The end of the year and the start of the next year are typically when boards and executives in insurance and financial services focus on the challenges and opportunities ahead.
Last year, we published Navigating 2024 – Consulting strategic perspectives, sharing our perspectives on the impact of trends observed through our client work and stakeholder engagement. Building on that, we’ve once again gathered our insights on how these trends may evolve in 2025, offering guidance to help you strengthen your capabilities in response.
Cost pressures on risk and compliance management have continued. Our risk and compliance efficiency and effectiveness survey revealed that most CROs have been asked to look at these costs over the last three years. We expect this pressure to continue through 2025. However, this presents an opportunity as well as a challenge if approached strategically. Explore our insight Your CEO asks to cut the costs of risk and compliance. What do you do?
Designing risk and compliance solutions simply to meet regulatory requirements doesn’t add business value and may not even deliver regulatory outcomes. Layering processes to meet regulations and then subsequently simplifying is inefficient. After all, the intention of principles-based regulation is to enable organisations to be driven by what is right and proportionate for them, rather than rigidly following rules. Business processes should be used to support senior management and senior management functions (SMF) holders’ ability to choose the right path for the organisation given the regulatory intentions.
In 2025, CROs should continue to evolve risk management frameworks to reflect emerging trends and support efficient risk oversight. This includes embracing AI, improving IT risk conversations, and integrating opportunity analysis into risk frameworks. There is a lot more that can be achieved by clarifying roles and responsibilities for risk and compliance across the broader organisation.
The regulatory landscape presents multi-faceted challenges of implementing key frameworks like Solvency UK, adapting to evolving requirements such as liquidity, meeting deadlines on operational resilience, and continuing the journey of existing requirements around supplier risk management and consumer duty. Meeting these challenges requires prioritisation and a strategic perspective.
Integrating sustainability into risk selection and pricing remains a core area of focus. In 2025, we expect to see a broader focus on sustainability operating models, as highlighted in our sustainability operating model survey findings. This should enable organisations to be clear on the upside of sustainability through product innovation, e.g. transition-related risk transfer solutions, or other means. We’ll be reporting on our second survey of operating models later in 2025.
Transition plans are becoming mainstream, yet our insurer survey revealed a gap: few have draft transition plans in place, though many plan to work on them voluntarily in 2025. This will coincide with regulatory developments, such as the PRA’s updated guidance on climate change risk management, making 2025 a valuable year for organisations to test transition strategies.
US-facing organisations are facing challenges due to the new US administration’s opposition to ESG principles. This ‘anti-ESG’ stance creates difficulties for organisations, especially those with operations in both the US and Europe, as they must balance differing regulatory and political environments. Europe’s strong focus on sustainability contrasts with the US’s current position, making it harder for these organisations to navigate this complex landscape.
Biodiversity and nature are gaining attention. Encouragingly, these topics are framed similarly to climate, with insurers beginning to explore practical approaches and identifying priority areas for action. We will be discussing the implications of the latter two topics in our Sustainability Risk Forum later in January.
1 April 2025 marks the start of the post-implementation and post-transition period for operational resilience. We envisage organisations continuing to strengthen the identification of vulnerabilities through enhanced scenario testing in 2025, leading to a balance between the traditional risk focus on upfront mitigation and resilience thinking about how organisations respond. This requires a sharper focus on sustainability operating models and embedding.
We also sense a wider focus on resilience, focusing on outsourcing and supplier risk management (SRM). This involves organisations thinking beyond their own resilience and outside their organisations. But overall, it is not an area in which organisations have invested continuously, even if regulatory expectations have been articulated for some time. In recent years, outsourcing and SRM have represented the leading cause of operational incidents reported to the FCA. We see regulators upping their game and organisations renewing their efforts to enhance frameworks, including materiality criteria, application to fourth parties and consideration of business continuity planning and exit strategies.
Digital operational resilience, particularly in relation to DORA, and cybersecurity are also becoming central to enterprise resilience. Many UK organisations are impacted by DORA as providers of IT services to EU businesses and are seeking to manage DORA efficiently alongside operational resilience. On the cybersecurity front, there’s growing concern about insider threats and increased focus on people-related risks and training.
Operating models are changing to reflect changing consumers’ needs and technologies. We expect to see an increased focus on transformation, reflecting the regulatory focus on resilience, supply chain and sustainability. The challenge lies in embedding these priorities into everyday operations while ensuring sustainability in a business-as-usual (BAU) environment. This must take full consideration of the impact on functions’ roles, data and systems.
AI should go beyond enhancing user experience and should drive cross-functional transformation. It will require assessing capabilities and reimagining existing roles, such as how AI can support underwriters.
We also see a wider recognition that change is a risk driver and that the potential wider impacts on operating models of change initiatives – not just the technical aspects – need to be understood and overseen by risk functions. In the Lloyd’s market, we are starting to see a sharper focus on these issues in respect of the delayed Blueprint 2.
We also see ongoing reviews of Governance, Risk, and Compliance (GRC) tools to support a more integrated approach to sustainability, operational resilience, and risk management.
In an increasingly digital and interconnected world, cyber attacks continue to pose a significant threat, and ransomware remains one of them. While AI enables more effective cybersecurity tools, criminals are also using AI to increase the speed and sophistication of attacks.
Recent cyber incidents have highlighted the importance of securing supply chains, leading organisations to focus on assessing third-party cybersecurity practices. Enhancing cyber response capabilities, particularly the people side through regular testing of incident response plans, is also a growing priority. We see more resilient organisations taking proactive steps to improve their cybersecurity culture by influencing culture beyond simply training and awareness. This cultural shift is one of the most powerful tools, creating a ‘human firewall’ that complements technical defences.
Cloud transformation remains a priority for many – moving from traditional data centres to cloud architecture and focusing on modernising applications to leverage cloud tools. This is partly driven by the persistent skill gaps across tech functions.
We are seeing more interest in transitioning to modern application architecture, where the organisation retains the capability to update the front-end application and outsources the infrastructure management to a third party to enable rapid product deployment and enhance operational efficiency.
Data, cyber, and regulatory requirements continue to drive the need for technology transformation to keep up with the evolving landscape.
While sustainability is on the rise, green technology has yet to become a significant focus. Few organisations are really joining the dots yet between technology’s use of energy and sustainability ambitions.
Data, analytics and AI continue to evolve rapidly, but the challenge is making sense of these developments pragmatically. Like electricity, the full effective adoption of AI will take time. As a parallel, the first power stations were established in the late 1800s in the US, and it was only in the 1910s that electric power was fully adopted in manufacturing. This was because organisations needed to adapt their organisational approaches to match the new technology.
A major issue remains the disconnect between business professionals and AI experts, which can result in either misuse or underutilisation of AI. Bridging this gap is critical for effective AI implementation.
While generative AI and productivity tools are in the spotlight, there are often simpler, more reliable data analytics solutions that are cheaper and easier to implement.
The abundance of frameworks for AI best practices can overwhelm business leaders, making effective governance and assurance imperative. Aligning AI with existing model risk management (MRM) practices could also provide an intuitive and unified control environment.
The key takeaway across all these areas is that we should brace for increased uncertainty and volatility. Now is the time to refine your risk management framework.
Our Consulting team specialise in Risk and Governance, Sustainability, Resilience and Supply Chain, Change and Transformation, Cyber Security, Technology and Data, Analytics and AI.
We use our skills and experience to help organisations become more sustainable, resilient, and adaptable to change and uncertainty through practical and proportionate approaches.
For more information, please contact Justin Elks or your usual Crowe contact.