Risk Modernization | The next chapter of operational risk: The AI rewrite

AI is disrupting operational risk management, moving it from subjective judgment to an empirical, data-driven discipline powered by previously untapped insights.

The next chapter of operational risk: The AI rewrite

Download the PDF

Download PDF

Operational risk has historically depended on labor-intensive, judgment-driven frameworks that generate reporting outputs more than measurable outcomes. Artificial intelligence (AI) changes the economics of administration and unlocks more time to focus on outcomes—rationalizing controls, auto populating risk assessments, monitoring signals in real time, and surfacing emerging risks from unstructured data.

Near-term wins, which are further explored in this paper, can drive significant efficiencies in today’s traditional approaches. But the real prize is leveraging the rich datasets that AI can help cultivate to transform into a quantitative discipline that mirrors financial risk in rigor and precision.

Why enable operational risk management with AI now?
Near-term impact and long-term potential of AI integration in the operational risk program.
How to start transforming your operational risk management program with AI.

For too long, operational risk leaders have been constrained by qualitative frameworks like the Risk and Control Self-Assessment (RCSA), which have resulted in rudimentary, costly, and imprecise approaches producing marginal insights. While financial risk management rapidly matured by early regulatory focus and deep, structured datasets, operational risk has always been a slower mover due to data constraints and regulatory expectations.

In the race to comply with broad, principles-based regulations, industries developed a patchwork of tools, with the RCSA emerging as the bedrock for measurement as a well-intentioned solution. It aimed to be forward-looking and comprehensive, but to achieve this, it had to rely on laborious, judgment-based assessments.

This created the fundamental challenge that still exists today: The very techniques designed to make risk management effective resulted in highly inefficient manual cycles, leaving leaders to question if the immense effort was truly delivering commiserate outcomes as the capital exposure.

We can all recognize the importance of adhering to regulatory expectations and the elements of operational risk that create the greatest exposure to an organization. But all too often the greatest time spent on operational risk is the administration and data collection of assessments versus analysis of the results and effectively managing the highest risks to an organization.

AI now offers a unique opportunity to modernize the approach to operational risk. This includes organizing and collecting vast datasets previously unattainable in an efficient manner that allows risk managers to explore historical patterns and overlay advanced quantification techniques to write the next chapter in how firms can manage risk in the future.

Now, the moment to embrace AI—not only in assessment techniques but also across the entire operational risk framework—has arrived. And one of the key barriers to change appears to be lifted. In early 2026, the Office of the Comptroller of the Currency (OCC) filed a new rule proposal that we believe signals the flexibility for a fundamental transformation for the majority of banks in the US to rethink their operational risk management approaches and leverage emerging technology capabilities, like AI, to modernize all aspects of the framework, methodology, and delivery models.

With a major barrier seemingly on the path to being lifted, risk leaders are eager to explore how AI can help them improve the efficiency and effectiveness of their operational risk programs. We see the opportunity AI presents as twofold: some quick wins for today and a complete transformation for tomorrow.

The short-term opportunity is process-reengineering existing ways of managing operational risk and deploying AI toolsets to better manage the administration and maintenance across the entire operational risk lifecycle. Leading firms are already using AI to increase consistency of foundational reference data and rationalize core datasets, including creating direct linage from regulatory inventories to policy and procedure inventories, control libraries, and risk and control inventories. This is making risk assessment and reporting organizationally streamlined, connected, consistent, and efficient. Additional efforts are underway to automate key operational risk processes such as control testing, issues analysis, thematic reporting, and other data-driven insights. This is the low-hanging fruit—a crucial first step that delivers immediate efficiency.

The real revolution, however, lies in what comes next, as AI capabilities continue to advance over time: The chance to fundamentally rethink traditional operational risk management frameworks. The long-term promise of AI is the chance to finally give operational risk the quantitative muscle of its financial risk counterparts, moving beyond subjective assessments to build a truly quantitative, data-driven program. This transformative approach promises significant gains in speed and precision, but most importantly in outcomes. This is the path to transforming the entire discipline from a qualitative exercise into a source of precise, valuable, and strategic insight.

As painful as today’s highly manual, subjective, and resource-intensive operational risk management techniques can be, organizations need the assessments and insights that the risk management playbook provides—and changes should be thoughtful, especially given the people, process, and technical infrastructure built around current programs. In the near term, though, AI can at least improve many of the foundational activities in the operational risk program.

For example, in many organizations, first- and second-line teams spend disproportionate time gathering and organizing data—mapping processes, identifying risks, and manually assessing controls. This leaves little bandwidth for interpreting results or responding to emerging threats. AI can help rebalance that equation. By automating foundational tasks, it allows risk professionals to shift their focus from data wrangling to analyzing the results and exploring risk data relationships. These capabilities don’t just save time—they improve quality and consistency, reduce human error, and enable faster responses to risk events.

