Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Heightened Risk Standards: Focus on Risk Frameworks, Processes, and Controls

Increased regulatory scrutiny in the management of risk and controls

flag flying in front of capital building

KPMG Regulatory Insights

  • Risk Framework: Heightened regulatory scrutiny built on established prudential risk frameworks and comparisons to ‘peers’.
  • Risk Governance: Expanded internal controls and non-financial risk management breadth/depth of supervisory and enforcement actions.
  • Issues Management: Expectation for enterprise-wide review/application of identified risks to risk assessments/RCSAs, expansion of mitigating controls, and robustness of end-to-end processes.
  • Sustainability and Continuous Improvement: Need to demonstrate continuous improvement and sustainability of processes in such areas as internal controls, data management, change management, issues management. 

 __________________________________________________________________________________________________________________________________________________

As part of the current focus on heightened risk governance and risk management practices, the financial services sector is experiencing high regulatory intensity in the area of non-financial risk management, inclusive of a focus specifically on Internal Controls and Operational Risk. 

Supervision and Enforcement

In keeping with established prudential regulatory frameworks, financial services regulators expect a company’s risk governance framework to fully incorporate policies and standards, credible challenge and demonstrable evidence of dynamic risk assessment in support of the design, effectiveness, and sustainability of risk controls. Key regulatory areas include:

Regulatory Area

Key Areas of Focus, Including:

KPMG Regulatory Insights

Governance

  • Reclarification of roles, responsibilities, and accountability for all three lines of defense.
  • Talent management, covering skills development, recruitment, succession planning, and compensation/performance programs.
  • Stature afforded risk functions (e.g., autonomy, empowerment, visibility).

Key Ten Regulatory Challenges of 2024

  • Risk Standards
  • Risk Sustainability
  • Data

Risk Framework

  • Risk appetite approved by the Board, including company’s risk culture and quantitative risk statements (measured against earnings or capital). Risk appetite clearly connected to the risk assessment programs.
  • Data governance, quality, and utility of risk limits, set and measured (with clear metrics/limits) at enterprise, concentration, and front-line unit levels. Clear transparency and escalation reporting to management/board of risks and of early warning of elevated risk.
  • Communication, and periodic review and monitoring, of the risk appetite and the enterprise, concentration, and front-line unit risk limits.

Internal Controls

  • Content and quality of the controls inventory (e.g., right/key controls, quality of controls).
  • Adequacy/coverage/effectiveness of controls testing (including timeliness to remediate identified gaps).
  • Integration of control testing with risk assessments, and demonstration of actions taken (e.g., enhancements) based on failures and/or risk assessments.

Data Management

  • Deficiencies in data, data outputs, or reporting (e.g., data quality, timeliness, accuracy, traceability, metrics, models).
  • Data management, including access controls; practices related to collection, retention, disposal; third-party governance/agreements; and reporting capabilities at the lines of business and enterprise levels.
  • Ability to train, recruit, and retain, skilled talent resources to identify, measure, manage data risk management processes.

Issues Management

  • Completeness and quality of issues inventory.
  • Governance over the issues management lifecycle (e.g., planning, implementation, closure).
  • Identification and resolution of issues (distributed across the three lines and across risk tiering) and associated testing, critical challenge, and validation of sizing, mitigation, and resolution.
  • Demonstration and validation of sustainability.

Change Management

  • Processes for identifying, managing, challenging, approving, and monitoring changes due to new products, activities, processes, and technologies.
  • Evidence of sustainable processes and effective risk coverage, including metrics.
  • Periodic review and changes in the risk management framework to reflect industry developments and changes to the company’s risk profile as a result of internal and external factors (e.g., new products, M&A, negative news, systems changes, regulatory changes).


