Rising to the Risks of a Changed Industry: Seven Themes From the 2025 RMA CRO Outlook Survey

This report is based on the 2025 RMA CRO Outlook Survey, which was conducted in the summer of 2024 and prepared in collaboration with Oliver Wyman and published by ProSight. Find out more about the survey, including the demographic profile of respondents, here. 

RMA’s fourth annual CRO Outlook Survey reveals a financial services industry that is still managing the fallout from the 2023 regional banking crisis. Some of the effects of the crisis have been temporary. Others, according to the 177 primarily North American bank CROs and other senior risk leaders who responded to the survey, have fundamentally changed the business of banking. At the same time, perennial challenges that were top of mind prior to the crisis—including cybersecurity, fraud, and third-party risk management—show no sign of abating. 

CROs and their teams—whose agendas were already full before the crisis—are facing added challenges flowing from the crisis. And the future holds still more uncertainty, as risks and opportunities emerge from the rise of generative AI and other technology, geopolitical events, market behavior, and as-yet unknown sources. 

The CRO Outlook Survey reveals that banks are in a new environment compared to the years prior to the crisis: The speed of risk is faster, regulators are more demanding, and, as a result, the risk function’s role in strategy is larger. Informed by post-survey interviews with respondents as well as an analysis of the survey results, this report explores seven key themes that emerged from the research to illuminate how banks are responding to a changed industry, even as they address additional challenges. 

The Continuing Effects of the 2023 Bank Crisis

1. Banks Are More Alert to the Speed of Risk 

Well over a year after the regional bank crisis, many developments remain relevant, while others remain remarkable. In a post-survey interview, one CRO said the lightning speed of deposit drawdowns at Silicon Valley Bank—$42 billion over the course of one day—still stands out, especially when compared to the previous record: $16.7 billion over 10 days at Washington Mutual Bank in 2008. 

SVB was clearly an extreme case. But it was part of a fast-moving, massive outflow of deposits that brought home to bankers just how quickly risk can develop in an environment of real-time transactions—and one where information, and misinformation, about a bank’s soundness can spread on social media and online forums. For some, it took the crisis to truly appreciate the phenomenon: Eighty-two percent of respondents agreed with the statement, “The banking industry was caught flatfooted by the speed of risk in the 2023 regional banking crisis.” 

But lessons were learned. Nearly all respondents (93%) said it is imperative that the banking industry address the increased speed of risk. And the vast majority (89%) also said they have a clear path forward for doing so. Along that path, 40% of respondents said they are investing in early warning indicator programs. 

One CRO said in an open-ended survey response that, considering “the events in 2023, we began closely monitoring social media on a daily basis [regarding] our bank as well as our competitors in the marketplace. The data helps us understand the temperature with our customers and the community and is a data point that we use in consideration of various decisions we make.” 

2. Regulatory Scrutiny May Be Heightened for the Long Haul 

In post-survey interviews, CROs said that the liquidity crunch that reached a peak in 2023—marked by deposit flight, bank borrowing from the Federal Home Loan Banks, investment sales to raise cash, and a trio of high-profile bank failures—has long since receded. But this temporary storm has left in its wake a heightened regulatory focus on liquidity risk and asset/liability management. 

Typical responses to an open-ended question on the nature of supervisory comments included several related to liquidity, including “heightened stringency” and a “higher bar” for liquidity risk management in the eyes of regulators. CROs also noted heightened regulatory scrutiny across the board, including related to governance/oversight, enterprise risk management, credit risk, fair lending, and concentration risk. One CRO noted a “significant increase in the depth and intensity of regulatory exams and heightened expectations.” 

And, at a time when banks are challenged to respond to the speed of risk, some CROs said they are being urged to respond more quickly to regulatory questions and findings too. “Regulators expect faster progress on open issues,” one said. The “tone is one of ‘not moving fast enough’ to implement an effective ERM framework and more threats of MRBAs as a result,” said another. 

In all, 84% of respondents said that, compared to before the crisis, their institutions are being held to a higher standard by their supervisory teams. CROs largely expect that trend to continue. Two-thirds expect regulatory scrutiny to increase somewhat or substantially over the next 12 months. In particular, respondents expect more oversight regarding credit risk (named by 51% of respondents), liquidity (43%) and capital (32%). (See Figure 1.) 