AI changes everything. Every part of the existing operational risk framework can be done by agents.

Global Head of Operational Risk for a global financial institution

Early opportunities to improve operational risk management activities with AI capabilities are below—each one of them developed for KPMG LLP clients:

Improve quality and consistency

Curating foundational risk data: AI capabilities can help develop and maintain critical lineage between foundational data such as applicable regulations, policy and procedures, risk and control inventories, issues, testing results, and key risk indicators (KRIs) and stage assessment-related data consistently across assessable units.
Data informed assessments: Organize and present relevant risk data at the point of assessment to strengthen assessors’ qualitative assessments.

Reduce cost

Streamlining control inventories and identifying redundancies: AI-powered analysis of a financial institution client showed that by reducing the number of tested controls by 20 percent to 30 percent, firms will see average annual savings of approximately $3 million.
Consolidating and refining control practices across the risk framework: Eliminate duplication and clarify the picture.

Faster, more meaningful insights

Monitoring risk signals in real time: Use AI to continuously monitor various data sources (such as KRIs, internal alerts, and external data feeds) to provide real-time insights into the risk landscape.
Diagnosing root causes and surfacing emerging issues: AI can analyze large datasets from sources like external events, losses, issue descriptions, and audit findings to identify patterns and systemic themes that may not be apparent in isolation.
Automated reporting and Insights: Produce automated reporting routines and real-time risk reporting dashboards supplemented with AI-driven analysis.

Enhanced toolkits for second line of defense (2LoD) oversight

Automated QA: Create AI-enabled QA routines to monitor policy, standard, and documentation requirements unlocking capacity of 2LoD to focus on value-adding activities.
Data-driven challenge: Deploy AI-enabled 2LoD challenge capabilities, including cross-comparisons, historical trends, and thematic analysis to better enable a risk-based and data-driven challenge approach.

The true potential of AI in operational risk management isn’t just about streamlining today’s tasks—it’s about unlocking the capabilities and advanced measurement methodology we previously lacked. AI invites us to fundamentally reimagine the entire operational risk framework, moving it from a reactive and fragmented process to one that is dynamic and deeply integrated.

Imagine a future state where:

Risk levels are based on probabilistic models and precisely calculated potential exposure.
Assessments are grounded in data, not just opinion.
Control testing is continuous, and risk signals are monitored with the same vigilance as market movements.
Administrative processes are fully automated.
Risk’s delivery model and value proposition fundamentally shifts.

This transformation is made possible by new, AI-powered capabilities that enhance the entire risk management lifecycle. These include probabilistic modeling of risk levels, real-time scanning of the enterprise-wide risk posture, and intelligent decisioning tools that surface insights as risks emerge.

By embedding this dynamic, quantitative methodology, AI allows us to finally realize the core principles at the heart of sound operational risk management:

How AI delivers transformation

Comprehensive view of risks

AI enhances comprehensiveness by ingesting and analyzing a vast array of data sources—from regulatory requirements, internal loss events, and historical issues to external peer incidents—at a scale impossible to achieve manually. This creates a more complete and interconnected view of risk.

Probabilistic risk modeling

Instead of relying solely on expert speculation, AI can curate large datasets to overlay probabilistic models to analyze historical patterns and quantify risk exposures, surfacing emerging systemic issues and calculate risk levels at a greater level of precision.

Continuous control performance telemetry

Instead of historical lookbacks (i.e., sample-based testing techniques), AI provides the capabilities to overlay modeling capabilities and stress test the control environment’s performance and identify trends and likelihood of potential control failures before they manifest, particularly for automated controls and processes with a plethora of historical data making sample-based testing obsolete.

Data-driven qualitative overlay

The quantitative engine, powered by AI, processes unstructured data and transforms it into structured insights. This provides a powerful, data-supported baseline that allows human experts to apply their unique business context more effectively.

Autonomous workflow

Development of autonomous workflow agents that engineer administrative yet costly activities to fully automated routines while maintaining the same, if not better outcomes.

Delivery models reimagined

Armed with a new set of enhanced tool sets and measurement capabilities, Risk’s current delivery model will also need to adapt to monitor the development, use, outcomes, and adoption of an AI-enabled operational risk framework. Roles, responsibilities, and accountabilities across the first and second lines will need to be revisited, driving greater efficiency and collaboration between risk and the business.

Embedded business accountability and instant transparency

When equipped with intuitive dashboards and actionable, near-real-time insights, business line owners can shift from passive reporting to active, continuous risk management, embedding accountability directly within their teams.

