Newsletter – June-July 2025
What lessons does the KPMG Risk and Resilience Survey of U.S. companies offer for (financial) firms based in the EU?
The rapidly changing geopolitical environment, digital transformation, AI-based services, and expanding regulatory expectations elevate the operational risk of financial institutions to a new level. Resilience—i.e., the ability to withstand operational disruptions and to recover quickly in the event of failure—is no longer merely a risk management aspect but a matter of business survival. The 2025 KPMG Risk and Resilience Survey[1] examined large U.S. corporations, including financial institutions. However, we consider the survey’s findings worth summarizing briefly here, as they may offer valuable insights for financial institutions operating in the EU as well.
According to the study, only 48% of organizations have centralized risk and resilience management. Even fewer—only 26%—apply a cross-functional risk perspective, and merely 17% extend resilience planning beyond critical processes. Advanced analytics, which would be key to forecasting and response effectiveness, is a core tool at only 15% of the organizations.
These numbers show not only that the “good enough” approach falls short, but also that the absence of integrated, data-driven, cross-functional systems (where functions such as finance, IT, and operations work in a coordinated manner to form a comprehensive view of organizational risks) renders risk exposures invisible in real time. This is particularly critical in the financial sector, where disruptions to digital services can cause reputational and financial damage within minutes—and these effects do not stop at national borders. Traditional methods, such as the “heat map” approach—which assesses operational risks separately based on impact and likelihood and prioritizes those marked red—do not necessarily yield the greatest risk reduction. By considering interdependencies among risks, addressing a few well-selected, lower-ranked risks might prove more effective. For this to inform executive decision-making (including financial impact measurement), a sound methodology (model) and integration into the governance framework with consistent application is essential.
It is important to recognize that resilience is not a static condition in this constantly changing environment, but a capability that must be continuously developed. Institutions would benefit from going beyond compliance-focused risk management to build an integrated model where different functions—such as IT, finance, legal, and internal audit—not only share information but also plan together. Best-performing practices show that resilience creates true value when it is built into business and operational strategy—from resolution planning and third-party risk management to assessing the reliability of AI-based systems.
Organizations that have been able to shape internal risk management frameworks that detect disruptions in advance are now not only more effective at defense but also quicker to respond. Where internal reporting is aligned, data quality is consistently high, and decision-making analyses are conducted using modern tools, resilience supports not just compliance but also market agility.
The survey also shows (still in the U.S.) that at the executive “C-suite” level, only 41% of organizations express real confidence in leadership’s risk awareness. This figure is low, considering that resilience depends not just on technology but also on organizational culture, responsibility-sharing, and the speed of decision-making. Frameworks where compliance, risk management, and business development work closely together significantly enhance responsiveness. It is noteworthy that in 72% of the organizations surveyed, a responsible leader was appointed for resilience at the executive level, but only in 35% of the cases was this person the CRO. This may be due to the fact that a key element of resilience is technological and cybersecurity resilience, which is often managed within IT.
In the area of digital compliance, increasing attention is being paid to the practical implementation of regulatory frameworks—such as DORA or the AI Act in the EU. These can be paired with resilience-focused approaches that align regulatory compliance for technological and data-driven operations with the organization’s operational security objectives. Evaluating the risk of third-party supplier relationships, aligning internal and external data, or continuously reviewing the condition of digital infrastructure are all intervention points where resilience delivers business returns as well.
The solution is not necessarily to introduce yet another tool or to apply external standards. Rather, the focus should be on building an internally integrated, technologically supported, structured but flexible framework that detects, analyzes in context, and prioritizes risks efficiently. Increasingly, organizations are using external benchmarks, automated monitoring tools, or targeted assessments—for example, to evaluate operating models, anti-money laundering controls, or ESG compatibility.
The final conclusion of the study is clear and valid within the EU context as well: volatility is not going away. The question is how an organization incorporates resilience into its strategy. Those actors who do this will not only comply with regulations but will also respond to future uncertainties more rapidly, soundly, and effectively—while building internal operations based on sophisticated methods that not only deflect disruptions but also actively enhance business competitiveness. It is therefore worth investing in.
KPMG’s experienced financial risk management and regulatory compliance division, in collaboration with other specialties (e.g., machine learning, legal, IT…), is ready to support financial and non-financial SMEs and large enterprises in building and strengthening resilience.
[1] KPMG Risk and Resilience Survey