    Published January 8, 2026
    Updated January 8, 2026
    22 min read

    ERM in Financial Services: Common Challenges

    Examines the top ERM challenges for financial firms—cultural resistance, talent gaps, regulatory complexity, tech and data limits—and practical steps to address them.

    Todd Larsen

    Co-founder & CTO

    Enterprise Risk Management (ERM) is no longer optional for financial institutions. The modern risk landscape is complex, blending threats like cybersecurity, regulatory changes, and sustainability demands. While 54% of financial institutions report having integrated ERM programs, many still face critical challenges that limit their effectiveness. Here's what you need to know:

    • Top Challenges: Resistance to change, lack of skilled talent, regulatory pressures, outdated technology, and siloed departments.
    • Key Insights:
      • 33% of financial institutions feel their ERM systems lack resilience.
      • 60% admit their risk tracking is informal and unstructured.
      • Only 36% have more than five employees dedicated to ERM.
    • Solutions: Building risk-aware teams, investing in training, aligning ERM with compliance, adopting modern technology, and integrating data across departments.

    ERM isn't just about compliance - it's about protecting assets, ensuring continuity, and aligning risk with long-term goals. Addressing these challenges can help financial institutions strengthen their risk management frameworks and improve decision-making.

    Enterprise Risk Management Challenges in Financial Services: Key Statistics

    Challenge 1: Resistance to Change and Cultural Barriers

    Why Organizations Resist Change

    When it comes to adopting Enterprise Risk Management (ERM), the toughest hurdle isn’t about technology or regulations - it’s about people. Financial institutions often operate in silos, with departments guarding their own risk data instead of sharing it across teams or with leadership [4]. This siloed mentality creates comfort zones that are hard to break.

    Many organizations are still tied to outdated models focused solely on traditional financial risks like credit and liquidity. These models often overlook broader, interconnected risks such as geopolitical shifts, cyber threats, and environmental concerns [2]. Worse, ERM is often misunderstood as just a compliance checkbox rather than a strategic tool. Shockingly, 60% of organizations admit their risk tracking is informal and unstructured [7].

    Operational pressures also play a big role. When immediate tasks take priority, long-term ERM initiatives are often pushed aside [4]. On top of that, 26% of respondents feel that standard ERM frameworks are overly complex [7]. To truly unlock the potential of ERM, organizations need to address these human and cultural barriers and shift their mindset from compliance to strategy.

    Building a Risk-Aware Culture

    To overcome resistance, financial institutions need to rethink how they approach risk management. The key is to make risk management a shared responsibility across the organization, not just the job of a specialized team. This starts with creating a common risk language - a standardized set of terms and processes that ensures everyone is aligned and working from the same playbook [1].

    Leadership commitment is crucial. For instance, the Board of Directors should formally approve the organization’s risk appetite statement, signaling a top-down dedication to risk management [4]. It’s also essential to elevate the role of the Chief Risk Officer (CRO), positioning them as an equal partner to other business leaders rather than a subordinate function. Alarmingly, 25% of institutions report that their risk teams’ perspectives are often overridden by other departments [8].

    Risk management should be woven into the fabric of an organization’s strategy. As Boston Consulting Group (BCG) puts it:

    Risk and compliance can no longer operate as narrow specialties. They must function as enterprise capabilities - embedded in strategy, linked across functions, and owned by leadership as a whole [2].

    Integrating risk into strategic planning and everyday decision-making at the executive level is essential.

    Practical actions can help bring this vision to life. For example, reverse stress testing can help leaders understand scenarios that might jeopardize the organization’s solvency, turning abstract risks into something more tangible [2]. Encouraging a culture of "devil’s advocacy", where the risk team challenges groupthink and offers alternative perspectives during strategic discussions, can also make a big difference [8]. Finally, modernizing training programs to include digital tools and agile management techniques will help bridge the gap between traditional and contemporary risk needs [6].

    Challenge 2: Expertise Gaps and Talent Shortages

    Where the Skills Gap Exists

    The financial services industry is grappling with a shortage of qualified ERM (Enterprise Risk Management) professionals. But it’s not just about finding people - it’s about finding the right people with the right skills. Traditionally, risk management focused on credit and market exposures. Now, the game has changed. The risks are broader, spanning geopolitics, regulatory shifts, digital transformation, cyber threats, artificial intelligence, and sustainability [2]. The pace of innovation is outstripping the workforce’s ability to adapt.

    Consider this: only 30% of leaders feel their teams are "extremely well equipped" to handle risks tied to new technologies [10]. The rapid advancements in AI alone are challenging current oversight and control mechanisms [2]. At the same time, 90% of senior risk leaders say boosting knowledge in non-financial risks - such as cyber resilience and operational stability - is a critical priority [10].

    But it’s not just technical expertise that’s missing. There’s a shortage of professionals who can think holistically, connecting insights across different areas. Historically, risk management has operated in silos, with specialists focusing narrowly on their domains. This fragmented approach makes it difficult to see the full picture [2][4]. To put it in perspective, only 36% of financial institutions have more than five employees dedicated to ERM, compared to 53% of firms in other industries that manage with one or fewer [5].

    Closing this skills gap is crucial for building a truly integrated ERM framework.

    Training Solutions for ERM Success

    Just like cultural challenges, a lack of skilled talent can undermine the effectiveness of enterprise-wide risk management. Tackling this shortage is just as critical as breaking down cultural barriers.

    One solution? Redeploy and upskill your current workforce. Boston Consulting Group highlights this shift:

    Talent once focused on credit and market exposures is being redeployed into technology and AI, bringing analytical discipline to domains that now sit at the center of institutional stability [2].

    The numbers back this up. 88% of financial institutions are actively strengthening skills across multiple areas [10]. The goal? To develop "risk athletes" - professionals who can break out of silos, align with broader business strategies, and manage both financial and non-financial risks [10]. Organizations are also shifting to proactive talent strategies, with 56% now describing their approach as forward-thinking rather than reactive [10].

    Leadership training is another key piece of the puzzle. Programs like Tech Leaders (https://technical-leaders.com) offer tailored training for technical professionals, focusing on leadership and business strategy. These programs help bridge the gap between technical expertise and strategic execution, empowering professionals to lead enterprise-wide risk initiatives in today’s AI-driven landscape.

    Practical training methods are also gaining traction. Reverse stress testing, for example, allows teams to identify combinations of pressures that could threaten solvency, turning theoretical risks into actionable insights [2]. Case-based learning is another effective tool, using real-world scenarios to teach professionals how to scale and adapt ERM principles [9]. Additionally, companies are moving beyond static compliance training, adopting AI-enabled, risk-tiered surveillance training to strengthen operational resilience [2].

    Challenge 3: Regulatory and Compliance Complexities

    Current Regulatory Pressures

    Financial institutions are grappling with an avalanche of regulatory demands. Compliance costs for retail and corporate banks have skyrocketed by 60% compared to pre–financial crisis levels. Adding to the strain, data breaches now average a staggering $5.72 million, and violations under GDPR can result in fines as high as €20 million or 4% of global turnover [13]. The regulatory environment is constantly shifting - what meets standards today might fail tomorrow. This leaves organizations navigating a maze of ever-changing norms across jurisdictions, heightened scrutiny, and the looming risk that a single human error could lead to a compliance breach [11].

    Even large compliance teams aren’t immune. Citigroup, for instance, was fined $400 million in 2020 for long-standing deficiencies in enterprise risk management and internal controls, despite employing roughly 30,000 risk and compliance staff [13]. Clearly, size alone doesn’t guarantee a solid compliance foundation.

    The scope of regulatory requirements has also expanded well beyond traditional financial metrics. Institutions now face intricate demands tied to AI and machine learning, ESG reporting, and stringent data privacy laws. For example, the Net-Zero Banking Alliance represents nearly 40% of global banking assets, underscoring the growing focus on ESG [13]. Meanwhile, the European Banking Authority’s 2025 guidelines embed ESG risks into capital and liquidity planning, requiring detailed, time-bound transition plans [2]. In the U.S., the Financial Crimes Enforcement Network’s beneficial ownership rule has significantly increased transparency requirements to bolster anti–money laundering efforts [2].

    Regulators now expect more granular data, thorough documentation, and clear audit trails [12]. This can lead to chaos within organizations as departments scramble to coordinate and prepare the necessary materials [12]. Andrew Hunt from 360factors captures this tension perfectly:

    Compliance might appear to be an impediment for other departments, as while compliance is a need for all departments, it is not the primary aim or target for departments other than risk and compliance [12].

    In this volatile regulatory landscape, proactive and integrated enterprise risk management (ERM) is no longer optional - it’s essential.