From vision to reality: Start transforming your operational risk management program with AI

While AI offers a clear path to modernize operational risk, this evolution must be managed carefully. Shifting from entrenched, manual processes to a dynamic, data-driven framework requires more than just new technology—it demands a deliberate strategy for managing the people, data, processes, and partnerships that underpin the entire operational risk function.

Here are five keys to successfully navigating your transition to AI-powered operational risk management:

Commit to a foundational data strategy

An AI-driven risk framework is only as good as the data it runs on. Capitalizing on these advanced capabilities requires a mature, integrated data architecture that provides access to reliable and comprehensive risk data. This is a significant undertaking that demands up-front investment and strategic commitment from enterprise leadership. A piecemeal approach will yield limited results; organizations must view a robust data strategy not as a technical prerequisite, but as a core business imperative for building a resilient and intelligent risk function.

Keep your governance, risk, and control technology—and AI capabilities—closely connected to your plans

As new data and risk management processes are designed, your fundamental data and reporting hub needs to support them.

Maintain the “self” in self-assessment

The goal is to enhance human judgment, not replace it. As AI takes on more of the analytical heavy lifting, the role of human oversight becomes more critical, not less. To achieve this, organizations must design “human-in-the-loop” systems where experts can validate, interpret, and override AI-generated outputs. This means ensuring models are transparent and explainable, with clear governance that allows risk professionals to apply their professional judgment. By keeping humans in control, firms can satisfy their internal and regulatory expectations for meaningful self-assessments while harnessing the full power of AI.

Close the talent gap and cultivate the skills of the future

The shift from manual assessments to AI-driven analysis will fundamentally change the composition of operational risk teams. In the near term, firms must focus on reskilling and hiring for technical capabilities in data science, AI model governance, and systems architecture. Over the long run, however, as AI becomes more adept at performing complex analytics, a different set of uniquely human skills will become even more valuable. Deep institutional knowledge—of the business’s products, customers, and services—and the experience of navigating complex regulatory expectations will be irreplaceable. The most effective risk leaders of the future will be those who can blend this deep domain expertise with the powerful insights generated by AI.

Create governance and framework for your AI organization

Whether a hub-and-spoke framework for development and oversight of AI agents, or a devolved development approach, governance and framework are crucial.

The shift to an AI-powered risk function is a strategic imperative. The opportunity is not just to improve efficiency, but to redefine risk management as a source of competitive advantage. As a leader, you can start charting your path forward by asking your organization the following critical questions:

Are we aiming for efficiency or transformation?

Is our current AI strategy focused on automating today’s manual processes, or are we fundamentally rethinking our framework to generate qualitative, strategic insights?

Is there a common modernization strategy across risk disciplines?

While there are significant gains to be made in operational risk, an effective transformation includes an integrated strategy across all risk programs to unlock greater efficiency.

Is our data architecture an enabler or an obstacle?

An AI-driven framework is only as good as the data it runs on. Do we have the integrated, high-quality data foundation required to power reliable models, or will data silos and quality issues need to be resolved?

Do we have the right talent to manage the transition?

The risk team of the future requires a blend of skills. Are we cultivating both the deep institutional risk expertise and the data science and AI-coding capabilities needed to build, govern, and act on an AI-driven function?

What is our operating model for innovation?

Do we centralize AI development for governance and efficiency, or do we empower the risk function—the domain experts—with the tools and skills to build their own intelligent agents directly?

How will we govern the use of AI itself in risk?

As we rely more on models for risk decisions, how do we ensure they are transparent, ethical, and explainable? Do we have a robust “human-in-the-loop” framework to maintain accountability and satisfy both our board and our regulators?

How will our operational risk delivery model need to transform with these new capabilities?

As key operational risk processes, methodology, and techniques transform, so will the future delivery model need to transform to better enable these new capabilities.

The answers to these questions will be the first and necessary step on the path forward to your AI-enabled, tailored operational risk management organization and help ensure its ongoing value of your risk function for the next decade.

From back-office operations to customer experiences, AI is transforming risk management by driving operational efficiencies, scalability, and performance. At KPMG, we help you harness the power of AI to transform how you manage risk, driving resilience, efficiency, and business performance. We are distinctly positioned to help modernize how you manage risk, offering:

Deep industry experience in enterprise risk, financial and operational risk, cybersecurity, regulatory compliance, resilience, data, AI, and system implementation skills
A holistic risk management approach that combines AI with traditional practices with market-leading capabilities
An ecosystem of advanced technology solutions, such as KPMG Risk Intelligence
Unwavering commitment to compliance, governance, and ethical AI use
Advanced data analytics capabilities that uncover insights and assess risks
Tailored solutions designed to meet your specific needs
Global resources and wide-ranging services that cover the entire risk modernization lifecycle.