The shift from financial resilience to operational resilience — and what it demands of banking leadership in 2026
A Record Industry Facing a New Class of Risk
By any financial measure, global banking has never been stronger. Between 2019 and 2024, funds intermediated by the global banking system grew by $122 trillion, roughly 40%, driven by growth in the wealth of households and institutions. Banks’ revenues after risk cost reached a record $5.5 trillion in 2024, lifting the sector’s net income to $1.2 trillion, the highest total ever recorded.
Yet the risk landscape that threatens these record earnings has shifted in character. The risks that keep banking CROs awake in 2026 are not primarily financial — they are operational, technological, and systemic in ways that traditional risk frameworks were not designed to address.
According to McKinsey’s operational resilience survey of leading banks in Asia-Pacific and Australia, nearly three-quarters of respondents cite cybersecurity as their top nonfinancial risk. The emergence of digital resilience risks — cybercrime, technology failure, business disruption, third-party dependencies, and data integrity — as the defining risk category of the current cycle represents a fundamental shift in what it means to run a safe bank.
The New Anatomy of Banking Risk
The July 2024 CrowdStrike incident is the most instructive recent case study in operational risk materialising at systemic scale. A single faulty content update to the Falcon endpoint sensor crashed roughly 8.5 million Windows workstations and servers within hours, with an estimated $5.4 billion in damage and costs for Fortune 500 companies; financial institutions were among the most severely affected. Two details matter for practitioners: the update was pushed to all hosts at once rather than in staged rings, and because the sensor runs in the kernel the failure was a boot loop that had to be remediated by hand on each machine rather than rolled back remotely. The incident was not a cyberattack. It was a routine operational dependency, a third-party software update, becoming a catastrophic point of failure.
This is the nature of modern operational risk in banking. The threats are not always adversarial. They are often structural: dependencies on third-party technology providers, concentration in cloud infrastructure, legacy core banking systems that cannot be updated without operational disruption, and data architectures that were not designed for the velocity of regulatory reporting now required.
According to ORX’s Horizon 2025 report, digital resilience risks — cybercrime, technology failure, business disruption, third parties, and data — are now the top five operational risks in banking, displacing the compliance and conduct risks that dominated the post-financial-crisis decade.
Meanwhile, the fraud environment continues to deteriorate. The U.S. Federal Trade Commission reported that consumers lost more than $12.5 billion to fraud in 2024 — a 25% jump over the prior year. The average cost of a data breach now exceeds $6 million per incident, a figure that understates the total cost when regulatory penalties, reputational damage, and customer attrition are included.
The Regulatory Response: Operational Resilience as a Supervisory Priority
Regulators globally have moved from guidance to mandate on operational resilience, creating a new compliance architecture that banks must now embed into their operating models.
The European Union’s Digital Operational Resilience Act (DORA) has applied since 17 January 2025, establishing harmonised requirements for ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management across the EU financial services sector. In Australia, Prudential Standard CPS 230, effective 1 July 2025, sets formal requirements for operational risk management, business continuity (including tolerance levels for disruption to critical operations), and third-party governance.
PwC’s Global Banking Risk Study 2025, drawing on interviews with CROs and risk leaders from 50 institutions worldwide, found that leading banks are targeting more than 50% automation of GRC (governance, risk, and compliance) processes within the next five years — enabling a fundamental redesign of control and assurance models.
This is not compliance for its own sake. It is a recognition that the traditional GRC model — built on manual controls, periodic testing, and reactive incident response — cannot operate at the speed that modern digital risk requires.
AI as Both the Risk and the Solution
Banking’s AI adoption creates a paradox that every CRO must navigate: the same technologies driving operational efficiency are simultaneously introducing new operational risks.
ECB supervisory analysis published in late 2025 identified a recurring weakness in the AI models banks deploy: several banks lack full transparency into the internal workings of some of the models they operate. The ECB noted that such models inherently operate with a degree of autonomy, which can introduce “black box” behaviour into risk-critical decisions.
The regulatory response to this is tightening. Banks are increasingly required to demonstrate explainability — the ability to articulate why an AI model made a specific credit decision, fraud flag, or risk assessment — as a condition of supervisory approval.
Yet the investment case for AI, when properly governed, is strong. The global AI in banking market, valued at $23.6 billion in 2024, is projected to grow to $299 billion by 2033 at a CAGR of 32.6%, driven by AI’s demonstrated impact on fraud detection, risk assessment, and operational efficiency.
McKinsey’s Global Banking Annual Review 2025 identifies two factors that will determine AI’s ultimate impact on banking: the extent to which banks can become fully agentic and radically lower the cost of operations, and the extent to which customers adopt AI to manage their financial affairs.
The banks that invest in agentic compliance infrastructure now — systems that monitor regulatory changes across jurisdictions, automatically update documentation, and flag emerging compliance gaps before they become violations — will carry a structural cost and risk advantage over those building this capability reactively.
What Resilient Banks Are Doing Differently
The institutions that are building genuine operational resilience — not compliance theatre — share four characteristics.
They have redefined resilience from a risk function to an enterprise capability. Operational resilience is not a property of the risk management function. It is a property of the entire operating model. The institutions leading in this dimension have elevated resilience to a board-level strategic priority with dedicated leadership accountability.
They are investing in real-time risk visibility. The shift from periodic risk assessments to continuous monitoring — using AI systems that can process transaction data, operational signals, and external threat intelligence in real time — is the defining capability investment of the current cycle. Banks are moving beyond productivity to reimagine risk processes using GenAI, including next-generation scenario analysis capabilities and digital twins that create operational replicas of the organisation’s processes and controls.
They are stress-testing third-party dependencies, not just internal systems. The CrowdStrike event showed that some of the most dangerous failure points in modern banking are not internal. They are in the network of technology providers, cloud platforms, and data vendors that banks depend on for critical services. Leading banks now conduct regular concentration-risk assessments of their third-party technology stack and maintain documented contingency arrangements for critical provider failure.
They are treating AI governance as a resilience investment. The banks that will avoid the supervisory interventions that AI opacity will inevitably trigger are those building AI governance frameworks now — before the incidents that make them compulsory.
The Leadership Question
McKinsey’s 2025 Banking Review characterises the current moment precisely: “Macro-focused, scale-driven strategies once promised resilience but no longer suffice. Precision is the decisive differentiator, separating leading banks from slow movers.”
The CRO of 2026 is not managing a risk register. They are co-designing an operating model resilient enough to function under conditions of simultaneous financial, technological, and geopolitical stress — while complying with a regulatory framework that is evolving faster than most banks can respond.
The institutions that thrive in this environment will not be those with the largest capital buffers. They will be those with the most adaptive operating models, the most transparent AI governance, and the clearest leadership accountability for operational outcomes.
Quantility AI Perspective: We work with financial services leaders on operational resilience strategy, AI governance frameworks, and risk operating model design. Our approach is outcome-focused: the measure of resilience is not the quality of the framework document, but the organisation’s demonstrated ability to absorb disruption and maintain critical services.