    Aligning ERM with Compliance Requirements

    To tackle these growing challenges, ERM frameworks must be both flexible and closely aligned with compliance standards. One way to achieve this is by adopting standardized frameworks like the OCC’s "Corporate and Risk Governance" handbook, COSO, and ISO 31000. These frameworks provide structured approaches to managing risks and enable boards to oversee strategic, compliance, and operational risks effectively - a mandate for all national banks and federal savings associations [11][14][15]. Incorporating technology to automate compliance reporting enhances these frameworks further.

    A real-world example of this approach comes from Sterling Bank and Trust. In July 2023, Senior Vice President and Director of ERM Eleni Willis tackled underwriting deficiencies and violations of federal Bank Secrecy Act/Anti–Money Laundering regulations by moving away from siloed practices. The bank introduced a digital system to integrate risk disciplines, improving communication across the three lines of defense - business units, risk/compliance, and audit. This shift helped address compliance issues more effectively [14].

    Technology is a game-changer in this space. AI-powered automation can streamline onboarding and due diligence processes, reducing resource strain while improving data accuracy. Predictive pre-screening frameworks, bolstered by intelligent analytics, allow institutions to anticipate potential breaches before they occur [2].

    Regular stress testing and comprehensive risk assessments are also critical to keeping ERM frameworks in line with evolving regulatory expectations [11][12]. Reverse stress testing, for example, identifies scenarios that could threaten solvency, turning contingency planning into actionable strategies [2]. For smaller institutions, incremental changes and pilot programs can ease the transition to a full ERM framework while building credibility [11].

    Centralizing risk registers and fostering seamless communication among the three lines of defense on a unified digital platform can transform compliance from a necessary burden into a strategic advantage [14]. As Amanda Cohen, Vice President of GRC Products at Resolver, puts it:

    Risk management isn't just what could go wrong, but it's what opportunities exist within your organization [14].

    Challenge 4: Technology and Data Management Limitations

    How Technology Supports ERM

    Outdated technology can leave financial institutions vulnerable to costly mistakes. Take the example of Citibank in August 2020: a human error, exacerbated by a flawed new software system, led to $900 million being mistakenly wired to Revlon's lenders. The fallout? A $400 million fine and a mandated overhaul of their risk and data governance programs [18].

    The core issue often lies in fragmented systems. When finance, risk management, and front-office operations run on disconnected platforms, it becomes nearly impossible to aggregate credit, liquidity, and market risks effectively. This fragmentation can obscure emerging threats, leaving institutions exposed [16][17]. As Josh Tessaro, Principal Consultant at Workpact, points out:

    When you see one of these news articles that looks like reckless risk-taking, it is almost always due to lack of risk data, process definition and governance [18].

    Manual processes only make matters worse, wasting valuable time and driving up operational costs. Traditional systems often deliver backward-looking reports, meaning risks are identified only after the damage is done [17]. According to a global risk management survey, 80% of respondents anticipate automation becoming a higher priority as companies aim for real-time monitoring [17].

    Modern Enterprise Risk Management (ERM) requires integrated platforms that connect directly with operational data through APIs. This allows for real-time risk surveillance and predictive analytics [17]. Technologies like streaming and event processing enable continuous transaction monitoring, moving away from periodic assessments [16]. Often referred to as IRM+ (Integrated Risk Management Plus), this approach uses AI, machine learning, and natural language processing to generate actionable insights, helping organizations make proactive decisions [17]. These technological gaps highlight the importance of adopting better data management practices.

    Better Data Management Practices

    While technology integration is key, effective ERM also hinges on robust data management. Poor data quality can further weaken ERM frameworks, especially when data remains siloed. In such cases, risk managers often default to using only the data that’s easily accessible, overlooking critical processes due to the difficulty of obtaining the necessary information. As Josh Tessaro explains:

    Risk managers often then settle for the data they have that is easily accessible, ignoring critical processes because the data is hard to get [18].

    This lack of transparency creates dangerous blind spots. Lyle Stewart, Managing Director at Infina LLC, sums it up:

    The biggest challenge is when you have a risk that nobody is aware of [3].

    Breaking down these silos requires a unified data model that connects all organizational systems [17]. Regulatory frameworks like Basel III now demand this integration. For instance, credit risk teams must collaborate with liquidity and treasury units since liquidity ratio calculations depend on data inputs from both [20]. A centralized data repository, or "datamart", consolidates risk and finance data, making it possible to meet complex requirements like enterprise-wide stress testing [20].