Regulatory Issuances

The financial service regulators have stated that outstanding supervisory findings are increasing across entities of all sizes and that operational risk issues – including governance, internal controls, IT and cybersecurity, and third parties – are among the most cited supervisory issues. The agencies have further identified these operational risk areas as part of their top supervisory priorities for 2024 along with companies’ efforts to remediate previous supervisory findings, including:

Agency

Activity

Description

KPMG Regulatory Insights

FRB

Supervision and Regulation Report

Operational risk identified as a supervisory priority or 2024 for banking entities of all sizes; specific areas include governance and controls, third party management, novel activities, and fintechs.

FRB Reports: Supervision and Regulation; Financial Stability

OCC

2024 Bank Supervision Operating Plan

Risk-based supervision will focus on:

  • Change management, where change to leadership/staffing, operations, risk management frameworks, and business activities are “significant”.
  • Operations, including products, services, third-party relationships with unique, innovative, or complex structures (e.g., AI, fintechs).
  • Incident response, data recovery, threat detection/remediation, third-party controls, and maintenance of IT assets inventory related to cybersecurity.

Fall 2023 Regulatory Agendas: Key Federal Banking Agencies

 

Semiannual Risk Perspective

 

One of four key risk themes, operational risk is deemed to be “elevated”; highlighted risks include:

  • Innovative technologies and new products/services that change the operating environment as well as the relationship with legacy technologies.
  • Management of third parties and other risks commensurate with size, complexity, and risk profile – more rigor to higher risk and critical activities – talent management for sufficient resourcing and subject matter expertise.
  • Strong threat and vulnerability monitoring, and effective security controls, given increasing sophistication of cyber attacks and geopolitical tensions.

FDIC

2023 Risk Profile

“Operational risk remains one of the most critical risks to banks.”

n/a

SEC

2024 Examination Priorities

Information security (e.g., data privacy, access, cyber) and operational resiliency identified as key emerging risk areas. Attention to safeguarding data and assets; risk management/prevention; and event response. Specific attention to clearing agencies, and changes related to the standard settlement cycle.

Examinations: SEC 2024 Priorities

Dive into our thinking:

Heightened Risk Standards: Focus on Risk Frameworks, Processes, and Controls

Increased regulatory scrutiny in the management of risk and controls

Download PDF

Explore more

Points of View
Insight
Webcast Replay Webcast Upcoming Listen Now From The Web

Points of View

Insights and analyses of emerging regulatory issues and their impact.

Read more
Regulatory Insights View
Insight
Webcast Replay Webcast Upcoming Listen Now From The Web

Regulatory Insights View

Series covering regulatory trends and emerging topics

Read more
Insight
Webcast Replay Webcast Upcoming Listen Now From The Web

Regulatory Alerts

Quick hitting summaries of specific regulatory developments and their impact.

Read more

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.

Subscribe

Meet our team

Image of Amy S. Matsuo
Amy S. Matsuo
Principal, Growth & Strategy, Regulatory Insights, KPMG LLP
Read bio
Image of Todd Semanco
Todd Semanco
Partner, Advisory, Financial Services Risk, Regulatory & Compliance, KPMG US
Read bio
Image of Cameron Burke
Cameron Burke
Principal, Advisory, FS Risk, Regulatory & Compliance, KPMG US
Read bio
Image of Amy S. Matsuo
Amy S. Matsuo
Principal, Growth & Strategy, Regulatory Insights, KPMG LLP
Read bio
Image of Todd Semanco
Todd Semanco
Partner, Advisory, Financial Services Risk, Regulatory & Compliance, KPMG US
Read bio
Image of Cameron Burke
Cameron Burke
Principal, Advisory, FS Risk, Regulatory & Compliance, KPMG US
Read bio

Thank you

Thank you for signing up to receive Regulatory Insights thought leadership content. You will receive our next issue when we publish.

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments. Get the latest perspectives on evolving supervisory, regulatory, and enforcement trends. 

To receive ongoing KPMG Regulatory Insights, please submit your information below:
(*required field)

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2025 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline