways in which CROs have reshaped their role to make an organization more resilient. Yet these qualities aren’t limited to the organization. They are needed to shift relationships with supervisors and regulators into collaborations that benefit both sides.

Habit 4: Treat supervisors as partners, and be fully transparent

Just as CROs need to understand and influence the leaders in the C-suite and boardroom, CROs should establish successful working relationships with supervisors. They should find a common ground with supervisors and try to understand their perspectives, motivations, and what makes them successful. They should also be transparent and proactive in discussing both good and bad developments.

A key to building a constructive relationship is internalizing the supervisor’s priorities and understanding what problem the supervisors intend to solve.

One CRO told us they begin every conversation with a supervisor assuming they have a different view. Supervisors worry about their jobs, too. So CROs should begin by trying to understand and support the priorities of their supervisory counterparts.

A mindset of collaboration is essential. Successful CROs meet often with supervisors and openly discuss what’s happening in their business. Similar to the habit of engaging the executive team and CEO, CROs should aim to avoid surprises with their supervisors. It’s not uncommon among CROs today to think of supervisors as advisers on some topics.

“The important thing for any of us is to take time to understand what the regulator is trying to achieve,” said National Australia Bank’s (NAB’s) Shaun Dooley. “We need to see them as partners, not adversaries, and take a relationship management approach with them. We have an active relationship-planning mindset internally in the way we engage with regulators.” Another CRO said, “You need to be transparent and collaborative, or else in the long-term you lose,” adding, “We are very challenging with supervisors, but never aggressive … we try to anticipate their requests, we come very prepared, with a lot of data and facts to defend our position. For this reason, [supervisors] respect us.”

Some CROs emphasize their ability to influence rule making and policy when relationships are strong and trust is established. Trust enables supervisors to lean on CROs for guidance. After all, CROs are closer to the communities that supervisors are seeking to keep safe.

Fostering stronger relationships with supervisors and regulators is one way a CRO can bring a unique skill set and value to an organization. But there’s more that a CRO is especially suited to do, and the most successful make a habit of it.

Habit 5: Focus on what only the CRO can do by integrating insights across the organization

Inside the organization, successful CROs see three unique levers they can use to help their institutions succeed. First, they have a distinctive vantage point, granting them visibility and access to details across the entire organization as well as to external trends. It provides them with an independent view on cross-cutting issues with the greatest risk and resilience implications. Second, they can afford to take a longer-term vision and build resilience for future events. Finally, they are the ones managing the deployment of resources against risks that threaten the institution.

Successful CROs who engage in Habit 1—being explicit about their function’s purpose and vision—have already infused risk and resilience into the organization. In turn, the business, when guided by the risk function, is always working to strengthen its resilience to make sure it is ready for any disruptions.



‘It’s my accountability at the top of the house to have my own independent, supported-by-facts analysis. [It’s my responsibility to offer an] extreme amount of rigor and data to give my own personal, independent view of how we’re operating within or without our risk appetite. I’m the only one who can do that.’
– Lorie Rupp, CRO, First Citizens BancShares

Since risk can be unpredictable in nature and timing, CROs need to build capabilities to prepare the institution for future crises that are at least partially unknown. They do so by learning from their organizations’ responses to previous crises while always looking ahead for the next potential crisis. They are ready to use those lessons not only to reduce risks but also to find opportunities that help their institutions’ business goals.

Leaders and the board may be influenced by short-term goals and pressure from investors. But the CRO is in a special—if not easy—position to help an organization find balance. As Sadia Ricke, group CRO at Standard Chartered, put it: a CRO needs to have developed “influence and gravitas” to remind leaders of the medium- and long-term impact of their short-term decisions. She said, “You may, at times, not be the most liked person in the room, so you need to be prepared for this and be courageous nonetheless.” Westpac CRO Ryan Zanin said, “Even in a crisis, my demeanor is calm. That doesn’t mean I don’t have anxiety or concerns about things. But I think slowing things down initially to figure out what are the three things that we must do right away, and then what are the things that can wait until later, can enable you to run faster with confidence.”

‘You may, at times, not be the most liked person in the room, so you need to be prepared for this and be courageous nonetheless.’
– Sadia Ricke, Group CRO, Standard Chartered



Just as successful CROs make a habit of finding the right balance of their time to give to current and potential issues, they also need to manage organizational resources with the same judicious approach.

“The things that should come to me are the really big resource allocation decisions or major complex or large exposure issues or strategy for the organization,” said David Kimm, former CRO of R&T Deposit Solutions. “Those are the ones I ought to be seeing, and my organization better worry about the rest.”

Costs and budgets may force CROs into tough choices regarding resource management. For NAB’s Dooley, reallocating resources can run afoul of a more traditional approach such as adding workers to solve a problem. “My role is to actually say, ‘You know what? I’m going to disinvest in this part of the risk function because we’re going to automate, and we’re going to invest here. And you all might not see that as the most important priority, but I do, and here’s why.’”

The habit of embracing what only a CRO can do means using a holistic view to “see around the corner” and make tough decisions. CROs need to learn from past crises, anticipate the next crisis, delegate responsibility to a trusted team, and manage resources—and their own time. Given all the new responsibilities CROs are taking on, they need to employ a final habit that keeps them balanced and ready.

Habit 6: Continually monitor personal effectiveness and take steps to manage time

Successful CROs also reflect on their own effectiveness. They are relentless and deliberate about how they spend their time, set goals, and prioritize. They maintain poise by identifying strategies to maintain work–life balance and their own long-term sustainability. These CROs recognize that running a risk function is a marathon, with occasional sprints. They ask for others’ opinions, regularly meeting with industry peers while developing an inner circle of close advisers they use to stay grounded and up to date.

Many CROs highlighted what they see as a paradox of the role. It’s one of the most interesting roles of their career, given its broad cross-cutting perspective on the institution. Yet it’s one of the most challenging, due to the vast range of issues to handle and the various demands of stakeholders.

How a CRO manages their time and resources goes beyond personal effectiveness. Being a role model is paramount. How a CRO balances work and life and sets boundaries around each is important to motivating a team—and themselves. So input from family and friends isn’t ignored. Many successful CROs have what they call a “circle of trust” that allows for honest feedback.

This includes people inside the organization who feel free to discuss a CRO’s performance, as well as outside voices. CROs say the more voices the better when trying to gauge their overall effectiveness.

And yet for all the value of close advisers, CROs need time alone to read and think strategically. They need to know about current issues, meet with people in the industry, go to conferences, and participate in think tanks.

To benefit from these perspectives without becoming overwhelmed, CROs need to delegate and manage time, not only for their teams but for themselves. CROs spend different amounts of time on daily risk issues. But all of them have spent at least a fifth of their time–29 percent on average—finding and preparing for potential risks. Some spend as much as 73 percent of their time on future threats, according to our survey.

10 McKinsey on Risk & Resilience Number 18, December 2024


‘[My mother’s wisdom was] any time you do
something, always think about what it will look
like six months later. . . . If that means doing
something that gets you fired, at least . . . you will
be able to say it was because you disagreed with
the principle and not because you sold yourself.’
– Mahesh Aditya
CRO, Santander Group

One CRO told us that after getting feedback, they adjusted their work schedule to model better balance for their team—and themselves. Another said effectively prioritizing responsibilities can include simple measures such as cutting one-hour meetings to half an hour. And many mentioned receiving encouragement from their spouses and slotting exercise into their daily routines.

For all successful CROs, engaging in self-reflection and measuring performance are critical for the endurance necessary for the role. Input from professional and personal sources ensures that work does not impede life.

The six habits of highly successful CROs—being explicit about and championing the risk and resilience purpose, investing in the next generation of leadership, leading beyond risk, partnering with supervisors, focusing on their unique role, and continuously improving their effectiveness—are essential practices that enable them to meet the challenge of today’s unprecedented risks.

Ultimately, these habits stem from the acute need for resilience and are crucial for embedding a strong risk culture within the organization. By adopting these habits, CROs can evolve their roles from risk managers to influential leaders who drive the organization’s success and sustainability in an ever-changing environment.

Ida Kristensen is a senior partner in McKinsey’s New York office, where Ritesh Jain is a partner; Marc Chiapolino is a partner
in the Paris office; María del Mar Martínez is a senior partner in the Madrid office.

This article was edited by David Weidner, a senior editor in the Bay Area office.

Copyright © 2024 McKinsey & Company. All rights reserved.

The six habits of highly successful chief risk officers 11


The cybersecurity provider’s next opportunity: Making AI safer
New technology means new challenges—and new solutions—for cybersecurity providers.
by Justin Greis and Marc Sorel
with Julian Fuchs-Souchon and Soumya Banerjee




The rapid advancement of AI and generative AI (gen AI) is fundamentally transforming the cybersecurity landscape, presenting both opportunities and challenges for cybersecurity providers. As more organizations in both the private and public sectors use AI to enhance their operations, they risk inadvertently introducing new cyber-related threats. This is creating a significant and growing demand for advanced cybersecurity solutions.

AI is also being used by bad actors as a tool to fuel more sophisticated cyberattacks and increase their volume, as exemplified by the rise in AI-enhanced social engineering and the substantial financial impact of data breaches. For example, gen AI has enhanced social-engineering techniques, in which attackers generate highly realistic phishing emails or deepfakes to trick employees into sharing sensitive information or credentials. In 2023, the total cost of cybercrime had more than doubled since 2015.¹

While companies’ response time to cyber-related risks has generally decreased over the past several years, it still takes organizations an average of 73 days² to contain an incident, highlighting the ongoing difficulty of containing breaches. Combined with an expanding attack surface (that is, more devices and technologies that could be breached or exploited), an increase in threat actor sophistication, a lack of skilled cybersecurity workers, and a wave of new regulations, organizations are increasingly leaning on third parties to help them manage cyber risk.

Helping companies address these risks represents a significant opportunity for providers of cybersecurity solutions, but capitalizing on that opportunity requires considerable investment in innovation and new paths to market.

In addition to securing the general use of AI, using AI to help improve security is also an opportunity for cybersecurity providers. According to our research, customers say today’s cybersecurity solutions often fall short of meeting demands in terms of automation, pricing, services, and other capabilities. Helping organizations manage this risk in a cost-efficient manner is a big opportunity for cybersecurity providers, but they will need to understand AI technology and embrace it within their offerings. Innovation also remains critical in traditional cybersecurity products as the market continues to evolve, requiring providers to shift their marketing strategies to meet customers where they are seeking solutions.

AI is expanding what is already a $2 trillion opportunity for cybersecurity providers. In fact, with a large and increasing number of customers wanting to shift workloads from public cloud back to private cloud,³ organizations will incur new costs, making the capturable value for cybersecurity providers even greater.


¹ “Why we need global rules to crack down on cybercrime,” World Economic Forum, January 2, 2023.
² Cost of a data breach report 2024, IBM, 2024.
³ Emil Sayegh, “The evolving cloud landscape: How private clouds are reshaping the tech industry,” Forbes, November 7, 2023.



Earlier this year, McKinsey surveyed and interviewed more than 200 cyber leaders worldwide, gaining valuable insights into how the cyber market is evolving, including a deep dive into the impact of AI on cybersecurity. Below we examine trends shaping the cybersecurity market and strategic implications for cybersecurity buyers, investors, and providers.

Attacks are increasing, with or without AI

In the face of increasing—and increasingly sophisticated—cyberattacks, organizations spent approximately $200 billion on cybersecurity products and services in 2024, up from $140 billion in 2020.⁴ The vended cybersecurity market is expected to grow 12.4 percent annually between 2024 and 2027, outstripping historical levels of growth as organizations look to quell threats. At the same time, organizations are gradually spending more on third-party products than internal labor; about 65 percent of cyber budgets today represent third-party spending, and only 35 percent represent internal labor (Exhibit 1).

Put another way, there is a trend toward bigger budgets and spending on third-party vendors. This is driven not only by the rising number of breaches but by the cost of complying with newly introduced or strict regulations such as the Securities and Exchange Commission’s rules in the United States⁵ and the NIS 2 Directive in the European Union.

Organizations can harness the power of AI to help keep pace with attackers. Top cybersecurity providers are already using AI, with 17 of the top 32 cyber suppliers now offering advanced-AI use cases. However, established vendors are not the only ones introducing AI solutions. Investment

Exhibit 1

Companies spend more of their cybersecurity budgets on third-party products and services than they do on internal labor.

Average cybersecurity spending, by type, 2024, % of total cybersecurity budget

                         3 years ago   Today   In 3 years
Internal labor                    38      35           34
Third-party products              29      30           31
Third-party services              18      19           19
Cyber insurance                    8      10           10
Retainers                          6       7            7
(An “Other” category of 1% also appears in the chart.)

Note: Figures may not sum to 100%, because of rounding.
Source: McKinsey Cyber Market Survey, Mar 2024 (n = 200)

McKinsey & Company

⁴ McKinsey Cyber Market Survey, March 2024.
⁵ “Cybersecurity risk management, strategy, governance, and incident disclosure,” US Securities and Exchange Commission, 2023.



in AI-powered cybersecurity start-ups has surged, particularly for application security and data protection start-ups. More than 70 percent of cybersecurity buyers at large organizations across most industries are “highly willing” to invest in AI-enabled cybersecurity tooling, though enthusiasm to adopt differs by industry. Customers are also looking not only to enhance cybersecurity capabilities with AI but also to secure other AI use cases within their organizations.

A growing attack surface is leading to higher risk exposure

The cybersecurity landscape today is fraught with familiar threats. Phishing, business email compromise, and stolen credentials are leading to breaches that are costing organizations an average of $5 million per successful incident. AI and gen AI have added a new level of danger to traditional attacks, making them harder to detect using traditional means (Exhibit 2).

Exhibit 2

Cyberattackers continue to use generative AI to accelerate phishing as their primary method of attack.

Chart: annual number of phishing sites detected (million), 2008 to 2023, on a y-axis running from 0 to 3 million. The chart marks the point at which ChatGPT launched and annotates a 138 percent increase in phishing sites.

Source: State of the Phish Report, Proofpoint, 2023

McKinsey & Company



AI-enhanced advances also make it easier to exploit a growing attack surface, in turn introducing new risk exposure (Exhibit 3). AI-based attacks can target the traditional perimeter (for example, endpoints, servers), the modern perimeter (for example, identities, applications), and the expanding perimeter (for example, social media, data, collaboration tools). There is a growing number of devices, identities, and tools across perimeters, ranging from roughly 7 to 30 percent.

These attacks have already exploded in volume. Since the proliferation of gen AI platforms, starting in 2022, phishing attacks have risen by 1,265 percent. In short, bad actors have not only ramped up their ability to find vulnerabilities but also launched an unprecedented new wave of attacks.

Regulatory regimes and talent gap as key market drivers

Amid this growing threat, a regulatory landscape is rapidly evolving to ensure that organizations remain resilient and are responsible stewards of customer data. Rule makers have zeroed in on secure development, data protection, reporting, and resilience. Beginning in 2023, the United States introduced several new regulatory frameworks, including Executive Order 14110⁶ and CIRCIA.⁷ Outside of the United States, the European Union has proposed the Cyber Resilience Act and has instituted the NIS 2 Directive and DORA⁸ frameworks. To remain or achieve compliance with such regulations requires a growing cost to organizations, driving demand for cybersecurity products and services. For instance, compliance with the European Union’s NIS 2 Directive is expected to increase cyber budgets by up to 22 percent in the first years following its implementation. Already, cyber regulatory risk remediation constitutes an average of more than 10 percent of cyber budgets.

The cybersecurity industry will need to fortify its talent base and resources to meet both increased threats and regulatory demands. Workers trained in cloud security, AI, and zero-trust⁹ (for example,

Exhibit 3

The cyberattack surface is expanding, leading to additional risk exposure.

Expected increase in risk exposure in the next 3 years, select examples, %

Endpoints (traditional perimeter)                   +30%
Identities (modern perimeter)                       +10%
Cloud/workload (expanding perimeter)                 +7%
Internet of Things devices (expanding perimeter)    +10%

Source: McKinsey Cyber Market Survey, March 2024 (n = 200)

McKinsey & Company

⁶ Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, October 30, 2023.
⁷ Cyber Incident Reporting for Critical Infrastructure Act (proposed).
⁸ Digital Operational Resilience Act 2022. DORA was published in the EU’s Official Journal on December 27, 2022, and entered into force on January 16, 2023. It will apply in full on January 17, 2025.
⁹ In this security system design, all entities—inside and outside the organization’s computer network—are not trusted by default and must prove their trustworthiness.



ZTNA¹⁰) implementation are and will be the biggest need (Exhibit 4).

For those charged with keeping organizations safe, these new AI-based threats pose an unprecedented challenge—they are more sophisticated, unrelenting, and shifting. They are also growing exponentially.

How cybersecurity providers can capture the $2 trillion opportunity

Providers can take a series of steps to address increasing threats and seize the opportunity they present (Exhibit 5). In our work with clients and with the information collected in the survey, we have identified four clear pathways that providers can follow.

Develop AI-infused cyber products and new offerings to secure AI applications

Given the recent advancements in AI, existing cybersecurity providers are working hard to integrate AI into their existing security products. More than 90 percent of cybersecurity AI capabilities are expected to come from third-party providers.¹¹ As AI and gen AI have rapidly advanced during the past 12 to 18 months, most leading cyber providers have already announced AI upgrades to their existing product suite. Our survey results show that cloud security, security operations (SecOps), and endpoint security are among the market segments that will benefit the most from AI use cases. Most current AI-infused cyber products are focused on SecOps threat detection and incident response, and there are market opportunities and expectations for AI

Exhibit 4

The cybersecurity industry’s biggest talent gap is in cloud security and AI/machine learning.

Share of cybersecurity professionals reporting skills gap at organization, %

Cloud security                                   35
AI/machine learning                              32
Zero-trust implementation                        29
Penetration testing                              27
App security                                     26
Digital forensics and incident response          26
Risk assessment, analysis, and management        24
Security engineering                             23
Threat intelligence analysis                     23
Malware research/analysis                        22

Source: Cybersecurity Workforce Study 2023, ISC2

McKinsey & Company

¹⁰ Zero Trust Network Access is a security service that allows secure access to applications, data, and services by verifying users and devices before granting access.
¹¹ Securing generative AI, IBM, 2024.



Exhibit 5

The global addressable market for cybersecurity could reach approximately $2 trillion.

Chart: global cybersecurity market value, 2024, $ trillion (y-axis from 0 to 2.0), comparing the 2024 global vended market with the 2024 global total addressable market, which is about 10× larger. Segments shown: Other¹; Web security; Email security and awareness; Network security; Endpoint security; Cloud security; Identity and access management; Security operations and management; MSSP² outsourcing; Security consulting.

¹ Includes governance, risk, and compliance; data protection; application security; Internet of Things; operational technology; and AI security.
² Managed security service provider.

Source: McKinsey Cyber Market Map, 2024

McKinsey & Company

use cases in cloud and endpoint security. Gen AI for SecOps threat detection includes suggesting and writing detection rules and queries for security information and event management by assisting in sifting through large data sets to uncover hidden threats or recommending actions to security-operations-center analysts. Providers have reported to us time savings of up to 20 to 25 percent. Also on the horizon are promising AI use cases and features such as everyday AI assistants for (nonsecurity) employees to autofill security questionnaires and reports. Providers also revealed that gen AI for autofilling security questionnaires can add time savings of up to 80 percent. For providers, the upgrades can add increased product performance and, as they will be able to increase their prices for an AI-infused product offering, a return on investment (Exhibit 6).



Exhibit 6

Generative AI is expected to significantly benefit many segments of the cybersecurity market.

Market segments that will significantly benefit from generative AI,¹ % of respondents

Cloud security                                     55
Security operations and management                 52
Endpoint security                                  52
Email security and security awareness              50
Identity and access management                     47
Data protection                                    46
Application security                               43
Network security                                   42
Web security                                       31
Governance, risk, and compliance                   28
Internet of Things/OT² security                    23
Security consulting, advisory, and assessments     14
MSSP³ outsourcing                                   9

¹ Question: In your experience, which cybersecurity capabilities would significantly benefit from generative AI (eg, more automation through copilots, more threat detection, or faster response)?
² Operational technology.
³ Managed security service provider.

McKinsey & Company

Besides the need to upgrade existing security offerings, corporations are seeking to build and integrate AI into various areas of business. Securing these new AI systems is high on the agenda for many companies. Our survey finds that vulnerability in cybersecurity is one of the top three most-cited risks of AI adoption, and many companies are prioritizing the safety of these new systems. After observability and governance, sensitive-data scanning, vulnerability monitoring, and code scanning are the top security AI use cases and will require investment. Nearly all customers (more than 97 percent) anticipate spending more on outside vendors to secure AI use cases, and 52 percent say securing AI systems will increase vendor costs by more than 5 percent (Exhibit 7). In our Cyber Market Map, securing AI is now a stand-alone cyber-market segment that is poised to grow to $255 million by 2027, from $122 million today, with a total addressable market of $10 billion to $15 billion.

Customers are looking to secure AI use cases primarily through existing vendors, but they are willing to seek out new vendors if existing vendors cannot sufficiently secure in-house AI systems.



Exhibit 7

Organizations have clear needs and allocated budgets to address cybersecurity-related AI risks.

Top AI security capabilities customers are looking to adopt,¹ % of respondents selecting option as a top 3 capability

Observability (eg, model monitoring, logs)                          41
AI governance (eg, catalog of AI services)                          35
PII²/sensitive-data scanner and leak protection for AI models        32
Production vulnerability monitoring of AI models                    28
Preproduction code scanning of AI models                            26
Data poisoning mitigation for AI models                             23
Continuous “red teaming” for AI models                               23
Denial-of-service mitigation for AI models                          22
Model drift/quality monitoring for AI models                        19
Input manipulation protection (eg, prompt injection)                17

Additional third-party spend needed to secure AI use cases,³ % of respondents

None      <5%     5 to <10%   10 to <15%   ≥15%
2.5       45.6    17.7        17.7         16.5

¹ Question: Which AI security capabilities is your organization looking to adopt?
² Personal identifiable information.
³ Question: How much additional costs will you expect to incur to secure these AI use cases (if any)? Please answer as a % relative to existing cost of relevant vendor products/services.
Source: McKinsey Cyber Market Survey, March 2024 (n = 200)

McKinsey & Company

In short, providers that can secure AI and tailor offerings to priority customer use cases will have a competitive advantage (Exhibit 8).

Adapt a go-to-market approach to evolving market dynamics

Evolving market dynamics are changing the way cybersecurity providers reach potential customers. Today, nearly 15 percent of cybersecurity spending comes from outside the chief information security office (CISO), and non-CISO cyber spending is expected to grow at a 24 percent CAGR over the next three years (Exhibit 9). This has changed from a decade ago, when almost all cybersecurity spending came from the CISO organization. Providers will need to increasingly cater to non-CISO customers, with most non-CISO cyber spending coming from buying centers responsible for cloud, product, network, and audit and compliance.



Exhibit 8

Customers will give current vendors first opportunity to secure AI use cases but won’t wait long to seek other options if needs aren’t met.

Approach to securing AI/generative AI use cases, % of respondents

General procurement approach¹
Existing vendors                                            44
Combination                                                 33
New vendors                                                 23

Approach when existing vendors do not satisfy needs²
Seek out and procure solutions that exist in the market     58
Wait for vendor solution to materialize                     29
Develop capabilities in-house                               14

Note: Figures may not sum to 100%, because of rounding.
¹ Question: To what extent do you expect to secure AI/generative AI use cases through existing vendors vs new tools?
² Question: For capabilities not satisfied by existing vendors, which of the following actions are you planning to take?
Source: McKinsey Cyber Market Survey, Mar 2024 (n = 200)

McKinsey & Company

Exhibit 9

Companies are steering cybersecurity spending to outside vendors, with cloud security the biggest source of external spending.

Average source of cybersecurity spending outside chief information security office (CISO),¹ %

Cloud                                    17
Engineering/product                      16
Network                                  14
Audit and compliance                     13
(These four together account for 60% of non-CISO cybersecurity spending.)
Data                                      9
Digital                                   8
Risk                                      7
Privacy                                   6
Legal                                     6
Manufacturing/operational technology      4
Other                                     1

Note: Figures do not sum to 100%, because of rounding.
¹ Question: In your best estimation, how much of your cybersecurity spend comes from outside of your CISO organization? Where does that non-CISO cyber spend come from?
Source: McKinsey Cyber Market Survey, March 2024 (n = 200)

McKinsey & Company



Second, while most cyber sales and marketing dollars are historically spent on direct-sales and digital-sales campaigns, customers are now leaning into education and reputation to help them find providers. Customers are using industry reports, referrals, and industry analyst consultations in their decision making. They are also turning to service providers and value-added resellers when purchasing solutions.

Finally, customers that do buy cybersecurity services say improving cybersecurity maturity scores and risk ratings are big factors in their decision. These metrics are also valuable when customers want to communicate the impact to stakeholders.

Adapting the go-to-market strategy to these changing market dynamics can help companies capture a larger piece of the pie.

Create all-in-one offerings for highest-priority customer use cases

Our survey suggests the market is at an inflection point on best-of-breed offerings—that is, the best offering in a specific, narrow niche—versus best-of-suite offerings, which are complete, all-in-one solutions. For some segments, customers prefer the best individual vendors for each product on the market; for other segments, customers prefer to use the best product suite on the market. In practice, most customers are still using a broad array of cybersecurity products, with larger organizations using as many as 50 to 200 of them. Some are shifting to vendors that provide the biggest suites, but many still rely on best in class. Providers can therefore try to cater to both types of customers, building best-of-suite bundled offerings around standout best-of-breed offerings (Exhibit 10).

Exhibit 10

The cybersecurity market is at an inflection point on ‘best of breed’ vs ‘best of suite.’

Cybersecurity vendor preferences, by capability,¹ % of respondents

                                                     Single vendor     Best individual vendors   No
                                                     for all products  for each capability area  preference
Security operations and management                   54                36                        11
Email security and security awareness                51                38                        12
Web security                                         50                38                        13
GRC²/IRM³                                            48                38                        15
Identity access and management                       47                45                         9
Network security                                     47                43                        11
Application security                                 46                46                         8
Endpoint security                                    45                48                         8
Data protection                                      43                48                        10
Cloud security                                       43                47                        11
Internet of Things/operational technology security   35                31                        35

Note: Figures may not sum to 100%, because of rounding.
¹ Question: In the future, will your company prioritize finding a single vendor for all of your products (ie, “best of suite”) vs the best individual vendors for each capability area (ie, “best of breed”)?
² Governance, risk, and compliance.
³ Integrated risk management.
Source: McKinsey Cyber Market Survey, March 2024 (n = 200)

McKinsey & Company



For example, if a provider has a best-of-breed offering today, it can look to develop best-of-suite offerings through acquisition, the development of new products, or the bundling of existing ones. It can also look to build best-of-suite offerings through partnerships such as enterprise resource planners and customer relationship planners. Practically, providers can create these best-of-suite offerings around common cross-segment packages today.

While providers are turning to best-of-suite bundled offerings, there is also a shift toward consolidation. In three years, customers expect to use fewer vendors for network and endpoint security. At the same time, there has been a steady decline in the number of new cybersecurity companies formed since 2017, suggesting a maturing market ripe for consolidation.

Prioritize innovation beyond AI

Beyond AI, there continues to be customer demand for innovation, especially for zero-trust capabilities. Zero-trust architecture has the potential to increase adoption rates over the next three years, with the highest potential demand in middle-market companies (Exhibit 11). Providers can increase zero-trust adoption for middle-market customers by assuaging customer concerns that legacy systems and fragmentation inhibit zero-trust adoption within a company’s environment.

Exhibit 11

Zero-trust architecture has the potential to be more widely adopted, especially in middle-market companies.

Zero-trust architecture adoption,¹ by company size,² % of respondents

Small and medium-sized business    58
Middle market                      40
Enterprise                         58

Top 5 reasons for not adopting zero-trust architecture,³ % of respondents whose organization has not adopted zero-trust architecture (n = 56)

Still in the process/on track to adopt within the next three years              57
Too many legacy systems that cannot adapt to zero trust                         21
Zero-trust approach would be piecemeal and possibly result in gaps              20
Lack talent required to implement                                               18
No out-of-the-box/one-size-fits-all zero-trust solution exists                  11

¹ Question: Do you have a zero-trust architecture today?
² Small and medium-sized business = <500 employees (n = 12); middle market = 500–4,999 employees (n = 52); enterprise = ≥5,000 employees (n = 48).
³ Question: Why hasn’t your organization adopted zero trust?
Source: McKinsey Cyber Market Survey, March 2024 (n = 200)

McKinsey & Company



Extended detection and response (XDR) products are also popular immediate solutions in that they provide security across all parts of an organization: endpoints, network, cloud, and more. XDR providers tend to differentiate on their telemetry, as customers look to efficient high-fidelity curated signals compared with comprehensive but tedious, resource-intensive monitoring of logs. Customers are expecting to see about a 25 percent increase in log visibility in three years, and providers that can deliver more advanced telemetry could capture a larger share of the pie. Quantum security—which refers to defense against powerful quantum-computing attacks—is seen as a more medium-term priority. While quantum is further out on the adoption curve, most industries say quantum is less than five years away from being part of their cyber budget, with software and consumer and retail the most likely to adopt. Identification of where encryption keys are stored and automated recycling of encryption keys are two promising use cases where quantum is expected to play a role.

Cyber insurance is also gaining significant momentum and attention, especially after the recent global outages. While cyber-insurance firms have significantly improved their assessment and loss ratio on cyber-insurance coverage, nearly 50 percent of companies that have cyber-insurance coverage do not feel adequately covered by it, according to the survey. There is a significant opportunity, therefore, for cyber-insurance firms to improve their insurance coverage at the right price point in the cyber market.

As the cyber market expands, providers must keep pace

Cybersecurity has always been a dynamic field of moving targets and threats. The emergence of AI and gen AI presents a new challenge for companies while also amplifying existing threats. Organizations in need of cybersecurity to meet the moment are looking to providers to help ensure that these new and fast-developing technologies are manageable and that their institutions and clients remain safe.

Just as the environment has changed, cybersecurity investors and providers need to shift as well. They must rethink and innovate their products while also reshaping their approach to reaching customers. Providers can assuage their clients’ concerns and harness the dynamic changes already taking place to grow their own businesses and positions in the marketplace. To do so, they can tailor their offerings, revise how they communicate and market themselves to customers, create products that appeal to nontraditional buyers of cybersecurity services, and, finally, keep innovating on all fronts.

Justin Greis is a partner in McKinsey’s Chicago office, Marc Sorel is a partner in the Boston office, Julian Fuchs is a knowledge
expert in the Stuttgart office, and Soumya Banerjee is an associate partner in the New Jersey office.

The authors wish to thank Anatoly Brevnov, Bharath Aiyer, Elisa Becker-Foss, Jeffrey Caso, Kevin Telford, Nick Curcio, and
Wolfram Salmanian for their contributions to this report.

This article was edited by David Weidner, a senior editor in the Bay Area office.

Copyright © 2024 McKinsey & Company. All rights reserved.



Elevating the risk function in insurance: Building a strategic advantage
Today’s rapidly developing risk landscape demands a new, more nimble approach for insurance companies to assess and respond to risks, a function inherently in their DNA.
by Diego Mattone, Luca Pancaldi, and Mina Jurisic
with Daniel Kaposztas


Today, banks use risk management to help drive strategic development for growth. This is a comprehensive approach to risk that insurers should aspire to emulate, especially as new risks are emerging more quickly and creating new challenges.

According to a 2023–24 benchmarking survey from McKinsey, leading European insurers should look to reorganize their risk functions, build out the necessary capabilities, and elevate the status of chief risk officers (CROs) within the leadership structure. This will allow them to address the rapidly changing risk landscape and position the company to use risk management as a strategic advantage.

Emerging risks and challenges

One sign that risks are emerging at a rapid pace is that most insurance CROs use early-warning KPIs for a broader set of risks than those deemed material under their Own Risk and Solvency Assessment (ORSA). For example, while only 20 percent of insurers consider data and technology risks in their latest ORSA, 50 percent of CROs are using early-warning KPIs to gauge those risks. The notable exception is climate risk: 60 percent of respondents cite climate risk as material, but just 25 percent have an early-warning KPI in place (Exhibit 1).

Exhibit 1
Emerging risks already have early-warning KPIs in place, even if they are not yet included in the Own Risk and Solvency Assessment.

Bar chart (bar values are not recoverable from the extracted page): which risks are considered material in the Own Risk and Solvency Assessment (ORSA)¹ and which have early-warning KPIs,² % of respondents. Two series (risks considered material in ORSA; risks for which there are early-warning KPIs) across nine categories: cyber risk, climate risk, regulatory compliance, model risk management, data and technology risk, conduct risk, 3rd-party risk management, asset liability management, other.

¹Question: Which are considered material in your latest ORSA?
²Question: Which have early-warning KPIs?
Source: McKinsey European Insurance Risk Survey, 2023



In fact, many emerging risks feature prominently in companies’ risk taxonomies today, including data and technology, cyber, and climate risk. And, according to our survey, several challenges are adding to the complexity of the CRO task. One of the most notable is a scarcity of talent—both attracting and retaining it. Half of the survey respondents said they are having difficulty finding talent to fill roles in data and technology, cyber risk, and nonlife underwriting.

Moreover, talent problems exist to some extent in all areas of risk management (except in financial crime, according to our survey participants). This shortage of skilled personnel in the industry poses a hindrance to fully capitalizing on the opportunity of artificial intelligence and generative AI. In our experience, companies must train the teams they have but be clear about the specific skills they need.

Alongside talent, respondents said that increasing data, analytics, and data interconnectivity across products and platforms is critical to improving cyber risk preparedness. Managing cyber risk is becoming a strategic priority for the second line, drawing significant investment and requiring strict prioritization. Insurers have access to large amounts of sensitive data that need protection. Even sophisticated, large carriers with significant investments in cybersecurity are not immune to such threats. In addition, the costs of cyberattacks are on the rise because of increasing fines, business losses, and remediation costs, and they often have significant reputational impact as well.

The key to success for carriers in the second line of defense is to conduct targeted reviews based on cyber risk scenarios and triggers for risk threats. To address resource constraints, the risk team should understand key risks facing the carrier; credibly challenge internal policies, procedures, objectives, and performance; and provide the board and executive team with an independent view of the first line’s program, including its testing.

Another major challenge area for risk remains climate. With mounting natural catastrophes and scientific forecasts for a continued upward trend, investors and regulators are increasingly demanding that insurers better understand their climate risk exposures and be ready for nonlinear, abrupt changes in climate patterns. For carriers with significant commercial or personal property positions, investments in advanced climate analytics are becoming required capabilities, especially in combination with access to third-party data.

Our survey found that climate risk ownership is split among participants, with some assigning it to the CRO and others to the chief sustainability officer. Most participants see gaps in all areas of their climate risk framework. The reporting framework seems to be the most advanced area of preparedness, followed by exposure strategy and investment in data and analytics to baseline portfolio emissions (Exhibit 2).

Exhibit 2
Climate risk, led by the chief risk officer or chief sustainability officer, currently appears to focus on reporting and baselining.

Elements of climate risk preparedness implemented,¹ % of respondents (Somewhat / Yes, mostly / Yes, completely):
— Introduction of climate risk reporting (eg, sustainability report): 20 / 40 / 40
— Significant investment in data and analytics to baseline portfolio emissions (for investments and/or underwriting): 20 / 80 (only two segments are labelled in the source chart, so the column assignment is not recoverable)
— Forward-looking climate strategy to address climate risk exposure: 40 / 40 / 20
— Significant investment in data and analytics to quantify climate risk: 40 / 40 / N/A
— Integration of climate risk management framework and processes: N/A
— Board oversight for climate risk (eg, sustainability board committee): N/A

¹Question: Please indicate which of the following your organization has enacted or put in place relating to climate risk preparedness?
Source: McKinsey European Insurance Risk Survey, 2023

Interestingly, however, most participants seemed unfazed by the climate stress test methodology of the European Insurance and Occupational Pensions Authority (EIOPA). Some stated that it has limited applicability to them, while others said they are already fully in line with its recommendations.

Looking at the broader topic of sustainability, our survey found that the board, shareholders, employees, and regulators were the key influences on company efforts—despite the widespread perception that retail clients’ opinions are driving actions to mitigate reputational risks.

Transforming the risk function
Across all insurers in our survey, it is clear that the role and status of the CRO, as well as the risk function itself, must evolve to address emerging challenges. Among our survey’s respondents, the size of the risk function varies broadly from 0.07 percent to 2.8 percent of the total workforce (0.8 percent on average), while the average risk budget represents only 0.3 percent of operational expenses. These findings imply varied operating models with no market best practice.

As for the actual role of the CRO, along with risk-based decisioning, managing the relationship with the CEO and board of directors, communicating the company’s risk position, and aligning the organization’s overall risk appetite and framework are becoming core activities. Only 34 percent of survey participants said that the second line has veto power on important decisions today, and just 17 percent said business units’ decisions are often changed as a result of a collaboration with or challenge from the risk team (Exhibit 3).

Inconsistent adoption of best practices
In our work with organizations, we have identified four best practices for involving risk in decision making, and none of these have been fully adopted by insurance companies in our survey. At best, these practices are often only partially implemented.

— Explicit processes for risk dialogue. Two-thirds of our respondents have fully implemented processes to ensure that a comprehensive risk dialogue occurs, even in instances when time or confidentiality constraints prevent the use of normal corporate processes (for example, sudden opportunistic investments).

— Transparent criteria for decisions. Two-thirds of our respondents have fully implemented a transparent set of criteria that the risk function applies to key event-driven decisions (for example, impact on volatility, capital, and the regulatory remediation program).

— Involvement in strategic decision making. Half of our respondents said the CRO is fully and consistently involved in strategic decision making, with the right to either veto or escalate a strategic decision—overruled only by the CEO. The impact on the overall risk profile, appetite, and risk strategy is consistently considered in making strategic decisions.

— Active risk mitigation. Just a third of respondents said that they are actively mitigating risks to the fullest extent prior to commitment (for example, pilots and staging). It is somewhat concerning that 17 percent report having no active risk mitigation whatsoever.

Exhibit 3
Managing the risk position up to the CEO and board has become a core activity for chief risk officers.

Top 5 activities for chief risk officers,¹ % of respondents:
— 100: Risk-based decision making across business
— 83: Managing up to CEO and board of directors
— 67: Aligning/working with the first line of defense
— 50: Managing internal and external risks and opportunities
— 33: Building risk organization and talent
— 33: Building risk infrastructure
— 33: Communicating progress to internal and external stakeholders
— 33: Working on the Own Risk and Solvency Assessment
— 17: Defining the capital buffer
— 17: Responding to early-warning signals
— 17: Other

¹Question: Across any given month or quarter, which of the following activities do you consistently spend the most time on? Please select up to 5 top activities.
Source: McKinsey European Insurance Risk Survey, 2023

Next steps
In terms of next steps for insurers looking to improve the risk function and integrate it more completely into daily decision making, we suggest fully implementing the four best practices described above, while keeping the following goals top of mind as they continue to transform the risk function:

— elevate the risk function to the forefront of the strategic agenda; give the CRO a seat at the table, with appropriate CEO and executive committee touchpoints

— rethink the risk function operating model in terms of lines of defense, ensuring the right governance for risk management and efficient and effective interactions with business units and other control functions

— ensure that risk has appropriate resources in terms of talent and analytics capabilities

— use the risk function as a source of competitive edge—not only as a control function—by, for example, considering results from postmortem analyses and involving risk in financial planning and strategy building



Today’s rapidly developing risk landscape demands a new, more forceful, and swifter approach to assessing and responding to risk. While corporate leadership does involve the risk function in their decision-making process, the transition from a consultative unit to a real thought partner is far from over. CROs need a seat at the table with genuine authority, resources, and support to reorganize their risk functions, build out the necessary capabilities, and influence business decisions. Elevating the risk function in this manner will allow insurers to transform risk management from its historic role as a control function to a source of strategic advantage to grow the business.

Diego Mattone is a partner in McKinsey’s Zurich office, Luca Pancaldi is a senior partner in the Milan office, Mina Jurisic is a
partner in the Paris office, and Daniel Kaposztas is a capabilities and insights expert in the Frankfurt office.

Copyright © 2024 McKinsey & Company. All rights reserved.



BCBS 239 2.0 resurgence: Strengthening risk management and decision making

A renewed focus on the 2013 data risk management regulatory standard poses new challenges and opportunities for European and US banks. Achieving compliance will take a structured, top-led approach.

This article is a collaborative effort by Asin Tavakoli, Holger Harreis, Kayvaun Rowshankish, and Stephen Reddin, with Cécile Prinsen, Elias Tsoukatos, and Satyajit Parekh, representing views from McKinsey’s Risk & Resilience Practice.

The Basel Committee on Banking Supervision (BCBS) issued its standard number 239 (BCBS 239) nearly a dozen years ago in 2013, with the aim of strengthening banks’ risk management through improved risk data aggregation and internal risk reporting. Its binding compliance deadline for global systemically important banks (G-SIBs) was nearly nine years ago, in January 2016. For domestic systemically important banks (D-SIBs), compliance was expected within three years following their designation as such.

However, full compliance remains elusive for many institutions; meanwhile, regulators are renewing their attention and applying an increasingly forceful approach. There’s a broadening of scope in terms of which institutions are receiving regulatory attention—including Tier 2 and Tier 3 institutions. The assessments are also deepening in their application and level of detail across areas of policy, capability, and reporting. In Europe, they take the form of on-site inspections (OSIs), targeted reviews of priority areas, and assessments of data quality related to supervisory reporting. These actions often lead to significant penalties, including findings communicated in the form of European Central Bank (ECB) letters, Pillar 2 requirement (P2R) add-ons, restrictions on business activity, and fines. In the United States, assessments involve examinations of the data management practices of banks, along with evaluations of related areas such as regulatory reporting, resolution and recovery planning, and specific report examinations (for example, the Complex Institution Liquidity Monitoring Report, or FR 2052a). These assessments can result in matters requiring immediate attention (MRIAs) and matters requiring attention (MRAs); in the most severe situations, they may lead to consent orders. Across both Europe and the United States, beyond the direct penalties, there are cascading indirect financial consequences, such as conservatism add-ons in risk modeling, for example, margins of conservatism (MOC) for internal ratings-based (IRB) models.

A renewed call to action
According to the Bank for International Settlements, only two in 31 banks (G-SIBs) have fully complied with the standard; moreover, several formerly compliant banks have been downgraded. A series of progress reports—seven between 2013 and 2023—issued additional regulatory guidance. The sixth report, which in April 2020 called for the transition of enforcement to local regulators, was followed by a pause of approximately three years. This pause, however, concealed the growing pressure on banks to meet the expectations of local regulators. In Europe, this includes the issuance of ECB letters with findings, P2R add-ons, and fines. In the United States, banks face scrutiny from the Office of the Comptroller of the Currency and the Federal Reserve Board, including MRIAs, MRAs, and, in severe cases, consent orders.

This pressure was ratcheted up considerably by the latest report in November 2023, which highlighted a lack of meaningful progress and issued significant expectations for banks and their supervisors. The report noted that BCBS 239 programs have been underfunded and lacking in attention from senior leadership, with insufficient recognition of the standard’s importance in relation to capability improvement. It also pointed out a failure to embed the standard in relevant urgent programs, such as Basel IV/3.1. Contributing to the lack of progress, the report suggested, is a “boil the ocean” approach taken by some banks, with insufficient prioritization of requirements and misfires with regard to the scope of implementation. Technical factors, including fragmented IT ecosystems hampered by legacy systems, add to the struggle.

In addition to the BCBS 239 progress reports, regulatory bodies have called attention to related problems. The ECB’s banking supervision identified risk data aggregation and risk reporting (RDARR) deficiencies in its December 2023 report on supervisory priorities for 2024–26. Likewise, its May 2024 Guide on effective risk data aggregation and risk reporting (Guide) conveyed a range of guidance, including highlighting the importance of basic data governance hygiene to ensure confidence in the numbers and reports issued by financial institutions, clearly defining what constitutes critical risk and finance information across various dimensions, prioritizing end-to-end automated lineage, and actively involving top management. The Guide also adds, for the first time, real practical guidance on essential requirements across seven areas—leaving no room for neglect.



Guiding principles for success
We are aware of the obstacles encountered when endeavoring to manage risk-related data effectively. In line with the latest BCBS 239 progress report, we’ve identified a number of key challenges that need to be addressed. These include getting organizations with differing priorities and perspectives to work together, conducting thorough root-cause analysis to identify data issues in a context where data are pervasive throughout the bank, and aligning existing incentive structures to promote a strong data management culture. We have five core beliefs, along with ten key lessons (see sidebar, “A blueprint for success”), about how banking organizations should orient their mindset when it comes to BCBS 239. By finding the right disposition toward the standard, financial institutions can position themselves well to undertake meaningful action. Consider these five guiding principles the foundation for an effective strategy blueprint—and as part of that blueprint, aim to create visibility for board and senior management with frequent progress reports.

1. Make it a business impact story from the start
It’s crucial—and truly beneficial—to approach the BCBS 239 journey as a business impact story right from the beginning. This means the CFO, chief information officer (CIO), and chief risk officer (CRO) should be proactive in bringing the business leaders on board and linking the effort to specific business objectives that go beyond regulatory compliance. Leaders should highlight the opportunities that arise from more timely data and streamlined calculation processes in prioritized areas. Improved master and transactional data can unlock new commercialization opportunities. Additionally, improved model explainability can mitigate the impact of regulatory reviews. Leaders should develop a perspective focused on how initiatives can be linked and integrated with existing business-related efforts and programs.

Our experience suggests that practical implementation of such an approach entails interviewing business leaders at the outset to identify major data-related pain points and prioritize the respective remediation. This could include initiatives such as shedding excessive hedges and capital buffers currently in place due to insufficient timeliness of risk metrics or removing margins of conservatism while remaining within the boundaries established by risk modeling.

2. Take a risk reduction approach from the outset
Leaders should identify and prioritize critical information, addressing these areas first to immediately mitigate the most significant risks. With the scope prioritized at the beginning, it can then be expanded in terms of both breadth and depth. For example, banks might begin with an initial prioritized scope in the form of select key regulatory reports and management metrics, focusing on data quality controls and the reduction of manual interventions in high-risk areas of the aggregation processes. Then, in time, the prioritized scope can expand to include a broader set of reports and metrics, with data quality controls across more points in the aggregation processes. In essence, this approach entails breaking the scope into manageable sizes while enabling the measurement of risk reduction in critical outputs.

Our experience suggests that the above can be achieved by ensuring risk and finance collaboration from the beginning of the program and tasking the respective areas with identifying the information most critical to them. This can then be conveyed in terms of common dimensions such as metrics, critical data elements (CDEs), and reports based on central guidance regarding what constitutes criticality. There should also be a focus on sharing/reusing CDEs across the metrics so that the population does not keep growing unnecessarily.

3. Look for opportunities to accelerate execution
Leaders should look for opportunities to accelerate the execution of the approach described in principle 2. The use of generative AI (gen AI) tools can significantly accelerate data compliance and development efforts. In fact, leading organizations are deploying gen AI at scale to fix data quality issues and go beyond rule-based vendor products, enabling significant value through higher productivity.

We have observed that, as a starting point, banks can benefit from tools that help automate data lineage and transparency efforts to ensure base levels of compliance. This approach will also provide banks with a clear view of the gaps and issues in their data. With this in place, banks can take directed actions to remediate data issues. Next, banks should think through the entire data development life cycle to understand what types of tools and interventions are needed. Gen AI tools, for example, can help integrate data privacy and protection solutions during the data governance stage. Banks should consider experimenting with a suite of tools to build deployable data quality workflows—focusing not only on which ones can best support their development needs but also on those that can do so at scale.

A blueprint for success

With the five guiding principles we mentioned earlier serving as the foundation, we can present ten key lessons learned for a successful BCBS 239 approach.

Lesson 1: Ensure the business is also made accountable. Create messaging—right from the top—that the business is also accountable; moreover, leaders should strengthen the chief information officer’s (CIO) role in funding decisions to ensure alignment with data program objectives.

Lesson 2: Set realistic targets and deliver via incremental spend add-ons. Be conscious of the difference between “must-haves” and “nice-to-haves” in terms of meeting requirements, and articulate clear priorities to meet minimum requirements first. Insofar as it is possible, add the prioritized requirements to the existing risk data portfolio of interventions and adequately increase the budget.

Lesson 3: Balance short-term and longer-term initiatives. Put in place a program that will enable the CFO, CIO, and/or chief risk officer (CRO) to demonstrate short-term progress (for example, addressing backlog data issues and critical data issues affecting regulatory capital models) while beginning longer-term efforts, such as adopting new end-to-end lineage tooling solutions.

Lesson 4: Ensure the board takes full responsibility. Make sure that incentive schemes (for example, bonuses and remuneration) are linked to the achievement of the goals and that members have or build up sufficient knowledge and experience in risk data aggregation and risk reporting topics (that is, data management, IT, risks).

Lesson 5: Create visibility and trust with regulators. Visibility is essential not only for senior management but also crucial for the relationship between banks and regulators. Establish trust by communicating about prioritization and approach to implementing capabilities; meanwhile, build a structured method for regular progress reporting.

Lesson 6: Engage and empower key talent. Position the right people with the right skills, knowledge, and experience to orchestrate processes effectively. For example, a CRO who is close to the key risk data-related regulatory priorities and programs and a chief data officer with detailed knowledge of the business data are well positioned to help drive success.

Lesson 7: Balance regulatory and business data requirements. Maintain an understanding that while urgent regulatory requirements must be addressed, data must also support concurrent business objectives such as revenue growth, customer satisfaction, and operational efficiency.

Lesson 8: Embrace a clear data domain framework. Use a data domain framework as the organizing construct for data, including elements such as authorized sources, controls, and accountable owners. Moreover, establish strict rules for domain management (for example, reconciliation to ledger) and thoughtful processes to prioritize the rollout of the domains.

Lesson 9: Enforce design principles. To succeed in changing the way of operating, adhere to design principles. Such principles might prohibit unilateral decisions, for example, or establish that the front office must use the same data sets as other functions.

Lesson 10: Spend time to structure and prioritize. Develop the overall blueprint for risk and finance data requirements and deliver these in prioritized and efficiently grouped waves.



4. Remediate at the source with a target architecture and operating model to guide the process
Banks should aim to remediate data as far upstream in the data life cycle as possible, ideally at the point of origination. They should also move toward a target data architecture that relies on a limited number of authorized provisioning points (APPs) or authoritative data sources (ADSs). Implementing a robust set of data controls, preferably automated and preventative, early in the data process is crucial to ensure quality for downstream consumers. It is important to rigorously enforce the use of APPs and ADSs to ensure that high-quality data are sourced from a minimal set of systems. If existing data sources fail to meet consumer requirements, they should be upgraded, rather than creating new, redundant sources, which would require additional controls and governance to maintain data quality.

Experience tells us that most data quality issues originate from upstream systems in the data sources and at the consumption point. To address this, banks can, as part of their data operating model, map the data lineage from its point of origin to its consumption point. This enables evaluation of the existing data controls to determine their effectiveness and gather feedback on pain points from data consumers throughout the lineage—thus identifying where additional data controls and/or upgrades are necessary. Banks should consider implementing a comprehensive framework that outlines minimum preventative, detective, and corrective data quality control requirements for critical data along the end-to-end data lineage.

5. Be transparent and comprehensive in regulatory dialogue
Banks should maintain a strong degree of proactiveness and transparency with regulators, ensuring they perceive the bank and the BCBS 239 program as models of openness and proactivity. To convey a strong sense of control and oversight, it is important to communicate in a highly structured manner, providing regular progress reports that offer comprehensive information on both the current status and upcoming initiatives. Insofar as possible, banks should implement initiatives of their own accord versus waiting for a regulatory push. This approach will enable the bank to set its own pace.

In our experience, this entails communicating early on the scope of the program—as well as the vision, ambition level, and execution approach (for example, deciding to first do a horizontal fix of all foundational aspects versus engaging a sprint-based method). Thereafter, this involves building and leveraging structured templates to communicate the current state (for example, gaps in critical metrics) and upcoming initiatives; likewise, it includes regular reporting on progress and bottlenecks. Where possible, banks should inform the regulator in an integrated way, such as by communicating BCBS 239-related initiatives and commitments as part of Basel IV/3.1 programs.
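Principle 4 above asks for minimum preventative, detective, and corrective data quality controls on critical data along the lineage, with remediation as close to the point of origination as possible. The Python script below is an added example, not the authors' or any bank's code, and is not part of the original article. It constructs a toy three-hop lineage (a hypothetical authorized provisioning point, an aggregation layer, and a risk report) for one critical data element, loan exposure; the system name, control ids, sample records, and the simulated manual override are all constructed for illustration.

```python
"""Added example (not from the article): minimum preventative, detective and
corrective data quality controls on one critical data element (CDE), loan
exposure, along a three-hop lineage: authorized provisioning point ->
aggregation layer -> risk report. System name, control ids, the sample
records and the manual override are all constructed for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample: exposures as they leave the hypothetical authorized
# provisioning point "LOANS_APP". L3 has a lower-case currency code (fixable
# at source); L4 lacks a counterparty id and L5 has a negative exposure (both
# must be stopped at the gate, not patched downstream).
SOURCE_RECORDS = [
    {"loan_id": "L1", "cpty_id": "C100", "ccy": "EUR", "exposure": "1000.00"},
    {"loan_id": "L2", "cpty_id": "C100", "ccy": "EUR", "exposure": "250.50"},
    {"loan_id": "L3", "cpty_id": "C200", "ccy": "eur", "exposure": "400.00"},
    {"loan_id": "L4", "cpty_id": "", "ccy": "EUR", "exposure": "999.00"},
    {"loan_id": "L5", "cpty_id": "C300", "ccy": "USD", "exposure": "-5.00"},
]


@dataclass
class ControlLog:
    """Evidence trail per control type, the kind a progress report would cite."""
    corrected: list = field(default_factory=list)  # fixed at the source
    prevented: list = field(default_factory=list)  # rejected at the source
    detected: list = field(default_factory=list)   # found at the report


# Corrective control, applied at the point of origination: normalise a defect
# whose fix is unambiguous, so it never propagates down the lineage.
def correct_at_source(rec, log):
    if rec["ccy"] != rec["ccy"].upper():
        log.corrected.append((rec["loan_id"], "ccy normalised"))
        rec = {**rec, "ccy": rec["ccy"].upper()}
    return rec


# Preventative controls: the gate at the authorized provisioning point. A record
# that fails any rule is rejected with the failing rule ids, not silently repaired.
PREVENTATIVE_RULES = [
    ("CDE-CPTY-NOT-NULL", lambda r: bool(r["cpty_id"])),
    ("CDE-CCY-ISO", lambda r: r["ccy"] in {"EUR", "USD", "GBP"}),
    ("CDE-EXPOSURE-NON-NEG", lambda r: Decimal(r["exposure"]) >= 0),
]


def gate_at_source(records, log):
    accepted = []
    for rec in records:
        rec = correct_at_source(rec, log)
        failed = [rule_id for rule_id, rule in PREVENTATIVE_RULES if not rule(rec)]
        if failed:
            log.prevented.append((rec["loan_id"], failed))
        else:
            accepted.append(rec)
    return accepted


# Aggregation hop: counterparty totals. The optional manual override stands in
# for the spreadsheet adjustments that the article wants reduced.
def aggregate_by_counterparty(records, manual_override=None):
    totals = {}
    for rec in records:
        totals[rec["cpty_id"]] = totals.get(rec["cpty_id"], Decimal(0)) + Decimal(rec["exposure"])
    return manual_override(totals) if manual_override else totals


# Detective controls at the consumption point: reconcile the report back to
# the accepted source population (control total and completeness).
def detect_at_report(accepted, totals, log):
    expected = sum((Decimal(r["exposure"]) for r in accepted), Decimal(0))
    actual = sum(totals.values(), Decimal(0))
    if expected != actual:
        log.detected.append(("CDE-EXPOSURE-RECON", str(expected), str(actual)))
    missing = {r["cpty_id"] for r in accepted} - set(totals)
    if missing:
        log.detected.append(("CDE-CPTY-COMPLETENESS", sorted(missing)))


def run_lineage(records=SOURCE_RECORDS, manual_override=None):
    """Run the three hops and return the report plus the control evidence."""
    log = ControlLog()
    accepted = gate_at_source(records, log)
    totals = aggregate_by_counterparty(accepted, manual_override)
    detect_at_report(accepted, totals, log)
    return {
        "accepted": len(accepted),
        "totals": {k: str(v) for k, v in totals.items()},
        "log": log,
    }


if __name__ == "__main__":
    clean = run_lineage()
    print("clean run:", clean["totals"], clean["log"])
    # Simulated manual override in the aggregation layer drops counterparty C200.
    tampered = run_lineage(manual_override=lambda t: {k: v for k, v in t.items() if k != "C200"})
    print("override run:", tampered["totals"], tampered["log"].detected)
```

Run with no arguments, the gate rejects two records at source (missing counterparty id, negative exposure), corrects one (lower-case currency code) before it propagates, and the report-level reconciliation passes. Passing a manual_override that drops a counterparty, as an undocumented spreadsheet adjustment in the aggregation layer might, makes both detective controls at the consumption point fire; that is the failure mode the lineage mapping in the principle is meant to expose, and the ControlLog is the evidence a structured progress report can cite.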

Banks across Europe and the United States are at varied stages of maturity
European and US banks vary widely in terms of where they stand on their BCBS 239 journeys. Some are just beginning, while others are refreshing their efforts or accelerating their progress. Those furthest along have been dedicated to compliance for several years. They have been closely monitoring key risk metrics and reports, with business and IT functions closely involved. Nevertheless, they face regulatory scrutiny, because BCBS 239 demands perpetual enhancements, such as the removal of manual processes and the widening of scope across dimensions of reports, models, risk indicators, and critical data elements, with the ultimate aim of covering all critical data of the bank.

Banks in the middle of their BCBS 239 compliance journey typically have well-documented frameworks, such as data governance structures, clearly defined scopes, and have begun exploring new tools. However, they often struggle to make swift, measurable progress and engage the business. Some of those just starting out have previous failed attempts behind them. The problem typically lies with execution: despite ambitious plans, practical implementation has proved elusive, and tooling sometimes emerges as an excuse.

The rewards are worth the effort. Banks are at an important moment in their regulatory journeys. With BCBS 239 getting renewed attention and the expectations rising rapidly, the pressure is on to make meaningful progress toward full compliance. By establishing a business impact mindset across the organization, these requirements can also become an opportunity for competitive advantage with a host of indirect financial benefits, including enhanced digitization initiatives, improved risk management, and bolstered relationships with regulators based on trust.
new tools. However, they often struggle to make

Asin Tavakoli is a partner in McKinsey’s Dusseldorf office, where Holger Harreis is a senior partner; Cécile Prinsen is an
associate partner in the London office; Elias Tsoukatos is an associate partner in the Athens office; Kayvaun Rowshankish is
a senior partner in the New York office; Satyajit Parekh is an associate partner in the Boston office; and Stephen Reddin is a
partner in the Toronto office.

Copyright © 2024 McKinsey & Company. All rights reserved.



The European Union AI Act: Time to start preparing

A successful digital future depends on responsible use of AI. The EU AI Act marks a significant step in regulating AI systems and could serve as a blueprint for other jurisdictions.

This article is a collaborative effort by Henning Soller with Anselm Ohme, Chris Schmitz, Malin Strandell-Jansson, Timothy Chapman, and Zoe Zwiebelmann, representing views from McKinsey’s Risk & Resilience and Digital Practices.

© Getty Images

37
Artificial intelligence and generative AI (gen AI) will have a transformative impact on economic growth and productivity. This is especially true for organizations that expect to make changes to their operations using the technology, a recent McKinsey survey shows.1

To realize the benefits of AI, organizations need the underlying models and their use to be secure, safe, and trusted. Implementing robust data governance, model-risk, security, and individual-rights management is crucial for responsible AI governance. Together, these pillars create a solid foundation for future digital transformation and digital trust. According to McKinsey research, trusted organizations have higher margins and better valuations than less-trusted ones.2 And while only a small contingent of companies are set to deliver this digital trust, the organizations best positioned to build it are also more likely than others to see annual growth rates of at least 10 percent on their top and bottom lines.

While many organizations embrace these concepts, some still lack fundamental risk controls for the new technologies. In early 2024, McKinsey surveyed 180 EU-based organizations in five sectors about the state of AI governance in the European Union. Seventy-one percent of respondents said their AI risk governance was less than mature, although 65 percent of them said they were already using gen AI (Exhibit 1).

Survey participants expressed concerns in five high-level categories that mirror important considerations for AI: data, model output, security, third-party, and societal risks.

Exhibit 1
Less than 30 percent of survey respondents consider their organization's AI risk governance to have some level of maturity.

Maturity of organization's AI risk governance, % of respondents

                  Overall   Financial      Energy and   Technology,    Life       Consumer
                            institutions   materials    media, and     sciences   goods
                                                        telecom
Very mature           7         13             0             5            7          8
Mature               21         30            26            15           15         18
Neutral              40         33            30            45           44         43
Immature             24         23            22            33           33         18
Very immature         7          3            22             3            0         15

Note: Figures may not sum to 100%, because of rounding.
Question: How mature is your AI risk governance?
Source: McKinsey EU AI Act Survey, spring 2024 (n = 180 organizations in Europe)

1 "The state of AI in early 2024: Gen AI adoption spikes and starts to generate value," McKinsey, May 30, 2024.
2 Jim Boehm, Liz Grennan, Alex Singla, and Kate Smaje, "Why digital trust truly matters," McKinsey, September 12, 2022.



Some concerns fall into one category, while others span several. Bias, for example, touches model output, data, and third-party risk. Other potential concerns expressed in the survey include discrimination, bad outputs, personal-data leakage, intellectual-property misuse, security breaches, and malicious use.

Given everything that could go wrong with AI, standards and policy setters are stepping up efforts to control the risks. Regulators globally are introducing regulatory frameworks and guidelines, including in Canada, China, Japan, South Korea, and the United States. The EU AI Act, formally adopted by the European Union in May 2024 and in force since August 2024, is the world's first general AI regulation to go into effect. Being the first of its kind, the EU AI Act will serve as a test bed for other guidance to follow. It will also have extraterritorial effects, because its scope includes AI tools developed in other markets if a tool or its output is used in the European Union.

Overview of the EU AI Act and its requirements

The EU AI Act aims to "promote human-centric and trustworthy AI while protecting health, safety, and fundamental rights." It will have wide-ranging implications for all affected organizations as the guidance is rolled out over the next two years.

The act sets requirements in four areas: governance, data management, model-risk management, and individual rights. These requirements include risk and quality management, human oversight, AI system documentation and transparency, data management, and model-risk governance measures for nondiscrimination and bias, accuracy, robustness, and cybersecurity.

Which requirements apply to each organization depends on two factors: the risk classification of the AI system and the role of the organization in the AI value chain, which includes providers, importers, distributors, and deployers of AI systems, and combinations thereof.

Based on the use case, AI systems are classified as prohibited, high-risk, or non-high-risk. Rules for "prohibited" AI, which includes systems that are manipulative or deceptive, are set out in Article 5 of the act. "High-risk" systems are those that could threaten health, safety, and fundamental rights, including those related to critical infrastructure, education or vocational training, employment, access to essential public or private services and benefits (including credit and health insurance), profiling, and law enforcement. "Non-high-risk" systems, with lower or no regulatory requirements, consist of everything not specifically covered by the other two categories, including AI in video games and customer-service chatbots. Note that even in this last category, systems that interact with people or generate synthetic content still carry the act's transparency obligations (Article 50): people must be informed that they are interacting with an AI system, and AI-generated content must be marked as such.

Early days of implementation efforts

AI governance and EU AI Act compliance efforts are still in their early days, but organizations already have questions. More than 50 percent of survey respondents said they are not clear on the act's requirements and are unsure of the risk classifications for their AI use cases (Exhibit 2).

Organizations consider themselves most prepared with regard to data management, ahead of governance, model-risk management, and individual rights (Exhibit 3).

Even so, data management is still a concern. More than half of respondents (57 percent) said that many data governance requirements remain unaddressed. Specifically, some organizations said there is a lack of clarity about how the General Data Protection Regulation (GDPR) and the EU AI Act will interact.

When asked whether they had already met the act's requirements for the four areas, less than 10 percent of survey respondents said that they had (Exhibit 4).



Exhibit 2
Only 4 percent of survey respondents strongly agreed that the EU AI Act requirements are clear.

Perceived clarity of EU AI Act, % of respondents (strongly agree / somewhat agree / total agree)

Statement                                Overall    Financial      Energy and   Technology,   Life        Consumer
                                                    institutions   materials    media, and    sciences    goods
                                                                                telecom
It is clear what the EU AI Act           4/32/36    5/33/38        4/17/22      5/28/33       4/41/44     10/30/40
will require of us
For our AI use cases, it is clear        7/37/44    5/40/45        4/39/43      10/40/50      11/37/48    8/28/35
what risk category they fall into
under the AI Act
For our AI use cases, it is clear        16/44/59   18/43/60       9/43/52      25/48/73      19/41/59    10/43/53
what role our organization takes
in the AI value chain

Note: Figures may not sum to totals, because of rounding.
Question: To what extent do you agree with the following statements?
Source: McKinsey EU AI Act Survey, spring 2024 (n = 180 organizations in Europe)

Exhibit 3
Survey respondents consider their organizations somewhat prepared across various dimensions of the EU AI Act.

Self-assessment of EU AI Act governance maturity (average and range of responses, on a scale from very immature to very mature) for four dimensions: model-risk management, individual rights, governance, and data management.

Source: McKinsey EU AI Act Survey, spring 2024 (n = 180 organizations in Europe)



Exhibit 4
Few of the key requirements of the EU AI Act are fully addressed by more than about 10 percent of organizations.

% of respondents: fully addressed / somewhat addressed

Governance
  Overall implementation                         7 / 22
  Data governance controls                       8 / 29
  AI principles and norms                        9 / 26
  Governance organization                        9 / 23
  Design quality control and verification       10 / 18
  Definition of accountability                   7 / 19
  Third-party risk management                    6 / 20
  AI risk management                             3 / 22
  Strategy for regulatory compliance             4 / 21
  Employee upskilling                            4 / 21

Model-risk management¹ (split between fully and somewhat addressed not available)
  Overall implementation                        44
  Monitoring and logging                        63
  Security and accuracy techniques              49
  Robustness techniques                         45
  Standardized technical documentation          41
  Human in the loop                             38
  Predefined performance metrics                37
  Standardized instructions of use              34

Data management
  Overall implementation                         6 / 27
  Data collection                               12 / 36
  Ensuring representative data                   5 / 32
  Data preparation                               9 / 27
  Appropriate statistical properties             6 / 27
  AI system design choices                       3 / 30
  Formulation of assumptions                     4 / 22
  Examination of biases                          3 / 17

Individual rights
  Overall implementation                         7 / 22
  GDPR rights respected by AI                   17 / 34
  AI system informs people of interaction        8 / 22
  Explanation of AI-enabled decisions            3 / 22
  Tailored user instructions                     2 / 23
  AI evaluation metrics reported                 3 / 18
  AI systems mark content as AI made             6 / 14

¹ Based on proportion of organizations having technically implemented these measures, not the level at which they have addressed them.
Source: McKinsey EU AI Act Survey, spring 2024 (n = 180 organizations in Europe)



Nearly half of respondents said they had not yet allocated any budget for AI Act implementation, and most that have allocated a budget have set aside €2 million or less (Exhibit 5). There are many reasons organizations aren't spending yet. Some respondents have likely not started responding to AI Act requirements because the rules are so new. Others are focused on aligning their AI remediation efforts to their existing governance structure. Still others are unaware of the upcoming regulatory requirements.

Key challenges facing organizations

Respondents cited a variety of challenges to their efforts to meet the requirements of the AI Act.

Complexity. In some cases, organizations are stalled as they seek clarity and the resources to prepare for complex regulations and technology. Only one in four survey respondents have implemented strategies for regulatory compliance or AI risk management.

Risk governance. About three in ten respondents have developed a mature AI risk governance structure, and only a third said they have a governance organization. Further, about 40 percent lack clear definitions of accountabilities for AI, and only about 10 percent say they have fully addressed AI principles and norms.

Encouragingly, nearly half of respondents said they have separate usage guidelines, and more than a third have input and output guardrails in place for external AI models. This is likely a consequence of protecting business-sensitive information and intellectual property as organizations rapidly deployed gen AI tools.

Third-party risk management is also a concern. Less than a third of organizations said they have appropriately addressed AI-related third-party risk.

Exhibit 5
Close to 50 percent of organizations have not yet allocated resources for EU AI Act implementation efforts.

Amount budgeted for EU AI Act implementation efforts, % of respondents

                           Overall   Financial      Energy and   Technology,   Life       Consumer
                                     institutions   materials    media, and    sciences   goods
                                                                 telecom
No budget allocated yet       47         38            48            48           48         45
Up to €1 million              22         15            17            30           22         28
€1–€2 million                 16         25            17             5            7         23
€3–€5 million                  6          5            13            13            4          0
€6–€10 million                 5         10             4             0           11          3
>€10 million                   4          8             0             5            7          3

Note: Figures may not sum to 100%, because of rounding.
Question: How much have you budgeted for EU AI Act implementation efforts?
Source: McKinsey EU AI Act Survey, spring 2024 (n = 180 organizations in Europe)



Some have implemented GDPR-related controls, technical guardrails, and model fine-tuning for external models. But just 16 percent of respondents are conducting red-teaming efforts, and some said they are rolling back relationships with suppliers while the rules and obligations for general-purpose AI become applicable during 2025.

Data governance. Only 18 percent of respondents said their organizations have mature technical risk management processes for AI systems in place. In addition, fewer than half have implemented robustness techniques or security and accuracy techniques (Exhibit 4). However, about 75 percent of respondents indicated they had advanced cyber controls and data protection measures in place.

The act introduces requirements for data management. These cover choices in designing systems, formulating assumptions, collecting and preparing data, examining bias, ensuring representative data use, and including the appropriate statistical properties. More than half of survey respondents said they have not yet addressed these requirements. Less than 20 percent have addressed bias.

What models do with the data is another area of concern. Many respondents cited difficulty in defining standards for testing the outputs of gen AI models. For self-developed models, respondents said they commonly use continuous integration and deployment, model versioning, and documentation to ensure quality.

Thirty-eight percent of respondents use "human in the loop" processes, while 30 percent use technical responsible-AI tooling. Model performance monitoring, logging, and user feedback, together with incident detection and management, are the most common measures used to ensure quality after deployment.

Talent. Getting the right people to run and manage AI is proving difficult, too. The talent shortage is especially prominent for technical staff but also exists for legal personnel. This is a major concern not only for businesses but also for regulatory authorities, which worry about competent monitoring and enforcement of the AI Act. Only a quarter of respondents upskill employees, which takes time and investment.

Other. Perhaps surprisingly, respondents did not cite cost, financial resources, or ethical concerns as top reasons for the slow progress on implementation (Exhibit 6).



Exhibit 6
Key challenges of implementing the EU AI Act relate to unclear obligations, complexity, and talent gaps.

Key challenges facing organizations in implementing the EU AI Act, % of respondents

  Unclear obligations       81
  Complexity                69
  Data governance           57
  Skills and talent gap     35
  Change management         27
  Technical resources       13
  Cost                      11
  Financial resources        8
  Ethical concerns           6

Source: McKinsey EU AI Act Survey, spring 2024 (n = 180 organizations in Europe)

The time to act

Given the complexity of the EU AI Act and the effort needed to comply, it would be prudent for organizations to accelerate their planning now. While the act outlines implementation stages and staggered compliance deadlines (the Article 5 prohibitions apply from February 2025, the obligations for general-purpose AI models from August 2025, and most high-risk obligations from August 2026), those with experience implementing GDPR understand that waiting can create chaos as those deadlines approach.

Managing the scope of an organization's AI efforts is important. Organizations that align development to governance practices manage to limit the number of models they use, generally to fewer than 20. A clear governance structure can also limit teams' frustrations in fielding ad hoc requests and trying to get support.

Organizations should embrace a "define your world" approach, which prioritizes transparency in model use, stakeholders, risks, and regulations. The EU AI Act sets out requirements mainly for high-risk systems, so a risk categorization of the model landscape will help structure the work going forward and control the level of effort.

Defining a target state for governance and compliance efforts can help organizations build road maps that thoroughly consider strategy, risk appetite, organizational structure, technology, policy, and tooling. And organizations can keep improving through a process of ongoing improvement, using existing best practices and frameworks as a guide. Ensuring cross-functional collaboration and input on ethical and risk considerations is paramount, so if current risk functions are not equipped, separate action on top of existing governance may be required.

To achieve compliance, organizations will need the necessary talent, resources, and relevant KPIs to measure progress. AI is evolving quickly, so it is essential to stay on top of changes. The EU AI Act represents a significant step toward regulating AI systems and ensuring responsible AI governance and could serve as a blueprint for other jurisdictions globally. But before that happens, the act's regulators will need to further clarify their expectations and work with the industry to find pragmatic implementation solutions in an environment of limited resources. Responsible and trustworthy AI is a prerequisite to defining a new digital future. By embracing responsible AI governance, companies can spur innovation with the trust of consumers, competitors, shareholders, and society behind them.

This article originally appeared in the August/September edition of The RMA Journal.

Henning Soller is a partner in McKinsey’s Frankfurt office; Anselm Ohme is a consultant in the Berlin office, where Chris
Schmitz is a data science fellow; Malin Strandell-Jansson is an alumna of the Stockholm office; Timothy Chapman is an
analyst in the Wroclaw office; and Zoe Zwiebelmann is a consultant in the Hamburg office.

The authors wish to thank Andreas Kremer, Angela Luget, Angie Selzer, Artem Avdeed, and Silvia Tilea for their contributions
to this article.

Copyright © 2024 McKinsey & Company. All rights reserved.



McKinsey Risk & Resilience Practice

Global coleader and North America: Ida Kristensen, Ida_Kristensen@McKinsey.com
Global coleader and Europe: Cristina Catania, Cristina_Catania@McKinsey.com
Asia–Pacific: Akash Lal, Akash_Lal@McKinsey.com
Eastern Europe, Middle East, and North Africa: Luís Cunha, Luis_Cunha@McKinsey.com
Latin America: Elias Goraieb, Elias_Goraieb@McKinsey.com
Chair, Risk & Resilience Editorial Board: Thomas Poppensieker, Thomas_Poppensieker@McKinsey.com
Leader, Risk Knowledge: Lorenzo Serino, Lorenzo_Serino@McKinsey.com

In this issue
The six habits of highly successful chief risk officers
The cybersecurity provider’s next opportunity: Making AI safer
Elevating the risk function in insurance: Building a strategic advantage
BCBS 239 2.0 resurgence: Strengthening risk management and decision making
The European Union AI Act: Time to start preparing

December 2024
Designed by LEFF
Copyright © McKinsey & Company
McKinsey.com