    Embedding strong data governance within ERM processes is critical. This involves implementing a Data Risk Management (DRM) framework with six core components: policy and accountability, risk identification, data testing and validation, issue management, monitoring and reporting, and training [19]. Capturing detailed, transactional data further enables real-time risk monitoring [20].

    Moving away from static spreadsheets to integrated Governance, Risk, and Compliance (GRC) platforms can automate controls testing and monitoring. This not only reduces technical debt but also improves data accuracy [17]. Self-service visualization tools empower business users to analyze data directly, eliminating the need for constant manual data transfers between teams [16]. Charles Stewart, Senior Director at Moody's Analytics, underscores the importance of accurate data:

    No investment in solutions to these pressures will work without good data... the ERM framework [must] be underpinned by increasingly accurate, relevant and timely data [20].

    Challenge 5: Breaking Down Silos for Better Integration

    How Silos Affect Risk Management

    When compliance, IT, and finance teams operate independently, critical information gets trapped within individual departments. This fragmented structure prevents organizations from gaining a full, enterprise-wide view of risks and obscures potential cross-functional threats [4]. For example, a 2010 evaluation of a major financial regulator revealed that much of the risk data was managed separately by different divisions, which made it nearly impossible to understand the organization’s overall exposure.

    Using different tools, taxonomies, and metrics across departments leads to inconsistent risk assessments. Even small missteps can escalate into larger, organization-wide problems. These issues highlight the importance of a unified strategy - one that aligns with earlier discussions on technology and data management.

    Take the FDIC’s efforts as a case in point. The agency attempted to address silos by creating dedicated risk management offices and later consolidating them under a single branch. However, a 2020 review showed that silos still persisted, emphasizing the need for clearly defined, enterprise-level risk priorities [4].

    Creating Cross-Functional Governance

    To tackle the challenges created by silos, organizations need to adopt cross-functional governance models. Drawing from earlier insights on managing cultural and technological risks, integrated governance can effectively address the isolating effects of departmental silos.

    This shift requires moving away from rigid, siloed structures and toward agile, cross-functional teams [6]. Gerold Grasshoff and his colleagues at Boston Consulting Group highlight the importance of this transformation:

    Risk and compliance can no longer operate as narrow specialties. They must function as enterprise capabilities - embedded in strategy, linked across functions, and owned by leadership as a whole [2].

    One way to achieve this is by establishing a centralized governance hub, such as a Risk Management Council or a central risk committee, to coordinate risk-related activities across all departments. However, coordination alone won’t solve the problem. Organizations also need to develop a shared risk language and standardize terminology, ensuring everyone operates from the same playbook. This includes formalizing meeting documentation, such as detailed minutes, and clearly defining how different risk committees interact to prevent information gaps [4].

    Technology plays a key role in this transformation. Integrated regtech platforms and compliance control towers can align global policies and eliminate redundant efforts across regions [2]. Some institutions are even replacing manual onboarding processes with continuous, AI-driven due diligence to maintain seamless integration of compliance data [2]. Ultimately, embedding Enterprise Risk Management (ERM) into strategic planning, budgeting, and performance management is critical. ERM should not be treated as a standalone compliance task but as an integral part of the organization’s core operations [1].

    The table below highlights the differences between siloed and integrated ERM approaches, showcasing the advantages of full integration.

    Comparison Table: Siloed vs. Integrated ERM

    | Feature             | Siloed ERM Approach                                            | Integrated ERM Approach                                                  |
    |---------------------|----------------------------------------------------------------|--------------------------------------------------------------------------|
    | Risk Visibility     | Limited view confined to individual departments                | Comprehensive, enterprise-wide view of interconnected risks              |
    | Mitigation Speed    | Reactive, addressing issues only after they arise              | Proactive and agile, enabling quick decision-making                      |
    | Cost Efficiency     | Inefficient due to duplicated efforts and static processes     | Streamlined through harmonized policies and automated compliance         |
    | Data Management     | Disjointed, with data siloed in separate systems               | Unified data environment with shared access and strong oversight         |
    | Strategic Alignment | Risk management operates in isolation from strategic planning  | Risk considerations fully integrated into strategic planning and execution |

    Conclusion: Addressing ERM Challenges in Financial Services

    Key Takeaways

    The challenges and solutions outlined here provide a clear path for effective enterprise risk management (ERM) in financial services. Successfully implementing ERM requires addressing five key obstacles: resistance to change, talent shortages, regulatory complexity, technology gaps, and departmental silos. The way forward demands a technology-centered and collaborative mindset, treating risk management as a core enterprise capability rather than a mere compliance task.

