
Key considerations for modernizing CRO architecture

The evolving role of the CRO in the current macro-economic environment is forcing financial institutions to redesign the business and technology architecture under the CRO umbrella.


The changing business environment for financial institutions is forcing the role of the Chief Risk Officer to change from risk controller to business partner. Supporting this shift also requires changes to the business and IT architecture under the CRO umbrella. In this article we give our views on the key drivers of CRO IT architecture change, the key functional areas requiring IT system change, the key principles of modernizing CRO IT architecture, and technology considerations for the risk architecture transformation.



The role of the Chief Risk Officer has evolved from guardian of risk to partner of growth in the digital universe, predicting future outcomes of business decisions based on macroeconomic assumptions. In today's VUCA world, senior risk officers are increasingly partnering in new businesses and helping traditional banks reshape their business models in order to compete with emerging threats like fintech and big tech banks. On top of that, today's CROs face a triple challenge: increased regulatory expectations, increased pressure on the balance sheet due to credit quality deterioration in a stagflation economy, and pressure to reduce operational cost. To meet these challenges, the IT architecture under the chief risk office should take a multidisciplinary approach, not only to face the current challenges but also to be flexible enough to evolve quickly and economically to meet any future challenge.


Key drivers of change:

We believe the following key drivers are reshaping the business and IT architecture under the CRO umbrella.

Macro-economy and business model: High inflation, high interest rates and supply chain disruptions due to geopolitical tensions are driving business model change for banks.

Supervisors and regulators: New regulatory requirements (e.g. SRB related reporting, ESG reporting and integration in business decisions, CSRB and digital operations act like DORA) and pressure on BAU processes to generate ad-hoc reports are driving IT changes. We also see heightened scrutiny in some of the existing areas like overall data management, loan monitoring etc. questioning the efficiency of the current processes.

New competition: The emergence of fintech and big tech banks in the last few years has changed the competitive landscape of banking and financial institutions. Traditional banks need a complete overhaul of business models, supported by IT systems, in order to withstand this competitive threat.

Customer expectations: The expectations of Gen Z in this digital world, with the emergence of wearable technologies, are forcing banks to rethink how they deliver services to customers.

Persisting fragmented and non-harmonised IT landscapes, with negative consequences for data aggregation and reporting, compounded by slow progress with the remediation programmes drawn up over recent years. This is continuing to hamper the ability of banks to swiftly produce accurate non-standardised reports.


Key functional areas under the CRO umbrella requiring IT change:

For the purpose of this discussion we have classified major risk types managed by CROs as traditional financial risk functions, traditional non-financial risk functions, and emerging risk areas. The following table shows probability of change per risk functions due to external factors.

Key principles for modernizing CRO architecture:

Changing business needs are forcing banks to adopt a technology architecture which can meet current business needs and is flexible enough to adapt to future needs quickly and economically. We consider the following principles important for modernizing the IT architecture under the CRO umbrella of a bank:

  1. Performant data platforms with built-in resiliency and redundancy: In today's world of uncertainty, resiliency and redundancy of data platforms are of utmost importance to maintain business continuity despite unexpected disruptions like cyber-attacks. Data redundancy is required for backup and recovery; however, unplanned redundancy will hamper the performance of the database.
  2. Loose coupling of systems: Loose coupling is an architectural principle designed to achieve service-oriented architecture. A loosely coupled architecture is simple to understand: changing one component does not require understanding or changing the other components of the architecture. Banks are increasingly adopting loosely coupled, microservices-based architecture while modernizing their mainframe-based legacy systems (e.g., credit risk systems).
  3. Event-driven architectures: An event-driven architecture is an architectural pattern that transmits event change information among loosely coupled components. This is a very effective architecture for cases where related activities can be performed in parallel rather than in sequence, e.g. EWS.
  4. Leverage open-source technologies and vendor products: The ability to leverage open-source technologies and vendor products helps in fostering innovation. Open-source technologies like Python packages for various analytics allow quick development. Vendor products which are already developed for different purposes (e.g. ALM tool, IFRS 9 calculations, regulatory report generators) help to launch the service in a short time and in many cases in a cost-effective way. Vendor consolidation helps to integrate different tasks under the same value stream (e.g., risk calculation, stress testing and reporting under the same umbrella).
  5. Business user self-service capability: An appropriate level of business user self-service capability enables ad hoc analysis that the business user can do without going through the IT change process, which has a longer turnaround time. For example, a dashboarding tool where business users can create ad hoc reports and analyses without a change in the data model gives business users a powerful capability.
  6. Flexible cost structure and scalability of technology landscape: A flexible cost structure, where cost is incurred based on the complexity and duration of the calculation, encourages the institution to perform different analyses without overrunning the budget. Scalability of the model provides the freedom to start small and in a modular way, and then scale up while realizing the benefits of the already implemented solution.