3. Risk Management Has a Larger Role in Organizational Strategy 

Soul searching regarding the regional bank crisis has led to a renewed focus on robust risk management in the industry—and a more prominent role in strategy and other matters for CROs and their teams. 

Following a crisis in which one institution had gone without a chief risk officer for an extended period of time prior to its failure, 46% of respondents said they have become more involved in defining bank strategy as a result of the regional banking crisis. Eighty-four percent said they are now somewhat or highly involved in shaping their organization’s business strategy. 

In their survey responses, CROs shared ways their influence on strategy has been expanding, including prior to the crisis. “Risk engagement and efforts are much more deliberate on explicitly evaluating and demonstrating linkages across strategic planning, capital planning, and risk management,” one respondent said. Another said, “risk culture has evolved to the point where the CRO has a seat at every executive table.” This “came about by wins in the risk assessment process,” the commenter said, including preventing “an initiative from being launched without a real-time fraud system.” 

Once invested with a voice in their organization’s strategic decision-making, CROs say they contribute to the process by defining and managing the appetite for strategic risk (71%), participating in non-risk management committees (55%), reviewing and challenging strategic plans (55%), and discussing business strategy in management risk committees (53%). 

Still, barriers to an enhanced strategy role remain. Fifty-six percent of respondents cited competing priorities (e.g., responding to regulatory scrutiny). Other barriers included resource constraints (55%), resistance to change within the risk organization (25%), and a lack of necessary talent/skills (24%). (See Figure 2.) 

Enduring and Emerging Risks

4. Financial Risks Have Fallen From the Top of the Risks List, but Are Still Considerable 

CROs are more optimistic than they were a year ago about the economy and the credit environment. This represents improvement (although it should be noted that last year’s outlook was notably bleak). 

Thirty-five percent of respondents expect the macro environment to improve in 2025— an improvement of 28 percentage points compared to last year’s survey. (See Figure 3.) 

A fifth of respondents expect the overall credit environment to improve—an increase of 20 percentage points over last year’s survey, when no respondents were willing to say they expected improvement. 

Lingering uncertainty regarding the macroeconomic and credit outlook is one reason that a CRO in a post-survey interview said that the coming year might feel like a recession for some banks, even if the economy achieves a soft landing. CROs note that trouble continues to brew for banks with exposure to commercial real estate, particularly office CRE lending. At the same time, evidence is mounting that years of inflation and the spending down of stimulus cash is taking a toll on many consumers’ ability to make credit card and loan payments. 

On the other side of the balance sheet, while some banks may benefit from the relief falling interest rates will provide in the area of deposit-funding costs, one CRO said that rates will likely remain high compared to recent years, dampening that effect. 

And competition for funding may persist, CROs noted in interviews, because depositors—conditioned by the rising-rate environment to seek out higher returns (and enabled by increasingly transparent digital transactions)—are likely to continue to rate shop as deposit interest heads lower. 

Even as financial risks recede from the very top of respondents’ lists of concerns, deposit concentration risk—which was a factor in the 2023 bank failures, as customers with similar industry profiles, motivations, and pressures withdrew funds en masse—maintains a foothold among the most pressing challenges. Nearly a quarter of respondents (24%) listed deposit risks/concentration risk as among their top five risks. In interviews, CROs said that institutions that have long been accustomed to managing the risk of concentration by industry, geography, and many other factors on the lending side of the banking equation are now coming to terms with the need for robust concentration risk management around deposits too. Efforts abound: One CRO described a new heat map that helps the bank identify areas of deposit concentration risk in real time. 

5. Non-Financial Risks Remain Elevated 

Four of the top five risks identified by the survey were non-financial. In addition to cybersecurity at No. 1 (named as a top risk by 63% of respondents) and fraud at No. 2 (44%), the top five was rounded out by technology risk (38%), wholesale credit (32%), and third-party risk (32%). (See Figure 4.) 

Despite the attention and spending it receives, there is still no magic bullet to solve cyber risk, CROs say. “It’s just changing so rapidly. If you can even stay a step and a half behind you’re lucky,” one said in a post-survey interview. “Every time we shut the window and bar the door, they’re going to come in sideways. It’s a constant fight that takes time, talent, and money.” 

