Risk and Governance: 2023 Regulatory Challenges

Insights on board importance, risk management, and mitigating misconduct

Regulatory and compliance transformation

Across all regulatory challenge areas, risk management and the avoidance of “risk complacency” are vital to remaining in compliance with evolving regulatory landscapes and ensuring resiliency.

Explore insights on Risk and Governance from the KPMG report Ten key regulatory challenges of 2023.


Board importance

Regulators will continue to look to demonstrable evidence of credible challenge and dynamic risk assessment and decisioning from both within and across the board and senior management. As part of these expectations (and as part of supervisory focus and evolving regulatory reporting), regulators will expect increased and formalized documentation, mapping, ownership, and ongoing testing and monitoring of controls.

Regulators will expect board and senior managers to:

  • Demonstrate board and governance domain skills (e.g., this is a key element of the SEC’s proposed climate and cyber rules).
  • Stature Risk, Compliance, Information Security, and Audit comparably to other strategic functions, including the quality of autonomy, empowerment, and visibility.
  • Integrate critical challenges (e.g., escalation procedures, actions initiated, decisions made, and proof of altered/terminated paths based on risk determinations) into risk and governance frameworks.
  • Focus on both novel, complex, long-term risks as well as basic, shorter-term risks (e.g., risks associated with the current rate outlook and mixed market signals impacting credit risk).


Risk management: Mission critical

Regulators will continue to focus on the robustness of the risk framework across all three lines of defense – as a part of rulemaking and as an ongoing theme in enforcement actions. This will include assessing whether risk and compliance programs across the enterprise are “geared” to current and emerging risks as well as sufficiently and appropriately resourced, including investment, funding, technology, and skilled staffing. Individual accountability and companies deemed to be “repeat offenders” will be a key focus of investigations and enforcements.

Companies will need to demonstrate:

  • Completeness of the risk framework across all risk pillars (e.g., credit, liquidity, operational, compliance) and to reporting expectations/requirements (e.g., climate risk management, SEC climate, ongoing examination responses).
  • Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.
  • Planning for and mitigation of disruptive risks to functions of the organization (e.g., climate change, ongoing sanctions due to geopolitical conflicts, economic stability, cybersecurity threats).
  • Information governance processes and controls to protect the confidentiality and integrity of corporate and consumer data.
  • Agility to maintain effective risk management processes through significant change such as mergers, acquisitions, separations, workforce shifts (retention/roll over).


Mitigating misconduct

Conduct risk and ethical business practices will take on additional importance with evolving ESG importance. Regulators will look to the corporate culture and the investment in ethics and compliance programs to ensure they both reward compliant behaviors and accountability and deter misconduct. Areas of regulatory interest will include:

  • Proactive identification, voluntary disclosure, and remediation of misconduct.
  • Compensation program features, including incentives for compliance; accountability, clawbacks, and/or penalties for individuals contributing to the misconduct; and disclosure of the relationship between executive pay and financial performance (e.g., DOJ guidance, SEC disclosure rule; SEC listing standards rule).
  • Surveillance activities, including insider risk programs, that test and monitor for compliance with regulatory requirements and the firm’s code of conduct (e.g., use of authorized communications channels and devices, records retention and disposal requirements).
  • Customer protections, such as conflict of interest disclosure, best execution/best interest, use of MNPI, and outcomes related to the use of decisioning tools (algorithms, models, AI/ML).
  • New technology applications, including digital adoption, models/AI/ML, access authentication and validation.

In today’s dynamic and ever-changing environment, new risks are constantly identified. Because of this, it is very easy and natural to focus our energy and resources on the hot topic of the moment. While it is important that we quickly assess the risk of these emerging threats, we must not lose sight of the basics. This will help ensure we maintain the effectiveness and integrity of our foundational risk and control environment.

Kandace Heck

Chief Audit Executive, US Bank

Call to action: Risk and Governance

☑ Assess board and executive governance structure, skills and composition

☑ Develop and formalize board composition/education program to address critical and emerging risks

☑ Ensure demonstrable board and executive management critical challenge

☑ Actively surveil and mitigate conflicts of interest and conduct risks, particularly in areas of “new” (digital adoption, models/AI/ML, etc.)

☑ Evaluate existing supervision and control testing coverage; explore methods to increase coverage (automation, methodology, etc.)

☑ Invest in automation, analytics, and process efficiencies

☑ Appropriately position, scale, and reward risk management
