The need to align risk and strategy has intensified amid global shocks that have reshaped the operating landscape for companies across all sectors. Many risks now materialise seemingly overnight—from leaps in AI to successive geopolitical events—triggering cascading impacts with unexpected outcomes.

We call this the NAVI world, defined by risks that are:

• Nonlinear: triggering sudden tipping points
• Accelerated: demanding faster responses
• Volatile: testing agility with frequent shifts
• Interconnected: creating complex downstream effects

Our 2025 EY Global Risk Transformation study—based on interviews and survey responses from 1,200 risk professionals spanning 21 sectors and 12 countries, including 85 banking and capital markets firms (65% with more than $100bn in assets)—identified firms that appear to have cracked the code for navigating turbulence. These firms are half as likely to be surprised by external shocks and a third better at swiftly identifying incidents and mounting a rapid response. These firms are led by “risk strategists”—leaders who integrate risk with strategy and approach uncertainty with a different mindset.

This matters for banks and their boards as much as it does for those in other sectors. According to the 2024 EY/IIF Global Bank Risk Management Survey, cybersecurity remains the top priority for CROs (73%) and boards (72%), with operational resilience second. Geopolitical risk has surged from 12th to a top-three concern. Each of these risk themes share the NAVI characteristics identified in our study.

Firms that embed risk into strategy are better able to unlock both resilience and growth in this environment. Here are five actions to start now:

1. Define a vision and create a roadmap

A shared vision is the foundation of risk transformation. Leading banks are aligning risk and strategy through collaboration between risk leaders and senior executives. In today’s volatile environment, agility matters more than certainty. Some decisions can wait for more data; others must be made and refined over time.

Banks should prioritise ‘no-regret’ investments—those that strengthen financial and operational resilience, reporting accuracy and incident response, regardless of macro conditions. This includes uplifting risk-data quality, hardening cyber and tech recovery capabilities, and expanding stress testing as interconnected financial and non-financial risks manifest and evolve. External partnerships can help close capability gaps, accelerate response and scale efficiently. Embedding the risk vision into strategic and business plans helps guide boards and senior management on turning uncertainty into advantage.

2. Initiate cultural change

Culture drives transformation. While building a strong risk culture takes time, early visible actions set the tone. Risk strategist-led institutions are shifting the narrative from only focusing on risk avoidance to embracing intelligent risk-taking—and from compliance-only thinking to viewing risk as a driver of strategic value. Sharing examples where risk insights improved business decisions reinforces the shift. “Lessons learned” conversations on risk management performance should not just focus on where things went wrong—they should celebrate where things went right as well.

Creating space for challenge and early escalation is critical. Institutions can signal that intelligent risk-taking is evidenced by timely identification, documented challenge and clear outcomes from scenario exercises. Making it safe to question assumptions—and empowering teams through senior management-sponsored scenario planning—embeds resilience into day-to-day business operations.

3. Use incentives and metrics strategically

Metrics and incentives are powerful levers for change, but only when aligned to meaningful outcomes. Banks are setting aside innovation budgets to test new risk methodologies and digital tools as part of a broader shift toward learning-led performance. Risk frameworks are increasingly looked to not just to avoid losses, but for how they enable smart business growth.

Embedding risk metrics into management dashboards—not just within risk reports—ensures that risk vision shapes capital, strategic and technology transformation decisions. When metrics reflect risk’s contribution to financial resilience, compliance and sustainable growth, they become a catalyst for long-term value.

4. Prepare for technology adoption

Emerging technologies—especially AI—are reshaping risk management. According to the EY/IIF survey, CROs are already using AI, including generative AI, to identify, assess and report on operational fraud (59%), compliance (44%) and credit (40%) risks.

Bank risk functions are also critical to guiding on broader responsible adoption of AI across financial institutions. Risk serves as a key partner to the business where AI deployments are authorised where model risk controls and data lineage are verifiably in place, with formal validation and post-implementation monitoring. Responsible AI adoption also requires closing the training-data visibility gaps flagged by many risk teams and addressing the top enabler of AI success: data quality. With data quality remaining the most cited data-usage risk for banks, governance is a prerequisite for scaling AI with confidence.

Many leading organisations seek early engagement of key stakeholders on responsible AI planning—enhancing alignment and reducing execution risks.

5. Find and foster the people who drive success

Even with powerful technology, risk transformation is a human endeavour. Banks are targeting a new skills mix: combining generative AI-oriented digital acumen, adaptability to a shifting risk environment, and deep domain expertise in specific risk stripes such as credit or cyber. Many plans measured growth in both first- and second-line risk teams over the next three years. Rotations are also being used to build bank-fluent risk professionals and risk-fluent bankers.

Attracting and developing this talent means broadening recruitment and upskilling strategies. Banks are looking beyond traditional profiles to bring in individuals with financial acumen, curiosity and strategic thinking—especially from data science, analytics and strategy backgrounds. Training risk professionals to speak the language of business, and embedding them in revenue-generating units, integrates risk thinking enterprise-wide.

Transformation must be human-centric. That means listening to employee concerns, communicating transparently, and empowering teams with clear roles, continuous learning and decision-making authority.

Becoming a risk strategist is, above all, a human endeavour—one that depends on the collective commitment of the entire organisation.

Thomas Campanile is global and Americas financial services risk consulting leader at EY.