Risk management professionals and compliance leaders know all too well that “perfect” doesn’t exist when it comes to strategic risk management. Nor is it necessary. But what does an effective program look like?
Strategic risk management in banks is most effective when the first and second lines operate in close alignment and pair proactive risk ownership with strong, independent oversight. A critical differentiator is embedding risk appetite into day-to-day decision-making so it serves as a consistent, objective benchmark rather than relying on individual judgment or intuition. This approach strengthens accountability across both lines and creates a measurable framework for evaluating risk decisions. At the same time, the third line, internal audit, plays a vital role. While maintaining independence, the third line can add significant value through thoughtful collaboration with the first and second lines and reinforce a more integrated and effective risk management ecosystem.
Ideally, both first and second lines are simpatico in terms of strategic risk management. The first line knows where the organization’s risks lie, who’s managing risk, and who to talk to when an issue arises. The second-line risk and compliance teams don't spend too much time managing risk; instead, they provide oversight while helping the first line understand and manage risk.
With this highly proactive approach to strategic risk management, the first line can react quickly and execute bold business strategies knowing they’ve got a qualified and prepared second-line team ready to triage and mitigate risk right away.
For most banking risk leaders, the reality of their risk management and organizational strategy probably looks less like the ideal and more like one of the following three scenarios. Read on and see which story resembles your experiences, past or present.
Edward works as the chief risk officer for a large regional bank. With a recent shift in strategic initiatives, the bank’s environment has grown more dynamic and complex. These initiatives marked a big change in terms of how the bank aims to conduct business.
With this shift in strategy, new risks have emerged, and those new risks keep demanding more of Edward’s time, but that extra time doesn’t exist. The risk management to-do list keeps growing and growing, but resources and talent haven’t expanded to match.
Acquiring available talent is a constant struggle for Edward. Very few individuals have the niche enterprise risk management skill set and experience to fill the roles that Edward needs most. Consequently, Edward takes on responsibility for doing everything, all at once, all the time, and that’s unsustainable.
Sometimes, Edward is simply too busy putting out fires and managing too many disparate risk disciplines to focus deeply on any area of risk. He knows that he could get some traction if only he had the right resources.
Jeanine works as the chief compliance officer at a larger bank, and a lack of resources is one problem she doesn’t struggle with. Jeanine’s position is more manageable than Edward’s in a lot of ways, but she has her own challenges to tackle.
A few years ago, Jeanine’s bank received a regulatory enforcement action. In the wake of that challenge, the direction from the top was clear: Open the checkbook for risk management and spend whatever it takes to get the bank into compliance and in good standing from a regulatory perspective.
Now, Jeanine’s team has so many people that it’s hard for Jeanine to remember who’s who and who does what. The lines of communication constantly feel jumbled. The entire risk management framework was dashed together to solve a pressing regulatory problem. But with that task in the rearview, what’s next?
The first line feels like it’s stuck in a maze of risk management processes. Without an ability to see through the inner workings, first-line team members don’t have a solid sense of where risk is lurking in the organization. At the same time, stakeholders are evaluating the organization’s big risk management budget, and they wonder what value they’re getting.
Despite all the resources at her disposal, Jeanine is concerned that the dots aren’t connecting. She’s not sure how she can untangle the complicated knot of her enterprise risk management program, and sometimes she wonders if she should just strip it back and rebuild it in a way that makes sense. This set of circumstances is ideal for responsible optimization of the risk management function.
Meanwhile, Pierre is a chief risk officer whose life is less stressful than either Jeanine’s or Edward’s. As a relatively young startup banking organization with a lot of fintech partnerships, Pierre’s bank decided early on that it wanted to focus on a highly efficient approach to strategic risk management.
An experienced chief risk officer, Pierre had seen the pitfalls at other organizations, and he worked hard to design a risk management approach that was right-sized for his bank’s needs and complexity. That strategic approach led to a second-line team that is organized, honed, and efficient – but Pierre isn’t sure that the efficiency always translates to effectiveness.
The problem: Pierre’s second-line team has taken on all the risk management activities for the business, and the first line barely thinks about risk and compliance. The disconnect works both ways. Pierre’s team spends all its time on risk management instead of also engaging with the organization’s overall strategy. Even with a relatively smooth relationship between business and risk management teams, the gaps of knowledge, language, and focus between the first and second lines at Pierre’s organization are as wide as ever.
Stakeholders at the business see this problem, and they want Pierre’s help solving it. They’re willing to invest more in risk management, but that’s not the real issue.
In environments where the first line is charging ahead and the second line is left to shoulder risk ownership, it can be difficult to confirm risk is meaningfully considered. The objective for risk management teams isn’t to impede momentum or delay strategic execution but to position risk as a function that adds value in decision-making. Doing so requires embedding risk into the flow of the business so that second-line perspectives are present in the right forums, conversations, and decisions as they happen. Without that level of integration, risk functions become reactive and might struggle to keep pace with the business and effectively inform or support critical decisions.
The question that Pierre must answer is the same one that can help Jeanine and Edward solve their tough risk management challenges: How can our bank implement more strategic risk management activities that will inform our first-line professionals and help the business grow?
Effective risk management does not belong to one line. When teams across the organization understand the jobs to be done, define roles and responsibilities, eliminate redundancies, manage to risk appetite, and measure for ongoing alignment and reporting, appropriate adjustments and decisions become possible.
The risk management approach at each of these fictional banks is held back by fundamental problems. And though Jeanine, Edward, and Pierre have unique challenges and different ways to address them, their goal is the same: a new approach to strategic risk management that shifts the responsibility for managing risk to the first line.
As strange as it might sound, second-line risk and compliance teams at organizations with the most effective, agile risk management programs don’t spend too much time managing risk.
Instead, these second-line teams empower the organization’s business teams to understand and manage risk. With the first line driving risk management activities, the second line can provide the governance, feedback, and oversight that supports those first-line controls and activities and helps them run smoothly and evolve to address new risks.
Banking organizations that want to practice truly proactive, collaborative, and strategic risk management need their organizational stakeholders and risk management leaders to ask questions such as:
With a strategic, business-embedded approach to risk management, risk and compliance activities become a natural byproduct of the business processes that support the organization’s bottom line. And bridging the gaps in your risk management program becomes a process of conversation and collaboration instead of a never-ending quest to expand or justify risk and compliance spending.
It can take a long time to overhaul your banking organization’s enterprise risk management framework and weave strategic risk management into first-line activities. But the only way to reach the destination is to build a road map and start taking steps.
The names, businesses, situations, events, and incidents are the creations of the author's imagination and are being presented for demonstration purposes only. Any resemblance to actual companies, persons, living or dead, or actual events is purely coincidental.
This article was originally published on March 2, 2023, and was reviewed and updated.