    Building a risk-aware culture is essential. Shared leadership in risk decisions and a unified risk language across departments can establish what experts call a "single version of the truth" [1]. This shared foundation improves communication and speeds up decision-making when risks arise.

    Leverage AI-powered tools to stay ahead of threats. For instance, one global bank used machine learning to reduce a 96% false-positive rate in its anti-money laundering detection, saving 35,000 investigative hours [21]. Automating these processes not only conserves resources but also allows teams to focus on more strategic risk priorities.

    Cross-functional governance plays a pivotal role. As previously discussed, breaking down silos and fostering collaboration through agile, cross-functional teams is essential. Integrated regtech platforms can streamline policies across regions, reducing duplication and improving efficiency [2].

    Final Thoughts

    These strategies lay the foundation for long-term resilience. Embedding risk management into decision-making processes ensures that ERM not only protects assets but also supports sustainable growth in an increasingly complex landscape. With 54% of financial institutions already running fully integrated ERM programs [5], those that fail to adapt risk falling behind both financially and competitively. Success will favor organizations that integrate risk management into their strategic goals, invest in advanced technology, and cultivate talent capable of thinking beyond traditional boundaries. While inaction amplifies vulnerabilities, proactive steps offer the chance to build stronger, more resilient institutions [10].

    FAQs

    Why do financial institutions hesitate to adopt Enterprise Risk Management (ERM) frameworks?

    Financial institutions often face hurdles when considering the adoption of Enterprise Risk Management (ERM) frameworks. One major issue is the perception that ERM doesn't deliver immediate, tangible benefits. This mindset can push executives to focus on other priorities, leaving risk management underfunded and under-resourced.

    Another challenge lies in the significant organizational changes ERM demands. Implementing it often requires overhauling long-standing policies, procedures, and even the company culture. Understandably, such shifts can meet resistance - whether deliberate or unconscious - which can slow progress or even halt the initiative. On top of that, many institutions lack the necessary expertise, such as a dedicated chief risk officer or skilled risk managers, to effectively lead and sustain the program.

    Adding to the complexity is the constantly evolving regulatory landscape. Financial institutions often find it difficult to align their ERM frameworks with compliance requirements without incurring high costs. This further dampens enthusiasm for adopting ERM.

    What can financial institutions do to address the shortage of skilled ERM professionals?

    To address the shortage of skilled ERM professionals, financial institutions can prioritize growing talent from within by upskilling their current workforce. Experts emphasize the need to focus on building key skills like data analytics, AI literacy, and agile risk governance to navigate the changing risk environment effectively. Structured learning initiatives and cross-functional training programs can play a big role in closing these skill gaps.

    Incorporating generative AI into workflows can also boost efficiency by automating repetitive tasks like risk analysis and reporting. This allows smaller teams to take on more responsibilities without being overwhelmed. Partnering with specialized training organizations such as Tech Leaders, which provides courses in areas like engineering leadership and AI-driven business strategy, can further equip ERM professionals with the modern skills they need. By blending internal talent development, AI-driven tools, and collaboration across departments, financial institutions can craft a lasting solution to this talent shortage.

    How does technology improve Enterprise Risk Management (ERM) in financial services?

    Technology is reshaping Enterprise Risk Management (ERM), shifting it from a manual, compliance-heavy task to a proactive, data-driven strategy. Modern tools bring together data from trading, compliance, cybersecurity, and operations into a single, real-time dashboard. This gives financial institutions the ability to quickly spot risks and gauge their potential impact.

    Technologies like artificial intelligence (AI) and machine learning (ML) take risk detection to the next level. They can identify unusual patterns, forecast potential losses, and even suggest ways to mitigate risks. This not only speeds up decision-making but also moves institutions away from outdated spreadsheet-based methods.

    Cloud-based platforms add another layer of flexibility by allowing banks to adjust governance frameworks and risk thresholds in response to changing market conditions. Tools for simulations and scenario analysis help leaders explore "what-if" scenarios - like cyberattacks or economic disruptions - and prepare for the potential fallout. By centralizing risk data, technology transforms risk management into a strategic asset, boosting accuracy, transparency, and compliance with regulations.
