McKinsey On Risk Number 10


McKinsey on Risk
New risk challenges and enduring themes for the return

Number 10, January 2021


McKinsey on Risk is written by risk experts and practitioners in McKinsey’s Risk & Resilience Practice. This publication offers readers insights into value-creating strategies and the translation of those strategies into company performance.

This issue is available online at McKinsey.com. Comments and requests for copies or for permissions to republish an article can be sent via email to [email protected].

Cover image: © Henrik Sorensen/Getty Images

Editorial Board: Tucker Bailey, Bob Bartels, Richard Bucci, Holger Harreis, Bill Javetski, Carina Kofler, Marie-Paule Laurent, Maria del Mar Martinez, Luca Pancaldi, Thomas Poppensieker, Inma Revert, Kayvaun Rowshankish, Thomas Wallace, John Walsh, Olivia White

External Relations, Global Risk Practice: Bob Bartels

Editor: Richard Bucci

Contributing Editors: David DeLallo, Roger Draper, Kristen Jennings

Art Direction and Design: Leff Communications

Data Visualization: Richard Johnson, Matt Perry, Jonathon Rivait

Managing Editors: Heather Byer, Venetia Simcock

Editorial Production: Roger Draper, Gwyn Herbein, LaShon Malone, Pamela Norton, Kanika Punwani, Charmaine Rice, Dana Sand, Sarah Thuerk, Sneha Vats, Pooja Yadav, Belinda Yu

McKinsey Global Publications

Publisher: Raju Narisetti

Global Editorial Director: Lucia Rahilly

Global Publishing Board of Editors: Lang Davison, Tom Fleming, Roberta Fusaro, Bill Javetski, Mark Staples, Rick Tetzeli, Monica Toriello

Copyright © 2021 McKinsey & Company. All rights reserved.

This publication is not intended to be used as the basis for trading in the shares of any company or for undertaking any other complex or significant financial transaction without consulting appropriate professional advisers.

No part of this publication may be copied or redistributed in any form without the prior written consent of McKinsey & Company.

Table of contents

Risk and resilience

The emerging resilients: Achieving ‘escape velocity’
The experience of the fast movers out of the last recession teaches leaders emerging from this one to take thoughtful actions to balance growth, margins, and optionality.

Resilience in a crisis: An interview with Professor Edward I. Altman
One of the leading researchers in corporate financial health discusses what executives can do to help their companies endure the financial stresses of crisis times.

Meeting the future: Dynamic risk management for uncertain times
The world is changing in fundamental ways, leading to dramatic shifts in the landscape of risks faced by businesses.

A fast-track risk-management transformation to counter the COVID-19 crisis
An accelerated transformation to enhance efficiency and effectiveness will enable risk organizations to deal with the pandemic while addressing rising regulatory and cost pressures.

Risk culture

Strengthening institutional risk and integrity culture
Many of the costliest risk and integrity failures have cultural weaknesses at their core. Here is how leading institutions are strengthening their culture and sustaining the change.

When nothing is normal: Managing in extreme uncertainty
In this uniquely severe global crisis, leaders need new operating models to respond quickly to the rapidly shifting environment and sustain their organizations through the trials ahead.

A unique time for chief risk officers in insurance
Amid rising economic uncertainty, leading insurers are looking to their CROs to do even more than manage risks.

Extraordinary risks

The disaster you could have stopped: Preparing for extraordinary risks
Ignoring high-consequence, low-likelihood risks can be damaging to an organization, but preparing for everything is impossibly costly. Here is how leaders can make the right investments.

How the voluntary carbon market can help address climate change
The voluntary carbon market is gaining momentum and plays an increasingly important role in limiting global warming. Here’s how.

Derisking

Derisking AI by design: How to build risk management into AI development
The compliance and reputational risks of artificial intelligence pose a challenge to traditional risk-management functions. Derisking by design can help.

The next S-curve in model risk management
How banks can drive transformations of the model life cycle in a highly uncertain business landscape.

Applying machine learning in capital markets: Pricing, valuation adjustments, and market risk
By enhancing crisis-challenged financial models with machine-learning techniques such as neural networks, banks can emerge stronger from the present crisis.

Derisking digital and analytics transformations
While the benefits of digitization and advanced analytics are well documented, the risk challenges often remain hidden.

Introduction
The tenth issue of McKinsey on Risk arrives as spirits, battered by public-health and economic hardships, have been lifted by
the appearance of COVID-19 vaccines. Vaccines are beginning to reach priority and vulnerable populations, such as healthcare
workers and long-term care residents. Governments and institutions are promising ever-wider distribution in the months
ahead. Serious questions remain about production timelines and the completeness of vaccine delivery. For most economies,
epidemiological uncertainty is the main factor complicating the conditions of return. Yet nations, sectors, companies, and
individuals have endured different challenges and will travel different recovery paths, depending on the damage done.

At the far end of the pandemic tunnel, some economies are demonstrating vibrant life. In other regions, the time for countries
and organizations to grow again approaches at varying speeds. Those that prepare will benefit, as our lead article on the
“emerging resilients” reveals. In the last recession, companies able to take thoughtful actions to balance growth, margin, and
optionality separated themselves quickly from less resilient peers. Coming out of the current recession, which companies
are poised to achieve “escape velocity”? Our authors—some of McKinsey’s most influential leadership voices—discuss the
dynamic business landscape while pointing to a venerable metric that can help companies adjust for the needed balance.

Taken as a whole, these discussions present McKinsey’s latest thinking and recommendations on risk and resilience—including
optimal strategies and necessary transformative actions. Resilience as a business concept took on significance during
the financial crisis of 2008–09. As cyclical stress levels rose in the global economy, challenges were magnified and new
uncertainties were generated. Faced with proliferating risks and spiking volatility, organizations began to realize the need for
dynamic risk management, by which serious threats can be prioritized and addressed as they arise.

Today, as companies emerge from the pandemic-triggered economic crisis, risk organizations face extraordinary
discontinuities on top of more familiar ongoing challenges. The highly complex risk landscape is marked by an accelerating
digital revolution; massive environmental, regulatory, and industry changes precipitated by the changing climate; and rising
stakeholder expectations about corporate behavior. Cost pressures, furthermore, mean that organizations must make
significant, simultaneous improvements in risk efficiency and effectiveness.

In pursuit of these improvements, companies in all industries are applying advanced quantitative capabilities to support faster
operational decision making. Most are launching digital and analytics transformations—digitizing services and processes,
increasing efficiency with agile approaches and automation, improving customer engagement, and capitalizing on new
analytical tools. The present crisis is also creating a moment in which financial institutions can rethink their entire model
landscape and model life cycle. Artificial intelligence, which promises to redefine how businesses work, is already marshaling
the power of data to transform a range of business activities and functions.

The inevitable consequences of all this innovation are elevated risk profiles, which many existing organizational approaches are
incapable of addressing systematically. The following discussions illuminate the most compelling risk issues that companies
in all sectors and geographies are confronting. Here, readers will find deep industry insight and structured risk-management
approaches that are helping leaders build risk capabilities, strengthen institutional resilience, and navigate through this crisis
toward restored performance.

Let us know what you think, at [email protected] and on the McKinsey Insights app.

Thomas Poppensieker
Chair, Risk & Resilience Editorial Board

Risk and resilience


The emerging resilients: Achieving ‘escape velocity’
The experience of the fast movers out of the last recession
teaches leaders emerging from this one to take thoughtful
actions to balance growth, margins, and optionality.

by Cindy Levy, Mihir Mysore, Kevin Sneader, and Bob Sternfels

In 2019, McKinsey asked companies to prepare for the possibility of a recession. Of course, we had no idea then that the COVID-19 pandemic would be the trigger, nor that the recession would cut as deeply as it has. But it was clear then that the foregoing growth cycle was already of unusual duration. The pace was slowing, furthermore, and the potential for shocks was greater than for renewed growth. In the same article, we discussed what top-performing companies had done in the previous downcycle, the financial crisis of 2008–09. We looked at 1,500 public companies in Europe and the United States, analyzing performance on a sector-by-sector basis. Companies in the top quintile of their peers through that crisis were dubbed the “resilients.”

Once economic and business results of the second quarter of 2020 became known, we began to hunt for the clues that were contained in nearly 1,500 earnings releases across Europe and the United States. This article seeks to understand whether the shape of the next class of resilients is visible in the data, and what lessons this would hold for companies within each sector.

The present downcycle: Six times faster than the previous one
Today, we are in the middle of the deepest recession in living memory. As pandemic-triggered lockdowns took hold around the world in early 2020, economies contracted quickly. The International Monetary Fund and World Bank foresee a global contraction in economic output in 2020 of around –5 percent; the Organisation of Economic Cooperation and Development estimates an even worse result, at –7.6 percent. At any rate, the drop will far exceed the last global contraction, which was –1.7 percent in 2009.

The distress has hit all industry sectors, some harder than others. Yet even in the relatively protected sectors of healthcare, pharmaceuticals, and technology, companies are seeing moderate declines in revenue. Heavily affected sectors have experienced revenue declines of between 25 percent and 45 percent. These include transportation and tourism, automotive, and oil and gas—sectors containing some of the largest employers in Europe and the United States.

We recognized that this downturn was driving stress into the economy at a much faster rate than was experienced in the financial crisis of 2008–09. To measure the extent and speed of the damage, we wanted a sounder guide than stock-market performance. An investigation of the companies in our database using the “Altman Z-Score” yielded promising results. This measurement was developed in 1968 by Edward I. Altman, now a professor emeritus of Finance at New York University’s Stern School of Business. It is an equation originally designed to predict the probability of corporate bankruptcy. A company’s Z-Score goes up if it has a well-established ability to grow margins (measured as EBIT¹/assets) while increasing revenues (measured by revenue/assets) and maintaining optionality (measured by retained earnings/assets).²

We calculated the Z-Scores for approximately 1,500 European and North American companies in our database for both the last downcycle (2008–09) and the current one.³ We used three categories in the results: “good standing,” “gray zone,” and “experiencing stress.”⁴ The Z-Scores revealed that in the financial crisis of 2008–09, 30 percent of companies moved to a higher-stress category by 2009, compared with where they were in precrisis 2007. Only 3 percent of observed companies improved their standing. By comparison, in 2020, 25 percent of companies had moved to a higher-stress category and 3 percent improved. The dynamics of 2009 and 2020 differ in one glaring respect: in the last recession, this movement occurred over 18 months, while in the present crisis, the economy has arrived at about the same point in three months’ time—six times faster (Exhibit 1).

Fast and deep—but for how long?
Our recent conversations with business leaders suggest that the high level of external uncertainties—political, social, and epidemiological—will likely be with us well into 2021. This will be true whether or not a COVID-19 vaccine becomes available during that time. New challenges can also be expected, such as when governments pull back on the levels of fiscal stimulus that might have been nourishing green shoots of recovery.

Leaders can thus assume dynamic business conditions through 2021 as they begin this year’s planning cycle. Wise planners will prepare for a number of outcomes, including a further drift in present conditions or a worsening downturn. In our view, however, they must also be open to the appearance of more positive trends and ready to shift quickly to a growth stance. This means building optionality balanced with tangible, trigger-based growth bets into their plans.

Leaders can do this by taking an owner’s view of their business, comparing it to their peers’ rather than their own past performance. Peer benchmarking can more readily become the starting point for developing a strategy to achieve full business potential. Companies need to know: What are tomorrow’s resilients doing today to achieve “escape velocity” when the time comes?

¹ Earnings before interest and taxes.
² Our research used a common form of the Z-Score, whose weighted determinants are as follows: $Z = 1.2X_1 + 1.4X_2 + 3.3X_3 + 0.6X_4 + 1.0X_5$, where $X_1$ = working capital/total assets, $X_2$ = retained earnings/total assets, $X_3$ = earnings before interest and taxes/total assets, $X_4$ = market value equity/book value of total liabilities, $X_5$ = sales/total assets, and $Z$ = overall index. Edward I. Altman, “Predicting financial distress of companies: revisiting the Z-Score and ZETA® models,” Leonard N. Stern School of Business, July 2000, stern.nyu.edu.
³ Some companies were excluded from results because data or financial reports were unavailable at the time or because they were extreme industry outliers.
⁴ These were the titles of Professor Altman’s original categories except for “experiencing stress”; we substituted that title for his original, “headed for bankruptcy,” since our research is not focused on bankruptcy.

Exhibit 1
Corporate stress is now at the same point as it was in the 2009 trough, arriving in only months versus two years.

Corporate stress by Altman Z-Score, % (rows: starting category; columns: ending category)
Legend: took on stress; stayed roughly same; reduced stress

2007 to 2009 (n = 967)
2007 category          Experiencing stress   Gray zone   Good standing   Total
Good standing                            6          27              67    100%
Gray zone                               38          55               7    100%
Experiencing stress                     92           7               1    100%

2019 to Q1–Q2 2020 (n = 1,300)
2019 category          Experiencing stress   Gray zone   Good standing   Total
Good standing                            8          25              68    100%
Gray zone                               41          55               5    100%
Experiencing stress                     94           6               1    100%

● In 2 quarters, 2020 recession has caused stress equal to that in 2008–09 recession
● Companies in good standing or gray zone in 2019 were experiencing stress by 2020

Note: Figures may not sum to 100%, because of rounding. For 2020 vs 2019 analysis, companies without reported financials for Q2 2020 were excluded. For 2020 vs 2019 and 2009 vs 2007 analyses, financial institutions, utilities, and some other companies, including those with Z-Scores of >10 or <–10, were excluded. Good standing: Z-Score >3.0; gray zone: Z-Score 1.8–3.0; experiencing stress: Z-Score <1.8.
Source: S&P Capital IQ; McKinsey analysis


Finding tomorrow’s resilients
In this crisis, business leaders sometimes take solace in the relative ebullience of the stock market or the fact that peers are suffering from the same issues that they are. A quick look back tells us, however, that stock markets are poor predictors of success during a recession. The companies that led equity markets during the recessionary trough of 2009 did worse by the end of the cycle relative to the companies that made up the middle tier (Exhibit 2).

The Altman Z-Score turns out to be a better directional indicator of post-downturn market performance than does the market itself. The Z-Score helps highlight three outstanding attributes of resilience: margin improvement, revenue growth, and optionality (retained additional optional investment opportunities).⁵ Our research clearly suggests that coming out of the trough of the last recession, the top performers had achieved balanced improvements in all three of these measurements of organizational health—irrespective of whether they had spikes in any one of them. We have concluded that to be counted among the new resilients, companies must find this balance.

Accordingly, in the last recession, the companies whose Z-Scores fell the most between 2007 and the 2009 trough of the recession provided the lowest shareholder returns in 2011. The companies whose Z-Scores improved the most were the most likely to provide the best returns as the economy emerged from the recession (Exhibit 3).

Exhibit 2
The Altman Z-Score is a better leading indicator of company strength through a crisis than is stock-market performance.

[Two bar charts: excess shareholder return, 2007–11, %, by quintile, from top quintile to bottom quintile. Left panel: companies grouped by market performance (TSR¹) in the trough of the 2007–09 financial crisis (Q1 2009). Right panel: companies grouped by Altman Z-Score movement, 2007–09.]

¹ Total shareholder return (TSR) for Q1 2009 was calculated as an average of medians for each industry sector of ~1,000 companies in total; excess shareholder return over the 2007–11 period was derived by subtracting the median of TSR for each industry sector with actual TSR for each company.
Source: S&P Capital IQ; McKinsey analysis

⁵ Working capital and market equity value were part of Professor Altman’s original score; for the purposes of our research we included the former determinant as part of optionality and recognized that the latter, market value, is externally driven and ultimately a product of the other factors.



Learning from the emerging resilients
In every sector, we identified the top 20 percent of companies that have driven the highest increases in their Z-Scores through the 2020 recession. We then compared their performance with that of the rest. This is what we found:

— Margins. The gap in margins between the emerging resilients and the rest of their peer group is striking. The typical emerging resilient in 2020 has increased the EBITDA⁶ margin by 5 percent while the rest have lost –19 percent by this measure, a gap of nearly 25 percent. The difference is much greater than the EBITDA-margin gap was among the resilients in the last recession. This would suggest that today’s margin leaders will dominate their sectors more firmly coming out of this recession.

— Revenue. The emerging resilients seem to be powering their margin advantage primarily through revenue rather than costs. The revenue gap between emerging resilients and the rest is around 16 percent in this cycle, whereas the gap was 10 percent in the last cycle.

— Optionality. The emerging resilients—and companies overall—seem to be leaving less optionality on the table today compared with what happened in the last cycle. Retained-earnings growth for emerging resilients is 11 percent today, whereas it was 30 percent at the time of the 2009 recessionary trough. For nonresilients, the optionality measurement is 1 percent in this cycle, while it was 6 percent in the last.

Exhibit 3
Resilient companies demonstrate balanced performance in margin, growth, and optionality.

[Bar charts: change in EBITDA¹ margin, growth, and optionality, resilients vs nonresilients,² in last and current recessions. Series: margin (EBITDA margin); growth (revenues); optionality (profits retained for reinvestment). Left panel: 2007–09, %, resilients and nonresilients. Right panel: Q2 2020 vs Q2 2019, %,³ emerging resilients and emerging nonresilients.]

¹ Earnings before interest, taxes, depreciation, and amortization.
² Resilients in the last recession (2007–09) are defined as those companies in each sector in the top 20% in excess total return to shareholders (TSR); nonresilients are defined as the remaining 80%. Excess TSR is calculated by subtracting the median TSR for each sector from the actual TSR for the period of 2007–11.
³ For the current recession, emerging resilients are defined as those companies in each sector in the top 20% on the Altman Z-Score (for Q2 2020 vs Q2 2019); emerging nonresilients are defined as the remaining 80%.
Source: S&P Capital IQ; McKinsey analysis

⁶ Earnings before interest, taxes, depreciation, and amortization.



Exhibit 4 demonstrates the relative performance of the emerging resilients in 2020 and the resilients in 2009.

By sector, we discovered that the emerging resilients are more likely to demonstrate consistent, balanced performance across a number of metrics, as opposed to having a leadership spike in one and lagging performance in the others. This brings us to our final insight: tomorrow’s resilients are more likely to be the companies that are driving value-added growth while balancing optionality, rather than those that focus most of their attention on maintaining operating margins, at the expense of other proportionate measures.

Exhibit 4
Balanced performers across margin, growth, and optionality are more likely to emerge as resilients than are top performers in only one metric.

Composite ranking of company grading on margin, growth, and optionality (typical grade¹ shown for each metric)

Category          Share of total, %   Probability of being in emerging resilients, %   Margin   Growth   Optionality
Top performer                     9                                               59        A        A             A
Balanced                         11                                               39        B        B             B
Mixed or spiky                   24                                               23        A        C             C
Underperformer                   56                                                9        B        C             C

Top performer: A in at least 2 metrics.
Balanced: B in all metrics; A in 1 metric and B in at least 1 metric.
Mixed or spiky: A in 1 metric and C in at least 1 metric.
Underperformer: B or below in all metrics, with C in at least 1 metric.

¹ A: top 20%; B: top 20–40%; C: bottom 60%.

Zeroing in on what matters
Z-Score insights can help leaders take an ownership view and think more clearly about what their organizations can achieve—especially by freeing themselves of unnecessary traditional limitations. In this recession, we have already been afforded meaningful glimpses of the possibilities. Faced with a global health crisis requiring physical distancing and other restrictions, companies shifted quickly to remote operating models.

In a matter of weeks, companies provided the workforce with new flexibility and skills where needed while maintaining or even increasing productivity. They massively expanded digital and online capacities to maintain customer relationships and deliver goods and services remotely and efficiently. They reconfigured supply chains to drive greater resilience. And they set higher standards for diversity and inclusion, providing a much needed leadership stance on making social change happen through better corporate citizenship. Imagine what companies might be able to do in 2021.

Let’s start with the companies in the top quintile of their sectors according to the Z-Score. They are already creating the conditions that allow them to generate value-added growth while maintaining optionality. They are therefore best positioned to realize their full potential. For these companies, first on the planning agenda is setting high aspirations for 2021. These can be defined by bold moves to drive rapid revenue growth, portfolio reallocation, value-creating M&A, and revamped technology spending.

Companies that are behind the top Z-Score performers in their sectors need to discover what is holding them back. They may be overemphasizing cost cutting or pursuing a strategy of growth at all costs. They might be overprioritizing investor payouts at the expense of their organizational health. They may be spreading their efforts thinly across many priorities instead of focusing tightly on driving margins and productivity. Leaders should also consider rethinking their supply chains end to end, especially to improve resilience.

Depending on their standing, lagging companies may need to focus their efforts on different drivers of growth. Almost universally, however, all companies will need to continue strengthening their organization, so that they may provide more flexibility to the workforce while executing operations at full speed. The experience of most sectors demonstrates that companies which execute faster tend to outperform.

Companies’ experiments with creating new postpandemic operations models are yielding some interesting results. Digital platforms are allowing some companies to share skills across operations, providing support in ways that were very difficult before. The same approach is also allowing workers to enjoy more opportunities while creating an effective postpandemic operating model that solves for speed and rapid decision making. These are the next-horizon powers that will drive productivity and propel the emerging resilients into the next wave of growth.

Cindy Levy is a senior partner in McKinsey’s London office, Mihir Mysore is a partner in the Houston office, Kevin Sneader
is McKinsey’s managing partner and is based in the Hong Kong office, and Bob Sternfels is a senior partner in the
San Francisco office.

The authors wish to thank Sumit Belwal, Jeffrey Caso, Martin Hirt, Peeyush Karnani, Jagbir Kaur, Kevin Lackowski, and
Sven Smit for their contributions to this article.



Resilience in a crisis: An interview with Professor Edward I. Altman
One of the leading researchers in corporate financial health discusses
what executives can do to help their companies endure the financial
stresses of crisis times.

Professor Edward I. Altman of the Stern School of That was the path, in my view, that gave GM its main
Business, New York University, is a leading expert chance of survival. They were really on the brink
in credit and debt. He has written or edited two at that time, having hemorrhaged $2 billion per
dozen books and more than 160 articles on finance, month for several months. I was not very popular
accounting, and economics. He is also the creator of at that hearing. Congress did not want to hear my
the Altman Z-Score, developed originally as a means “B word”—bankruptcy; they preferred the other
of predicting bankruptcy probabilities. McKinsey one, bailout. The House voted for a bailout, but the
researchers successfully used the Z-Score to test Senate voted against it. President Bush eventually
company resilience through a crisis.1 We spoke with bailed out GM and Chrysler under the funding that
Professor Altman about how executives can best Congress had given for financial institutions (using
face financial stress in times of crisis. GMAC as the entry point).

McKinsey: The Z-Score has had a variety of But the bailout didn’t work. Six months later, under
practical applications. Do any stand out as the Obama administration, GM filed for bankruptcy
particularly helpful? Have any applications of the and received about $50 billion in debtor-in-
model surprised you? possession loans, exactly as I had predicted should
happen. The rest is history. GM survived and is now
Professor Altman: I didn’t know of McKinsey’s use an investment-grade company. That status may
of the Z-Score to indicate resilience. Interestingly, be a stretch, but it is certainly a solvent company
you found it useful in gauging firm performance with operations globally, and much healthier today
before and after a crisis. Banks have used the because of going bankrupt, not despite it.
model in making lending decisions, and some use
it to complement their own internal-ratings-based Finally, an application that really surprised me is the
models for expected loss provisioning under the use of the Z-Score by managers to make strategic
Basel rules. It is also used by investors in making decisions. In 1981, I learned of a turnaround
bond or stock purchases. I was surprised, for strategy used by the CEO of a large manufacturer of
example, that several investment banks have used precision equipment in which he simulated business
the Z-Score as one of several criteria they apply to decisions like selling assets, reducing personnel,
customers. Some investment banks offer a basket consolidating locations, paying back some debt. He
of common stocks with the highest Z-Scores and plotted the effects of each simulated decision on
sell short the lowest. That came as a surprise—that the firm’s Z-Score. No action was taken that would
the Z-Score was generating profit for investment depress the Z-Score, at least in his estimation. And it
banks selling a structured product. was amazingly successful.

I used the model in my testimony in December 2008 McKinsey: Professor Altman, you have studied
before the US House Finance Committee, at the the credit market for years. What fundamental
onset of the financial crisis. The hearing would help changes have you observed? Today, we see many
determine whether General Motors and Chrysler alternative financing instruments, and high-yield
would receive government bailouts. The Z-Score bonds have gained steam as well. Would you
model showed very clearly that GM was heading for say that the Z-Score can account for such new
bankruptcy. I recommended against a bailout for GM developments? Has it proved timeless as a tool
and in favor of restructuring under Chapter 11. for measuring credit risk? Should we do anything

1 McKinsey’s results were published in an article by Cindy Levy, Mihir Mysore, Kevin Sneader, and Bob Sternfels, “The emerging resilients: Achieving ‘escape velocity’,” October 6, 2020, McKinsey.com. The authors used a common form of Professor Altman’s Z-Score, with the following weighted determinants: Z = 1.2X1 + 1.4X2 + 3.3X3 + 0.6X4 + 1.0X5, where X1 = working capital/total assets, X2 = retained earnings/total assets, X3 = earnings before interest and taxes/total assets, X4 = market value equity/book value of total liabilities, X5 = sales/total assets, and Z = overall index. Edward I. Altman, “Predicting financial distress of companies: Revisiting the Z-Score and ZETA® models,” Leonard N. Stern School of Business, July 2000, stern.nyu.edu.

Resilience in a crisis: An interview with Professor Edward I. Altman 13


differently today, compared with what you were doing 50 years back?

Professor Altman: Those are great questions. I would say most companies are riskier today than they were back in the 1960s when I built the model. Amazing progress has been made in technology, in strategy, over those 50-plus years, but the credit posture and structure of corporations have radically changed too. Back in the 1960s, and as late as the early 1990s, maybe 100 companies in the United States were rated AAA, and probably as many or more rated AA. Today, there are two AAA-rated companies in the US: Microsoft and Johnson & Johnson. And who knows how long those ratings will last?

An A rating is no longer the objective of companies. When I surveyed CFOs in the 1970s, as a visiting professor at Hautes Études Commerciales in Paris, the A rating was their predominant choice. Today, the preference is clearly for BBB. The reasons are low interest rates, certainly, but the lower rating also makes it easier to use leverage to raise earnings per share. Now there are other ways to raise earnings, as McKinsey and most CFOs well know. But a tried-and-true method is to increase leverage, especially where the cost of capital is low, and then invest in projects for which the return will be greater than the cost of debt and hopefully better than the cost of capital.

You mention high-yield bonds—we can add leveraged loans and shadow banking and so forth. The amount of leverage in the system now is far greater than it was 50 years ago. Is the Z-Score model still robust enough to be used today as it was then? The answer is yes. But I’ve learned some things over the years about the evolution of credit risk. I no longer use the cutoff scores from 1968. At that time, a company needed a Z-Score above 3.0 to be designated as a safe company. Companies with a score of less than 1.8 were considered distressed and likely to go bankrupt. Today, the cutoff score is much lower—about zero. A score of 1.8 is actually above average now for B-rated companies—and the dominant junk bond out there is a B-rated company. There are more B ratings than any other for high-yield bonds—more Bs than double-Bs or triple-Cs. And the probability of a B-rated company’s bond issue defaulting is about 28 percent in the first five years. So, 72 percent of Bs survive. And if you invest in a portfolio of Bs, assuming you receive interest compounded over five years, you will do quite well, relative to the risk-free rate—even given the default rate of 28 percent and the loss rate of about 20 percent (adjusted for recoveries).

I now use the bond-rating-equivalent technique to adapt to the changes over time in the capital structures of corporations. We look at the median score, by bond rating—AAA down to CCC—and assign a bond-rating equivalent to each firm, based on its score. And then we assess the probability of default given that bond-rating equivalent, using a mortality-rate approach, like an actuarial approach. That is the way I have adapted the original Z-Score model, and that model, with its original coefficients, is still quite effective.

You can go with the flow, in other words, making changes in rating equivalents over time, rather than building a new model each year or each five years. The Z-Score was originally based on a small sample of comparatively small companies. Today, companies are much larger, and the incidence of default for large companies is so much greater. Already in 2020 more than 50 companies in the United States with more than $1 billion in liabilities have gone bankrupt. Of course there were none of these “billion-dollar babies,” as I call them, back in the ’60s. So it is striking that a model built on smaller companies is still effective, generally, and for much larger companies as well.

McKinsey: Speaking of bankruptcies, we observe that companies continue to issue bonds—trillions of dollars worth in 2020. They are short of funds, as demand has dried up, and they are locking in the low interest rates as well. But the great volumes of debt are eroding companies’ credit health. Do you expect filings for bankruptcy protection to rise in the months to come?

14 McKinsey on Risk Number 10, January 2021


Professor Altman: I was worried about a potential debt bubble before the pandemic. I was in the minority then because the economy was doing well, bankruptcies were few, and defaults in the high-yield market were below the historical average. But I saw a lot of vulnerability. Not only for companies going bankrupt but also for the triple Bs, which were so popular, to be downgraded as fallen angels into the high-yield and junk categories. Well, things of course changed in March.

Because of extraordinary government support around the globe, companies with low Z-Scores are surviving. In some countries, it is even verboten, impossible to go bankrupt. The bankruptcy code is suspended in Germany and some other countries, except where fraud was involved. Italy and other countries have applied a moratorium on interest payments, a measure which reduces bankruptcies.

But the reduction in bankruptcies is temporary, in my view. We will have a second wave once government supports are reduced. I remain concerned about a debt bubble. Record amounts of new bonds and loans are being issued, both investment grade and noninvestment grade. Companies are doing this to raise cash as a reserve against problems stemming from the pandemic. Not all can do this—only those with reasonably good credit profiles. However, even companies that have been downgraded from investment grade to high yield are eligible for support from the Federal Reserve, for example, in purchasing in the secondary market of their bonds. This has given investors the confidence they need to buy the bonds even if they think that the issuing company is going to suffer during the pandemic. Because the price will be supported—as long as they don’t default, of course. So the market is bifurcated: the haves are issuing debt and the have-nots are not.

There are zombie firms out there—companies artificially kept alive by banks and nonbanks. What can companies do to keep a debt bubble from building and to avoid potentially defaulting themselves with overwhelming amounts of new bonds and loans? I see two positive developments. One is that companies are buying back their debt, reducing the amount of debt in their capital structure, using a lot of the cash that they raised over these past four or five months, since April of this year. Second is the issuance of new equity. I am surprised this has happened so quickly. But both IPOs and established companies (with secondary equity issuances) are beginning to do this. In my opinion, the sooner the better.

The easiest way to reduce your debt-equity ratio, as McKinsey well knows as strategists in the corporate-finance area, is an equity-for-debt swap. And the best time to do that is when the stock price is high. You raise new equity at a very attractive rate and then, instead of investing in a new plant and equipment, you buy back debt with it. Now the debt comes at low interest rates, so equity-for-debt swaps might be less attractive for some companies. But most have a target capital structure in mind, at least I believe so. And such a swap is one way to get back to it, if you are overweighted in debt.

For companies that cannot buy back debt because they don’t have the cash, or those unable to issue new equity at attractive prices because their performance has been poor—these are the companies that I believe are going to default in increasing numbers in 2021, but probably not before then. Other forecasters agree with me on this, including investment banks and rating agencies.

McKinsey: As you know, some economists see things the way that you just laid out, while others are less concerned about the buildup of debt right now. Given the stressed economic environment, what advice do you think the Z-Score offers to executives today, as they approach the 2021 planning period?

Professor Altman: One of the interesting applications of the model is as an early-warning system. Executives of companies tend toward a biased view of their strengths and weaknesses, overestimating the former and underestimating the latter. If they see problems on the horizon, they think they can handle them. They may not realize the seriousness of a situation until late in the day. Once the crisis hits, then they begin to react. If leaders are open-minded, however, they can use the Z-Score as an objective model. It will show where the company stands in terms of a bond-rating equivalent or a zone of distress. Applied early enough, this approach can help executives take action—selling assets, cutting back on debt, for example.

In this pandemic, some companies—high-tech companies and big banks in the United States, for example—have actually thrived. But many companies are in survival mode and preparing for that second wave. Banks are preparing with respect to capital provisioning, because they are regulated, and they know they should be doing so. Most companies are not regulated. I think a Z-Score or similar technique could help them see, unambiguously, how they are deteriorating during this pandemic. It might also show that they will recover when the economy recovers. Or maybe they will realize that they were deteriorating before the pandemic began, if they look at their Z-Scores for 2018, 2019, 2020. At any rate, they will see their vulnerabilities to financial distress. I would hope that companies use the Z-Score in that fashion. I know that investors are.

The McKinsey study shows that resilient companies can be identified as those whose Z-Scores decline less in a crisis. Scores for nonresilient companies are affected more negatively. You are not the only ones to have discovered this: as I mentioned, some investment banks have products that depend on the Z-Score for their investment (and divestment) choices.

McKinsey: Can you give us your view on the apparent disconnection between the stock market and the real economy? One much discussed factor is the overrepresentation of technology companies on the markets compared with their weight in the real economy.

Professor Altman: I am as surprised as anyone that the stock market is doing so well when the real economy is not. Noneconomic as well as economic and financial reasons play into this. Forecasts show overall GDP contractions for most economies in 2020. And yet, the stock market has rebounded dramatically. The S&P, where technology companies have an outsize role, and the Dow as well, where they don’t. And bond prices have also rebounded dramatically.

Puzzled as we may be, we economists and financial analysts need to have a view on why the markets have been buoyant. Of course, very low interest rates play a part. Where else will you put your money? In a safe? In government bonds? Not very attractive, unless you believe the market is headed for a real fall soon. The US Federal Reserve and other central banks have said that interest rates will remain low for quite a while. And so the outlook for the bond market is not very rosy. A second reason I think is that many people are spending more time following the market and investing. They are focused now on safeguarding their money or making profits—because they are at home, can’t travel, are unemployed, or whatever. Day and retail traders have been an important force in this market. Many individual and institutional investors, furthermore, believe that the economy is going to rebound dramatically and feel that the time is right to buy cheap stocks.

Nevertheless, many investors have been losing in this stock market. Many funds are down, even though the stock market is up overall. The average investor is probably down in their own portfolio—except for those perhaps who picked some of the zooming companies like Zoom or Tesla or the tech giants. But will stock-market growth continue if economic recovery lags? I am being cautious in my own portfolio, taking into account the potential for another big downturn in the financial markets. This could be triggered by one or more factors—continued spread of the virus, delayed or ineffective vaccines, or a lagging recovery in the real economy. Investors could lose patience with companies.

McKinsey: I’d like to finish with a question about how business executives might best use the Z-Score. It’s the product of several weighted variables, including earnings, margins, stock price, optionality. Should executives steer toward improvements in particular metrics or look to strike a balance among them?



Professor Altman: A balance. Companies need a multivariate approach, maintaining or improving performance on a number of metrics. Key drivers in the Z-Score are total assets and total liabilities. Companies concerned about their future could therefore seek to concentrate assets. Consolidate where you can while reducing investment in fixed assets if your situation is deteriorating. That would be part of a prudent strategy. It would raise cash needed, either for new investments (in products that are at an earlier point in their life cycles) or to pay back some debt. Companies are doing that also, to reduce vulnerability should conditions worsen. But it’s hard. Reducing exposures to protect yourself in case things don’t improve—that is not part of executive psychology. Executives think about how to improve earnings or market share. They don’t want to think about reducing exposures by selling assets. Companies also need to better understand their liquidity positions. Inventories that are not selling well now should not be stockpiled in anticipation of better times in the future—unless, of course, companies have good reason to be very confident. So, working capital is an important factor. And of course, stay away from borrowing, especially short-term borrowing, when in a vulnerable position.

McKinsey advises CEOs all the time, and likely well understands this issue. When a company encounters major problems, the executives whose decisions led to the situation have a hard time turning it around themselves. They can only be effective if they can take an objective view toward their own past, and act without bias. Very hard to do. At such times, companies need an adviser or an interim CFO or CEO to make the hard choices. CEOs could help themselves by recognizing that they can’t do this alone. They need a clearly objective model. I have always said that there is help out there, but whether leaders can embrace help in times of crisis—that is the question.

McKinsey: That is golden advice. Thank you very much, Professor Altman.

Professor Altman: Thank you.

Edward I. Altman is the Max L. Heine Professor of Finance, emeritus, at the Stern School of Business, New York University,
and director of research in credit and debt markets at the NYU Salomon Center for the Study of Financial Institutions. This
interview was conducted by Jeffrey Caso, an expert in McKinsey’s Washington, DC, office; Peeyush Karnani, a senior expert
in the New York office; and Mihir Mysore, a partner in the Houston office.

Copyright © 2021 McKinsey & Company. All rights reserved.



Meeting the future: Dynamic risk management for uncertain times

The world is changing in fundamental ways, leading to dramatic shifts in the landscape of risks faced by businesses.

by Ritesh Jain, Fritz Nauck, Thomas Poppensieker, and Olivia White

© Cokada/Getty Images

Beyond the profound health and economic uncertainty of our current moment, catastrophic events are expected to occur more frequently in the future. The digital revolution, climate change, stakeholder expectations, and geopolitical risk will play major roles.

The digital revolution has increased the availability of data, degree of connectivity, and speed at which decisions are made. Those changes offer transformational promise but also come with the potential for large-scale failure and security breaches, together with a rapid cascading of consequences. At the same time, fueled by digital connectivity and social media, reputational damage can spark and spread quickly.

The changing climate presents massive structural shifts to companies’ risk-return profiles, which will accelerate in a nonlinear fashion. Companies need to navigate concerns for their immediate bottom lines along with pressures from governments, investors, and society at large. All that, and natural disasters, too, are growing more frequent and severe.

Stakeholder expectations for corporate behavior are higher than ever. Firms are expected to act lawfully but also with a sense of social responsibility. Consumers expect companies to take a stand on social issues, such as those fueling the #MeToo and Black Lives Matter movements. Employees are increasingly vocal about company policies and actions. Regulator and government attention is reflecting societal concerns in areas ranging from data privacy to climate change.

An uncertain geopolitical future provides the backdrop for such pressures. The world is more interconnected than ever before, from supply chains to travel to the flow of information. But those ties are under threat, and most companies have not designed robust roles within the global system that would allow them to keep functioning smoothly if connections were abruptly cut.

Companies require dynamic and flexible risk management to navigate an unpredictable future in which change comes quickly. The level of risk-management maturity varies across industries and across companies. In general, banks have the most mature approach, followed by companies in industries in which safety is paramount, including oil and gas, advanced manufacturing, and pharmaceuticals. However, we believe that nearly all organizations need to refresh and strengthen their approach to risk management to be better prepared for the next normal. The following discussion describes the core of dynamic risk management and outlines actions companies can take to build it.

The core of dynamic risk management
Dynamic risk management has three core component activities: detecting potential new risks and weaknesses in controls, determining the appetite for risk taking, and deciding on the appropriate risk-management approach (Exhibit 1).

Exhibit 1
Companies require dynamic and flexible risk management to navigate an unpredictable future in which change comes quickly.

3 core components of dynamic risk management

Detect risks and control weaknesses: Ability to anticipate, predict, and observe threats rapidly and accurately based on disparate internal and external data points and to assess risk magnitude, risk-impact duration, and internal-control effectiveness

Delimit risk appetite: Ability to set limits on risk taking dynamically, accounting for business's values, strategy, risk-management capabilities, and competitive environment

Decide on risk-management approach: Ability to decide promptly if risk requires immediate or more prolonged response, design and undertake appropriate response or mitigation, and institute feedback loop to track response effectiveness

Detecting risks and control weaknesses
Institutions need both to predict new threats and to detect changes in existing ones. Today, many companies maintain a static and formulaic view of risks, with limited linkages to business decision making. Some of these same companies were caught flat footed by the COVID-19 pandemic.

In the future, companies will require hyperdynamic identification and prioritization of risks to keep pace with the changing environment. They will need to anticipate, assess, and observe threats based on disparate internal and external data points. Dynamic risk management will require companies to answer the following three questions:

— How will the risk play out over time? Some risks are slow moving, while others can change and escalate rapidly. Independent of speed, risks can be either cyclical and mean reverting or structural and permanent. Historically, most firms have focused on managing cyclical, mean-reverting risks, like credit risk, that go up and down with macroeconomic cycles. Historically, the fundamental long-term economics of business lines have held firm, requiring only tweaks through the cycle. Credit risk in financial services is an example of such a risk. However, the traditional principles of trajectory and cyclicality of risks are increasingly becoming less relevant. The global economic shock caused by the COVID-19 pandemic has demonstrated that many companies were not prepared for events with profound and long-lasting impact that could fundamentally change how business is conducted.

— Are we prepared to respond to systemic risks? In today’s world, risk impact can go well beyond next quarter’s financial statements to have longer-term reputational or regulatory consequence. Institutions must also consider whether the event triggering the risk has broad implications for their industry, the economy, and society at large—and what that means to them. The COVID-19 pandemic has had a direct impact on most companies but has also meaningfully shifted the global economy and societal terrain. Companies should consider whether they have the controls, mitigants, and response plans in place to account for worst-case-scenario, systemic risks. For example, as companies house more personal data, the risks associated with data breaches become more systemic, with the potential to impact millions of customers globally. These firms need to consider proactively how to protect against and react to such breaches, including by working with external stakeholders, such as customers, law-enforcement agencies, and regulators.



— What new risks lurk in the future? Companies will digital capabilities, competitive landscapes, and
need to cast nets wide enough to detect new and global trends. For example, many companies
emerging risks before they happen. Traditional that categorically refused to use the cloud five
risk-identification approaches based on ex post years ago are migrating to cloud-based storage
facto reviews and assessments will not suffice. and software solutions today, driven by improved
Most institutions have not had historical losses technology and security. Geopolitical instability
linked to climate change, and many have not has the potential to increase counterparty and
encountered significant reputational blowback currency risk considerations for the travel and
from being on the wrong side of a social issue. infrastructure industries when considering
Institutions will need to work across business and engineering, procurement, and construction
functional divisions to maintain forward-looking, contracts for megaprojects lasting several
comprehensive taxonomies of the fundamental years. The COVID-19 pandemic has sparked
drivers of their risks. To get a real-time view of pharmaceutical companies to consider afresh
those drivers, companies should look to internal which risks they are willing to take to develop
performance metrics, external indicators, and and produce treatments quickly.
qualitative views of what business leaders
see in their day-to-day work. Scenario-based — Should we avoid any risks entirely? Companies
approaches and premortems also play a critical will want to draw some clear lines in the
role by letting leaders play out what might go sand: no criminality; no sexual harassment of
wrong before it does. employees. But for many risks, the lines are not
clear, and each company will need a nuanced
Determining risk appetite perspective built on a strong, objective fact base.
Companies need a systematic way to decide which For example, will risk drivers such as climate
risks to take and which to avoid. Today, many change render risks in certain businesses
institutions think about their appetite for risk in fully untenable (for example, developing real
purely static, financial terms. They can fall into the estate in certain coastal regions)? Or should
simultaneous traps of being both inflexible and the reputational risk of being caught in the
imprudent. For example, companies that do not middle of highly charged environmental and
take sufficient risk in innovating can lose out to social-responsibility issues drive a company out
more nimble competitors. But at the same time, of certain business segments altogether (for
companies that focus on purely financial metrics example, in the way some retailers made the
can unwittingly take risks—for example, with their decision to stop selling guns)? Companies will
reputation by continuing a profitable business need to develop views on such questions and
process that runs counter to societal expectation. update them continuously as their environments
and corresponding fact bases evolves.
In the future, companies will need to set appetites
for risk that align with values, strategies, capabilities, — Does our risk appetite adequately reflect our
and the competitive environment at any given time. control effectiveness? Companies are more
Effective enterprise risk management will help them comfortable taking the risks for which they have
dynamically delimit risk taking, directly translating strong controls. But the increased threat of new
financial and nonfinancial principles and metrics into and severe nonfinancial risks challenges status
a concrete view of what the firm will and will not do quo assumptions about control effectiveness.
at any given time. Companies will need to be able to For example, many businesses have relied on
answer the following three questions: automation to speed up processes, lower costs,
and reduce manual errors. At the same time,
— How much risk should we take? Rapid changes the risks of large-scale breaches and violations
can quickly uproot companies’ risk profiles. of data privacy have increased dramatically,
They will need to adjust their risk appetites to heightening during the COVID-19 crisis as
accommodate shifting customer behaviors, digitization accelerates substantially across many

Meeting the future: Dynamic risk management for uncertain times 21


industries. With less risk of manual errors but in the evolving world, firms will need to build
greater risk of large-scale failures, institutions will crisis-preparedness capabilities systematically.
need to adjust their risk appetites and associated As the COVID-19 crisis has demonstrated,
controls to reflect evolving risk profiles. companies with well-rehearsed approaches to
managing through a crisis will be more resilient
Deciding on a risk-management approach to shocks. Preparation should involve identifying
Firms need to decide on how to respond as they the possible negative scenarios unique to an
detect new risks or control weaknesses. Today organization and the mitigating strategies to
many rely on linear, committee-based governance adopt before a crisis hits. That includes periodic
processes to make decisions about risk taking, simulations involving both senior management
slowing their ability to act. and the board. Companies should maintain and
periodically update detailed crisis playbooks.
In the next normal, however, institutions will need Their strategies should include details on
to make risk decisions rapidly and flexibly, laying when and how to escalate issues, preselected
out and executing responses, whether immediate crisis-leadership teams, resource plans, and
or prolonged, about how to avoid, control, or accept road maps for communications and broader
each risk. The decisions should actively engage stakeholder stabilization.
leaders from across an organization to determine the
mitigation and response efforts that have worked — How can we build true resilience? Resilient
well in the past, as well as those that have not. In companies not only withstand threats, but they
that way, the organization can develop the ways it emerge stronger. Companies can learn from
manages risks in today’s world. Companies will have every actual risk event and control breakdown,
to be able to answer the following questions: honing risk processes and controls through
a dynamic feedback loop. On a grander scale,
— How should we mitigate the risks we are firms also have the chance to turn the fallout
taking? Historically, many companies have from true crises into competitive advantage,
relied heavily on manual controls and on human as the COVID-19 crisis is demonstrating. For
assessments of control effectiveness. That example, some companies providing vacation
approach can generate excess, costly layers rentals realized that they would need to do more
of controls in some areas while leaving gaps than provide amenities and hygiene measures.
or insufficient controls in others. Today, the art They have started offering tailored customer
of the possible in defending against adverse experiences, including games, virtual cooking
outcomes is rapidly evolving. Automated classes, and remote nature tours, built on an
control systems are built into processes and understanding of customer microsegments.
detect anomalies in real time. Behavioral These companies have started to differentiate
nudges influence people to act in the right themselves from their competitors and are
ways. Controls guided by advanced analytics positioned to emerge more resilient, even
simultaneously guard against risks and minimize within a very hard-hit sector. Companies
false-positive results. should prepare to ensure five types of
resilience: financial, operational, organizational,
— How would we respond if a risk event or reputational, and business-model resilience.
control breakdown occurs? In the event of a Business-continuity, financial, and other plans
major control breakdown, companies need to can provide buffers against shock. But true
be able to switch quickly to crisis-response resilience also stems from a diversity of skills and
mode, guided by an established playbook experience, innovation, creative problem solving,
of actions. Most companies have done little and the basic psychological safety that enables
to prepare for crises, seemingly taking the peak performance. Those characteristics are
attitude that “it won’t happen here.” However, helpful in good times and indispensable when

22 McKinsey on Risk Number 10, January 2021


quick, collaborative adaptation is needed for an institution to thrive.

Five actions to build dynamic risk management

Today, many firms see enterprise risk management as a dreary necessity but hardly a source of dynamism or competitive advantage. It can suffer from being static, siloed, and separate from the business. But dynamic and integrated risk management, which includes the ability to detect risks, determine appetite, and decide on action in real time, is growing ever more critical. Leaders can take five actions to establish the necessary capabilities (Exhibit 2).

1. Reset the aspiration for risk management
To meet the needs of the future, companies need to elevate risk management from mere prevention and mitigation to dynamic strategic enablement and value creation. This requires clear objectives, such as ensuring that efforts are focused on the risks that matter most, providing clarity about risk levels and risk appetite in a way that facilitates effective business decisions, and making sure that the organization is prepared to manage risks and adverse events.

In practice, risk managers should engage in a productive dialogue with business leaders to gain an in-depth understanding of how the business thinks about risk day to day and to share the risk capabilities they can bring. Businesses typically approach decisions with a reasonable risk-versus-return mindset but lack key information to do this effectively alone. For example, business units often do not have a full systematic understanding of the full range of risk drivers or a clear view of how a stressed environment could affect the company.

More broadly, businesses typically also lack an enterprise-wide view of how a risk might unfold. For example, climate risk may affect most aspects of some companies’ businesses, from the impact of physical climate risk on operational facilities and supply chains to market repricing of carbon emissions to shifts in market demand and competitive landscape. The COVID-19 pandemic has had a similarly cross-enterprise impact on nearly every company. It should be an objective of dynamic risk management to provide an enterprise view.

2. Establish agile risk-management practices
The increasingly volatile, uncertain, and dynamic risk environment will demand more agile risk management. Companies will need to tap into people with the right skills and knowledge in real time, convening cross-functional teams and authorizing them to make rapid decisions in running the business, innovating, and managing risk.

Building teams and decision bodies dynamically requires the ability to understand quickly the nature of the risk at hand, including its significance and how quickly it may play out. This helps determine who needs to be involved and how people should work together. One fintech company, for example, runs daily huddles to discuss customers, bringing together a cross-functional team of business and risk leaders and other subject-matter experts to review new customer complaints. This enables executives to review funnel metrics for the day side by side with customer complaints and helps teams triage and remediate those complaints promptly, avoiding larger issues down the road.

Decisions themselves should receive appropriate transparency, but managers should not get bogged down in excessive bureaucracy. Companies can formulate a clear, principled view of what sorts of decisions require committee review versus execution by single responsible parties. In some cases, previously unforeseen issues and risks that have the potential to evolve rapidly may require special, fast-track decision-making mechanisms. One organization does regular crisis-preparedness exercises and has developed relevant playbooks that assign decision-making power if needed, depending on the type of issue.

3. Harness the power of data and analytics
Companies can embrace the digital revolution to improve risk management. Automation technologies can digitize transaction workflows end to end,
reducing human error. Rich data streams from traditional sources, such as ratings agencies, and nontraditional sources, such as social media, provide an expanding and increasingly granular view of risk characteristics. Sophisticated algorithms enable better error detection, more accurate predictions, and microlevel segmentation.

One global pharmaceutical company adopted advanced analytics to help it prioritize clinical-trial sites for quality audits. The company used a model to identify higher-risk sites and the specific type of risk most likely to occur at each site. The company is now tightly integrating its analytics with its core risk-management processes, including risk-remediation and monitoring activities of its clinical operations and quality teams. The new approach identifies issues that would have gone undetected under its old manual process while also freeing 30 percent of its quality resources.

Another area in which advanced analytics can capture significant value is in the predictive detection of risk. One railway operator applied advanced analytics to predict major component failures. The company improved safety and reduced its total failure cost for rolling stock by 20 percent. Companies can also use natural-language processing to build real-time, digital dashboards of internal and market intelligence, enabling more effective risk detection, including in customer complaints, employee allegations, internal communications, and suspicious-activity reports.

4. Develop risk talent for the future
To meet the demands of the future, risk managers will need to develop new capabilities and expanded domain knowledge. Strong knowledge of how the business operates provides a critical foundation by supporting true understanding of the landscape of risk. This enables risk professionals to provide better oversight and more effective challenge while also acting as effective counselors and partners as their company navigates the risk landscape.

Risk managers will also need strong understanding of data, analytics, and technology, which are driving shifts in how most companies operate—a trend only accelerated by the COVID-19 crisis. This is true for how data and digital interfaces are affecting firm processes, how companies are employing artificial intelligence to support day-to-day decisions, and how the digital revolution is shaping risk management itself.

To put this all together, risk managers will need to develop agile capabilities and mindsets, allowing them to identify opportunities to convene stakeholders and contributors across functions rapidly and generate quick solutions. People will need the leadership and personal capabilities to tap into colleagues with the right skills and knowledge in real time.

Exhibit 2
Dynamic and integrated risk management, which includes the ability to detect risks, determine appetite, and decide on action, is growing ever more critical.

5 actions to establish capabilities needed for dynamic risk management

Reset aspiration for risk management: Move risk from prevention and mitigation to dynamic strategic enablement and value creation
Establish agile risk-management practices: Authorize cross-functional teams to make rapid decisions in business, innovation, and risk management
Harness power of data and analytics: Digitize transaction workflows; use data to expand view of risk characteristics; deploy algorithms to enable better error detection, more accurate predictions, and microsegmentation
Develop risk talent for future: Develop new capabilities and expanded domain knowledge to support full understanding of risk landscape
Fortify risk culture: Build true risk-culture ownership in front line; hold executives accountable for cultural failings; link risk culture with daily business activities and outcomes

5. Fortify risk culture
Risk culture refers to the mindsets and behavioral norms that determine how an organization identifies and manages risk. In moments of high uncertainty—such as those we are living through during the COVID-19 pandemic—risk culture is of exceptional importance. Companies cannot rely on reflexive muscles for predicting and controlling for risks. A good risk culture allows an organization to move with speed without breaking things. It is an organization’s best cross-cutting defense.

Beyond today’s travails, a strong risk culture is a critical element to institutional resilience in the face of any challenge. In our experience, those organizations that have developed a mature risk culture outperform peers through economic cycles and in the face of challenging external shocks. At the same time, companies with strong risk cultures are less likely to suffer from self-inflicted wounds in the form of operational mistakes or reputational difficulties and have more engaged and satisfied customers and employees.

Companies with strong risk cultures share several essential characteristics. Most important, true ownership and responsibility for risk culture sits with the front line, with executive-level accountability for cultural failings. To be truly lived, culture must be linked with the day-to-day business activities and outcomes of an institution. At the same time, someone needs to be responsible for coordinating the definition, measurement, reporting, and reinforcement of risk culture—for example, within a risk function, a COO organization, or HR. Without an enterprise-wide view and vocabulary, it is not possible to effect true, coordinated cultural change. Finally, attention to risk culture must be ongoing. Strong culture takes maintenance and requires reinforcement.

One fast-growing technology company announced a culture transformation as the CEO’s top priority. It selected 30 culture leaders from across the company to lead the effort. The initiative mobilized around one-fifth of its staff through workshops aimed at helping managers make risk-informed decisions and creating a new risk culture and mindset.

The world is facing both uncertainty and rapid change. For companies, risk levels are rising—as are the expectations of employees, customers, shareholders, governments, and society at large. Against this backdrop, we believe companies need to rethink their approach to risk management, to make it a dynamic source of competitive advantage.

Ritesh Jain is an associate partner in McKinsey’s New York office, Fritz Nauck is a senior partner in the Charlotte office,
Thomas Poppensieker is a senior partner in the Munich office, and Olivia White is a partner in the San Francisco office.

A fast-track risk-management transformation to counter the COVID-19 crisis

An accelerated transformation to enhance efficiency and effectiveness will enable risk organizations to deal with the pandemic while addressing rising regulatory and cost pressures.

by Javier Martinez Arroyo, Marc Chiapolino, Matthew Freiman, Irakli Gabruashvili, and Luca Pancaldi

Before the coming of the pandemic, banks had been reducing the complications and costs that arose over the years as they dealt with escalating regulations and emerging risks by adding policies, processes, and people to their risk and compliance functions.

Then COVID-19 happened and threatened to complicate things all over again.

When banks shut branches and corporate offices, this altered how customers interact with them, forcing changes to long-held risk-management practices. Activities that typically happened in person were no longer possible, such as credit-committee meetings to approve underwriting for a new corporate client, or office visits by potential small borrowers to verify their creditworthiness or sign loan documents.

The banks’ risk-management functions, which act as a second line of defense between frontline employees who work directly with customers and the department’s backstop internal risk-audit teams, also had to adjust the way they operate. For starters, they had to manage employees who would now work from home and to prepare for the pandemic-triggered problems of small businesses and other customers. They also had to adopt new practices to monitor existing risks and guard against new ones, including cyberrisks triggered by the pandemic. Such changes, we estimate, could raise the operating expenses of risk functions by 10 to 30 percent. That’s reason enough to make processes as efficient and effective as possible.

McKinsey had previously found that risk managers can improve their operations by digitizing and applying advanced analytics to a variety of department functions and by optimizing the organization, among other changes. Those directives still hold. Our latest research shows that to address the business problems COVID-19 has created and to mitigate the cost and regulatory pressures risk organizations still face, they must roll out digital and advanced analytics more aggressively and tie these moves to tactical improvements in governance.

More specifically, to win in the next normal, the risk-management function must make itself more efficient and effective—something high-performing risk organizations have already done. We have prioritized six specific moves risk organizations must make:

— Redesign underwriting to streamline processes and add automated ones.

— Enhance monitoring.

— Optimize and automate reporting.

— Improve processes for reporting financial crimes.

— Streamline the market-risk operating model.

— Make other changes by taking a big-picture look at risk management’s overall organization, governance, and performance management.

These changes are often part of a larger transformation that can take years to implement. Yet some risk-management functions have adopted the practices we’ve outlined much more quickly—in some cases, in only three months. When these changes are successful, we estimate that they can improve efficiency and effectiveness enough to raise the productivity of specific activities by 40 percent or more. Banking-sector risk organizations that had been relatively efficient before implementing these moves can use them to raise their productivity by 15 to 25 percent. Less efficient bank risk organizations can raise it by 30 percent or more.

Roadblocks to improving risk management

Well before the pandemic, risk organizations had to deal with the external pressures of increased industry regulation, and internal pressure to cut costs. Around the world, both the depth and breadth of banking regulations have increased. The reasons include the shift to digital channels and tools, a greater reliance on third parties and the cloud, and the threats that all these pose to the strength and integrity of risk functions. On top of that, bank leaders working to make their organizations more
competitive expect the risk function to contribute to overall cost-cutting efforts.

COVID-19 has added to those challenges. Risk managers must understand the pandemic’s impact on credit and market portfolios to mitigate the effects on their own operations. They’ve had to track emerging threats to the newly remote workforce, to current and potential borrowers, and to other bank customers. They’ve implemented government-directed moratoriums on loan collections and abided by other local or national measures adopted in the pandemic’s wake. Those actions have cut into top-line revenues at a time when banks are adding expensive new risk-management practices.

But coping with the new requirements doesn’t have to mean adding staff. Risk-management activities—including resources in first-, second-, and third-line defense roles—already account for up to half of a bank’s employees and costs. Risk-organization staff in the second line of defense account for approximately 2 to 3 percent of the total number of bank employees, not including compliance and financial-crimes personnel. Although our research shows that scale is the single most important driver of efficiency, we have also found that the size and cost of multiple risk activities do not correlate directly with scale (Exhibit 1). For these activities, the different operating models of banks explain the variations.

Lower costs don’t necessarily make a bank’s risk operations less effective. In fact, a McKinsey analysis found that banks with the strongest risk operations have 10 to 15 percent fewer full-time-equivalent employees than their less effective counterparts do (Exhibit 2).¹

¹ As measured by 2019 Supervisory Review and Evaluation Process (SREP) ratings and corrected for the impact of scale.

Exhibit 1
Some risk-management activities appear to be more fixed and suitable for economies of scale.

Total cost of risk management by activity and size of bank

[Line chart. Vertical axis: cost of risk-management activities, index¹ (100 to 400). Horizontal axis: number of full-time equivalents (50,000 to 200,000). Series labeled on the chart, listed from the "more variable" end to the "more fixed" end: credit decisioning; fully variable activity²; operational risk; risk-function management; model risk management; enterprise risk management; credit data, analytics, and reporting; credit-risk-model development; risk technology; fully fixed activity². Annotation: The larger the bank, the higher the proportion of risk-management cost in the activity as a percentage of all bank full-time equivalents.]

¹To ensure comparability across functions, total cost of risk organization was rebased to 100 for each function for a bank with 50,000 full-time equivalents to capture marginal increase over institutions’ size. Noise deriving from initial size of each function was removed to observe correlation between overall institution size and function size.
²Same proportion of risk-management cost for banks of all sizes.
Source: McKinsey Global Risk Benchmark, 2019

Exhibit 2
Banks with more effective risk operations are also more efficient.

Correlation of risk-operation size and SREP¹ evaluations for Tier 1–3 banks, %²

[Bar chart. Categories: Tier 1, Tier 2, Tier 3. Values shown: 3.5, 3.0, 2.8. Annotations: 20%; 10–15% when adjusted for scale impact³.]

¹SREP: Supervisory Review and Evaluation Process.
²Risk-operation size: risk-operation full-time equivalents (FTEs) vs total-bank FTEs; risk-operation FTEs exclude compliance, anti–money laundering, and risk-IT functions. Pillar 2 requirements for European Banking Authority (EBA) and Pillar 2A requirements for UK; SREP evaluation used as proxy for risk-function effectiveness, as internal risk-governance framework is 1 of 4 pillars of SREP process. Tier 1: <1.75% for EBA and <2% for Bank of England Prudential Regulation Authority (PRA); Tier 2: 1.75–2% for EBA and 2–2.5% for PRA; Tier 3: >2% for EBA and ≥2.5% for PRA. Sample size of 10 EU and UK banks.
³Adjusted for size using correlation inferred from McKinsey Global Risk Benchmark, 2019.
Source: Bank of England; individual Pillar 3 reports; “Supervisory review (SREP),” European Central Bank, 2019, bankingsupervision.europa.eu

Six actions that improve risk-management productivity

Risk functions can face their old and new challenges, without increasing their size or costs, if they operate more efficiently and effectively. Banks have a number of options. They can deploy some of the moves outlined below relatively quickly to make themselves more efficient and effective while also adapting their risk-management practices to the COVID-19 environment (Exhibit 3).

1. Redesign underwriting
Assessing a borrower’s creditworthiness is a long, labor-intensive process that’s prone to inefficiencies, which make it ripe for improvement. The desire of borrowers for more transparency into the underwriting process has exacerbated the existing complexities. Customers—in particular, retail companies and small and medium-size enterprises (SMEs)—want to know immediately if they qualify for a loan and when they can access the funds. That didn’t change when COVID-19 hit: risk functions must still meet customers’ expectations even while dealing with them remotely.

Credit underwriting already accounts for a substantial part of the total resources of the risk organization—an average of 30 percent (and up to 50 percent) of its employees. Adding staff therefore isn’t the answer. In fact, our research indicates that the workforce at the most efficient organizations tends to be substantially smaller than it is at the least efficient ones.

In the next normal, the ability to speed up underwriting turnaround times will become an important differentiator. Risk teams that had already digitized underwriting before the pandemic responded more successfully under the lockdown. By 2021, we expect others to follow suit, pushing up the adoption of digital channels for credit underwriting by 5 to 15 percent.

Banks have three primary avenues to improve the efficiency and effectiveness of their credit-underwriting processes:

— Adopt straight-through processing (STP) for credit-underwriting workflows. Upgrading to digital from manually inputting data, through data spreading or other means, could help reduce end-to-end workflow costs by up to 40 percent. STP applications include tools that prepopulate credit forms with data from clients or internal or external databases as well as incorporate delegation and structure information.

— Automate underwriting for retail and SME customers. Using software to calculate the creditworthiness of a small business by standard criteria, rather than having staff make these decisions, could raise margins by 5 to 10 percent. Software could also improve (by 10 to 25 percent) an underwriting department’s ability to correctly predict whether an SME is a good credit risk. Banks that have already automated the function might consider increasing underwriting thresholds—for example, to $500,000, from $250,000.
Exhibit 3
Risk-management functions can take action in six areas to realize productivity gains of 30 percent or more in a matter of months.

Productivity opportunity, % difference between top and median performers

[Bar chart across six areas: redesign underwriting¹; enhance monitoring²; optimize and automate reporting³; optimize financial-crime detection; streamline market-risk operating model; improve organization, governance, and performance⁴. Values shown: ~50, ~30, ~30, ~25, ~20, ~15.]

Potential productivity improvements

Redesign underwriting¹
• ~10–25% improvement in accuracy of underwriting predictions through advanced analytics
• ~5–10% credit-margin growth through instant credit decisions

Enhance monitoring²
• ~40% portfolio-level decisions supported by advanced analytics
• ~15–20% reduction in manual data entry through natural-language processing

Optimize and automate reporting³
• ~50% reduction in data-reporting errors, reducing need for manual corrections and improving monitoring quality

Optimize financial-crime detection
• ~40% increase in know-your-customer (KYC) process accuracy
• ~50% decrease in KYC documents and process steps
• ~80% improvement in accuracy of anti–money laundering alerts

Streamline market-risk operating model
• ~50% reduction in data errors and exceptions
• ~20% reduction in data and pricing discrepancies between front line and risk

Improve organization, governance, and performance⁴
• ~30% reduction in complexity
• Increased awareness of risk effectiveness and efficiency through monitoring

¹Includes credit decisions.
²Includes credit-risk portfolio management and enterprise-risk-management (ERM) risk review and tracking.
³Includes credit, market, operational, and ERM reporting.
⁴Includes management and overhead for all risk types.

To mitigate the increased potential for fraud that typically accompanies changes in this area, automated banks must also improve their controls.

— Simplify corporate-credit underwriting. Banks can streamline underwriting that cannot be automated, because of the counterparty’s size or the complexity involved, by reducing the credit-application documentation and analysis required. For large, well-established, or public companies, risk managers could review a dozen documents instead of 50 and reserve the more intensive scrutiny for less prominent or smaller enterprises. Other methods to rework corporate underwriting processes include defining credit limits by company type or industry (rather than on a deal-by-deal basis) and creating a special-case system to handle the most complex or urgent requests.

2. Enhance monitoring
The widespread economic fallout from COVID-19 has forced risk managers to rethink how and
what they monitor to evaluate risks, including creditworthiness and the ability to repay loans. The virus’s spread and reactions to it continue to shift, often quickly. These developments have helped some industries and hurt others—boosting the revenues of grocery chains, for example, while cutting into restaurant sales. They have also affected segments within industries differently, so risk managers have to monitor trends at a more granular level. On top of that, risk managers need to account for the actions that governments are taking to help constituencies respond to the virus. Many of these actions, including moratoriums on payments for mortgages and business loans, affect the environment for credit.

Before the pandemic, risk-monitoring activities accounted for about 15 percent of risk-management costs. Banks traditionally executed a not insubstantial portion of these activities manually, so they are ripe for change. Risk departments can adopt a range of digital systems and tools to automate risk-monitoring tasks:

— Digitize counterparty-level credit-monitoring tools. Risk functions can program advanced analytics into early-warning systems to improve reviews of earnings releases, real-time financial news, and transaction data to find information that could affect a client’s credit outlook. We estimate that algorithms could support 40 percent of counterparty-level credit-monitoring decisions. Banks that have already implemented these techniques reduced their credit losses by 20 to 30 percent, through early detection of potential deterioration of counterparty creditworthiness—while reducing monitoring costs by 30 to 40 percent (Exhibit 4).

— Digitize portfolio-level credit-monitoring tools. Historically, risk-monitoring personnel manually reviewed industry news to extract data that could be used to make decisions about the changing credit landscape of different economic sectors. Risk departments that adopt applications using artificial intelligence (AI) and machine learning to track industry news and developments could reduce related data entry by up to 15 percent.

Some of these AI-based monitoring tools can trigger real-time alerts based on sector-level indicators, such as point-of-sales systems. To estimate the impact of new information on sector-wide rating scores, these tools may also use machine-learning models (such as hyperparameter random-forest modeling) tailored to specific industries or clients. In addition to analytics engines, digital-monitoring suites typically include smart-workflow capabilities that focus analytic work on areas where human judgement is necessary, such as parameter changes in the models that are not associated with a high level of confidence.

— Monitor portfolios in a more granular way. Risk functions typically use back testing and internal ratings–based models to evaluate the soundness of their credit portfolios. Because the pandemic has had such a profound impact on the global economy, which continues to shift unpredictably, the typical indicators of creditworthiness have been affected. Risk functions that in the past may have analyzed 20 to 30 economic sectors may need to review ten times that number of industry subsectors to understand how they are faring in the crisis. Some institutions have gone as far as to subdivide the restaurant industry, for example, into 15 subsegments, the better to distinguish between top and bottom performers and predict nonperforming loans. Instead of analyzing the beverage industry, therefore, banks may need to review what’s happening in soft drinks, bottled water, soft alcohol, and hard alcohol, to name a few subsegments.

3. Optimize and automate reporting
Banking regulators have increased their reporting requirements—for example, by asking for more and better data on risk practices and more closely scrutinizing these data. We estimate that as a result, the risk functions of banks devote 10 to 15 percent of their total resources to comply with such reporting requirements. Automation gives risk managers additional insights into the risk profiles they must review to meet these requirements—but without adding personnel to a low-value task. As circumstances and requirements change, automation can also help managers adjust what reports cover.
Exhibit 4
To reduce credit-risk losses and boost monitoring, banks can categorize financial flows to leverage transaction data.

Small and medium-size enterprise (SME) transactions by category, % of total transactions

Inflows (total 100)
  Goods and services payments: 76
  Internal self-transfers: 14
  Payments by check: 6
  Other categorized: 3
  Uncategorized: 2

Outflows (total 100)
  Goods and services payments: 50
  Internal self-transfers: 14
  Payments by check: 7
  Other categorized: 12
  Uncategorized: 4
  Employees: 6
  Government services: 8

Credit loss, index (100 = 100%): traditional monitoring¹ compared with transactional monitoring²: –20% to –30%
Cost of full-time equivalents for SME-credit monitoring, index (100 = 100%): traditional monitoring¹ compared with transactional monitoring²: –30% to –40%

Note: Figures may not sum to 100%, because of rounding.
¹Traditional, bureau-based monitoring, using manual analysis.
²Enhanced monitoring and upgraded team setup, using transactional data.

Several moves could make risk functions more efficient and effective in this area:

— Actively monitor reporting requirements. By constantly tracking what regulators want and managers need, risk functions can manage the risks their banks face and provide what’s required, without wasting resources sharing unnecessary information. Some banks that have started to merge regulatory and internal reports have cut the number of reports they produce in half.

— Offer self-service reports. Risk managers can use self-service reporting tools to update or review reporting information directly, including both high-level data and the underlying information it’s based on. We estimate that self-service reporting, by itself, could cut the costs of risk departments by up to 30 percent.

— Improve data architecture and management. It’s not unusual for banks’ risk data to reside in several databases or other applications—the result of mergers, expansion into new markets, divisions that use different systems, or operations that span several countries or continents. For such institutions, complying with
reporting requirements may involve manually culling data from these manifold sources.

— A data architecture that can pull information from disparate databases into a central location can not only alleviate the need for manual processes but also provide other benefits. As part of such an upgrade, risk functions could create reporting-competence centers for frontline and risk-management personnel in multiple business units or subsidiaries. We estimate that automating and unifying data architecture and management could cut risk-reporting costs by 10 to 20 percent and halve the number of reports that include errors. Depending on how a bank is structured, these efficiency changes could take place within either the operations or IT organization.

4. Optimize processes for detecting financial crimes
Since global regulators began to intensify financial-crime-compliance activities a decade ago, they’ve launched scores of enforcement actions and levied $36 billion in fines around the world. An average of 2 to 3 percent of a bank’s total staff therefore works in second-line financial-crime monitoring and reporting efforts. For a global bank with 100,000 employees, this means that 2,000 to 3,000 people could be tracking anti–money laundering (AML) and other compliance processes.

When COVID-19 measures forced banks to send their risk-management staffs home to work, it disrupted the face-to-face activities these employees rely on to know their customers—still one of the strongest ways to assess the risk of financial crime. But regulators are not giving institutions a pass because of the pandemic, so risk organizations face the added burden of finding ways to assess, monitor, and report on financial-crime compliance under remote working conditions.

We see three ways to make these practices more efficient and effective:

— Automate customer onboarding. Risk organizations could automate the collection and verification of the documents that prospective customers must present to open a credit or savings account. Risk functions that do so, we estimate, could reduce their financial-crime-compliance spending by 10 to 20 percent and improve the accuracy of customer data by 40 percent. In addition to costing less, algorithms that read and extract data from verification documents eliminate the possibility that employees could be paid to falsify information. This would also free up time that first-line bank staff and internal audit teams could use for other work.

— Optimize AML alerts. All banks use AML alerts to flag unusual transactions that could signal irregularities. But false positives are common—in some cases, accounting for more than nine alerts out of ten. The use of advanced analytics to monitor transactions, often in parallel with existing rules-based tools and models, can improve the accuracy of alerts and thereby reduce the number of false positives to six or fewer out of ten (Exhibit 5). More accurate alerts can reduce the need for manual interventions and free up risk-management personnel for other tasks.

— Streamline know-your-customer (KYC) processes to meet local requirements. The customer documentation that risk functions must provide to satisfy financial-crime-compliance requirements varies from region to region. Many risk functions apply the same standards throughout the organization, creating unnecessary work and expense. By adjusting monitoring and reporting to local requirements, risk functions can meet their obligations and reduce costs. That kind of streamlining could reduce the number of required KYC documents by 50 percent and speed up the onboarding of new customers.

5. Streamline the market-risk operating model
Some banks use dated or very complex operating models, data systems, and architectures to buy and sell fixed-income equities or engage in other large-market investment activities for clients. A front-to-back review of this data architecture and systems, as well as of the associated roles, responsibilities, and processes, can result in significantly lower costs and sizable improvements in risk management. We see three important actions that market-risk managers can take in such a review:


— Use the same valuation models throughout the organization. Different functions not uncommonly use separate means or models to estimate the worth of the same asset, and that makes it hard or impossible to come up with a consensus value. Front-office staff may use one equity-derivatives valuation model to calculate profit and loss (P&L) estimates and projections, while the risk department uses a different model to determine regulatory P&L and key risk indicators. If the front office and risk organizations use the same market, counterparty-credit-risk (CCR), and liquidity models and systems, they can reduce data inconsistencies by 80 to 90 percent and valuation-related reworks by 20 to 30 percent. Risk management’s model-risk-management (MRM) function could challenge and validate these models and develop different ones only when supervisors require them or if the models truly diverge from front-office practices.

— Integrate the system architecture of the front office and the risk function. In addition to adopting the same valuation models, risk functions can use front-office data architecture to calculate P&L and risk. When data sources are centralized through integrating data architecture, run-the-bank and change-the-bank technology costs and external spending decline. Some banks that integrated these functions have become up to 20 percent more efficient, though the extent of the improvement depends largely on a particular institution’s operations and starting point.

— Integrate front-office and risk reporting. Integrated reporting creates a single source of truth that can minimize data reconciliations, and improve the risk function’s efficiency and effectiveness. Institutions can adopt different organizational models: the integrated reporting function can sit in risk, finance, the front office, or operations. Banks that integrate reporting have reduced related costs by 40 percent or more. But to get there, risk functions need strong management to push for collaboration and overcome the challenges that such an integration effort might encounter.

Exhibit 5
Advanced analytics can help reduce false-positive results in anti–money laundering alerts.

Share of false-positive results by type of anti–money laundering alert, %
Traditional alerts: >90
Upgraded alerts, using advanced analytics: <60 (–30%)

6. Improve organization, governance, and performance
Over the past half-dozen years, risk and compliance functions added resources, controls, and policies to contend with increased regulation and other demands. Meanwhile, their budgets increased twice as much as those of other bank functions.

When a function expands so quickly, the big picture of how it is performing can be obscured by daily demands. Policies or committees are created piecemeal, sometimes duplicating work done elsewhere. On top of all these problems, the pandemic forced risk functions to set up new ways of working, including the addition of new (and often ad hoc) committees and policies to assess and monitor
risks. The new structures sometimes overlap with ongoing work or obscure its importance.

To ensure that risk functions are structured in the most effective way, they can examine four key organizational elements:

— Clarify roles and responsibilities for all three lines of defense. Regulatory scrutiny of risk practices led many institutions to add controls (and the jobs associated with them) haphazardly, with limited clarity about who does what. Some banks switched oversight for technology and cyberrisk from the risk function to a technology group and then back to the risk function—moves that not only sowed confusion about roles and responsibilities but also created potential gaps in coverage and duplicate responsibilities. Banks can improve efficiency by mapping out the duties of the front line, the risk organization, and internal audit departments to identify gaps, fix overlaps, and ensure accountability. A clearer organizational chart could result in cost savings of up to 5 percent.

— Centralize shared resources and add agile practices. Risk managers can move these haphazardly added activities and staff into centers of excellence—both virtually and physically—which handle common activities such as risk data and analytics, reporting, testing, and monitoring. We estimate that if risk functions adopt both centers of excellence and agile methodologies, they can increase the efficiency of the centralized activities by 10 to 20 percent and save up to 20 percent of their outsourcing costs. A number of the 20 largest North American banks have already created centers of excellence that report directly to a chief risk officer. Many of these groups focus on data, analytics, and reporting.

— Rationalize risk governance and policies. To focus on what matters most, banks should consider streamlining their downstream procedures and policies. Reducing the number of committees, for example, can not only improve focus, accountability, and lines of escalation but also save executives’ time. It’s not uncommon for midsize and large banks to have thousands of risk and compliance policies spawning dozens of procedures, which in turn influence processes and the design of controls. If banks structure their policies to focus on the areas of highest risk, they can remove needless red tape. We have seen institutions eliminate up to 30 percent of their policies while improving the quality of the rest, reducing costs and efforts associated with policy administration and management. Institutions undertaking such a transformation may find that they could adjust or rewrite nearly all of their policies to
make them more clear, reflect their current risk appetite, or achieve the appropriate level of detail. The renovation of risk policies can start with the establishment of design principles to understand the challenges and identify the end goals that policies are meant to achieve.

— Put a performance-management system in place. Historically, risk organizations have monitored key risk indicators—for example, the percentage of nonperforming loans or performance against controls—but not their own key performance indicators (KPIs). They may not, for example, track how many credit files a risk-function employee processes a day, how many models each validator manages, and the way those figures trend over time. By failing to measure their own performance, risk operations neglect opportunities to fine-tune the way they work and thus to make themselves more efficient and effective. We recommend that risk organizations track their KPIs for credit risk, market risk, operational risk, and the like, as well as the related outcomes (Exhibit 6).

Exhibit 6
Banks can use key performance indicators to help ensure that risk management meets targets.

Sample risk categories and metrics to measure performance

Credit underwriting and adjudication
Touch time for loans
• Auto
• Credit cards
• Personal lending
• Mortgage or home-equity line of credit
• Commercial underwriting, up to $5 million
• Commercial underwriting, up to $5 million adjudication
• Wholesale
Straight-through processing
• Auto
• Credit cards
• Personal lending
• Mortgage (assisted lending)
• Commercial, up to $2 million

Detecting financial crimes
• Ratio of STR/SAR¹ filings to alerts
• Ratio of alerts to STRs
• Average time to clear alert
• Ratio of nonalerts to investigation personnel
• Know-your-customer personnel as percentage of total anti–money laundering personnel

Monitoring and tracking
• Qualitative/quantitative breakdown of KRIs²
• Percentage of automated KRIs (gathered through system checks)
• Percentage of controls tested within centralized utility
• Number of required risk assessments
• Percentage of fully automated controls

Data
• Percentage of time spent on low-value activities (eg, sourcing, processing, quality assurance)
• Number of teams performing data-related activities

Reporting
• Number of risk reports
• Average cost per report
• Average cost per report category
• Report frequency
• Average report length

Model development and validation
• Number of models by tier/category (eg, internal ratings, stress test, internal capital needs)
• Number of models managed by modeler
• Number of models managed by model validator
• Percentage of models reviewed per year
• Number of model-risk corrective actions issued in past year

¹Suspicious-transaction report/suspicious-activity report.
²Key risk indicators.

How to update risk-management practices in the short term
Transforming risk management across the six areas we’ve described could take at least a year if a bank adopted any traditional approach. Many banks do have multiyear transformation projects in the works. Yet risk managers can take a number of steps that yield high-impact results in far less time. In this way, banks can make the entire risk organization upward of 30 percent more productive—including
cost efficiencies of 40 percent or more in selected activities—in as little as three months.

Analyze and prioritize activities that must change
To determine which aspects of operations would gain from the kinds of changes we propose, look at the risk organization’s cost base and workforce to uncover functions or processes that increase costs unnecessarily and to benchmark your operations against those of comparable institutions. Conduct workshops, observe people at work, and interview risk-function managers and staff to understand how work gets done and which practices could improve.

These insights can serve as the basis for a list of actions and their expected short-term impact or productivity gains. Risk managers can use such a list to decide which actions to take first based on the overall health or goals of the risk organization or the bank. From there, they can create a full implementation plan.

Launch and execute priority actions
Once an implementation plan is in place, risk managers have to create an infrastructure that defines how the work will be done and who will do it. In addition, they must determine if they have the right tools for the work, the staff has the necessary skills, and change-management and skill-building programs are required. Finally, they need to establish regular check-ins and delivery milestones; provide support, coaching, and other kinds of help for the teams running the program; and map out how to measure outcomes, such as tracking the cost reductions resulting from the changes.

Risk-management functions increase the odds of creating lasting change if the moves they make are part of a well-conceived, well-executed plan, are supported by top leaders, and are part of a broader shift in behavior across the organization. Organizations that have successfully navigated this path know that while it may not be easy, the rewards of more effective—yet less expensive—risk management are well worth the challenge.

Javier Martinez Arroyo is a partner in McKinsey’s Paris office, where Marc Chiapolino is a partner; Matthew Freiman is a
partner in the Toronto office, Irakli Gabruashvili is a consultant in the New York office, and Luca Pancaldi is a partner in the
Milan office.

The authors wish to thank Philipp Härle, Holger Harreis, and Olivia White for their contributions to this article.

Copyright © 2021 McKinsey & Company. All rights reserved.



Risk culture

Strengthening institutional risk and integrity culture

When nothing is normal: Managing in extreme uncertainty

A unique time for chief risk officers in insurance


Strengthening institutional risk and integrity culture
Many of the costliest risk and integrity failures have cultural
weaknesses at their core. Here is how leading institutions are
strengthening their culture and sustaining the change.

by Richard Higgins, Grace Liou, Susanne Maurenbrecher, Thomas Poppensieker, and Olivia White

The COVID-19 pandemic has created a time of unprecedented change for both public and private organizations across the globe. Executives and boards have had to move quickly to address threats and seize opportunities, all while continuing to protect employee and customer health and safety and evolving to adopt new digital and work-from-home norms.¹

¹Aaron De Smet, Elizabeth Mygatt, Iyad Sheikh, and Brooke Weddle, “The need for speed in the post-COVID-19 era—and how to achieve it,” September 9, 2020, McKinsey.com.

Risk and integrity culture refers to the mindsets and behavioral norms that determine how an organization identifies and manages risk. In this challenging and highly uncertain moment, risk culture is more important than ever. Companies cannot rely on reflexive muscles for predicting and controlling risks. A good risk culture allows an organization to move with speed without breaking things. It is an organization’s best cross-cutting defense.

Beyond today’s travails, a strong risk culture is a critical element to institutional resilience in the face of any challenge. In our experience, those organizations that have developed a mature risk and integrity culture outperform peers through economic cycles and in the face of challenging external shocks. At the same time, companies with strong risk cultures are less likely to suffer from self-inflicted wounds, in the form of operational mistakes or reputational difficulties, and have more engaged and satisfied customers and employees.

This article explores the steps involved in setting up an effective risk-culture program, when to launch such a program, and the factors we have found to be critical for long-term success.

Understanding and measuring risk culture
The starting point for most organizations looking to improve their risk culture is to diagnose the current state. Organizations that have built strong risk and integrity cultures seek to understand (and then address) three mutually reinforcing drivers: risk mindsets, risk practices, and contributing behavior.

Risk mindsets can be understood as the set of assumptions about risk that individuals hold within the organization; risk practices are the daily actions that determine the effectiveness of risk management; contributing behavior comprises the collective actions that build risk attitudes. Ideally, these actions will be systematic and deliberately intended to strengthen individuals’ risk attitudes, with desired risk behavior built into everyday functioning.

Concrete definition
Companies that seek to understand risk culture can best begin by establishing concrete, detailed definitions. They should clearly spell out the specific elements of risk culture to set aspirations and measure progress. For example, we define ten dimensions of risk culture, based on a wide range of experiences with companies across all major industries, and incorporating close study of a range of real-world risk-culture failings (Exhibit 1).

Exhibit 1
Risk culture can be understood as having ten dimensions, covered under four topics.

Acknowledgement
• Confidence: An assured understanding of an organization’s exposure to risk without any false sense of security
• Openness: The degree to which management and employees exchange bad news or learnings from mistakes
• Challenge: Scrutiny of the quality, appropriateness, and accuracy of others’ attitudes, ideas, and actions

Responsiveness
• Speed of response: Perception of external changes and reaction speed to innovation or change
• Level of care: Responsibility to care about the outcome of actions and decisions

Transparency
• Communication: The degree to which warning signs of both internal and external risks are shared
• Tolerance: Understanding of risk appetite and its linkage to overall strategy and decision making
• Level of insight: Identification and understanding of risks present in the business

Respect
• Adherence to rules: Alignment of individuals’ risk appetites to the organization’s appetite
• Cooperation: Consideration of broader organizational consequences and impact on overall risk when any one team acts or makes decisions

Systematic measurement
Once risk and integrity culture is defined, measurement can begin. Leading companies assess themselves systematically, looking at mindsets, practices, and behavior.

This assessment is often based on interviews among units and functions, then followed by a more comprehensive organization-wide survey.

The survey will typically include 20 to 30 questions that measure performance against the elements of risk culture (covering mindsets, practices, and behavior) and will set the organization-wide baseline. The team can complement results with qualitative insights gleaned from follow-up interviews to provide further detail on the particular strengths or weaknesses revealed, and help uncover their root causes.

Instead of using a dedicated risk and integrity survey, many organizations falter by relying on a combination of employee-engagement surveys, focus groups, and analyses of incidents and near-misses to measure their risk culture. Each of these tools can bring useful results when used with sufficient rigor. However, typical employee-engagement surveys contain only a few relevant questions and therefore do not usually uncover enough insight to create an effective measure. These approaches, furthermore, do not provide a view over time or ready comparisons between organizational units.

We believe that a dedicated survey is an indispensable tool for obtaining a broad measure of a company’s risk culture. It is the only way to set a true initial baseline. A comprehensive survey creates hard data, comparable across divisions, geographies, and roles; with repeated use, it traces trends through time. The results allow fact-based conversations about risk culture, fostering engagement while deepening executive-level understanding.

Sharing results
Once an initial baseline is developed, the results should be shared with leadership teams and the broader organization. Transparent results are an important first step in increasing the focus on risk culture. While maturity levels across different dimensions matter, outliers (both strengths and weaknesses) or areas of change where a survey is repeated over time tend to drive the greatest insights for an organization. Differences among units, functions, geographies, and tenure levels can also be illuminating.

In one example of this process, a government-owned corporation held a series of town-hall meetings to share the results of its risk-culture survey. The town halls were the first active communications on risk culture and demonstrated to employees a new openness. The comparative data shared showed divergent strengths and weaknesses, which stimulated strong interdepartmental conversations in what was a traditionally siloed organization.

As a second example, a high-performing financial institution created tailored readout packs for a series of thoughtful discussions between the chief risk officer and the leader of each major line of business
and function. The readout materials highlighted areas of opportunity for each business and function, including dimensions where their risk culture was weaker than the organization as a whole or where results were at odds with stated strengths or goals of the leader. For instance, with one leader who had taken pride in his organization’s openness to sharing bad news, the conversation centered around weak scores in this area in some geographies.

Addressing risk-culture shortcomings
With the help of measured risk-culture results, companies can act to address weaknesses in risk culture. The leadership team, with support from the team coordinating risk-culture efforts, can use the strengths, weaknesses, and cultural differences identified to agree on a set of prioritized interventions or intervention areas based on enterprise-wide and divisional aspirations.

Some interventions will affect the entire organization—for example, certain compensation or recruiting changes. These warrant group-led approaches, and a dedicated team should be created or assigned to take charge of them.

Many, however, will be specific to and driven by particular parts of the organization. For instance, affected business units would take charge of work to redesign problematic product-approval processes; likewise, business-unit leaders might “localize” a groupwide focus on a topic like accountability. Where possible, interventions or their application should be driven, and owned, by the front line to ensure that cultural change is truly lived locally and linked to day-to-day business activities and outcomes. Successes and lessons from these localized efforts can be shared across the organization by a central coordinating team.

The process of developing interventions end to end is well illustrated by the experience of one insurance company. The company explored the results of an initial risk-culture survey at a top-team offsite. The survey data allowed leaders to move from discussions based on intuition to those based on evidence. The leaders discovered that the organization was universally strong in some dimensions and universally weak in others. Clear differences also emerged among business units. The CEO probed the comparative differences, challenged executives to understand the causes of low scores, and explored ways for everyone to learn and apply lessons from higher-performing business units. Coming out of the discussions, the team agreed on focus areas and assigned responsibility for carrying out the improvements.

Designing and deploying tailored interventions
To lift risk culture, organizations move from measuring and planning to taking action. A broad range of techniques can be summoned to inspire change. Successful efforts are usually the result of several kinds of actions taken together. In thinking about how to generate meaningful, lasting changes in risk and integrity culture, leaders can be guided by the “influence model” schematized in Exhibit 2. This model has proven useful in ensuring that change programs draw upon a breadth of approaches, and its use increases the chance of success for a transformation by three or four times.

The effort to address risk-culture gaps usually involves a balance of short- and long-term interventions. Targeted short-term interventions allow organizations to respond flexibly to changing needs while longer-term programs constantly reinforce core elements of desired risk culture. Long-term interventions are often formal programs like speak-up hotlines or training and compensation standards (based on risk criteria) that continually reinforce desired behaviors.

In an effective example of a long-term intervention, one bank developed a program that both encouraged employees to speak up on risk issues and increased the level of responsive actions. The program includes an externally managed channel for employees to register concerns, with the option of confidential help from internal speak-up champions on navigating the process. The board receives regular reports on both internal and external complaints, with resolution rates and common themes and trends.

The following short-term initiatives are just a few examples of how organizations have addressed gaps in risk culture:


— A government agency developed a short-term program to increase its speed of response, which was identified as a major weakness. This was done with walk-throughs of key processes, which identified bottlenecks; components were then redesigned as needed to speed up the process and ensure future clarity on escalation and resolution.

— A bank discovered weaknesses in its approval process for new products. Its investigation led to the creation of a dedicated challenger role, filled by rotating members of the approval committee. The role is charged with taking deliberately contrarian positions and pressure-testing proposed products on how well they served the long-term interests of the customer and the bank.

— A pharmaceutical company sought to address a weak culture of challenge by training new and junior colleagues on how to constructively question leadership decisions. To encourage the best results, senior leaders acted as role models, visibly promoting nonhierarchical decision making.

Exhibit 2
The ‘influence model’ defines four dimensions of risk-culture-change programs, ensuring that a breadth of approaches are used.

Influence model for risk-culture change (four dimensions supporting contributing behavior)

Capability building: “I have the skills to behave in the new way”
• Employees are coached to consider client needs plus other business concerns
• Employees receive training on available communication channels, both formal and informal, to identify and escalate risks
• Top management is coached on communication methods for discussing risks

Formal reinforcement mechanisms: “Systems reinforce desired change”
• The organization appoints senior leaders with the right expertise to understand and manage risks
• Systems and processes are in place to quickly identify potential policy or guideline breaches
• The organization compensates and promotes people to encourage them to act in the organization’s best long-term interests

Understanding and commitment: “I know what I need to change, and I want to do it”
• When things go wrong at a competitor’s, the company considers how to change its approach
• Internal communications prominently feature success stories of change across different employee tenures
• Workshops with a cross section of staff are used to brainstorm improvement opportunities around risk

Role modeling and leadership: “I see my leaders behaving differently”
• Leaders share risk knowledge that supports decisions and actions
• Leaders demonstrate appreciation when employees raise mistakes, rather than avoiding the issue or penalizing the employee
• Leaders expect and encourage people to challenge their views and decisions
• Leaders systematically and effectively communicate key risks faced by the business as well as mitigation approaches


Launching a risk-culture program
Risk-culture programs can have multiple triggers. Leading companies take proactive steps to maintain strong risk cultures in normal times, in times of stress (such as under the COVID-19 crisis), and when they are undergoing transformations.

Proactively shaping risk culture
Building and sustaining strong risk culture requires proactive attention. In normal times, this means addressing risk culture before issues arise. Under the stress of the COVID-19 pandemic, which has disrupted the traditional mechanisms that reinforce an organization’s risk culture, this includes understanding how risk culture is evolving and then taking action to protect or improve it. Because of the pandemic, people are working together differently, often from home. In addition, many individuals and organizations are under added stress (including financial stress), increasing the risk of nearsighted decision making and cultural problems.

Once a crisis with roots in risk culture hits, existing leadership, including boards, will find it difficult to lead change as they themselves become increasingly associated with the cultural problems. The problems tend to be seen as leadership failings in the eyes of the public, investors, and regulators.

By taking a preemptive look, leaders might see early signs of concern or inadequate processes for understanding the state of risk culture. An initial deep dive into the root causes of seemingly isolated incidents or complaints can be a starting point, eventually expanded into a broader risk-culture review to build a comprehensive picture. Today, the preemptive look should also seek to understand the impact the COVID-19 crisis is having on employees and develop interventions to strengthen the culture by filling the gaps created by remote working.

The effort might be triggered by the need to understand whether an organization is vulnerable to incidents experienced by peers, either before or during the pandemic. By proactively driving this topic, leaders can avoid larger problems and demonstrate that they are part of the solution and not the problem. For example, a company in the advanced industries sector built a speak-up program after leadership recognized the devastating impact of other failures in the industry. The leaders methodically created formal mechanisms to support desired behavior, helping to ward off potential crises before the point of no return was reached.

Maintaining risk culture under company transformation
Many organizations are transforming their operations, particularly to become more digital and more efficient. The COVID-19 crisis has served to accelerate many planned change programs. Large transformations can themselves raise risk levels, as risk-management practices are disrupted, core processes are redesigned, and teams and organizational structures shift. “Change fatigue,” a species of anxiety that comes with a transformation, can contribute its own share of risk. But transformations also afford organizations the opportunity to reset their model to their desired risk-management culture. They must include programs to promote desired behaviors, in transparent, organization-wide efforts, as opposed to siloed, business-as-usual approaches.

For example, one global manufacturing company undertook a major transformation in response to a series of product- and regulatory-compliance incidents. Front and center were issues of culture, integrity, and compliance, which became the core focus of the groupwide transformation.

In a second example, a bank undertook a major transformation and restructuring effort, partly in response to COVID-19-triggered considerations. The program included a dedicated cultural component with a specific risk-culture stream. As the transformation progressed, business units incorporated risk-culture initiatives into their broader program of activities, ensuring risk-culture changes became core elements of the new ways of working.

Getting started
Whatever the original motivation for a risk-culture program, a one- or two-year plan covering a range of intervention types can begin with a small set of priority initiatives targeting key weaknesses. In addition to achieving progress in important areas, these initiatives will create visibility and momentum for the entire plan. An example campaign would be
one that encourages employees to speak up where they see risk concerns. The initiative might include a confidential speak-up line, communications from the top to set the tone on the importance of speaking up, and, for a dedicated period, an explicit focus on speaking up in team meetings. Results would be conveyed to the board in a report covering internal and external complaints, whistleblower activity, overarching themes, and resolutions. This would serve as a first step and a gesture of commitment to the larger effort of changing risk culture.

Setting yourself up for risk-culture success
Careful risk-culture definition, measurement, and initiative work plans are not enough. Successful risk-culture programs share five essential characteristics that leaders should put in place as part of their focus on risk culture:

1. True ownership and responsibility for risk culture sits with the front line. To be truly lived, culture must be linked with the day-to-day business activities and outcomes of an institution. First-line leaders must feel accountability for their role in supporting the company’s risk culture.

2. Dedicated ownership is assigned for coordinating the definition, measurement, reporting, and reinforcement of risk culture. These responsibilities should sit centrally—either within enterprise risk management, with a risk chief operating officer or an enterprise chief operating officer, or within HR. It is helpful to have a central point, as too often varying language is used to discuss culture within a bank. Without an enterprise-wide view and vocabulary, it is not possible to effect true, coordinated cultural change.

3. The case for change is visible and compelling. The strengths and weaknesses of the prevailing risk and integrity culture need to be spelled out, supported by data. The vision for an enhanced culture and how it will benefit the organization and individuals can then be articulated.

4. The effort is sustained over time. Cultural change takes time, and gains must be regularly reinforced. Successful programs combine periodic measurement of organizational risk culture with a multiyear change program encompassing short- and long-term initiatives. Too often organizations bring a burst of energy to the initial diagnostic but then fail to implement initiatives or sustain the changes needed to drive long-term improvement.

5. The C-suite holds leaders accountable for success. Risk-culture programs need someone to provide overarching direction and drive, but to succeed, leadership across the organization should be actively engaged. Business-unit owners in particular should champion initiatives. Leaders need to show they are serious about change if they want their people to adopt new risk behaviors, which may themselves be perceived as risky—for example, speaking up.

As senior leaders navigate the complexity of the current crisis, they must ensure the organization as a whole maintains its cultural health. Organizations that nurture their risk and integrity culture will be better positioned to serve their clients, team members, and society effectively, and to avert risks that could potentially prove catastrophic. By taking the steps outlined above, institutions can prepare, reap near-term rewards, and be ready for future uncertainties and challenges.

Richard Higgins is an associate partner in McKinsey’s Sydney office, Grace Liou is an associate partner in the Seattle office,
Susanne Maurenbrecher is an associate partner in the Hamburg office, Thomas Poppensieker is a senior partner in the
Munich office, and Olivia White is a partner in the San Francisco office.

The authors wish to thank Tom Martin and Ishanaa Rambachan for their contributions to this article.

Copyright © 2021 McKinsey & Company. All rights reserved.



When nothing is normal: Managing in extreme uncertainty
In this uniquely severe global crisis, leaders need new operating
models to respond quickly to the rapidly shifting environment and
sustain their organizations through the trials ahead.

by Patrick Finn, Mihir Mysore, and Ophelia Usher

In normal times organizations face numerous uncertainties of varying consequence. Managers deal with challenges by relying on established structures and processes. These are designed to reduce uncertainty and support calculated bets to manage the residual risks. In a serious crisis, however, uncertainty can reach extreme levels, and the normal way of working becomes overstrained. At such times traditional management operating models rarely prove adequate, and organizations with inadequate processes can quickly find themselves facing existential threats.

Uncertainty can be measured in magnitude and duration. By both measures, the extreme uncertainty accompanying the public-health and economic damage created by the COVID-19 pandemic is unprecedented in modern memory. It should not be surprising, therefore, that organizations need a new management model to sustain operations under such conditions. The magnitude of the uncertainty organizations face in this crisis—defined partly by the frequency and extent of changes in information about it—means that this operating model must enable continuous learning and flexible responses as situations evolve. The duration of the crisis, furthermore, has already exceeded the early predictions of many analysts; business planners are now expecting to operate in crisis mode for an extended period. Leaders should therefore begin assembling the foundational elements of this operating model so that they can steer their organizations under conditions of extreme uncertainty.

Understanding extreme uncertainty
Due to the severity of this crisis, many organizations are in a struggle for their existence. An existential crisis puts at stake the organization’s survival in recognizable form. Readers can probably call to mind numerous individual companies that faced such crises in the recent past. The crises may have been touched off by a single catastrophic incident or by a series of failures; the sources are familiar—cyber breaches, financial malfeasance, improper business practices, safety failures, and natural or human-caused disasters. Effective action saved many; others spiraled downward.

Existential crises subject organizations to both extreme uncertainty and severe material consequences; they are often new and unfamiliar and can unfold quickly. In business terms, the present crisis more closely resembles economic crises of the past. In the financial crisis of 2008–09, for example, many organizations were simultaneously affected. Qualitatively, however, the present crisis is far more severe.

The COVID-19 pandemic and the resulting economic recession have affected most large organizations around the world. Managers continue to scramble to address rapidly developing changes in the public-health environment, public policy, and customer behavior. And then there is the economic uncertainty. The severity and speed of the crisis is reflected in the International Monetary Fund’s (IMF) projections for US GDP growth. After an estimated GDP expansion of 2.2 percent in 2019 (year-on-year), the US economy, in the IMF’s view, was expected to grow at a rate of 2.1 percent in 2020 (forecast of October 2019). With the onset of the pandemic, the IMF quickly shifted its estimate into contraction, of –5.9 percent in April 2020, revised to –8.0 percent in June. The latest estimate (October 2020) is less severe at –4.3 percent, but this would still be the worst result in many decades. The forecasting institution foresees the world economy shrinking at a rate of –4.4 percent in 2020, after having grown 2.8 percent in 2019 (estimate).¹

¹ World economic outlook, October 2020: A long and difficult ascent, International Monetary Fund, October 2020, pp. 141–42, imf.org.

Uncertainty levels from recent global shocks do not approach those of the present COVID-19-triggered crisis. The IMF’s GDP contraction forecast for 2020 is more than double the estimated contraction that took place in 2009, the worst year of the earlier global financial crisis. As measured by the Economic Policy Uncertainty Index, a metric developed jointly by researchers at several US business schools, uncertainty on a daily basis has been elevated for nearly 200 days’ running.
By contrast, commensurate uncertainty was experienced during the 2008–09 financial crisis a few times for a maximum of 27 consecutive days. The COVID-19 outbreak already accounts for seven of the ten highest-ever daily readings.² Crises such as Hurricane Katrina or the Fukushima Daiichi nuclear disaster cause high levels of uncertainty for individual communities or particular industries. Since the uncertainty is confined by industry or geography, the magnitude decreases steadily with time. In the present crisis, however, elevated uncertainty is globally pervasive, and events trigger compounding effects. The following exhibit conveys a range of crises and their corresponding levels of uncertainty.

² “US monthly EPU index,” Economic Policy Uncertainty, policyuncertainty.com.

Exhibit: Duration and magnitude of a crisis are important determinants of uncertainty.
[Chart: vertical axis, time (duration), from short to long; horizontal axis, from low to high. Labeled: existential crises, regional war zones, COVID-19 pandemic, extreme uncertainty.]
Source: McKinsey analysis

Why existing operating models fail
Extreme uncertainty on a global scale is rare; however, existential crises at the organizational or community level are more frequent and thus provide lessons concerning which operating models succeed and fail during periods of uncertainty. Many organizations, including publicly traded companies, operate on an annual-planning cycle. Managers collectively decide on strategies, budgets, and operating plans once a year and then manage operations in accordance with those goals and cost limits. Between annual-planning cycles, amendments are few and usually minor. The assumptions shape how managers engage with each other: from the content of status reports to interdepartmental information sharing to the timing and structure of management meetings. Recently, some organizations have adopted more agile techniques to make planning more flexible and responsive to outcomes from pilots or trials. However, the approach is rarely deployed in the C-suite to manage the whole organization.

The COVID-19 crisis has undermined most of the assumptions of the traditional planning cycle. Existing management operating models are no longer supporting managers effectively in addressing the challenges this crisis presents. The revenue assumptions managers relied on for 2020, often worked out to two decimal points, are not relevant in an economy suddenly expected to suffer a historic contraction. Meticulously prepared status reports are now outdated before they reach senior managers. Managers seeking more up-to-date information discover that existing processes are too rigid for a timely response.

Managers thus find themselves working in ways unsuited to a highly uncertain environment. They know what they need: flexibility, the capability to act collectively, quickly, and across the whole organization as challenges arise. They need also to be able to work in this way over an extended period. Some organizations have therefore begun to experiment with new operating models that allow managers to work together. Some of the changes have been successful and others have failed.

Overcoming challenges
To increase the odds that a new operating model will be effective today, managers must ensure that it addresses the problems of operating under highly uncertain conditions. The COVID-19 operating environment requires that managers reexamine their
collective thought processes and challenge their own assumptions. Failure to do so will create the risk of serious errors. Here are some of the pitfalls managers will likely encounter:

— Optimism bias. Since managers and their organizations have never seen anything like this crisis, existing heuristics learned from years of management might not apply. One common problem is that managers experience optimism bias, both individually and collectively. They will be inclined to bring forward the date of an expected revenue rebound or minimize the duration of expected business closure. Simply, managers cannot or will not believe how bad the situation could get, and the organization ends up planning for a much milder scenario than transpires.

— Informational instability. Information is unstable in the COVID-19 pandemic. Epidemiological data are constantly shifting: infection and mortality rates, the proportion of asymptomatic cases, the intensity and effectiveness of testing, the length of the infectious period, and the extent and duration of immunity after infection. The problem extends to poor or missing economic data whose reliability has been affected by the speed and severity of change. Conventional business strategy is most often based on assumptions about a probable course of events. In today’s crisis, a single “most likely” planning scenario is unachievable. The sensitivity of statistical models to relatively small changes in assumptions on key variables creates even greater hazard. For example, projections of the rate of transmission of COVID-19 (R0) are central to forming a view on the likely impact of the disease: even a tiny uptick in the reproduction number can create a dramatic increase in the expected infection and mortality rates and radically change expectations of likely government measures and consumer behavior.

— Wrong answer. In addition to the instability of information, leaders must also be sensitive to the possibility that information they thought was clear and certain could turn out to be wrong. Managers cannot take their own assumptions as facts, since new information could emerge that invalidates them. Assumptions and understanding need to be regularly revisited and revised as necessary, as part of the organization’s practice of continuous learning. The operating model must be able to absorb initial wrong answers and override them quickly; organizations can even encourage managers to look for opportunities to update assumptions.

— Paralysis by analysis. Confusing and ever-changing data can cause managers to delay decisions as they search for more analytical rigor. They may never find it, given the extent of the crisis we are in. Delayed decision making is not advisable in a crisis as fast moving and severe as the COVID-19 pandemic. Delay is in itself a decision, since taking no action has consequences—for example, a continued, unchecked spread of the virus. Managers should rather act on what they do know, and adapt their strategy as new information becomes available.


— Organizational exhaustion. In extreme uncertainty, organizations are usually unable to return to business as usual for a long time, sometimes years. This exposes managers and their teams to the risk of exhaustion in the face of constant and apparently never-ending change. A crisis may galvanize a company’s senior managers and employees in its initial phase. But once that adrenaline fades, continuing uncertainty becomes enervating. At worst it can take a toll on managers’ mental and physical health, causing major harm to organizational effectiveness, from a decline in responsiveness to a deterioration in the overall quality of work.

A suitable organizational structure
When determining how their organization should respond to extreme uncertainty, managers need to estimate the magnitude and expected duration of the crisis. At the onset, a timely and centralized organizational response—“crisis mode”—should be activated. Then leaders need to switch to an operating model that will be sustainable but appropriately reactive to continuing uncertainty over months or even years. A celebrated example is the way the New York City Fire Department handled the aftermath of the September 11 attacks. It had to shift its operating model from one based on immediate response to one that could handle continuing fires at the World Trade Center site and sustain recovery activities for months.

Activating crisis response
The earlier managers determine that they are in a crisis, the faster and more effectively organizations can respond. Effective response is enabled by several fundamental elements.

— Early-warning system. A fundamental operating principle in normal times is for senior managers to develop an understanding of the kinds of events that might trigger a crisis. This will allow them to establish appropriate monitoring and early-warning systems. Such systems can be likened to the Intergovernmental Oceanographic Commission’s early-warning systems, which rapidly relay data of approaching tsunamis to potentially affected communities.

— Integrated nerve center. Once an alarm has been triggered, leaders must have an organizational structure in which a common understanding of the crisis can be developed quickly and decisive actions taken with authority. Such a structure could be part of the organization’s ready-made crisis-management plan, but leaders must prepare for the possibility that preconceived structures may be unsuitable in an existential crisis. They must therefore create a new operating model if the situation requires one. The organization needs an integrated nerve center to oversee a holistic crisis response. Within that structure, leadership must identify an inner core: a small group of managers who have the judgment and internal credibility to lead the response. Once identified, these leaders need to be given decision-making authority throughout the crisis, including the top-level support needed to make the “big bets.” A recent example of rapid and radical response was the National Basketball Association’s decision on March 11 to suspend play for the season. This action was one of the earliest high-profile operational changes taken in the United States in response to COVID-19.

— Transparent operating principles. At the outset managers need to define the high-level approach that will guide their actions during the crisis. The approach should be spelled out in a set of operating principles made available throughout the organization. These transparent principles will guide decision making throughout the crisis and provide standards against which management actions can be measured. One example of such transparency can be seen in Airbnb’s response to the consequences of the pandemic for the company—a massive drop in revenue and significant layoffs. CEO Brian Chesky wrote an honest letter to the staff
explaining in detail the measures being taken to ensure the company’s survival and the ways in which the travel business was being reshaped in the crisis.

Operating in crisis mode: Discover, design, execute
Rapidly moving events demand speedy decisions but also a wholesale change in the organization’s managerial modus operandi. The operating cadence in which managers meet, discuss, and take action needs to match the evolution of the crisis. This does not imply a simple speedup of existing processes to accommodate the information needs of managers. Rather, it means creating entirely new procedures.

Extreme uncertainty turns an organization’s operating imperatives on their heads. It demands continuous learning and constant review of assumptions. Instead of establishing a plan and ensuring the organization sticks to it, as in more normal times, managers must understand and respond continuously to dynamic and wrenching change. Rather than making periodic reviews of a static plan, they need to meet for iterative decision-making sessions structured around three imperatives: discover, design, execute. Managers must work together to diagnose the current situation, consider its practical implications, explore how it might evolve, and establish and execute appropriate actions.

The cycle of learning and redesign must recur with frequency sufficient to ensure that responses reflect the evolving situation. Managers must doggedly question established assumptions, especially the ideas adopted under conditions of extreme uncertainty. The organization cannot treat any assumptions as sacrosanct. Organizations should accept that they will be wrong and celebrate learning quickly from experience.

To make informed decisions, managers need specialized knowledge and should actively seek expert advice. Experts can contribute to better decisions by filling gaps in existing management knowledge. For example, managers need external advice—from epidemiologists—to assess the course of the COVID-19 pandemic. Likewise, civil-society organizations can have experts who can provide valuable alternative perspectives on such important matters as racial bias, diversity, and the importance of female leaders. Internal expertise is also valuable in crisis times. Managers should reach deep into their own organization for frontline insights—such as those that a customer-service representative could provide on customer experience.



The organization should also systematically challenge proposed solutions. One established way to do this is to create a “red team” of experts to pressure test managers’ decisions, identifying potential weaknesses or overly optimistic assumptions. This type of exercise has been very successful in enabling more robust solutions. Leading companies, including Microsoft and IBM, perform regular exercises in which red teams test cybersecurity infrastructure, for example.

Unprecedented crises frequently require leadership to take unprecedented actions—bold, speedy actions that would feel risky in normal times. A historic case in point is Johnson & Johnson’s 1982 decision to recall 31 million bottles of the painkiller Tylenol after some product samples were found to have been laced with cyanide. The swift, decisive action saved this valuable product and enhanced the company’s reputation.

As they focus intensely on making fast practical decisions, managers must also be prepared to shift course if the situation changes. Actions, furthermore, need to be prioritized. First must come actions to mitigate the worst-case scenarios for the organization. Low-cost (“no regrets”) actions can also be taken quickly, to address issues that could arise in any of several potential scenarios. In an existential crisis, managers must feel comfortable making conscious decisions and taking deliberate action. Otherwise, events will take their course, decisions will be made by default, and organizational control will be lost.

A sustainable model
The global COVID-19 pandemic is in its tenth month, a protracted period defined by extreme uncertainty. Depending on their industrial sector and geography, organizations have experienced different forms of uncertainty at different times over the course of the crisis—with falling consumer demand, supply-chain disruptions, inventory shortages, and shifting demand across channels. Today companies face economic instability as well as secondary incidents created by extreme uncertainty. To manage an extended recovery period, management structures and processes have to shift to a long-term, sustainable operating model.

One way of thinking about this problem is to imagine that a major fire strikes a company’s headquarters. Once the fire itself is extinguished, a different set of challenges emerges, from damage assessment to restarting operations. The shift from crisis mode to recovery of sustainable operations is more an evolution than a transformation. As it reshapes its overall strategy and goals, the organization needs to maintain its integrated nerve center, as crisis circumstances may require reactivation. However, the nerve center would no longer own day-to-day activities. Decisions and actions can increasingly return to their traditional owners such as business units. The operating cadence established in crisis mode will not return to normal, but it will likely moderate. Teams might scale back to meeting weekly from daily but need to maintain the flexibility to ramp back up as needed if something occurs.

The issues to monitor will change, but the importance of monitoring and early warning remains critical. In the COVID-19 crisis, for example, employees continue to work from home in many countries. For this reason, IT departments must remain extraordinarily vigilant in monitoring for cyberattacks. Furthermore, when the time comes for employees to return to their offices, testing and monitoring processes will have to be in place. When infection is detected, quarantine and treatment can thereby quickly follow. The experiences of Korea and China well illustrate the importance of country-level monitoring and quick response in the recovery of public health and the economy.



Whether operating in crisis mode or in recovery mode, leaders still need to prioritize actions. Resilient organizations should be able to begin looking for opportunities once the worst of the crisis is past. Our research indicates, for example, that more resilient companies shifted to M&A quickly after the 2008–09 financial crisis, using the cash saved during the crisis to purchase new assets.

Extreme uncertainty—defined in terms of novelty, magnitude, duration, and the rapid pace of change—generates a difficult operating environment for managers and organizations. The radically changed circumstances call for new forms of leadership, new ways of working, and new operating models. Crisis-tested managers will develop a tolerance of ambiguity, a quickened operating cadence, and a culture of constant refinement, review, and revision. Management structure and processes need to be adapted, too, as the crisis unfolds, to ensure the organization is sustainable and can take advantage of new opportunities.

Patrick Finn is a senior partner in McKinsey’s Detroit office, Mihir Mysore is a partner in the Houston office, and
Ophelia Usher is an expert in the Stamford office.

Copyright © 2021 McKinsey & Company. All rights reserved.



A unique time for chief risk officers in insurance
Amid rising economic uncertainty, leading insurers are looking to their
CROs to do even more than manage risks.

This article was a collaborative effort by Kevin Buehler, Marco Carpineti, Erwann Michel-Kerjan,
Fritz Nauck, and Lorenzo Serino, representing views from McKinsey’s Risk Practice.

As COVID-19 continues to threaten lives, communities, and industries around the world, insurers face profound disruptions. Uncertainty abounds. No one knows when the crisis will truly end, when safe vaccines will be used at scale, or whether they will stop the pandemic for good. Its ultimate impact on public health and the global economy will be measured in the months and years to come.

Underwriters are struggling to calculate their exposure to pandemic-generated vulnerabilities. Economists are trying to anticipate the direct and indirect impact of massive new government debt. Managers are wondering how long people can work productively from home and maintain healthy organizational and risk cultures. And in a long-lasting low-interest-rate environment, strategists and product leaders are contemplating future insurance solutions—including public–private insurance partnerships—that would enable insurers to remain relevant to their customers.

Our research shows that the industry’s returns to shareholders since the beginning of the year were down by 19 percent at the end of October 2020. In mid-June they had been down by 23 percent—the sharpest drop in recent memory and deeper than those recorded in many other industries (Exhibit 1).

With regard to current business impact, insurers will experience pressure on retention rates and margins as customers shop for lower prices. The impact on claims will vary by line of business: auto claims may decline because people are driving less at the moment, but homeowners’ claims could rise as

Exhibit 1
Market capitalization has declined across sectors in 2020, with significant variation in the extent of the declines.
[Chart: Shareholder returns in 2020 by industry,¹ % (Jan–Oct 2020), plotted against market capitalization, $ trillion]

¹Weighted average; shareholder returns calculated in local currency; width of bars is starting market capitalization in US dollars; data set includes global top 5,000 companies by market capitalization in 2019, excluding some subsidiaries, holding companies, and companies that have since delisted.
Source: S&P Capital Insights; McKinsey analysis


policyholders work from home. Investment income will continue to suffer as interest rates stay low, and life and annuity carriers will be hardest hit. We also believe that the pandemic’s full impact on economies around the world will be felt through 2022.

The pandemic-related challenges intersect with cost-reduction and efficiency pressures. These were intense before the pandemic struck, as discussed in McKinsey’s recent state-of-the-industry reports on P&C¹ and on life.² Legacy IT systems and, in some cases, lagging digital capabilities are growing impediments, as the COVID-19 environment pushes many more customers toward digital-first relationships. Insurers, reinsurers, and brokers that made bold moves into digital years ago are now harvesting the benefits of their investments. Others need to catch up in a hurry.

Given the profound uncertainties and their varying impact across business lines, insurers must commit strongly to risk-oriented, structured decision-making approaches. We believe it is time for chief risk officers (CROs) to step up to this challenge. With their help, the industry can reinvent itself to stay relevant to customers and attractive to investors.

The CRO and the evolution of the insurance industry
CROs for leading insurers are playing a critical role in the present risky and uncertain environment. They have risk oversight of activities conducted by the first line (business and corporate functions) and assure the chief executives and boards that companies are achieving a proper risk-management balance. In approaching heightened risk levels, CROs aim to limit the downside danger but also enable the business to make the necessary risk–reward trade-offs to capture the upside. It is a delicate balance.

For a long time—and especially as a consequence of the financial crisis of 2008–09—the CRO role in financial services was regarded as a necessary response to regulatory pressure, to provide required controls and guardrails. Today, the importance of the CRO role has outgrown this conception, and that is a good thing. Many CROs are working with CEOs, executive teams, and boards, stepping forward in this crisis and taking the opportunity to shape the future of the organizations they serve. Over the past few months, we have been listening to leaders of insurers of all sizes around the globe—CEOs, board members, CFOs, HR heads, as well as CROs. One insight that has emerged is that the CRO role as risk manager has continued to evolve. CROs are engaged in the most difficult decisions, providing top management with perspectives and guidance on strategic business risks—when to take them and for which expected financial, organizational health, and reputational rewards.

Unsurprisingly, therefore, leading insurers are investing more in their risk-function capabilities. At a recent CRO roundtable with 25 leading North American insurers, 95 percent of the participants indicated that demand for the services of the risk

¹ Sylvain Johansson, Andy Luo, Erwann Michel-Kerjan, and Leda Zaharieva, “State of property & casualty insurance 2020: The reinvention imperative,” April 2020, McKinsey.com.
² “Life insurance and annuities state of the industry 2018: The growth imperative,” October 2018, McKinsey.com.



function will increase next year. At this critical juncture, CROs should join top management to set and implement a strategy for capturing value in the next three to five years. A new CRO role is evolving:

— from using static, backward-looking risk-measurement tools to developing state-of-the-art capabilities, such as scenario planning, dynamic stress testing, and advanced analytics
— from focusing only on financial risk to taking a more holistic view of the risk landscape, including nonfinancial risk: the new focus includes cyberrisk, technology risk, fraud risk, model risk, people risk, and compliance risk, but also wider external risks, including climate risk and geopolitical risk
— from performing a limited-control function to counseling the CEO and board in developing and executing a sustainable growth strategy supported by a balanced risk appetite

The CRO’s contribution to a sustainable growth strategy
This is an important moment for chief risk officers. Most insurance companies are rethinking their strategies and need the knowledge and skills of CROs to navigate the perils of unprecedented times. To support a sustainable growth strategy under stressed conditions, CROs can start by maximizing the risk organization’s existing capabilities. New capabilities are also needed as CROs help their companies embrace a holistic view of risk, including financial and nonfinancial risks. The following actions are essential and consistent with the new CRO leadership paradigm.

Managing risk through COVID-19 uncertainties
It will be necessary to develop high-frequency stress tests and business-plan forecasts and to review investment strategies.

1. Develop high-frequency stress tests and business-plan forecasts. To reveal vulnerabilities and develop strategic implications, CROs should develop advanced stress-testing for profit and loss (P&L) and the balance sheet (for example, investment portfolios). The program should be scenario-based and refined through iteration. Carriers around the world, from employee-benefit companies to global multiline insurers, have developed analytical tools to rebase revenue expectations using detailed economic data. Some risk leaders are gaining new insights into market dynamics in metropolitan statistical areas by combining customer projections with epidemiological and economic scenarios. This can help improve the accuracy of projections of customer default or renewal rates: projections can become more precise with stronger links between risk identification, economic scenarios, and overall company strategy.

2. Review the investment strategy. Pressure on industry performance is coming from several sources, including equity-market volatility, the low-interest-rate environment, and sometimes the repricing of assets associated with climate risk. The squeeze is felt on insurers’ balance sheets, product profitability in life insurance, and investment-management fees for savings products. Given these pressures, CROs will need to ensure that the investment strategy is reviewed and realigned according to the results based on economic scenarios and resulting risk capacity and risk appetite.

Addressing the nonfinancial-risk profile
Here are measures to strengthen cyberrisk practices, address fraud and other operational risks, and adapt and remediate models.

3. Strengthen cyberrisk practices. The new working environment has increased network exposures to cyberrisk. As employees use personal devices for work, for example, they can become more vulnerable to phishing. Traffic volumes



are rising sharply on virtual private networks as employees work from home, straining IT systems and personnel; sensitive data and systems must be protected against access through insecure networks or devices. CROs must take account of these new strains and vulnerabilities, and strengthen cybersecurity and cyber practices across the organization. Many insurance companies have completed comprehensive assessments of their systems and information assets—for example, the likelihood that any component will be compromised. CROs must prioritize and reprioritize assets as needed, protecting critical assets and closing critical control gaps as they appear.

4. Pay more attention to fraud. Fraud and financial crime³ seem to be on the rise as a result of the new remote-working environment and the economic downturn, a situation recalling the spike in insurance fraud during the financial crisis of 2008–09. As CROs strengthen essential controls and the technology infrastructure, they should also push to improve analytics capabilities for fraud. The necessary moves could include building an identification engine capable of ingesting vast amounts of claims data, accurately sizing and analyzing drivers of current losses, and quickly identifying high-risk claim reimbursement.

5. Address other operational risks. Rising levels of digital interaction and remote work have also changed companies’ overall operational risk profiles, which CROs must monitor and assess accurately. They can then build tools to mitigate these and other nonfinancial risks and quickly address emerging concerns. In a recent McKinsey survey of North American carriers, participants discussed their latest approaches to nonfinancial risk. One large global life insurer, for instance, launched an ambitious review of its nonfinancial-risk metrics and upgraded them in key businesses, covering the entire nonfinancial-risk taxonomy in great detail. Before the pandemic, the company had begun to shift its reportage from lagging to leading indicators to help executives gain a more accurate view of risks and make better-informed decisions. That gives them a significant advantage during the pandemic crisis.

6. Adapt and remediate models. The CRO should lead a full review of critical models used across the organization since they could have been compromised in this changed environment. The assessment should include the rapid triage and remediation of models most affected by the pandemic. The associated economic downturn has triggered significant step changes that are often not accounted for in the original assumptions made several years ago, when these models were designed. The persistent low-interest-rate environment—and potentially negative-interest-rate environment—must also be factored in. The CRO should manage remediation on a risk-based timeline and ask the business to develop new models as needed.

Building the insurance organization of the future
CROs should partner with senior management to revisit the risk appetite and strategy, transform risk culture, build reputational resilience, and improve insights about systemic risks.

7. Partner with senior management to revisit the risk appetite and strategy. By becoming thought partners with top management, CROs can help steer the organization, identifying and selectively committing to strategic opportunities. They can also engage in dialogue with regulatory agencies to better anticipate the regulatory landscape. CROs have a key role to play in shaping the risk appetite. The CRO should work closely with the CEO, the CFO, and the heads of businesses to help cascade it through the whole organization and calibrate it as part of the new sustainable growth strategy.

8. Transform the risk conduct and culture framework. In the current environment, companies have to make decisions quickly—too quickly,

³ Salim Hasham, Shoan Joshi, and Daniel Mikkelsen, “Transforming approaches to AML and financial crime,” September 2019, McKinsey.com.



sometimes, for existing governance and guardrails. An appropriate framework for risk conduct and culture creates a safe environment for speaking up about dangers, fosters adherence to company values, and therefore helps risk leaders make sustainable decisions quickly. As CROs work with top management to develop the future organization, they should partner with HR heads to transform the risk culture.⁴ Many insurers have already begun to assess current risk culture and to identify opportunities for improvement by making employees aware of present and emerging risks and giving them the skills to protect both policyholders and the organization. Risk culture can be measured and actions taken to enhance it where improvements are most needed.

9. Build reputational resilience. The pandemic is creating unprecedented challenges to organizational culture. In the work-from-home model, maintaining that culture and transmitting it to new hires can be more difficult. Furthermore, as companies address their customers’ changing needs, they must take into account the heightened public scrutiny and societal impact of the ongoing crisis. The CRO must therefore ensure that robust governance is in place, and work to strengthen risk culture and organizational resilience.

10. Significantly improve the company’s insights about systemic risks. The pandemic is a reminder that low-probability, high-consequence events do indeed happen. Pandemic scenarios were heretofore mostly considered as extreme cases in advanced modeling exercises. That no longer works. With the right mandate from the rest of the organization, the central risk function could become a center of excellence to protect insurers by developing and defining better insights on systemic risk. The center of excellence could also identify issues—climate change and geopolitical risks, for example—that call for innovations to keep insurers relevant in a fast-changing risk landscape.

More sophisticated stress testing to discover business vulnerabilities
For many financial institutions, including insurers, annual investment and product planning was completed before the economic impact of the COVID-19 pandemic was universally apparent. In performing stress tests on the impact of market stress on solvency, most insurers used short-term, next-budget-cycle timelines. Now, deep into the pandemic, insurers understand that the economic recovery path is uncertain and performance may change widely during the next two- or three-year period, and even beyond. The changing probabilities concerning the duration of the work-from-home model and restrictions on travel and retail activity, for example, make it clear that more than short-term planning is required. In this context, companies must go beyond their normal stress-testing regimens.

To understand how rapidly evolving economic conditions will affect their portfolios, leading insurers are using stress-testing tools accompanied by continued close monitoring. They are looking beyond regulatory compliance and building the data and capabilities needed to test scenarios rapidly and to support responsive decision making according to the changing outcomes. New analytics skills and tools are needed, which for most insurers would complement existing capabilities in scenario-based assessments of assets and liabilities. They can be developed using existing resources and capabilities present in the risk organization, in a coordinated effort by the CEO, CFO, CRO, and the heads of businesses.

Insurers need to think through scenarios with varying timelines and sequences of events and how they intersect with different types of stress testing—for liquidity and capital, business strategy, and climate and catastrophic events. This holistic assessment will give CROs a wider view of the uncertainties and therefore support effective risk management. Exhibit 2 shows how more

⁴ Richard Higgins, Grace Liou, Susanne Maurenbrecher, Thomas Poppensieker, and Olivia White, “Strengthening institutional risk and integrity culture,” November 2020, McKinsey.com.



sophisticated stress tests can account for many factors affecting P&Ls over longer time horizons.

The new orientation also requires a shift in the stress-test horizon from one year to a three- or four-year period. The objective is rapid design and testing of a wide range of scenarios exploring different company vulnerabilities. The method involves the development of more sophisticated econometric models—statistical analysis of economic data—using detailed, location-specific analytics, since the dynamics of economies will probably differ widely from one city to another. The models should use relevant business-sensitivity metrics (such as policy renewals or new sales) to estimate the impact of different scenarios on business performance and to act on those estimates. Insurers can use these exercises to reallocate capital quickly across the product lines and markets where it can be put to best use.

Exhibit 2
Stress testing links scenarios to the key profit-and-loss factors of underwriting income.
Sanitized auto-insurance dashboard example, impact of factors on P&L metrics
[Dashboard: for each factor for personal auto, the factor value (variation vs prepandemic baseline) prevaccine (6–18 months) and postvaccine (18–36 months), and its impact on prioritized metrics (prevaccine), rated severe adverse, adverse, favorable, or uncertain, with a regression-driven or judgement-driven hypothesis on approach.]
Exposure (buy the car): GDP/unemployment (X1%, X2%); disposable income (Y1%, Y2%); vehicle sales (Z1%, Z2%)
Frequency (driving accidents): distance driven (N1, N2); driving behavior (N/A, N/A)
Severity (pay the claim): change in car value (XX%, XX%); repair cost, lead time (XX%, XX%)
Combined change on metric, underwriting-earning impact: TBD



Many of these capabilities require significant business expertise and may now lie in the realm of business planning and strategy. However, risk teams have the unique analytical and data capabilities to support such modeling. These broader stress tests will also help CROs develop a view of potential emerging business risks and set the company’s strategic direction.

The CRO role in increasing efficiency and effectiveness
Operational efficiency and effectiveness have always been vital in insurance, and the pandemic has made them more important than ever. CROs can lead or contribute to efforts to address the challenges—for example, by shifting governance or strengthening the most critical controls. Partnering with the first line, CROs can work to minimize the burden of controls, without compromising the effectiveness of risk management. On a deeper level, and with CRO involvement, insurers should return to developing process-automation and artificial-intelligence programs. The CRO can help speed up these advances and free colleagues to focus more keenly on the risks requiring experience and judgment.

The insurance industry is undergoing significant change to remain relevant in a changing risk environment that is now evolving even faster as a result of the pandemic. We believe that the gap between companies that embrace and act upon these changes, make bold moves, and capture the resulting value and those that do not will continue to widen. Experience suggests that if companies adapt quickly to the crisis and emerge stronger in the first year, they will continue to lead for the next five. The pandemic has certainly elevated the risk function’s strategic role. CROs now have a unique opportunity to seize the moment.

Kevin Buehler is a senior partner in McKinsey’s New York office, where Marco Carpineti is a consultant and Lorenzo Serino is a
partner; Erwann Michel-Kerjan is a partner in the Philadelphia office, and Fritz Nauck is a senior partner in the Charlotte office.

The authors wish to thank Abhishek Anand for his contributions to this article.

Copyright © 2021 McKinsey & Company. All rights reserved.



Extraordinary risks

The disaster you could have stopped: Preparing for extraordinary risks
How the voluntary carbon market can help address climate change


The disaster you could have stopped: Preparing for extraordinary risks
Ignoring high-consequence, low-likelihood risks can be damaging
to an organization, but preparing for everything is impossibly costly.
Here is how leaders can make the right investments.

by Fritz Nauck, Ophelia Usher, and Leigh Weiss

The COVID-19 crisis is dramatically highlighting the potential impact of high-consequence, low-likelihood risks. Low but never zero: that is the probability of risks such as a viral epidemic ballooning into a pandemic that costs millions of lives and shuts down economies across the globe. The chances of an extraordinary regional catastrophe, whether naturally occurring or human-caused, are similar, as are the disastrous effects. A severe earthquake, a massive oil spill, or a nuclear accident can result in heavy loss of life, ecological damage, and financial loss for countries and companies.

The relative improbability of such events well illustrates the decision makers’ dilemma: which of them should their organizations plan for? The danger of a pandemic was not unknown. Health organizations and policy makers discussed the danger on the global stage. Many organizations accounted for it in their enterprise-risk-management (ERM) frameworks as a high-consequence, low-likelihood event. Some organizations, especially in the healthcare and travel sectors, even had firsthand experience with the SARS pandemic in 2003. Nonetheless, companies were by and large unprepared for COVID-19. More than 50 billion-dollar companies have filed for bankruptcy in 2020 in the United States alone. As Exhibit 1 shows, furthermore, the pandemic’s adverse economic effects have varied widely by industry sector.

Some high-consequence, low-likelihood risks have to do with business strategy, such as those posed by the digital disruption; operational risks are another category and include serious quality-control failures

Exhibit 1
The impact of the COVID-19 pandemic in the United States varies widely by industry sector.
[Chart: Year-over-year change in real GDP for selected industries, 2Q 2019 to 2Q 2020,¹ %. Industries shown: finance and insurance; construction; retail; transportation and warehousing; accommodations and food services; arts, entertainment, and recreation.]

Note: As of October 2, 2019.
¹Indexed to 4Q 2019.
Source: Bureau of Economic Analysis



in manufacturing. Missed opportunities are another equal source of extraordinary risk. Opportunities to adopt disruptive innovation can bring companies to crucial moments of truth, when movers gain significant market advantage over hesitant peers. Amazon, for example, moved to help third parties build e-commerce sites, leading to Amazon Web Services (AWS). Now, through AWS, Amazon has around 30 percent of the cloud-computing market.¹ Our work on resilient corporations demonstrated that those able to do more than just hunker down in an economic crisis—retaining the wherewithal to invest in new opportunities—will emerge from it in a strengthened position.

Some organizations have even built business models around taking advantage of low-likelihood opportunities (such as those in pharmaceutical pipelines). The models allow for fast movement when a high-consequence risk or opportunity occurs. Missing a high-consequence opportunity can lead to ultimate demise just as ignoring a risk can.

A recent article in the McKinsey Quarterly described the decisions by boards or management teams to ignore or act on these high-consequence, low-likelihood risks as “big bets.” That characterization is based on the broad scope of a decision and the size of its impact.² When it comes to extraordinary risks, the decisions are also governed by the unfamiliarity and infrequency of these risks. These consequential decisions are not highly visible parts of the CEO’s public agenda, unlike more familiar big bets such as mergers and acquisitions. For example, the decision by Nokia’s mobile-phone division to develop a response to potential supply-chain disruptions was not even discussed by investors. This decision allowed the telecommunications company to act fast to find alternative chips suppliers when a fire disrupted the normal supply. The move led to Nokia expanding its share of the global market and boosting profits significantly.³ The big bet in supply-chain resiliency doubly paid off in this high-consequence, low-likelihood event, as potential losses were averted and a large opportunity was captured.

Big risks that matter
The number of potential high-consequence, low-likelihood risks is far too great for corporate decision makers to plan for all of them. Indeed, the abundance of possibilities is one reason why some companies don’t plan for any of them. The first strategic requirement that is often missing when addressing these risks, therefore, is the identification of the risks that matter. This action, known as risk ID, is an important part of robust ERM. It means differentiating risks that could hurt the business from risks that could damage or destroy the company.

Some organizations have concluded that such existential risks are unknowable. This is an error, in our view. By far, most existential crises that companies have faced in recent years were identified in advance by experts—from oil spills to chemical disasters to nuclear accidents.

The threats behind these high-profile incidents were known and recognized in advance by industry and government specialists. They were “predictable surprises,” as Michael Watkins and Max Bazerman described in an eponymous article in the Harvard Business Review.⁴ Predictable surprises meet three criteria: first, they are the result of risks decision makers know are possible, even if unlikely—such as a 500-year flood. Second, leaders feel confident that if the risk materializes, the event will have a big impact on the whole organization. Third, predictable surprises require organizations to respond.

Sometimes, but not always, these risks are identified in ERM frameworks, where they are categorized as high consequence, low likelihood. The predictable surprises found here can include epidemics, pandemics, cyberattacks, hurricanes,

¹ Ron Miller, “How AWS came to be,” Tech Crunch, July 2, 2016, techcrunch.com.
² Aaron De Smet, Gregor Jost, and Leigh Weiss, “Three keys to faster, better decisions,” McKinsey Quarterly, May 2019, McKinsey.com.
³ Amit S. Mukherjee, “The fire that changed an industry,” InformIT, October 1, 2008, informit.com.
⁴ Michael Watkins and Max Bazerman, “Predictable surprises: The disasters you should have seen coming,” Harvard Business Review, April 2003, hbr.org.

floods, financial fraud, economic recessions, oil spills, and other catastrophes, whether natural or human-caused. Decision makers should prioritize these potential threats, making big bets on those that would precipitate an existential crisis for their organization.

Understanding the potential impact of such events is the first step for decision makers in reducing the chance that a particular event results in an existential crisis. The likelihood does not matter for these risks—they are all unlikely, according to traditional ERM programs. Once scored by ERM, they all land in the same low-likelihood corner. However, the impact on the organization does matter. Not all the risks are equal: some would create an existential crisis while others would not. Thus decision makers need a way to distinguish among these high-consequence, low-likelihood risks.

Identifying the most important risks
To identify and define the most important risks, we recommend using a two-by-two risk grid (Exhibit 2). In this plan, the potential impact of an event on the whole company is situated along the vertical axis and the decision makers’ level of certainty about the impact is situated on the horizontal axis. High placement on the vertical axis means that the company’s existence would be threatened if this risk occurred—or the company would miss a massive opportunity. Low vertical-axis placement means that the impact or opportunity would be limited or isolated. The vertical axis allows senior decision makers to distinguish risks that require board- and CEO-level attention from those that can be managed at a lower level. These risks will vary significantly by company and industry sector. For example, the impact of COVID-19 is varied according to a company’s ability to conduct operations and serve customers with employees working remotely.

A risk placed to the right on the horizontal axis means that decision makers are relatively certain of its scope and intensity; leftward placement signals doubt about the risk’s reach and impact. Using the horizontal axis, decision makers recognize the differences between familiar risks with known impact and risks that they are still investigating. The placement of low-certainty risks will shift as decision makers learn more about the potential risk.

Exhibit 2
Organizations must plan for predictable surprises—events that would pose an existential crisis.
High-consequence, low-likelihood risks can be plotted according to scope and certainty of impact
[Grid: scope of impact (low to high) on the vertical axis, level of certainty about impact (low to high) on the horizontal axis, with a risk threshold; the upper-right area is labeled “Whole company, certain impact: predictable surprises.”]



Potential risks are ranked in relation to each other, rather than on an absolute scale. This approach allows decision makers to separate into distinguishing categories risks that are traditionally grouped together in ERM frameworks. The technique could be used by an insurer, for example, to create differentiated products by applying deeper segmentation to populations formerly categorized as high risk.

Risks placed in the upper-right corner are the high-consequence, low-likelihood risks that everyone agrees would pose an existential threat to the company. These can then be addressed with the big bets and they might move lower down on the vertical axis as a result. Big bets to address these types of risks can take many forms—financial, operational, or strategic. Energy providers, for example, sometimes divide their organizations into several legal entities so that a catastrophic loss in one physical location would not result in a collapse of the entire enterprise.

Despite big-bet actions, the potential impact of certain risks may not diminish. As long as a process is in place for quickly identifying and addressing an emerging event, the company will survive and may also thrive (as Nokia did). Decision makers can also move risks up or down on the vertical axis as they learn more about potential impact. The same risk could have widely different impact on different companies (see sidebar, “Different companies, same risk, different impact”).

Risks and the core of the organization
Decision makers locate potential risks, such as a pandemic, on their own grid after defining their core business and identity and understanding what impact a risk would have on this core. The core of the company could include products and services, the loyalty of a customer segment, public perception, brand identity, and legal requirements that must be met. For example, technical failure of a particular part can adversely affect the reputation of a manufacturer’s entire product line; high-profile fraud can damage a financial institution by undermining customer confidence. Reliable service provision could be at the core of a company, especially where customers have a switching option. Decision makers identify core elements by the essential role they play; without them, the business would disappear.

Once the core is established, decision makers can identify the high-consequence, low-likelihood risks that would adversely affect the core, locating the risks along the vertical axis of the grid. Risks that would not affect an organization’s core are less likely to create an existential crisis. By focusing on the core, decision makers are making their organization’s strategy crystal clear. Those organizations with clear strategies are nearly three times more likely than others to lead in their sector. Those that make good decisions faster, that is, are more likely to outperform industry peers.

In one category of existential risk are catastrophic operational failures, such as those caused by natural disasters, accidents, negligence, and cyberattacks. Reputational risk events can also set off existential crises; these may be the result of operational failures, cyberattacks, data breaches, or fraud and other forms of financial malfeasance. Decision makers can look along their ERM frameworks for the most common risk segments: health and safety, reputation, operations, strategy, compliance, and financial.

It is also important to consider other risk segmentations to avoid missing critical risks—internal risks arising from the business model, for example, versus external risks, such as those potentially arising from global economic conditions. Other useful risk pairs to consider are adversarial risks such as an activist investor or cyber- or terrorist attacks, versus nonadversarial risks such as natural or human-caused disasters and accidents. High-consequence, low-likelihood risks that could cause existential damage might be found in any of these categories. The impact will of course depend on the company’s established core and many other variables.

Different companies, same risk, different impact

The exhibit demonstrates how pairs of companies with much in common and some differences would assess the same risk on the risk grid.

The first scenario shows two electronics companies with the same value proposition and different operating models. They make the exact same product for the same customers. The main difference between them is their supply chain. Electronics company A has a resilient supply chain with several sources of raw materials and several manufacturing sites. Electronics company B has a leaner supply-chain model. If the two companies are assessing the risk of a pandemic, electronics company B is at greater risk of a whole-company disaster, and the greater risk is shown in the risk grid.

Scenario two shows two retail companies with different business value propositions. One sells traditional men’s and women’s fashion items that are stable from year to year. The other sells trendy fashion items that have a life cycle of eight weeks, after which they lose their customer appeal. Imagine these two companies are assessing the risk of a labor strike in the major US port they share where their items arrive from Asia. If the clothing items of trendy fashion company C are stuck in a port for months, the items become virtually worthless. Customers are not interested in last quarter’s fashions. The traditional fashion company’s items can still be sold because their styles are more enduring. The risk assessment varies, as shown on the corresponding risk grids.

Finally, the third scenario shows two auto manufacturers with similar business value propositions and different organizational cultures. Automaker F has a culture of empowered employees who are given freedom to take risks and where failure is seen as an opportunity to learn and improve. Their relatively flat organizational structure and culture of personal ownership passes bad news up the chain of command when necessary. In contrast, automaker E has a hierarchical structure with a risk-averse culture of finger-pointing and blaming others. When mistakes are noticed, they are usually papered over, because no one wants to be the person to share bad news. Imagine these two companies are assessing the potential of a major quality-control problem. Both companies are fairly certain that such a risk exists. Automaker E is much more concerned about the impact of that risk on the company because it is much less likely to be reported if it is discovered.

Exhibit
The same risk will have a different impact on different companies, depending on culture, supply chain, financials, and other characteristics.

Crisis scenarios for pairs of companies in three sectors

Scenario 1: Same business value proposition, different operating model (Electronics company A, Electronics company B)
Scenario 2: Different business value proposition (Trendy fashion company C, Traditional fashion company D)
Scenario 3: Same business value proposition, different organizational culture (Automaker E, Automaker F)

[Figure: for each company, customer loyalty, brand identity, supply-chain resilience, psychological safety¹, inventory durability, and financial stability are each marked as a weak, stable, or strong attribute.]

Company                          Certainty of impact   Impact on whole company
Electronics company A            High                  Medium
Electronics company B            High                  High
Trendy fashion company C         Medium                High
Traditional fashion company D    Medium                Medium
Automaker E                      Medium                High
Automaker F                      Medium                Medium

¹ The freedom to raise mistakes and problems without fear of repercussions.

Organizations can sometimes survive existential crises, though with diminished value. But crises and missed opportunities can also cause an entire organization to fail. It is therefore important for decision makers to consider all types of high-consequence, low-likelihood risks. By measuring the impact on the core, they can differentiate among them, illuminating the particular issues that are of highest importance to the organization.

Conducting a ‘premortem’ for risk events
The premortem exercise is a technique decision makers can use to identify which predictable surprises would have serious consequences on their organization. It involves a thought exercise in which the core value proposition is assumed to have been damaged or destroyed. Decision makers then consider all the possibilities that could have led to this, with help from risk experts who have been warning about the potential for such events. Missed opportunities should also be considered. A diversity of perspectives and the quality of debate are essential conditions for making high-quality, big-bet decisions quickly. To obtain perspectives of sufficient diversity, especially for external risks, organizations sometimes need to bring in experts. For example, an insurance company might bring in hydrologists and climate-change scientists to consider how their exposure to flood risk might be evolving. Once these “whole-company risks” have been identified, decision makers can plot them on their risk grid based on the size and certainty of their impact on the company’s core value.

Avoiding bias in your risk grid
When identifying the risks of greatest consequence, decision makers need to avoid optimism bias—a view that tends to see more positive outcomes than the evidence warrants. Confirmation and anchoring bias also reduce predicted impact—through assumptions that future threats will recapitulate those of the past.

Biases can be partly neutralized by a healthy organizational culture in which people are rewarded for speaking up, sharing dissenting ideas, and listening to others’ voices. For such a culture to thrive, people must feel completely secure in sharing their views. Without that personal security, important risks might go undiscovered. Whistleblowers, furthermore, must be protected and their concerns investigated—especially when the risks in question are those that could cause physical harm—such as catastrophic accidents due to product-safety failures.

Impact measurement
The goal is to create a risk grid where the predictable surprises that could destroy the organization are measured according to impact. Their probability is not in question here, since all of these risks are considered low likelihood.

However, an organization’s confidence in its impact assessments does matter. Once the risks are mapped on the vertical axis (severity of impact), decision makers must continue to probe them.

On the horizontal axis (certainty of impact), risks positioned to the left (low certainty) could shift position as more about them is learned. For those risks situated farther to the right on this axis, their higher certainty of impact signals to the board and the CEO that mitigating these risks will require investment (big bets).

Taking action
Starting with the high-consequence, low-likelihood risks of greatest impact—those in the upper-right hand corner of the grid—the organization must decide on what actions would reduce their potential impact to an acceptable level. What is acceptable will vary by board and management team, based on many factors, including inherent risk within their industry and availability of resources. Decision makers recognize that many of these risks—earthquakes, pandemics, recessions—are outside the organization’s control. With such risks, the objective is to reduce—below the existential threshold—their potential impact on the organization.

To identify and decide on the most effective actions, decision makers can assemble external and internal experts and cross-functional teams. A diverse perspective and sharp, high-level discussion are needed for this task. Lists of potential actions can be generated and pared down as the teams discuss them. In one approach to this step, participants create lists of choice actions that if taken today could reduce risk down the road. Then they fast-forward into six-month or one-year scenarios and identify a small decision that could have made a big difference in protecting the core value of the organization. Alternatively, experts develop potential actions, and a “red team” pressure-tests them; in another approach, leaders are chosen and assigned to explore these questions and monitor the organization for ideas. Whatever method an organization chooses, the outcome should be a range of potentially effective actions for decision makers to consider.

From the lists, leaders should identify actions that could reduce the impact of several risks at once. Those that would reduce harm significantly in the here and now can be taken as no-regrets moves; others can be designated as trigger-based decisions, to be taken when certain conditions occur.

No-regrets moves might include the creation of a more resilient supply chain by allowing single-source suppliers as an exception only. The introduction of multiple sources for a majority of items promotes resiliency while helping companies manage working-capital costs. This example aligns with a broader suite of resiliency solutions, such as adequate capitalization for rainy days, strong stakeholder relationships, a culture of people speaking up, and a crisis-response plan. Creating more resiliency could be a big-bet option that decision makers might consider because it strengthens an organization’s ability to withstand risk events.

Decision makers might also think about developing leading indicators for predictable surprises. This no-regrets move gives decision makers more time to respond to a threat, reducing its adverse impact. Leading indicators of financial fraud, for example, might be overly smooth profits or a rise in the use of nondisclosure agreements (NDAs). Other leading indicators can help detect significant arising opportunities.

Some actions are taken once the likelihood of a particular risk event reaches a certain threshold or trigger. A weather forecast, for example, with a reasonable amount of certainty that a company’s operations are in the path of an oncoming hurricane would trigger necessary countermeasures. Decision makers should develop the appropriate actions while ensuring that the triggers they choose provide enough of a window for the actions to be effective. The objective is to protect the company’s core value proposition. An example of an effective trigger and response would be a storm warning that sets in motion actions to stop production on an offshore rig to prevent an oil spill. Obviously, trigger-based decision making requires a monitoring process that alerts the organization when a trigger has occurred.

Protecting against extraordinarily rare events may seem counterintuitive. The risks are many and resources are finite. By defining the core value proposition, however, leaders can identify and mitigate the risks that would threaten the whole company.

High-consequence, low-likelihood events can fatally damage an organization. The investments organizations make to protect their value propositions—and not miss significant opportunities—can mean the difference between extinction and survival. More than that, however, these investments (big bets) can improve an organization’s overall resiliency.

Fritz Nauck is a senior partner in McKinsey’s Charlotte office, Ophelia Usher is an expert in the Stamford office, and Leigh
Weiss is a senior expert in the Boston office.

The authors wish to thank Aaron De Smet and Mihir Mysore for their contributions to this article.

Copyright © 2021 McKinsey & Company. All rights reserved.

How the voluntary carbon market can help address climate change
The voluntary carbon market is gaining momentum and plays an increasingly important role in limiting global warming. Here’s how.

This article was a collaborative effort by Christopher Blaufelder, Joshua Katz, Cindy Levy,
Dickon Pinner, and Jop Weterings.

As business leaders set increasingly ambitious commitments to reduce global greenhouse-gas (GHG) emissions, a market is developing that can help to achieve them by supplementing companies’ efforts to reduce their own emissions. This is the rapidly growing market for voluntary carbon credits.

Carbon credits (often referred to as “offsets”) have an important dual role to play in the battle against climate change. They enable companies to support decarbonization beyond their own carbon footprint, thus accelerating the broader transition to a lower-carbon future. They also help finance projects for removal of carbon dioxide from the atmosphere—delivering negative emissions, which will be needed to neutralize residual emissions that will persist even under the most optimistic scenarios for decarbonization. However, while the voluntary carbon credit market is currently experiencing significant momentum, it is still relatively small. The recently launched report by the Taskforce on Scaling Voluntary Carbon Markets aims to create a blueprint for solutions that could help overcome obstacles to its further growth. (For more about the taskforce, which McKinsey supports as a knowledge partner, please read our article "Scaling voluntary carbon markets to help meet climate goals."¹) This article will explain how carbon credits work and how they can help in the global effort to address climate change.

The dual role of voluntary carbon credits in addressing climate change
A carbon credit is a certificate representing one metric ton of carbon dioxide equivalent that is either prevented from being emitted into the atmosphere (emissions avoidance/reduction) or removed from the atmosphere as the result of a carbon-reduction project. For a carbon-reduction project to generate carbon credits, it needs to demonstrate that the achieved emission reductions or carbon dioxide removals are real, measurable, permanent, additional, independently verified, and unique (see sidebar “Criteria for carbon credits”). If a project meets these criteria—as specified by independent standards such as Gold Standard and Verified Carbon Standard (VCS)—credits can be issued. The impact of a carbon credit can only be claimed—that is, counted toward a climate commitment—once the credit has been retired (canceled in a registry), after which it can no longer be sold. A carbon credit is considered a “voluntary carbon credit” when it is bought and retired on a voluntary basis rather than as part of a process of compliance with legal obligations.

The proceeds from the sale of voluntary carbon credits enable the development of carbon-reduction projects across a wide array of project types. These include, among others, renewable energy; avoiding emissions from fossil-fuel-based alternatives; natural climate solutions, such as reforestation, avoided deforestation, or agroforestry; energy efficiency; and resource recovery, such as avoiding methane emissions from landfills or wastewater facilities.

While most of the project types that include renewable energy, avoided deforestation, and resource recovery focus on avoiding carbon emissions, others, such as reforestation, focus on removing carbon dioxide from the atmosphere. This is a meaningful difference, illustrating the dual role voluntary carbon credits can play in addressing climate change:

— In the short term, voluntary carbon credits from projects focused on emissions avoidance/reduction can help accelerate the transition to a decarbonized global economy, for example by driving investment into renewable energy, energy efficiency, and natural capital. Avoiding emissions is typically the most cost-efficient way to address atmospheric GHG concentrations.

— In the medium to long term, voluntary carbon credits could play an important role in scaling up carbon dioxide removals (or negative emissions) needed to neutralize residual emissions² that cannot be further reduced.

¹Christopher Blaufelder, Cindy Levy, Peter Mannion, Dickon Pinner, and Jop Weterings, “Scaling voluntary carbon markets to help meet climate
goals,” November 2020, McKinsey.com.
²Emissions that can only be eliminated at prohibitive cost or that cannot be eliminated with existing technology.

Criteria for carbon credits

Carbon credits should represent emission reductions or carbon dioxide removals that are:

— real and measurable—realized and not projected or planned, and quantified through a recognized methodology, using
conservative assumptions

— permanent—not reversed; relating to projects with a reversibility risk such as forestry projects, which could suffer from fire,
logging, or disease; here, comprehensive risk mitigation and a mechanism to compensate for any reversals need to be in place

— additional—would not have been realized if the project had not been carried out, and the project itself would not have been
undertaken without the proceeds from the sale of carbon credits

— independently verified—verified by an accredited, independent third party

— unique and traceable—transparently tracked in a public registry and not double-counted

Additionally, it is important that appropriate safeguards are in place to ensure projects comprehensively address and mitigate all
potential environmental and social risks.

In a recent analysis, we found that at least 5 gigatons of negative emissions will be needed annually to reach net-zero emissions by 2050. These could be realized through a combination of natural climate solutions such as reforestation (for example, sequestering carbon in trees) and nascent technology-based carbon capture, use, and storage solutions such as direct air capture with carbon storage (DACCS), and bioenergy with carbon capture and storage (BECCS). Voluntary carbon credits can help finance the scale-up of these solutions.

The role of voluntary carbon credits in corporate climate commitments
A credible corporate climate commitment begins with setting an emissions reduction target that covers both a company’s direct and indirect GHG emissions: if a company does not already have an emissions baseline from which to set a target, creating one is a necessary first step. Aligning such a target’s ambition level with the latest climate science is widely seen as best practice. In other words, the target needs to be in line with the level of decarbonization required to limit global warming to well below 2 degrees Celsius above preindustrial levels at a minimum—and ideally be in line with a 1.5-degree pathway, which scientists estimate would reduce the odds of initiating the most dangerous and irreversible effects of climate change. For setting such a target, the Science Based Targets initiative has developed methodologies, which have been already adopted by more than 1,000 companies, including many leading multinationals. To achieve the required emissions reductions, companies can pull levers such as improving energy efficiency, transitioning to renewable energy, and addressing value-chain emissions.

As a next step, a company may commit to a target that involves the use of voluntary carbon credits—either to compensate for emissions that it has not been able to eliminate yet or to neutralize residual emissions that cannot be further reduced due to prohibitive costs or technological limitations. These types of targets come with various designations (for example, carbon neutral, climate neutral, net-zero, carbon negative, climate positive) but they all typically involve a company supplementing reductions achieved within its own carbon footprint by financing reductions elsewhere through the purchase and retirement of voluntary carbon credits (see sidebar “Types of carbon targets”). By offsetting its remaining emissions in this way, a company can claim it is mitigating its residual impact on the climate. Some, such as Microsoft, have gone further by setting aspirations to make a net-positive impact on the climate.

Strong momentum, mainly driven by new corporate commitments and point-of-sale offerings
Following three years of robust growth, the voluntary carbon market³ reached a record high in 2019, both in issuances and retirements (exhibit). Issuances were 138 million tons of carbon dioxide equivalent—almost double the 2018 volume—and retirements 70 million, a 33 percent increase compared with 2018. This growth has been driven by a combination of new corporate climate commitments, such as those to carbon neutrality and net zero, as well as so-called point of sale offerings of voluntary carbon credits, such as Shell’s carbon-neutral fuel, which is a bundled retail offering of gasoline and voluntary carbon credits and airline-passenger offsetting programs, which enable passengers to offset the emissions of their flights through the airline’s website.

Based on year-to-date volumes and an extrapolation in line with historical seasonality patterns, we expect the market to set another

³We estimated the voluntary carbon market size based on five standards: VCS, Gold Standard, Climate Action Reserve, American Carbon Registry,
and Plan Vivo. We excluded ARB-eligible credits and Gold Standard–labeled Certified Emission Reductions (CERs) used for meeting compliance
targets.

Types of carbon targets

In the context of corporate target setting, “carbon neutral” refers to offsetting all unabated greenhouse-gas emissions through
the application of carbon credits to a given part of an organization’s footprint (for example, company-level, activity-level,
product-level), usually on an annual basis. The term carbon neutral is typically used to cover other greenhouse gases as well;
relevant standards, such as PAS2060, clearly specify carbon neutral’s scope as including carbon dioxide equivalent (CO2e)
emissions, beyond just carbon dioxide.

“Climate neutral” is often used interchangeably with carbon neutral, but it places more of an emphasis on covering greenhouse
gases beyond carbon dioxide. In addition, it can include climate impacts other than greenhouse-gas emissions, for example,
radiative forcing from aircraft contrails.

While the exact definition of “net zero” is still being debated, it is considered a forward-looking commitment requiring companies
to reduce their emissions and balance remaining (residual) emissions by a given target year. There is an emerging view among
stakeholders, including nongovernmental organizations and corporate climate leaders, that a credible net-zero target requires
reducing emissions in line with the latest climate science and neutralizing residual emissions (at net zero) using carbon dioxide
removals (not carbon credits from emissions avoidance/reduction projects).

Finally, both “carbon negative” and “climate positive,” which are used interchangeably, have not yet been clearly defined, but
they imply going beyond the targets described above to make a net-positive impact on our climate.

Exhibit
The voluntary carbon market has grown significantly in recent years.

[Chart: Voluntary carbon market, millions of metric tons of carbon dioxide equivalent. Issuances and retirements by year, 2009 to 2020 (2020 is an estimate); vertical axis from 0 to 200.]

Note: We estimated the voluntary carbon market size based on 5 standards: Verified Carbon Standard (VCS), Gold Standard (GS), Climate Action Reserve (CAR),
American Carbon Registry (ACR), and Plan Vivo. We excluded ARB-eligible credits and Gold Standard–labeled CERs used for meeting compliance targets.
Data were retrieved from aforementioned registries on December 2, 2020, for YTD volumes up until the end of November (ie, 150 million tCO2e of issuances
and 81 million tCO2e of retirements). We projected volumes for full-year 2020, based on extrapolation in line with historical seasonality (past 5 years), and did
not adjust for any COVID-19 related impacts on seasonality patterns.
Source: ACR; CAR; GS; Plan Vivo; VCS

record this year, with issuances and retirements both growing by approximately one-third compared with 2019. After years of declining prices (from an average price of around $7 per ton in 2008 to around $3 per ton in 2019⁴) due to supply outpacing demand, we expect average prices to go up in the near to medium term, mainly due to strong demand growth especially for higher-cost project types such as reforestation and carbon dioxide removal projects more generally (see sidebar “Issuances and retirements”). While still relatively small, the voluntary carbon market is experiencing significant momentum and its impact (and future potential) is getting more and more attention.

Natural climate solutions (NCS), a category including project types such as reforestation, avoided deforestation, improved forest management, and agroforestry, have grown faster than any other project category and contributed significantly to the voluntary carbon market’s growth trajectory. From 2016 to 2019, issuances within this category more than doubled every year, on average—and in 2019, NCS accounted for 53 percent of total issuances. Meanwhile, retirements in this category have also rapidly grown (close to 50 percent per year, on average). We believe this trend could be the result of increased awareness of NCS’s potential (they can deliver one-third of the emissions reductions needed to align with the Paris Agreement between now and 2030⁵), a growing focus on carbon dioxide removal (of which NCS is the most cost-effective and technologically proven method), and buyers’ preference for co-benefits beyond climate-change mitigation, such as biodiversity and impact on local communities.

What’s next: Challenges and opportunities
To accelerate the voluntary carbon market’s growth trajectory and realize its full potential, it will be important to address some significant challenges. These include the need to strengthen impact and quality assurance, to align stakeholders on the criteria for credible use of voluntary carbon credits as part of an overall climate strategy, build new market infrastructure, and reduce regulatory uncertainty. We believe that implementing innovative solutions to these challenges could unlock further growth. The recently launched Taskforce on Scaling Voluntary Carbon Markets aims to create a blueprint for these solutions.

Strengthening impact and quality assurance
While reputable standards such as Gold Standard and VCS certify projects’ adherence to the requirements of their respective methodologies, buyers typically have limited transparency on the progress of the carbon-reduction projects in their portfolio. Stakeholders also regularly raise questions about certain types of projects, such as those related to additionality in large-scale renewable-energy projects; biodiversity in the context of afforestation projects planting non-native species and/or monocultures; leakage and insufficient local-community engagement in the case of avoided deforestation; or permanence of natural climate solutions more broadly (see sidebar “Additionality, leakage, and permanence defined”).

While reputable standards have implemented safeguards to address these issues, the combination of insufficient transparency and continued stakeholder skepticism has led buyers to demand a further strengthening of impact and quality assurance. As a result, we expect innovation in measurement, reporting, and verification practices to accelerate over the coming years.

Aligning stakeholders on credible use of voluntary carbon credits
There is currently no consensus among stakeholders on what it takes to use voluntary carbon credits credibly as part of an overall climate strategy. Therefore, companies may have different interpretations of the role voluntary carbon credits could play in their journeys toward net-zero. Key points of discussion include the extent to which

⁴According to the Ecosystem Marketplace.

Issuances and retirements

To analyze the voluntary carbon market, we focus on two metrics: issuances and retirements, which together give a good idea of market dynamics. Issuance volume is a proxy for supply, as it represents voluntary carbon credits issued by a standard (for example, Gold Standard, VCS) upon the successful verification of emission reductions or carbon dioxide removals realized by a certified carbon-reduction project. Retirement volume is a proxy for demand, as it represents voluntary carbon credits bought and canceled in a registry, preventing the onward sale of the certificates. Only upon retirement can the buyer in whose name the credit was retired claim its impact (that is, count the credit toward a climate commitment).

⁵ Bronson Griscom et al., “Natural climate solutions,” Proceedings of the National Academy of Sciences, October 2017, Volume 114, Number 44,
pp. 11645–50, pnas.org.

Additionality, leakage, and permanence defined

A carbon-reduction project is considered “additional” when its impact (emission reductions and/or removals) would not have been realized
if the project had not been carried out, and that the project itself would not have been undertaken without the proceeds from the sale of
carbon credits. As technology costs continue to fall, a growing number of renewable-energy projects no longer need the proceeds from
the sale of carbon credits to be viable—a key reason why the criterion of additionality is particularly relevant in the context of renewable
energy projects. In response, standard bodies have started to phase out large-scale renewable-energy projects. For example, VCS no
longer certifies new, grid-connected renewable-energy projects unless they’re located in the least-developed countries.

Leakage occurs when a carbon-reduction project displaces emission-causing activities and produces higher emissions outside the
project boundary. For example, protecting a certain forest area may cause loggers to go elsewhere. Leakage risk can be mitigated by
strengthening project design as well as conservatively quantifying emission reductions and removals, making appropriate adjustments
for estimated leakage.

Carbon-reduction projects should realize permanent emission reductions and/or removals. Where projects have a reversibility
risk—such as forestry projects, which could suffer from fire, logging, or disease—comprehensive risk mitigation and a mechanism to
compensate for any reversals needs to be in place. It is common practice for standard bodies to include buffer provisions (requiring all
projects with reversibility risk to set aside a certain percentage of credits in a buffer or insurance pool). In the unfortunate event of a
reversal of emission reductions and/or removals (for example, due to fire or disease), credits from the buffer would be used to cover
the losses.

a company can rely on voluntary carbon credits versus reducing its own footprint; the type of credits (for example, emissions avoidance/reduction versus carbon dioxide removal) to use, and how their role may evolve over time. There is a clear distinction between the role of voluntary carbon credits today and that which they will play when a company has all but fully decarbonized its footprint and needs only to neutralize its residual emissions.

Building new market infrastructure
Today, voluntary carbon credits are mainly traded over the counter, resulting in limited transparency on market data (for example, transaction volumes, price levels) and a paucity of reference data, which was a key barrier to market growth in the past. Standardized, tradable products and contracts could help increase liquidity and scale transactions, provided that the quality of credits traded and integrity of market participants are ensured.

Reducing regulatory uncertainty
The negotiations over the Paris Agreement’s Article 6, which introduces a new international carbon market/mechanism, are ongoing. As a result, the implications of Article 6 for the voluntary carbon market are still unclear. Should voluntary purchases of carbon credits by private-sector actors help countries achieve their post-2020 climate pledges (which are referred to as nationally determined contributions), or should they be incremental to such targets? Will governments continue to allow projects to issue voluntary carbon credits? When is double-counting an issue, and how can that be avoided?



Reducing regulatory uncertainty may encourage more buyers to make long-term commitments, and developers to make large-scale investments.

Voluntary carbon credits could play a critical role in helping the world attain a 1.5-degree pathway. They can both accelerate the transition to a lower-carbon future by enabling companies to support decarbonization beyond their own carbon footprint and help neutralize residual emissions by financing carbon dioxide–removal projects. To realize this potential, significant practical effort is required to address current challenges and scale up the voluntary carbon market. Achieving that will create significant benefits not just in the battle against climate change but also in preserving nature and the untold benefits it provides to humanity.

Christopher Blaufelder is a partner in McKinsey’s Zurich office; Joshua Katz is a partner in the
Stamford office; Cindy Levy is a senior partner in the London office; Dickon Pinner is a senior partner in
the San Francisco office; and Jop Weterings is director of environmental sustainability, based in the
Amsterdam office.

The authors wish to thank Alexis Depiesse, Damien Mourey, and Julian Vennekens for their contributions to
this article.

Copyright © 2021 McKinsey & Company. All rights reserved.

Derisking
Derisking AI by design: How to build risk management into AI development
The next S-curve in model risk management
Applying machine learning in capital markets: Pricing, valuation adjustments, and market risk
Derisking digital and analytics transformations



Derisking AI by design:
How to build risk
management into
AI development
The compliance and reputational risks of artificial intelligence
pose a challenge to traditional risk-management functions. Derisking
by design can help.

by Juan Aristi Baquero, Roger Burkhardt, Arvind Govindarajan, and Thomas Wallace

Artificial intelligence (AI) is poised to redefine how businesses work. Already it is unleashing the power of data across a range of crucial functions, such as customer service, marketing, training, pricing, security, and operations. To remain competitive, firms in nearly every industry will need to adopt AI and the agile development approaches that enable building it efficiently to keep pace with existing peers and digitally native market entrants. But they must do so while managing the new and varied risks posed by AI and its rapid development.

The reports of AI models gone awry due to the COVID-19 crisis have only served as a reminder that using AI can create significant risks. The reliance of these models on historical data, which the pandemic rendered near useless in some cases by driving sweeping changes in human behaviors, makes them far from perfect.

In a previous article, we described the challenges posed by new uses of data and innovative applications of AI. Since then, we’ve seen rapid change in formal regulation and societal expectations around the use of AI and the personal data that are AI’s essential raw material. This is creating compliance pressures and reputational risk for companies in industries that have not typically experienced such challenges. Even within regulated industries, the pace of change is unprecedented.

In this complex and fast-moving environment, traditional approaches to risk management may not be the answer (see sidebar “Why traditional model risk management is insufficient”). Risk management cannot be an afterthought or addressed only by model-validation functions such as those that currently exist in financial services. Companies need to build risk management directly into their

Why traditional model risk management is insufficient

Model risk management (MRM) in regulated industries such as banking is currently performed by dedicated and independent teams reporting to the chief risk officer. While these firms have developed a robust MRM approach to improve the governance and control of their critical models determining capital requirements and lending decisions, this approach is usually not ideal for firms with different requirements or in less heavily regulated industries, for the following reasons:

— MRM is typically based on a point-in-time model assessment (for example, once every one to five years), which assumes that the models are largely static between reviews. AI models learn from data, and their logic changes when they are retrained to learn from new data. For instance, a fraud model is retrained weekly in order to adapt to new scams.

— Traditional MRM workflows are often sequential and require six to 12 weeks of review time after the model development is complete, which delays deployment. These workflows are not easily adapted to the agile and iterative development cycles frequently used in AI model development.

— MRM is often focused more on traditional risk types (primarily financial risks, such as capital adequacy and credit risk) and may not fully cover the new and more diverse risks arising from widespread use of AI such as reputational risk, consumer and conduct risk, and employee risk.

— Some applications and use cases, such as chatbots, natural-language processing, and HR analytics, can qualify as “models” under regulatory definitions used in banking. But these applications are very different from the traditional model types (for example, capital models, stress-testing models, and credit-risk models), and traditional MRM approaches are not easily applied.

— AI and machine-learning algorithms are often embedded in larger AI application systems, such as software-as-a-service (SaaS) offerings from vendors, in ways that are significantly more complex and more opaque than traditional models. This greatly complicates coordination between those who review the model and those who assess the application and platform (IT risk) or the vendor (third-party risk).



AI initiatives, so that oversight is constant and concurrent with internal development and external provisioning of AI across the enterprise. We call this approach “derisking AI by design.”

Why managing AI risks presents new challenges
While all companies deal with many kinds of risks, managing risks associated with AI can be particularly challenging, due to a confluence of three factors.

AI poses unfamiliar risks and creates new responsibilities
Over the past two years, AI has increasingly affected a wide range of risk types, including model, compliance, operational, legal, reputational, and regulatory risks. Many of these risks are new and unfamiliar in industries without a history of widespread analytics use and established model management. And even in industries that have a history of managing these risks, AI makes the risks manifest in new and challenging ways. For example, banks have long worried about bias among individual employees when providing consumer advice. But when employees are delivering advice based on AI recommendations, the risk is not that one piece of individual advice is biased but that, if the AI recommendations are biased, the institution is actually systematizing bias into the decision-making process. How the organization controls bias is very different in these two cases.

These additional risks also stand to tax risk-management teams that are already being stretched thin. For example, as companies grow more concerned about reputational risk, leaders are asking risk-management teams to govern a broader range of models and tools, supporting anything from marketing and internal business decisions to customer service. In industries with less defined risk governance, leaders will have to grapple with figuring out who should be responsible for identifying and managing AI risks.

AI is difficult to track across the enterprise
As AI has become more critical to driving performance and as user-friendly machine-learning software has become increasingly viable, AI use is becoming widespread and, in many institutions, decentralized across the enterprise, making it difficult for risk managers to track. Also, AI solutions are increasingly embedded in vendor-provided software, hardware, and software-enabled services deployed by individual business units, potentially introducing new, unchecked risks. A global product-sales organization, for example, might choose to take advantage of a new AI feature offered in a monthly update to their vendor-provided customer-relationship-management (CRM) package without realizing that it raises new and diverse data-privacy and compliance risks in several of their geographies.

Compounding the challenge is the fact that AI risks cut across traditional control areas—model, legal, data privacy, compliance, and reputational—that are often siloed and not well coordinated.

AI risk management involves many design choices for firms without an established risk-management function
Building capabilities in AI risk management from the ground up has its advantages but also poses challenges. Without a legacy structure to build upon, companies must make numerous design choices without a lot of internal expertise, while trying to build the capability rapidly. What level of MRM investment is appropriate, given the AI risk assessments across the portfolio of AI applications? Should reputational risk management for a global organization be governed at headquarters or on a national basis? How should we combine AI risk management with the management of other risks, such as data privacy, cybersecurity, and data ethics? These are just a few of the many choices that organizations must make.

Baking risk management into AI development
To tackle these challenges without constraining AI innovation and disrupting the agile ways of working that enable it, we believe companies need to adopt a new approach to risk management: derisking AI by design.

Risk management by design allows developers and their business stakeholders to build AI models that are consistent with the company’s values and risk



appetite. Tools such as model interpretability, bias detection, and performance monitoring are built in so that oversight is constant and concurrent with AI development activities and consistent across the enterprise. In this approach, standards, testing, and controls are embedded into various stages of the analytics model’s life cycle, from development to deployment and use (Exhibit 1).

Typically, controls to manage analytics risk are applied after development is complete. For example, in financial services, model review and validation often begin when the model is ready for implementation. In a best-case scenario, the control function finds no problems, and the deployment is delayed only as long as the time to perform those checks. But in a worst-case scenario, the checks turn up problems that require another full development cycle to resolve. This obviously hurts efficiency and puts the company at a disadvantage relative to nimbler firms (see sidebar “Learning the value of derisking by design the hard way”).

Similar issues can occur when organizations source AI solutions from vendors. It is critical for control teams to engage with business teams and vendors early in the solution-ideation process, so they understand the potential risks and the controls to mitigate them. Once the solution is in production, it is also important for organizations to understand when updates to the solution are being pushed through the platform and to have automated processes in place for identifying and monitoring changes to the models.

It’s possible to reduce costly delays by embedding risk identification and assessment, together with associated control requirements, directly into the development and procurement cycles. This approach also speeds up preimplementation checks, since the majority of risks have already been accounted for and mitigated. In practice, creating a detailed control framework that sufficiently covers all these different risks is a granular exercise. For example, enhancing our own internal model-validation framework to accommodate AI-related risks results in a matrix of 35 individual control elements covering eight separate dimensions of model governance.

Embedding appropriate controls directly into the development and provisioning routines of business and data-science teams is especially helpful in industries without well-established analytics development teams and risk managers who conduct independent reviews of analytics or manage

Learning the value of derisking by design the hard way

A large food manufacturer developed an analytics solution to forecast demand for each of its products across geographies in order to optimize manufacturing, logistics, and the overall supply chain. The new model showed higher accuracy compared with the company’s existing expert-based approach.

But before the model was deployed, the manufacturer initiated an independent third-party review of the model, which uncovered several problems with the model, including a critical data leakage. The model had accidentally included a feature that captured the actual demand. Once the feature was removed, the model accuracy dropped below the existing expert-based approach.

This revelation led to a complete redesign of the model architecture and the realization that the company needed to undertake a broader initiative to embed risk management into model development to prevent this and other issues from recurring. The manufacturer began the effort by creating new roles within the group to perform model review, defining roles and responsibilities for model checks throughout the modeling pipeline, and implementing standards for development and documentation of analytics.
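
The data leakage described in this sidebar, a feature that captures the actual demand, is the kind of defect a development-time control can catch before independent review. The Python sketch below is an added example, not code from the article or the manufacturer; the feature names, the 0.95 R² threshold, the lineage table, and the demand history are constructed assumptions.

```python
"""Target-leakage screen for a demand-forecast feature set (constructed data)."""
import math
import random

R2_LIMIT = 0.95  # assumed review threshold: one feature this predictive is suspect


def r_squared(xs, ys):
    """R^2 of a one-variable least-squares fit of ys on xs."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        return 0.0  # a constant column carries no signal
    return (sxy * sxy) / (sxx * syy)


def make_sample(n=400, seed=7):
    """Constructed weekly demand history. 'units_invoiced' is booked after the
    sales week closes, so it restates the target instead of predicting it."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        week = i % 52
        price = rng.uniform(1.0, 3.0)
        promo = 1.0 if rng.random() < 0.3 else 0.0
        demand = (200 - 30 * price + 40 * promo
                  + 25 * math.sin(2 * math.pi * week / 52) + rng.gauss(0, 20))
        rows.append({
            "week_of_year": float(week),
            "price": price,
            "promo": promo,
            "units_invoiced": demand + rng.gauss(0, 3),
            "demand": demand,
        })
    return rows


# Hypothetical lineage metadata: days between the forecast run and the moment
# each feature value exists. Positive means it is only known after the forecast.
AVAILABLE_AFTER_FORECAST_DAYS = {
    "week_of_year": -30, "price": -7, "promo": -7, "units_invoiced": 10,
}


def screen_features(rows, target, lineage, r2_limit=R2_LIMIT):
    """Return {feature: [reasons]} for every feature that fails a leakage control."""
    ys = [r[target] for r in rows]
    findings = {}
    for name in rows[0]:
        if name == target:
            continue
        reasons = []
        # Statistical control: a single feature that almost reproduces the target.
        r2 = r_squared([r[name] for r in rows], ys)
        if r2 >= r2_limit:
            reasons.append(f"single-feature R^2 {r2:.3f} >= {r2_limit}")
        # Lineage control: the value must exist when the forecast is produced.
        lag = lineage.get(name)
        if lag is None:
            reasons.append("no lineage record")
        elif lag > 0:
            reasons.append(f"value exists {lag} days after forecast time")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    report = screen_features(make_sample(), "demand", AVAILABLE_AFTER_FORECAST_DAYS)
    for feature, reasons in report.items():
        print(feature, "->", "; ".join(reasons))
```

The statistical check only catches leaks that are close to linear in the target, which is why the lineage check runs independently of it.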



Exhibit 1
Risk management by design embeds controls across the algorithmic model’s life cycle.

associated risk. They can move toward a safe and agile approach to analytics much faster than if they had to create a stand-alone control function for review and validation for models and analytics solutions (see sidebar “An energy company takes steps toward derisking by design”).

As an example, one of the most relevant risks of AI and machine learning is bias in data and analytics methodologies that might lead to unfair decisions for consumers or employees. To mitigate this category of risk, leading firms are embedding several types of controls into their analytics-development processes (Exhibit 2):

— Ideation. They first work to understand the business use case and its regulatory and reputational context. An AI-driven decision engine for consumer credit, for example, poses a much higher bias risk than an AI-driven chatbot that provides information to the same customers. An early understanding of the risks of the use case will help define the appropriate requirements around the data and



methodologies. All the stakeholders ask, “What could go wrong?” and use their answers to create appropriate controls at the design phase.

— Data sourcing. An early risk assessment helps define which data sets are “off-limits” (for example, because of personal-privacy considerations) and which bias tests are required. In many instances, the data sets that capture past behaviors from employees and customers will incorporate biases. These biases can become systemic if they are incorporated into the algorithm of an automated process.

— Model development. The transparency and interpretability of analytical methods strongly influence bias risk. Leading firms decide which methodologies are appropriate for each use case (for example, some black-box methods will not be allowed in high-risk use cases) and what post hoc explainability techniques can increase the transparency of model decisions.

— Monitoring and maintenance. Leading firms define the performance-monitoring requirements, including types of tests and frequency. These requirements will depend on the risk of the use case, the frequency with which the model is used, and the frequency with which the model is updated or recalibrated. As more dynamic models become available (for example, reinforcement learning, self-learning), leading firms use technology platforms that can specify and execute monitoring tests automatically.

Putting risk managers in a position to succeed—and providing a supporting cast
To deploy AI at scale, companies need to tap an array of external and unstructured data sources, connect to a range of new third-party applications, decentralize the development of analytics (although common tooling, standards, and other centralized capabilities help speed the development process), and work in agile teams that rapidly develop and update analytics in production.

These requirements make large-scale and rapid deployment incredibly difficult for traditional risk managers to support. To adjust, they will need to integrate their review and approvals into agile or

An energy company takes steps toward derisking by design

Companies in industries that have been running analytical models for decades under the scrutiny of regulators, such as financial services, often have a foundation for moving to a derisk-by-design model.

Organizations in industries that have adopted analytics more recently and are less regulated (at least in the area of model outputs) will need to build their capabilities nearly from scratch.

One large North American energy company initiated a multiyear analytics transformation in order to improve the efficiency of current assets—for example, to produce higher-quality coal. The company set up an analytics center of excellence (COE), which discovered that thousands of analytics use cases had been developed and deployed across the organization without any clear oversight, creating risks for human health and safety, financial performance, and company reputation.

In response, the COE appointed a model manager to oversee the model-governance rollout across the organization. The manager’s team identified six key priorities: implementing a process to identify models as they are developed; creating a centralized inventory for all analytics use cases and related information (such as developer and owners); establishing a tiering system to identify the most material models; creating standards for model development and documentation; defining and implementing requirements for model review and monitoring for all models; and defining model-governance processes, roles, and responsibilities for all stakeholders across the modeling pipeline. These changes helped the organization take a giant step toward embedding risk management into the end-to-end process of model development.



Exhibit 2
Bias is one important risk that can be mitigated by embedding controls into the model-
development process.
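
The bias tests and automatically executed monitoring tests named in the list of controls above can be expressed as a release gate that runs every time a model is retrained. This Python sketch is an added example, not the article's or any firm's code; the 0.80 approval-rate ratio floor, the 0.25 population-stability limit, the group labels, and all data are constructed assumptions.

```python
"""Bias and drift tests run automatically before a retrained model is released."""
import math

DI_FLOOR = 0.80   # assumed policy: lowest group approval rate / highest must reach 0.80
PSI_LIMIT = 0.25  # assumed policy: score drift above this PSI blocks the release


def approval_rates(decisions):
    """decisions: iterable of (group, approved). Returns {group: approval rate}."""
    totals, approved = {}, {}
    for group, ok in decisions:
        totals[group] = totals.get(group, 0) + 1
        approved[group] = approved.get(group, 0) + int(bool(ok))
    return {g: approved[g] / totals[g] for g in totals}


def disparate_impact(decisions):
    """Ratio of the lowest to the highest group approval rate (1.0 = parity)."""
    rates = approval_rates(decisions)
    if not rates:
        raise ValueError("no decisions to test")
    highest = max(rates.values())
    return min(rates.values()) / highest if highest > 0 else 1.0


def psi(reference, current, bins=10):
    """Population stability index of current scores against reference scores in [0, 1]."""
    def shares(scores):
        counts = [0] * bins
        for s in scores:
            counts[min(int(s * bins), bins - 1)] += 1
        # Floor each share so an empty bin cannot produce log(0).
        return [max(c / len(scores), 1e-4) for c in counts]
    ref, cur = shares(reference), shares(current)
    return sum((c - r) * math.log(c / r) for r, c in zip(ref, cur))


def run_monitoring_tests(decisions, reference_scores, current_scores):
    """Evaluate every test and report whether the release may proceed."""
    di = disparate_impact(decisions)
    drift = psi(reference_scores, current_scores)
    tests = {
        "disparate_impact": {"value": round(di, 3), "passed": di >= DI_FLOOR},
        "score_psi": {"value": round(drift, 3), "passed": drift <= PSI_LIMIT},
    }
    return {"tests": tests,
            "release_allowed": all(t["passed"] for t in tests.values())}


def make_decisions(approved_a, approved_b, per_group=100):
    """Constructed decision log: (group, approved) for two applicant groups."""
    log = [("A", i < approved_a) for i in range(per_group)]
    log += [("B", i < approved_b) for i in range(per_group)]
    return log


# Constructed score samples: validation-time scores are evenly spread; the
# production sample after retraining is pushed toward low scores.
REFERENCE_SCORES = [i / 1000 for i in range(1000)]
SHIFTED_SCORES = [(i / 1000) ** 2 for i in range(1000)]

if __name__ == "__main__":
    # Retrained model: group B approved far less often, scores have drifted.
    print(run_monitoring_tests(make_decisions(60, 40), REFERENCE_SCORES, SHIFTED_SCORES))
    # Remediated model: approval rates within policy, score distribution stable.
    print(run_monitoring_tests(make_decisions(60, 50), REFERENCE_SCORES, REFERENCE_SCORES))
```

Because each test records its own value and outcome, the same result can be attached to the model inventory entry as evidence for reviewers.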

sprint-based development approaches, relying more on developer testing and input from analytics teams, so they can focus on review rather than taking responsibility for the majority of testing and quality control. Additionally, they will need to reduce one-off “static” exercises and build in the capability to monitor AI on a dynamic, ongoing basis and support iterative development processes.

But monitoring AI risk cannot fall solely on risk managers. Different teams affected by analytics risk need to coordinate oversight to ensure end-to-end coverage without overlap, support agile ways of working, and reduce the time from analytics concept to value (Exhibit 3).

AI risk management requires that each team expand its skills and capabilities, so that skill sets



in different functions overlap more than they do in historical siloed approaches. Someone with a core skill—in this case, risk management, compliance, vendor risk—needs enough analytics know-how to engage with the data scientists. Similarly, data scientists need to understand the risks in analytics, so they are aware of these risks as they do their work.

In practice, analytics teams need to manage model risk and understand the impact of these models on business results, even as the teams adapt to an influx of talent from less traditional modeling backgrounds, who may not have a grounding in existing model-management techniques. Meanwhile, risk managers need to build expertise—through either training or hiring—in data concepts, methodologies, and AI and machine-learning risks, to ensure they can coordinate and interact with analytics teams (Exhibit 4).

This integration and coordination between analytics teams and risk managers across the model life cycle requires a shared technology platform that includes the following elements:

— an agreed-upon documentation standard that satisfies the needs of all stakeholders (including developers, risk, compliance, and validation)

— a single workflow tool to coordinate and document the entire life cycle from initial concept through iterative development stages, releases into production, and ultimately model retirement

— access to the same data, development environment, and technology stack to streamline testing and review

— tools to support automated and frequent (even real-time) AI model monitoring, including, most critically, when in production

— a consistent and comprehensive set of explainability tools to interpret the behavior of all AI technologies, especially for technologies that are inherently opaque

Exhibit 3
The responsibilities for enabling safe and ethical innovation with artificial intelligence span
multiple parts of the organization.



Getting started
The practical challenges of altering an organization’s ingrained policies and procedures are often formidable. But whether or not an established risk function already exists, leaders can take these basic steps to begin putting into practice derisking AI by design:

— Articulate the company’s ethical principles and vision. Senior executives should create a top-down view of how the company will use data, analytics, and AI. This should include a clear statement of the value these tools bring to the organization, recognition of the associated risks, and clear guidelines and boundaries that can form the basis for more detailed risk-management requirements further down in the organization (see sidebar “Building risk management into AI design requires a coordinated approach”).

— Create the conceptual design. Build on the overarching principles to establish the basic framework for AI risk management. Ensure this covers the full model-development life cycle outlined earlier: ideation, data sourcing, model building and evaluation, industrialization, and monitoring. Controls should be in place at each stage of the life cycle, so engage early with analytics teams to ensure that the design can be integrated into their existing development approach.

— Establish governance and key roles. Identify key people in analytics teams and related risk-management roles, clarify their roles within the risk-management framework, and define their mandate and responsibilities in relation to AI controls. Provide risk managers with training and guidance that ensure they develop knowledge beyond their previous experience with traditional analytics, so they are equipped to ask new questions about what could go wrong with today’s advanced AI models.

— Adopt an agile engagement model. Bring together analytics teams and risk managers to understand their mutual responsibilities and working practices, allowing them to solve

Exhibit 4
Both analytics and risk professionals will need to complement their traditional skill sets with
sufficient knowledge of the others’ function.



Building risk management into AI design requires a coordinated approach

While AI applications can be developed in a decentralized fashion across an organization, managing AI risk should be coordinated more centrally in order to be effective. A major North American bank learned this lesson when it set out to create a new set of AI risk-management capabilities to complement its existing risk frameworks. Initially, multiple groups began their own AI risk-management efforts. This fragmentation created a host of challenges around key risk processes, including tracking and assessing the risks of AI embedded in vendor technologies, triaging and risk oversight of AI tools, building controls into AI model development involving multiple analytics groups, and operationalizing ethical principles on data and AI approved by the board. As a result, the bank struggled to demonstrate that all AI risks were managed through the development life cycle.

The bank alleviated these issues by establishing one multidisciplinary team to define a clear target state of AI risk management, build alignment across stakeholders, clarify AI governance requirements, and specify the engagement model and technical requirements

conflicts and determine the most efficient way of interacting fluidly during the course of the development life cycle. Integrate reviews and approvals into agile or sprint-based development approaches, and push risk managers to rely on input from analytics teams, so they can focus on reviews rather than taking responsibility for the majority of testing and quality control.

— Access transparency tools. Adopt essential tools for gaining explainability and interpretability. Train teams to use these tools to identify the drivers of model results and to understand the outputs they need in order to make use of the results. Analytics teams, risk managers, and partners outside the company should have access to these same tools in order to work together effectively.

— Develop the right capabilities. Build an understanding of AI risks throughout the organization. Awareness campaigns and basic training can build institutional knowledge of new model types. Teams with regular review responsibilities (risk, legal, and compliance) will need to become adept “translators,” capable of understanding and interpreting analytics use cases and approaches. Critical teams will need to build and hire in-depth technical capabilities to ensure risks are fully understood and appropriately managed.

AI is changing the rules of engagement across industries. The possibilities and promise are exciting, but executive teams are only beginning to grasp the scope of the new risks involved. Existing approaches to model-risk-management functions may not be ready to support deployment of these new techniques at the scale and pace expected by business leaders. Derisking AI by design will give companies the oversight they need to run AI ethically, legally, and profitably.

Juan Aristi Baquero and Roger Burkhardt are partners in McKinsey’s New York office, Arvind
Govindarajan is a partner in the Boston office, and Thomas Wallace is a partner in the London office.

The authors wish to thank Rahul Agarwal for his contributions to this article.

Copyright © 2021 McKinsey & Company. All rights reserved.



The next S-curve in
model risk management
How banks can drive transformations of the model life cycle in a highly
uncertain business landscape.

by Frank Gerhard, Pedro J. Silva, Maribel Tejada, and Thomas Wallace

The economic effects of the COVID-19 pandemic have thrown into stark relief the significant challenges facing banks’ financial models. Some models have failed in the crisis, an outcome that has drawn attention to models generally. The causes of the failure include not only COVID-19 effects but also regulatory requirements and models’ increasing time to market. Institutions are realizing that even models which have not been significantly affected by these stresses are wanting in other ways.

The present crisis is creating a moment in which banks can rethink the entire model landscape and model life cycle. The next S-curve for model risk management (MRM) includes new model strategies to address new regulation and changing business needs. Models must become more accurate, so banks need to recalibrate them more frequently and develop new models more rapidly. A sustainable operating model is needed, since monitoring, validation, and maintenance activities must support the redevelopment and adjustment of models. The solution will have to be designed to manage models effectively over the long term.

The new strategy will require a top-down approach to model development because the institution has to be able to identify those changes that can be made through overlays and those that need recalibration and redevelopment. Once the model-development wave is complete, model validation, monitoring, and maintenance can be “industrialized”—conducted in a methodical, automated manner, sufficient for managing an increasing number of models. High standards are needed for both model risk management and regulatory requirements.

For the most part, quick solutions become unsustainable in the long run, for several reasons: experience has shown that banks cannot rely on expert judgment alone; many solutions address temporary conditions (such as the effects of government intervention or changes in customer behavior); budgets are strained by the resources needed to monitor, recalibrate, and develop or redevelop the ever-increasing model inventory; and finally, the short time periods in which the work must be done demand a more industrialized and comprehensive approach.

An optimized model landscape
As the economy begins to revive, organizations will likely be under budgetary stress. Differing priorities will compete for fewer resources. Leaders will have to make smart choices to realize model strategies, investing efficiently and sustainably. Banks will likely seek to upgrade their modeling capabilities, rationalize the model landscape, and streamline the processes for developing, monitoring, maintaining, and validating models.

Banks will have to manage trade-offs among expected impact on capital, regulatory provisions, costs to remediate issues, and capacity constraints. The objectives will be best served by avoiding unnecessary complexity. As part of the effort to rationalize the model landscape, better models will be built—those that ensure regulatory compliance but are also more accurate and best serve the business.

Models will also be recalibrated and run more frequently. Some will be replaced by next-generation models, an effort that will require investment in technology and data initiatives to serve the business. The development cycle for new models will be shortened, so that they can be deployed faster. To manage increasing costs, banks will have to ensure that model development, monitoring, and validation are performed efficiently. Banks also must demonstrate to regulators that their model-management frameworks are robust and that the impact of the crisis on models is being capably addressed.

The role of the model-risk-management function
Proactive MRM activities, aligned with both business needs and risk-management objectives, must be in place to prevent overgrowth of the model inventory. To ensure that the inventory is rational and effective, banks need to manage the model landscape as a whole. They also need to ensure that model quality is high. Gaining transparency to direct such efforts can involve deploying model workflow and inventory tools, consistently applied model-risk-rating approaches, and regular monitoring of model performance and use.



The MRM function can support the bank by fully optimizing the portfolio of models. This support goes beyond performing validation work and ensuring consistency across modeling and monitoring practices. Model development is also in need of optimization and consolidation, since development is usually fragmented across different business units.

Hundreds of models now need to be adjusted, developed, and recalibrated. There is a lesson in this—the effective and efficient development of new models must result in models that are easy and inexpensive to maintain in the future. In taking stock of existing models, banks should seek to improve the quality of the best models while decommissioning poor-quality, ineffective, and outdated models.

Sharing responsibility for model management
Model management can no longer be primarily or even mainly the responsibility of the MRM function, a fact that the COVID-19 crisis has underscored. The responsibility must be with the business stakeholders—those who use the models and extensively rely on their outcomes. MRM has to be approached as the collaborative work of all three lines of defense. The second line—the MRM/validation function and the risk function—should enable a clear program for building MRM capabilities among all business stakeholders and model owners. Only through real collaboration can banks ensure that effective controls are designed and models are properly monitored.

As responsibility for MRM is shared, so are its benefits, and certain activities will undergo changes and adaptations.

— Validation. The MRM function and risk function will still focus on validation practices, ensuring that models are of good quality and model risk is capably managed. But the business stakeholders and model developers are the ultimate users of models. As such, they must be responsible for ensuring that development costs are justified, programs are run efficiently, and models are well monitored and maintained. Such active collaboration eliminates work silos, allowing the use of common elements across the model life cycle. This minimizes friction and boosts efficiency.

— Capability building. The effort to build the model strategy must be supported by a thorough capability-building program. All model users and owners and the leaders of affected functions and business units need to be trained in the new approach to MRM, so that they all understand their risk-management responsibilities. Given the current environment, defined by new and complex technology and accelerating automation, an aware and responsive workforce is indispensable to strong model governance.

— Agenda setting. The MRM function should work closely with the first line to set the agenda, identifying the models that are most important to the business and operations and defining the priority model activities. That requires a forward-looking view into how pandemic-related factors have affected or will affect models. Those that are adversely affected will need recalibration or redevelopment.

— Active management of the model landscape. Managing the model landscape will be a joint effort between first- and second-line teams. Model-risk managers will guide the efficient allocation of model-risk appetite by setting definitions for where models should be used, thresholds for materiality and complexity, and precision requirements based on use cases. At the same time, model developers will be given incentives to consolidate similar functions, reduce model count and complexity, and promote modularization and reuse of code.

— An agile operating model. The function also needs to determine the best operating approach to manage delays in development and validation plans that were made before the pandemic. This would include a flexible project-management approach, with joint calendars for both development and validation. New organizational structures should be established to ensure cross-functional teams, career- and knowledge-development opportunities, rotation programs, and an effective location strategy. A multidisciplinary team, with representatives from business, development, technology, and validation, can be used to break down siloes and meet the needs of various stakeholders.

— Ownership. Most organizations that have been successful in optimizing their model landscape have established clear model ownership and defined roles for those model owners. This ensures that the model-life-cycle process is integrated across the organization, with stakeholders interacting in a coordinated manner. Where model ownership has not been established, strong focus should be given to onboarding programs to ensure the business understands its model risk management responsibilities.

Streamlining and automation
This perfect storm of model-inventory revisions and development presents organizations with a unique opportunity to act strategically. The requirement is clear: institutions need to streamline the entire model life cycle, including ideation, development, implementation, validation, and monitoring. The objectives are to avoid future bottlenecks, support business continuity, and improve institutional performance, while minimizing risk and cost. Crucially, banks must develop a model strategy for the coming years that meets these demands in a cost-efficient manner.

As model-life-cycle processes are reimagined, the ultimate goal is to bring about strategic change. But flexibility is built into the process, so progressive efficiency gains, such as technical solutions, can be made to capture near-term benefits until more fundamental strategic programs are completed. For automation, processes need to be standardized. This is accomplished through a complete review of process maps, applying lean fundamentals.

MRM should become the agency driving model efficiency. Modeling teams and business stakeholders will need to work alongside risk, including the MRM and model-validation teams. Together they can fully utilize MRM frameworks to manage the increasing number of models efficiently—including newly developed and redeveloped models as well as the monitoring and validation conforming to the increasing level of standardization and automation. The big lesson for the new MRM framework is that it must establish standards and standardize processes. This work is essential for streamlining and automation.

The increasing number of models poses a significant challenge. These models must be validated within budgets but without eroding quality. Banks should therefore ensure a high-quality, independent model review that is also cost-efficient.



Finding efficiencies in the model life cycle
Banks can find efficiency opportunities throughout the model life cycle (exhibit). To do this, they can assess and review their current model process maps, rethinking the processes themselves.

Exhibit

Significant savings result from optimizing the model life cycle, especially in validation processes.

[Flowchart of the model life cycle. The legend distinguishes two kinds of opportunities for automation: automating model activities and automating documentation. The stages and steps follow, with the automation opportunity listed beside each step that has one.]

Model development and review
— Define business requirements
— Select methodology and redevelop models: automate model-parameter creation and analysis of outcomes
— Complete model documentation: automate generation of sections of model documentation
Decision point: Accepted in validation queue? (yes/no)

Periodic model validation
— Conduct completeness assessment
— Conduct validation: automate replication and performance testing
— Complete model-validation report: automate generation of technical-validation report

Model implementation and production
— Prepare business-requirement documentation
— Insert model in IT system and complete user testing

Ongoing monitoring
— Test model performance: conduct regular, automated performance monitoring
— Complete annual model review: automate generation of specific sections of template
Decision point: Model performance deteriorated? (yes/no)

Processes can be redesigned and automated using standard digitization programs, generating efficiencies in a range of areas:

— Model testing. Some firms have been able to reduce the time it takes to perform testing during development by as much as 30 percent by applying standard model principles, a standard library of testing codes, automatic testing, and other techniques.

— Model validation. Banks have reduced the time it takes to validate and produce the associated report to comply with regulations and ensure business continuity, in some cases by as much as 65 percent. The key drivers of the savings are standardized tiering, automated test selection and testing by model type, and automated population of documents and reports.

— Model monitoring. A predefined monitoring pack built around a library of key performance indicators can reduce the time required to execute ongoing monitoring activities by as much as 35 percent.

— Data-quality standardization and automation. Banks can reduce the workload for data-quality testing for models by 20 to 40 percent. For both models in the pipeline and models being monitored, testing can use standard libraries. With machine-learning techniques and automation, banks can scan terabytes of data without human intervention. With only gray areas left to be addressed, the savings in time and effort are significant.

The streamlining and automation of model-related processes—from model development to validation, monitoring, and maintenance—is thus an MRM project integrated across the lines of defense.

Proactive MRM owned by all lines of defense is needed now—not only to meet new regulatory expectations but also to strengthen institutional resiliency in this crisis and the next. It is also needed to maintain and improve model efficiency. A redefined MRM framework will include all stakeholders and cover the entire model life cycle. The model inventory will be reshaped to better support the needs of the business. Standardized processes will provide the foundation for the use of advanced analytical and digital tools and progressive automation.

Banks have to do all this while maintaining high standards for MRM and regulatory compliance. A lot of ground must be covered in the coming months, and given the depth of the present crisis, banks should get started right away.

Frank Gerhard is an associate partner in McKinsey’s Stuttgart office; Pedro J. Silva is a consultant in the London office, where
Thomas Wallace is a partner; Maribel Tejada is a senior expert in the Paris office.

The authors wish to thank Pankaj Kumar for his contribution to this article.

Copyright © 2021 McKinsey & Company. All rights reserved.



Applying machine learning
in capital markets: Pricing,
valuation adjustments,
and market risk
By enhancing crisis-challenged financial models with machine-learning
techniques such as neural networks, banks can emerge stronger from
the present crisis.

This article was a collaborative effort by Juan Aristi Baquero, Akos Gyarmati, Marie-Paule Laurent,
Pedro J Silva, and Torsten Wegner, representing views from McKinsey’s Risk Practice.

When the COVID-19 outbreak became a global pandemic, the volatility of financial markets hit its highest level in more than a decade, amid pervasive uncertainty over the long-term economic impact. Calm has returned to markets in recent months, but volatility continues to trend above its long-term average. Amid persistent uncertainty, financial institutions are seeking to develop more advanced quantitative capabilities to support faster and more accurate decision making.

As financial markets gyrated in recent months, banks faced particular problems calculating value at risk (VAR) across asset classes. Many institutions experienced elevated levels of VAR back-testing exceptions, leading to higher regulatory-capital multipliers. Increases of as much as 30 percent were reported, prompting regulators to apply exemptions in some cases. There were also challenges with valuation adjustments, as derivatives faced snowballing collateral calls and increasing funding costs. Where credit-value-adjustment (CVA) risks were excluded from market risk models, CVA hedges sat “naked” on the balance sheet, leading to significant uplifts in exposures, and therefore in risk-weighted assets (RWAs). One large US dealer was hit with a loss of $950 million stemming from a valuation adjustment (XVA) in the first quarter of 2020. Elsewhere, rising gap risk in illiquid securities catalyzed painful fair-value losses—as high as $200 million in the case of a major Europe-based bank.

In an unpredictable environment, financial modelers were required to come up with solutions but were often stymied by inadequate models or the need for huge computational power that was not always available. Given the speed of response required, models in some cases were rendered unusable. The inevitable result was an increase in risk exposures and opacity from valuations, sometimes in absolute value and other times relating to the reason for specific model outputs.

An imperative to act
Since forecasting institutions expect the global economy to have contracted by about 5 percent in 2020, banks should aim to optimize their trading books and risk positions. This ambition requires more accurate and timely valuations. With those priorities in mind, more advanced models and sufficient computational power are imperatives. Indeed, “speed” is of the essence.

In response, some leading institutions have started to incorporate advanced techniques into their quantitative armories. In pricing, an area that has experienced a spike in recent activity, several banks are applying machine learning (ML) to enhance traditional models—for example, by calibrating parameters more efficiently. In particular, banks have used neural networks, a type of ML focused on nonlinear and complex data relationships. Advanced machine-learning techniques can do the following:

— speed up calculations, reducing operational costs and allowing real-time risk management of complex products

— animate more complex models that may currently be unusable in practice, and unlock more accurate valuations

— generate high volumes of synthetic but market-consistent data, helping, for example, to offset the disruptive impact of COVID-19-related market moves

One way to implement neural networks is to apply them to pricing, where they can “learn” how to price vanilla calibration instruments under a given (possibly complex) model, and then act as pricing engines for new model calibration. The approach obviates one of the most significant challenges associated with ML, which is parameter interpretability. In this case, there is no interpretability issue because the network uses the original model’s parameters. This means that there is no ML “black box,” and the key calibrated parameters can be interpreted in the original model’s context.

Neural networks can also support future-exposure modeling for valuation adjustments (Exhibit 1).

The network can be trained on established samples, such as those relating to the evolution of risk factors and corresponding cash flows for the products being modeled. The additional efficiency provided by the network makes for improved accuracy and faster processing (Exhibit 2). That saves banks from using time-consuming nested Monte Carlo approaches and less accurate analytical approximations or “least squares”—style regressions.



There are equally promising applications in real-time portfolio valuation, risk assessment, and margining.

Exhibit 1

Neural networks can support future-exposure modeling.

— Artificial intelligence: Intelligence exhibited by machines, mimicking cognitive functions that humans associate with other human minds; cognitive functions include all aspects of perceiving, reasoning, learning, and problem solving
— Machine learning: Major approach to realizing artificial intelligence by learning from and making data-driven predictions on data and experiences; categories include supervised learning, unsupervised learning, and reinforcement learning
— Deep learning and neural networks: Branch of machine learning where systems of algorithms, based on simulating connected neural units, mimic how neurons interact in brain; uses large-scale neural networks that can contain millions of simulated “neurons” structured in layers; successful in many different applications

Exhibit 2

Neural networks can enable fast and accurate exposure calculations.

Problem: Future-exposure modeling is main bottleneck in current valuation-adjustment models; portfolio-valuation and risk calculations must be fast, accurate, and consistent with FO¹-pricing models, but typical approaches fail to meet all 3 goals at same time

Solution: Neural-network approach proposed to achieve all 3 goals at same time:
1. Perform portfolio-valuation and risk calculations via neural networks
2. Train neural networks using simulated risk-factor paths and pathwise-evaluated cash flows—no extra cost to generate training sample
3. Use differential regularization to optimize accuracy for both pricing and risk while achieving fast training

[Grid rating two typical approaches, the nested Monte Carlo method and analytical approximations/LSM²-style regressions, on three criteria: fast, accurate, and consistent with FO-pricing models.]

¹ Front office.
² Least-squares method.
Source: Danske Bank SuperFly Analytics

Three steps to deepening ML engagement
Machine learning offers significant enhancement for conventional quantitative approaches, through its ability to interpolate across large data sets and streamline model calibration. Banks would benefit by deepening their ML engagement and testing new use cases. The uncertain macroeconomic environment should act as a catalyzer to this process and trigger banks to act. The emphasis initially should be on discrete applications rather than wholesale transformation. Use cases can later be extended and expanded across the business.

There is no blueprint for model development, and individual businesses must solve for their own pressing needs. However, the experience of early movers suggests that reliable options for establishing a track record encompass three key steps:

1. Identify quick wins
While ML can help to improve numerous calculation processes, it is more useful in some contexts than others. The task for decision makers is to identify potentially winning applications that will help create a positive track record. Likely candidates are models that consume large amounts of time or computing power. ML can both speed the work of these models and lay the groundwork for scaling their application. Among the applications that have begun to attract attention are valuations of level-3 assets, XVA calculations, profit-and-loss attributions (“P&L explains”), adaptations for Fundamental Review of the Trading Book (FRTB), and stress testing.

A “discovery phase” of an ML transformation could proceed as follows:

• Identify concrete cases based on accepted criteria, such as the complexity of models, exposure in books, or computational bottlenecks. For example, complex, hard-to-value derivatives such as structured callable trades could be good targets.

• Size the estimated impact and align various stakeholder groups.

• Create an action plan, including the effort and time required for implementing the identified use cases.

2. Build capabilities to embrace a culture enabled by machine learning
Machine learning has the potential to create significant efficiencies in a range of activities. However, financial institutions cannot maximize the ML opportunity without acquiring the necessary capabilities to build, maintain, and apply ML-enabled models. They must also take steps to help employees understand and exploit potential benefits so that ML is embedded in the culture of the organization.

This could be achieved by following through with the earlier approach and establishing and executing pilot programs to implement prioritized use cases. During these pilots, the following practices can be applied:

• build capabilities via learning on the job

• understand typical challenges and pitfalls and how to solve them

• acquire continuous feedback on how new applications can fit into the wider organization

3. Roll out at scale
Over time, sprints, prototypes, and quick wins will have accumulated sufficiently to create the conditions for a more sustained machine-learning rollout. Assuming a critical mass of use cases, quant teams should move to integrate ML into a wider range of activities. They may begin with the front office and extend into risk, finance, compliance, and research.

A plan to scale up the machine-learning program could include the following activities:

• strategic execution of identified priority use cases

• continuous exploration of additional areas where ML could be relevant, such as anti–money laundering, know your customer, or cybersecurity

• updating risk-management practices, such as model governance and risk assessment, to monitor and control new risks introduced by ML

Machine learning has the potential to enable institutions to do more in capital markets, to move faster, and to move with greater accuracy. The working conditions created during the pandemic have accelerated reliance on digital access and the data-driven environment. Given these factors, machine learning could easily begin to migrate into mainstream operations. With this in mind, firms must not delay in building their capabilities. They must experiment, develop use cases, and move quickly to the production of machine-learning-enhanced models. Those that create and execute a sensible implementation strategy are likely to emerge from the current crisis stronger, more assured of risk exposures, and better prepared for what lies ahead.

Juan Aristi Baquero is a partner in McKinsey’s New York office, Akos Gyarmati and Pedro J Silva are consultants in the
London office, Marie-Paule Laurent is a partner in the Brussels office, and Torsten Wegner is an associate partner in
the Berlin office.

Copyright © 2021 McKinsey & Company. All rights reserved.



Derisking digital
and analytics
transformations
While the benefits of digitization and advanced analytics are well
documented, the risk challenges often remain hidden.

by Jim Boehm and Joy Smith

A bank was in the midst of a digital transformation, and the early stages were going well. It had successfully transformed its development teams into agile squads, and leaders were thrilled with the resulting speed and productivity gains. But within weeks, leadership discovered that the software developers had been taking a process shortcut that left customer usernames and passwords vulnerable to being hacked. The transformation team fixed the issue, but then the bank experienced another kind of hack, which compromised the security of customer data. Some applications had been operating for weeks before errors were detected because no monitors were in place to identify security issues before deployment. This meant the bank did not know who might have had access to the sensitive customer data or how far and wide the data might have leaked. The problem was severe enough that it put the entire transformation at risk. The CEO threatened to end the initiative and return the teams to waterfall development if they couldn’t improve application-development security.

This bank’s experience is not rare. Companies in all industries are launching digital and analytics transformations to digitize services and processes, increase efficiency via agile and automation, improve customer engagement, and capitalize on new analytical tools. Yet most of these transformations are undertaken without any formal way to capture and manage the associated risks. Many projects have minimal controls designed into the new processes, underdeveloped change plans (or none at all), and often scant design input from security, privacy, and risk and legal teams. As a result, companies are creating hidden nonfinancial risks in cybersecurity, technical debt, advanced analytics, and operational resilience, among other areas. The COVID-19 pandemic and the measures employed to control it have only exacerbated the problem, forcing organizations to innovate on the fly to meet work-from-home and other digital requirements.

McKinsey recently surveyed 100 digital and analytics transformation leaders from companies across industries and around the globe to better understand the scope of the issue.¹ While the benefits of digitization and advanced analytics are well documented, the risk challenges often remain hidden. From our survey and subsequent interviews, several key findings emerged:

— Digital and analytics transformations are widely undertaken now by organizations in all sectors.

— Risk management has not kept pace with the proliferation of digital and analytics transformations—a gap is opening that can only be closed by risk innovation at scale.

— The COVID-19 pandemic environment has exacerbated the disparity between risk-management demands and existing capabilities.

— Most companies are unsure of how to manage digital risks; leading organizations have, however, defined organizational accountabilities and established a range of effective practices and tools.

McKinsey has developed approaches and capabilities to address the challenges implicit in these findings. They include a new four-step framework to define, operationalize, embed, and reinforce solutions; supporting methodologies to accelerate frontline teams’ risk-management effectiveness and efficiency; and a cloud-based diagnostic assessment and tracking tool. This tool is designed to help companies better identify, assess, mitigate, and measure the nonfinancial risks generated and exacerbated by digital and analytics transformations at both the enterprise and product level.

Fortunately, to take advantage of these approaches, most companies will not have to start from scratch. They can apply their existing enterprise-risk-management (ERM) infrastructures. This is typically used for financial and regulatory risks but can be modified to be more agile and adaptable to meet the risk-management demands of digital and analytics transformations.

The advantages of digital and analytics transformations are real but so are the risks (Exhibit 1).

By understanding the insights from our research and taking the approach outlined here, companies can achieve the value of digital and analytics transformations while also safeguarding their organizations and customers. Ultimately, companies can inspire more productive relationships among groups and foster a sustainable competitive advantage for the company by preserving the impact of their transformation activities for the long term.

¹ The McKinsey Global Survey on digital and analytics transformations in risk management, 2020. The 100 participants were a representative sample of companies from all geographic regions; nearly 89 percent have annual revenue of at least $1 billion. The companies spend, on average, 12 percent of their IT budgets on digital and analytics transformations.

A broad set of new (and expensive) risks
Most companies appear to do little about the nonfinancial risks generated and exacerbated by digital and analytics transformations. The scope of these risks is broad. Digital and analytics transformations are often deployed across organizations, involving many departments and third parties. Soft factors such as skills, mindsets, and ways of working, as well as hard factors such as technology, infrastructure, and data flow are all being changed at once during such a transformation.

Some traditional risks are more common to most projects—including those arising from budget and schedule overruns, talent (employees and

Exhibit 1
Digital and analytics transformations use machine intelligence, automation, and agile approaches to improve products and operations.

Approach to digital and analytics transformations
Transform the core business
Transformation model
Build a new business
Transform enterprise technology and analytics systems

Transformation domains
Multichannel customer experience: redesign and digitize top customer journeys end to end
Digital marketing and pricing: revenue management, promotions-dynamic B2B pricing, cross-selling and upselling
Sales digitization: digital sales, remote-selling effectiveness
New digital propositions: create new revenue streams by building digital propositions, using next-generation artificial-intelligence (AI) technologies to achieve cost savings
Supply chain and procurement: digitally redesign and manage operations to improve safety, delivery, and costs
Next-generation operations: drive step changes in efficiency through digitization, AI, advanced analytics, and agile lean approaches
Digital architecture: set up digital architecture combining application programming interfaces (APIs), microservices, and containers
Data transformation: unify data governance and architecture to enable next-generation analytics
Core-system modernization: achieve through refactoring or platform replacement
Cloud and DevOps: migrate applications to hybrid cloud and/or software as a service (SaaS) and implement software development and IT operations (DevOps)
Digital and analytics talent and capabilities: acquire new talent and build capabilities at scale



third parties, including contractors, suppliers, and partners), IT performance, and compliance and regulatory issues. Yet digital and analytics transformations also introduce new cyberrisks, data risks, and risks from artificial-intelligence (AI) applications. Digital and analytics initiatives require more detailed data to be collected from a wider range of sources. These data are then used in different parts of the organization to generate insights. The moving data create inherent risks in data availability, location, access, and privacy. Sources of risk to operational resilience include new IT services and migration to the cloud. Predictive analytical models could be biased or deviate from the original focus of the initiative exposing an organization to legal liability or reputational risk. If not handled appropriately, such risks can lead to expensive mistakes, regulatory penalties, and consumer backlash.

The business disruptions caused by the COVID-19 crisis have compounded these additional risk layers. In a sense, the pandemic has set off the largest wave of digital and analytics transformations in history, compressing transformations that would have taken years into a few hectic months (or even weeks), often with little advance planning. Most organizations had some security policies and training in place before the pandemic struck. Few, however, had established detailed policies or training on how to safely set up a remote work space or think through other risks associated with the rapid acquisition and deployment of new tools.

One oil and gas company, for example, had to divide its virtual private network to expand bandwidth so that all employees could have access to the corporate network from their homes. This caused slowdowns in patching on employee laptops, which exposed the company to vulnerabilities commonly exploited by attackers.

A telecom company allowed its call-center staff to work from home, but it left specific policies up to team managers. The result was that 30 percent of the staff was permitted to use unsecured personal devices to connect remotely, exposing the company to “bring your own device” attacks. Similarly, a bank found that employees were printing documents on their home printers, thus running corporate data through unsecured home routers, which are notoriously vulnerable to hackers. Another firm expressed concerns about employees having “smart home” listening devices that could record discussions during video calls in executives’ home offices.

Artificial intelligence is also poised to redefine how businesses work and is already unleashing the power of data across a range of crucial functions.² But the compliance and reputational risks of AI pose a challenge to traditional risk-management functions.

The different concerns have arisen from the rapid changes in the way we work now. Current risk-management capabilities are falling short in addressing them, since the risks are new and growing exponentially. A new risk-management approach is needed.

A snapshot of digital and analytics transformation risk management
The results of the McKinsey Global Survey permitted a holistic view of the risks facing digital and analytics transformations and how well companies are managing them. Several salient points emerged from participants’ transformation experiences.

Transformations are becoming commonplace across industries
Survey participants completed an average of six transformations in the past three years, with a range of objectives. More than 80 percent have implemented at least one end-to-end customer journey transformation, and 70 percent developed new digital propositions and ecosystems. Organizations are also changing their operating models to support the changes. Approximately 80 percent of companies intend to shift up to

² Juan Aristi Baquero, Roger Burkhardt, Arvind Govindarajan, and Thomas Wallace, “Derisking AI by design: How to build risk management into AI development,” August 2020, McKinsey.com.



30 teams to work in agile ways in the next three years; the remaining 20 percent are shifting more than 30 teams to agile. This means, of course, that 100 percent of the 100 companies we surveyed intend to adopt or scale agile in the coming years. If done well, this is very good news for risk managers, given the inherent risk-mitigating structures and culture of early identification and remediation of defects inherent in well-implemented agile teams.

Risk management is not keeping pace
Companies’ risk-management capabilities are lagging behind their transformation efforts. Organizations are transforming far more frequently than they are updating their risk frameworks to include new and exacerbated risks, and risk and legal professionals often operate in separate siloes. Hence, the risk infrastructure is not keeping pace with the innovation. Overall, most respondents assess their risk-management maturity as average, but more than 75 percent have not conducted a formal, holistic risk assessment for half of their digital and analytics transformations. Surprisingly, 14 percent have never formally assessed the risks for these initiatives—a big oversight for established companies.

Companies are unsure of how to manage digital risks
Unlike for financial risk management, in which companies tend to have established roles and processes (such as model risk management), companies in our survey do not have established roles, processes, or even consolidated understanding of digital and analytics risk drivers. The biggest challenge leaders say they face in managing digital and analytics risks is simply identifying them. The challenge gives credence to the maxim, “You cannot manage what you do not measure.”

Notably, the results show virtually no relationship between IT spending levels and overall risk-management maturity for digital and analytics transformations. Simply put, the challenges are not solved by budget size (Exhibit 2).

Exhibit 2
Risk-management maturity in digital and analytics is not related to IT spending.
Average reported risk-management maturity by IT budget, scale 1–5¹ (horizontal axis: IT budget, $ million, in bands from 0–200 to 1,800+)
¹ Question: At a company like yours, how mature are digital and analytics risk-management capabilities? Companies rated their risk-management capabilities from 1 to 5, with 5 representing the most advanced in effectiveness and efficiency.
Source: McKinsey Global Survey on Digital and Analytics Transformations in Risk Management, 2020



Roles and responsibilities are insufficiently clear
Survey participants show little agreement on where responsibility should lie for addressing digital and analytics transformation risks. For almost all respondents, the chief information or chief data officer leads digital and analytics transformation activities; participants do not align, however, on the lead for identifying and mitigating the associated risks. For more than 40 percent of respondents, the task falls to the digital and analytics transformation leads themselves. Unfortunately, these individuals often lack a detailed understanding of embedded risk factors and are given incentives to “get the transformation done.” Even for those individuals who do focus on risk management, responsibilities are perceived as ancillary and less of a priority than project completion.

Leading companies apply a range of effective practices and tools to manage risks
Companies in our survey with the highest risk-management maturity are more comfortable with managing digital and analytics transformations. These companies are more likely to centralize or automate their risk-management functions, and they report using an array of practices and tools to identify and reduce the risks of their digital and analytics transformations (Exhibit 3).

Here are the most relevant approaches leaders cite:

— Reengineering processes and retraining employees. Respectively, 74 and 69 percent of respondents across industries and regions cite these practices, making them the most

Exhibit 3
Companies with higher risk-management maturity use several transformation practices and tools to manage risks.
Reported use of transformation practices by risk-management maturity level,¹ % of respondents
Practices shown: Retrain personnel; Automate processes; New tools; Reengineer processes; Redesign organization; Did not use tools
Series shown: risk-management maturity level 5, 4, 3, 1–2, and average
¹ Question: At a company like yours, how mature are digital and analytics risk-management capabilities? Companies rated their risk-management capabilities from 1 to 5, with 5 representing the most advanced in effectiveness and efficiency.
Question: What levers would a company like yours use to identify and reconcile risks associated with digital and analytic transformations?
Source: McKinsey Global Survey on Digital and Analytics Transformations in Risk Management, 2020



popular for managing digital and analytics transformation. These practices are especially important for agile ways of working. When implemented well, they can be critical to derisking technology using agile methodologies. The agile approach permits companies to automate, create new organizations, or deploy new tools with less effort, and has early identification and remediation of defects inherent in its culture.

— Formal risk assessments. Companies do not conduct these assessments as broadly as necessary; however, companies that do conduct them report an increase of 75 percent in their understanding of risks from digital and analytics transformations. Formal risk assessments also correlate to higher comfort levels in managing those risks (+47 percent), and greater risk-management maturity (+33 percent).

— Automated feedback loops. The risk-maturity scores of companies that have them are more than 30 percent above the average.

— Centralization. Companies with the highest risk-management scores are more likely to track digital and analytics risks in a single, centralized source, rather than several sources.

Pain points in managing digital and analytics transformation risks
Survey participants also describe their biggest pain points in identifying and mitigating risks.

Understanding risks
The top concern, which 48 percent of respondents cite, was simply understanding the risks associated with digital and analytics transformations (Exhibit 4). Many transformation leaders are essentially flying

Exhibit 4
The top risk-management pain point is in understanding the risks generated by a digital and analytics transformation.
Reported risk-management pain points,¹ % of respondents
Legend categories: Issue with understanding risks and accountability; Difficulty managing changes; Lack of sponsorship; Problems with tools

Difficulty understanding risks generated by transformation: 48
Not enough executive/stakeholder sponsorship or buy-in: 32
Difficulty managing many teams making decisions at speed: 26
Lack of overall view of enterprise-wide or function-wide risks: 22
Difficulty training whole organization on new practices: 19
Unclear or no end-to-end accountability of risk management: 16
Lack of tools or tool standardization: 13
Difficulty managing changing regulatory requirements: 11
Risk management slows down business processes: 11
No clear management standards for nonfinancial risks: 9
Lack of risk-organization involvement early in development process: 9
Exposure of sensitive data due to transformation changes: 9

¹ Question: In your most recent digital and agile projects, what were the top five risk-management pain points?
Source: McKinsey Global Survey on Digital and Analytics Transformations in Risk Management, 2020



blind: risk ownership is not clear, the complex and changing technology and regulatory environments are not well deciphered, and design and test plans do not consider risks early enough in the process. Unlike financial risks, nonfinancial risks are hard to benchmark, and there is no one standard to manage them.

Managing changes at speed
Digital and analytics transformations are often delivered rapidly through agile and other methodologies. If traditional risk-management practices are not also transformed along with the new ways of working, they can introduce delays that threaten ambitious timelines. In some cases, even complying with new policies can create problems due to unforeseen interdependencies. For example, a North American distributor launched an analytics transformation and, during the implementation phase, also established a new information security policy. Suddenly, all work on the transformation was subject to the new policy—which meant that data had to be logged daily, maintained in the cloud, and removed after 30 days. Because of these changes in data-handling processes, the transformation was delayed by four weeks, triggering a loss of more than $20 million—a financial risk directly connected to a new digital way of working. Risk management should be designed, implemented, and supported to keep pace with digital and analytics transformation teams and avoid these and other similar risks.

Accessing resources
Nearly one-third of respondents cite a lack of sponsorship or buy-in from executives or other stakeholders in prioritizing risk-identification and management activities. Generating short-term revenue is prioritized over managing embedded risks. The latter, of course, is critical to preserving long-term value. More than half of participants face resource limitations when improving risk management with needed talent and capacity. Companies also struggle in putting the right tools and processes in place. For example, some organizations still manage digital and analytics transformation risks manually using an array of spreadsheets. Even those that apply more advanced tools do not do so consistently across organizational boundaries.

Overcoming operational limitations
In digital and analytics transformations, the whole organization must be trained to work in new ways (such as the agile approach) and be vigilant about mitigating new risks. One common goal of digital and analytics transformations is to better serve end users, who are often the weakest link in a risk-management chain. Low risk-awareness can expose the enterprise to significant risks associated with the new digital and analytics tools and processes. Risks may even be generated by the front line through user errors, where, for example, cloud buckets have been misconfigured or access rights have been wrongly granted.

IT infrastructure can be a source of operational constraints as well. Digital and analytics transformations deploy new systems and decommission legacy systems, yet organizations sometimes lack adequate training and experience to manage patches and vulnerabilities of the new systems. Legacy systems, if not decommissioned properly, may additionally leave vulnerabilities that malicious actors can later exploit. For example, a company implemented a piece of hardware in a data center for research purposes but did not include the device in regular production-patching cycles. After a vulnerability was exploited on the device, malware spread across the whole data center, causing a loss of data and rendering the system unavailable. Cloud migrations can mitigate or even eliminate many of these risk types, but only if the cloud migration is done properly with security as a part of its core.

A framework for digital and analytics transformations
The risks engendered in a digital and analytics transformation may be different from those that companies normally face—or they may be traditional risks that happen with extraordinary frequency and potential for significant impact. Fortunately, most companies already have a foundation in place to begin addressing these risks: their existing enterprise-risk-management infrastructure, which is used for financial and regulatory risks. Enterprise risk management typically consists of several common activities, including the following:



— defining a mature enterprise-risk framework

— developing an effective risk governance with taxonomy, risk appetite, reporting, and key risk indicators

— building a risk organization and operating model (including the three lines of defense, where relevant) and assembling the needed resources and talent

— establishing risk-management processes

— creating a risk culture

These activities are critically important to digital and analytics transformations. They must be transformed alongside digital and analytics teams, however. This is because risk management will have to keep pace with the rapidly changing digital-risk landscape to continue mitigating risks but avoid slowing down the business. Our framework makes it easier for organizations to do this. It consists of four steps that define, operationalize, embed, and reinforce the elements of the transformation. The framework fosters a dynamic approach, helping adapt the existing ERM infrastructure for an increasing flow of risk-mitigating information and actions. Within the framework, organizations design transformation activities and make appropriate interventions. The framework is updated as the activities change ways of working, risk appetites, risk exposure, and talent needs (Exhibit 5).

— Define: In the first step, organizations apply the technology-specific elements of their existing risk-management framework—in place to address traditional categories such as financial and regulatory risk—to the transformation scenario. Organizations without an ERM framework in place will need to start there, ideally creating one with a transformation-specific framework to address digital and analytics risks. The objective is to articulate risks and

Exhibit 5
Successful digital and analytics transformations need a tailored framework to keep pace with a rapidly changing digital-risk landscape.

Current state
Cumbersome risk and compliance reviews lead to frequent delay of product launches
Challenges from second line are perceived as convoluted and do not always lead to clear set of actions for front line
Inadequate tools for risk identification, resulting in a lack of appropriate transparency and guardrails

Transformed state: digital and analytics risk-management framework
1 Define: articulate risks and hypothetical solutions for a given data and analytics transformation (via diagnostic risk assessment, interviews, review of metrics)
2 Operationalize: convert solution hypotheses into action; controls tie directly to risks, and control program is tracked with both effectiveness and efficiency metrics
3 Embed: drive efficient risk management through transformed operating model, organization design, processes, and governance
4 Reinforce: strengthen and scale risk-management ways of working through cultural and talent changes



hypothesize potential solutions through a relevant risk matrix with a clear taxonomy, defined risk owners, available controls and resources, and a governance structure for the initiative.

— Operationalize: In the second step, transformation leaders work with risk subject-matter experts or a risk center of excellence to convert risk-management hypotheses into solutions. Specific actions could include introducing software and data controls, validating algorithmic models, implementing systems and infrastructure patching, teaching frontline technologists relevant cybersecurity practices, and validating product resilience through defect and unit testing. As a part of this step, teams also start generating risk reports based on clearly defined metrics such as key risk indicators and key performance indicators that critically measure not only risk effectiveness but risk-management efficiency as well.

— Embed: This step is designed to embed the lessons from risk management—including testing results, risk assessments, incident reports, and performance measurement—into existing control implementation operating models, processes, governance, and, if needed, organizational design. In this step, new derisking initiatives are generated based on these lessons. Frontline colleagues in the transformation team and in units being transformed are fully trained on risk awareness, identification, and mitigation.

— Reinforce: In this final step in the cycle, transformation teams strengthen and scale risk-mitigation practices by entrenching these practices in talent management and culture change. They also feed critical insights, learnings, and new risks back to core risk teams to update risk infrastructure as needed and pull inputs and feedback back into the “define” step. This keeps risk management, mitigation, and performance current with transformation activities.

Benefits of the framework and transformation roles
The framework enables companies to manage the risks of a digital and analytics transformation systematically, so that it keeps pace with an organization’s innovation. It incorporates lessons from the front line to improve the conceptual matrix and adjusts risk-management methods along the transformation journey. It meshes with agile working models to enable better risk management, encourages collaboration, and fosters an enhanced risk culture.

Companies have already seen significant risk-mitigation effectiveness and risk-management efficiency benefits from taking this approach. Although in its early stages, the approach promises to yield further benefits to risk managers and transformation teams (Exhibit 6).

To support the framework and put its approach into practice, companies will need to also define these roles and responsibilities for digital and analytics transformation risks:

— Digital and analytics transformation lead: This lead is accountable for delivering the digital and analytics transformation activities.

— Digital and analytics transformation-risk owner: This role is responsible for all transformation risks.

— Transformation working teams: These groups typically work in agile squads, with risk-management resources assigned.

— Transformation-product customers: These are end users of the transformed products, services, and features; the changes here may affect transformation-risk appetite and risk posture.



Exhibit 6
Improved technology-risk management better mitigates risk while significantly increasing efficiency and reducing costs.
Reductions from improved technology-risk governance and management, range, %
Categories shown: Number of risk-related technology defects; Cost reduction from fewer risk-related technology defects; Number of technology-risk-related processes; Cost reduction from fewer technology-risk-related processes
Chart values: –40, –45, –75, –85, –90, –90, –90, –97

— Enterprise-risk-management and control partner organizations: Transformation-risk leads will work closely with the enterprise-risk-management group and individual control partner groups to ensure transformation risks are accounted for at the enterprise level, and enterprise risks are considered at the transformation level.

— Transformation-risk manager: Risk managers specialize in change risks and risks arising in digital and analytics transformations. They work closely with transformation teams on the front line and take part in designing risk controls from the early planning phases of the transformation.

— Transformation sponsors: The sponsors of the overall transformation should be on board during the entire change process.

In most cases, defining such roles will not require adding head count. Companies have found that existing team members are ready and eager to take on these responsibilities. They may need some training to become fully effective, but generally most team members are motivated to take on such training simply because they know about the risks being generated or exacerbated in transformation activities.

Finally, companies will have to raise awareness of digital and analytics risks in the organization, including with the executive team and board. Likewise, they must adequately incorporate digital and analytics risk management into their formal risk-governance models (see sidebar, “Snapshot of a successful transformation”).



Snapshot of a successful transformation

What does successful risk management in a digital transformation look like? One bank successfully integrated risk controls into its digital transformation through a systematic approach. A number of aspects in its approach stand out.

The bank clearly defines all roles and responsibilities, accountabilities, and oversight related to digital and analytics risk management and creates a governance model across the lines of defense. Risk generalists are involved early in design processes—even sitting with agile development teams as necessary. Those leading the project conduct a formal risk assessment to identify and mitigate risks using a best-of-breed risk-management tool that covers different risk taxonomies. That tool digitally feeds derisking interventions into the work-management software backlogs of product teams. Risk interventions then are pulled forward into product-team sprints as capabilities and features in and of themselves that enhance the product and extend its impact.

A risk and cybersecurity resource is integrated into the transformation-delivery hub to ensure that risk is always part of the conversation and that all risks are tracked with a single source. Competencies, skills, and qualifications are clearly defined for each risk-management role to inform the requirement needed to build and retain a strong risk-management talent pool.

In this bank example, risk management is deeply embedded in all phases of product development, including product road map planning, business review, release planning, and deployment. Other companies implementing digital and analytics transformations should consider adopting a similar model.

In the current business environment, digital and analytics transformations are core to success. If transformations go forward without the right risk-management approach, however, companies simply trade one set of problems for another, potentially larger, set. As digital and analytics capabilities become more pervasive, the companies that will capture the most long-term value from their digital and analytics transformations are those that manage to accomplish their target objectives while also systematically identifying, understanding, and mitigating the associated risks.

Jim Boehm is a partner in McKinsey’s Washington, DC, office, and Joy Smith is an expert in the Philadelphia office.

The authors wish to thank Liz Grennan, Arun Gundurao, Grace Hao, Kathleen Li, and Olivia White for their contributions to
this article.

Copyright © 2021 McKinsey & Company. All rights reserved.



Risk & Resilience Practice leadership

Cindy Levy: Global
Fritz Nauck: Americas
Maria del Mar Martinez: Europe
Gabriel Vigo: Asia
Gökhan Sari: Eastern Europe, Middle East, North Africa
Kevin Buehler: Risk Dynamics, Cyberrisk
Marco Piccitto: Risk People
Luca Pancaldi, Olivia White: Risk Knowledge
Thomas Poppensieker: Corporate Risk; chair, Risk & Resilience Editorial Board

In this issue
The emerging resilients: Achieving ‘escape velocity’
Resilience in a crisis: An interview with Professor Edward I. Altman
Meeting the future: Dynamic risk management for uncertain times
A fast-track risk-management transformation to counter the COVID-19 crisis
Strengthening institutional risk and integrity culture
When nothing is normal: Managing in extreme uncertainty
A unique time for chief risk officers in insurance
The disaster you could have stopped: Preparing for extraordinary risks
How the voluntary carbon market can help address climate change
Derisking AI by design: How to build risk management into AI development
The next S-curve in model risk management
Applying machine learning in capital markets: Pricing, valuation adjustments, and market risk
Derisking digital and analytics transformations

This McKinsey Global Publication meets the Forest Stewardship Council® (FSC®) chain-of-custody standards. The paper used in this publication is certified as being produced in an environmentally responsible, socially beneficial, and economically viable way.
Printed in the United States of America

January 2021
Designed by McKinsey Global Publishing
Copyright © McKinsey & Company
McKinsey.com