Technology consideration for risk architecture transformation:

Based on the above principles, we believe the following technology themes will lead the risk architecture transformation in the coming days.

  1. Automation through RPA: With increased cost pressure in the current macroeconomic scenario, we believe RPA will help banks to perform many tasks with reduced human intervention and, more importantly, without the investment required for structural IT system development. RPA is a cost-effective and (to some extent) scalable way to reduce operational risk. RPA can be used for faster credit assessment, operational efficiency in report generation and automation of other risk management processes.
  2. Data platform modernization: Even though BCBS 239 was launched many years ago, banks are still struggling and receiving comments from regulators for poor data quality and inability to produce ad hoc reports. On top of that, the increasing need to use huge amounts of structured and unstructured data for different analytics and forecasting purposes (e.g., news sentiment analysis for EWS) is forcing banks to re-assess their current data platforms and data governance. Regulatory semantic data models like BIRD are catching the attention of banks. Commonalities of data (e.g. Anacredit and SRB valuation data) should be considered to avoid reconciliation issues. Along with data warehouses and data lakes, newer concepts like data mesh and data fabric are gaining popularity as a way to remove bottlenecks from the central data team. Data mesh helps to decentralize data ownership to domain teams and treats data as a product.
  3. Cloud: On-demand scalability is a big advantage of cloud services that helps to manage huge data volumes and run complex AI/ML-driven predictive calculations in a cost-effective way. Heavy calculations like multiple-scenario stress testing, which is run only a limited number of times in a year (e.g. once in a quarter or on an ad hoc basis), can be done without allocating huge on-premise resources full time. The low-code platforms offered by cloud service providers enable quick development and foster innovation. Models for customer analytics or analysis of unstructured data can be quickly deployed in the cloud. Increasing database size is handled easily in cloud storage, along with optimized data resiliency and redundancy.
  4. API and shared services: APIs (both internal and external) and shared services help in following the loosely coupled architectural principle. APIs can help in using external credit scores, API-based KYC, payment data analysis and climate data. Usage of a model library and a common data model servicing multiple reports with data commonalities are examples of shared services.
  5. AI/ML: The use of AI/ML-driven models in financial services will increase, as in all other industries. AI/ML models are already heavily used in AML, customer analytics and predictive models. Now AI/ML models can be used for regulatory capital calculations also. AI/ML models can also be used for making sense of unstructured data for credit monitoring. However, the increased use of AI models will also increase the importance of AI explainability to avoid the black-box conundrum and maintain transparency.

Some key areas to focus:

Early Warning system for Loan Monitoring

The early warning system (EWS) for loan monitoring has remained a compliance report for many banks for the last few years, without creating any real business value. But modernizing EWS is gaining popularity due to the current macro-economic scenario. Key questions often discussed:

  • How to incorporate unstructured data sources (e.g. news sentiment, customer feedback)?
  • How to overcome the operational challenges of maintaining a good balance of false positives and false negatives?

Recovery and Resolution Planning reports

Banks are now preparing for the new datasets (bail-in data, valuation data set) required by SRB. Key considerations:

  • How to extend current LDR data to create the bail-in dataset?
  • How to create the valuation dataset from multiple domains (e.g., LGD as per IFRS 9 and LGD as per CRR for the same credit)?
  • How to meet the non-functional requirement of generating the reports within 24 hours?

Reporting infrastructure Modernisation

Generating regulatory reports covering risk and finance without data quality issues is a major concern for many banks. Key discussion points in this area are:

  • How to distribute data ownership and manage DQ issues?
  • How to produce good quality regulatory reports on time?



Choosing the right systems for modernization under the umbrella of the chief risk officer will depend on the maturity of each system and its business priority. For example, data management systems are not mature enough at most banks and are still drawing regulatory attention. Systems for fraud detection have been in use for quite some time but cannot be considered high maturity, as they need to be constantly adapted to cope with the newer tricks used by perpetrators. The importance and urgency of a system transformation depend on regulatory deadlines, as in the case of SRB and ESG reports. Business implications can make a use case rise on the priority list for modernization. E.g., the early warning system for loan monitoring is gaining importance because of the current macroeconomic scenario. An agile business process and modern system architecture will help the CRO to protect the bank from known risks, face emerging threats and adapt quickly when faced with unknown challenges.


AI/ML – Artificial Intelligence and Machine Learning
BAU – Business as usual
CRO – Chief Risk Officer
DORA – Digital Operational Resilience Act
DQ – Data Quality
ECB – European Central Bank
ESG – Environment Social and Governance
EWS – Early Warning Signal
SRB – Single Resolution Board
VUCA – Volatile, uncertain, complex, and ambiguous