CROs report that regulators are joining them in a focus on persistent non-financial risks. Thirty-two percent expect more pressure over the next 12 months around third-party risk, with pressure also expected to increase regarding cyber (28%) and governance and controls related to AI (10%). In interviews, CROs said fraud and cyber threats are a big factor driving risk-function budgets higher. 

The Road Ahead

6. Emerging Risks and Disruption Demand Planning 

The regional bank crisis was a reminder that risks can emerge in unexpected ways and to an unanticipated degree. It also brought home once more the need to be ready for a wide range of possible circumstances. To that end, respondents to this year’s survey identified digital disruption as the most common top emerging risk, defined as a risk with a high potential to be among an institution’s top risks in a year or two. Thirty-four percent of respondents cited digital disruption as a top emerging risk, followed by cyber risk (32%) and strategic risk/disruption and technology risk (excluding AI) (30% each). Data privacy/data risk (26%) and governance and control issues related to the implementation of AI tools (24%) were also notable entries. (See Figure 5.) 

CROs outlined several ways institutions are readying for a wider range of threats that could throw them off course. In their responses, several mentioned an enhanced focus on emerging risks, including introducing emerging risk reporting, “building out KRIs and KPIs for ERM with a focus on emerging risks,” launching an emerging risk program, and “a more formal and board-level approach to emerging risks.” 

Other approaches included: 

• “Integration of cross-functional ERM teams and enhanced modeling capabilities.” 
• “Expanded capabilities in stress testing and scenario analysis to cover a broader spectrum of risks and evaluate mitigating strategies through a range of conditions.” 
• “More frequent engagement, discussion, and planning at leadership team level.” 
• “Established an executive enterprise risk management committee which meets at least monthly to review risks across the organization and develop strategic plans to address and communicate with employees.” 

7. CROs Look to the Future 

With perennial risks rising and another layer of challenges related to the regional bank crisis added to already full agendas, risk management at financial institutions is not likely to get easier—or cheaper. “If I’m not increasing my budget by 10% next year, that would be a surprise,” one CRO said. “And my budget doesn’t count cyber.” At the same time, there are ever-increasing demands to boost technology spending, and strains on the banking business model caused by market conditions and other factors—strains that some CROs called “existential” in post-survey interviews. It’s no surprise, then, that CROs think there could be an uptick in banks either seeking to exit or expand through M&A. One CRO, for example, envisioned a scenario in which some banks search for deposit-rich merger partners with sticky accounts to boost the funding needed for the loan side of operations. 

Nearly three-quarters of respondents (74%) said they expected consolidation in the industry. But another survey response pointed up a caveat: Seventy-two percent expect regulatory scrutiny to have a chilling effect on merger activity. 

Post-survey interviews also revealed great concern about the uncertainty in the regulatory environment, considering the overturning of the Chevron doctrine, the presidential and congressional elections, and the growing trend of industry legal action against proposed rules and regulations. While compliance can be challenging, they said, uncertainty about the impact and onset of regulatory expectations is also problematic. 

Meanwhile, risk organizations are looking ahead by greenlighting projects to help their institutions mitigate risks and optimize opportunities. The most common major initiatives center on analytics and modeling, cyber/technology risks, risk data and infrastructure, AI, and risk governance and reporting. (See Figure 6.) 

Closing Thoughts

As they prepare for 2025, CROs do so with the knowledge that the disruption of the regional bank crisis has prompted a new layer of challenges. An industry of diverse bank sizes and strategies demands a multitude of approaches to the universe of risk. But whatever path they take, CROs will be focused on rising to the risks that face their institutions. 

About this Report  

In July 2024, RMA surveyed chief risk officers and equivalents at financial institutions primarily in the United States and Canada for its annual CRO Outlook Survey. This year’s report was prepared in collaboration with Oliver Wyman. 

The CRO Outlook Survey explores the top trends in bank risk management and CROs’ most urgent plans and priorities as they seek to address them. 

For this year’s report, we received 177 survey responses. Survey respondents’ institutions represent a broad spectrum of sizes: 

% Respondents by Asset Size, USD

At RMA, Celina Rogers and Ed DeMarco directed the research and Frank Devlin wrote the report. 

Thank you to the CROs who participated in this research program, and to Mike Duane, Jake Ritchken, Christian McNally, Lorelei Vaisse, and a range of Partners at Oliver Wyman for their thoughtful contributions.