This report is based on the 2026 ProSight CRO Outlook Survey, which was conducted in August and September of 2025 and prepared in collaboration with Oliver Wyman. Find out more about the survey, including the demographic profile of respondents, here.
In a year defined by economic uncertainty, geopolitical tension, and rapid technological change, chief risk officers are increasingly focused on the intersection of technology, cyber risk, financial crimes, and strategic risk, while maintaining a close focus on financial risk. The 2026 ProSight CRO Outlook Survey, conducted in collaboration with Oliver Wyman, captures insights from more than 140 leading risk practitioners from GSIB, super-regional, regional, and mid-tier banks and illustrates the velocity and interconnectedness of risks. Here are our top three takeaways:
- Technology and Cyber Risk: Seventy-four percent of respondents cited technology and cyber risk as their top risk category. CROs said an increased focus on digitalization and AI gives bad actors more potential entry points into banks and customer accounts, while legacy systems connected to new technologies create potential integration vulnerabilities. One large bank CRO noted that the web of third parties banks rely on for digital banking services is an expanding attack surface for cyber exploits. At the same time, geopolitical risk (cited by 22% of respondents as their top risk) is a key driver of cyber risk, as nation-states attempt to exploit critical infrastructure such as financial services.
- Fraud and Financial Crime (Including Sanctions Risk): While fraud and financial crime was cited by 55% of the respondents as a top-five risk, making it the second-most frequently identified risk category, survey respondents emphasized that it does not exist in isolation, and can interact with cyber risk, AI, and geopolitical risk. Cyber exploits such as phishing, deepfakes, and ransomware enable fraud, while geopolitical tensions drive state-sponsored cyberattacks and sanctions risk. A large bank CRO stated that the combination of cyber, AI, and digital assets will accelerate the proliferation of fraud.
- Use of AI at Financial Institutions: While CROs have been taking a cautious approach to AI, they are transitioning from running many different pilots to adopting the proven use cases in production. This year’s survey deep dive on AI found that 54% of banks have adopted it in production, with 48% expecting to have AI deployed in risk in the next two years. Leading risk use cases include report generation, anti-financial crime automation, quality assurance/quality control, and emerging risk identification. A key challenge for CROs in enabling more advanced AI use cases is the nascence of their AI risk frameworks. For example, only 12% of respondents described their AI governance and approvals framework as “highly developed.”
The survey also highlighted concerns about wholesale (C&I and CRE) credit risk. About a third of respondents cited wholesale credit as a top risk today, and 46% said the possibility of a recession was a top emerging risk—up from 27% in last year’s survey. Credit worries were illustrated recently by the First Brands and Tricolor bankruptcies, tapping into fears about rising credit risk and roiling markets amid continuing macroeconomic and geopolitical uncertainty. Uncertainty also persists in struggling CRE sectors like multi-family and office, where heightened refinancing risk is a fact of life for loans originated during the previous low-interest rate period. Meanwhile, the increased focus on potential core disruption to the banking model from AI, stablecoins, and other non-bank entrants to the market was captured in the selection of strategic risk as a top-three current risk—and as far and away the biggest emerging risk.
Survey Background
The 2026 ProSight CRO Outlook Survey was conducted at a pivotal time for chief risk officers in the financial services industry. As rapidly advancing technology and the potential for deregulation promise a historic opportunity for innovation, they also unleash numerous and novel risks that demand heightened energy and attention. Meanwhile, cybersecurity and fraud threats are being supercharged by AI, and recession fears are rising. With this in mind, this survey report provides vital details on the top current and emerging risks named by CROs, their macro- economic outlook, the regulatory landscape, the evolving use of AI at banks, and risk budgeting. It is informed by the responses of 142 risk leaders who took the survey—conducted in August and September of 2025 by ProSight in collaboration with Oliver Wyman—and by companion interviews with 10 chief risk officers. The most pressing risks and strategic shifts affecting CROs today are covered in the following sections:
- Top Current and Emerging Risks: Cyber and Technology Risk Still Rising—and Helping to Fuel Fraud
- The Macroeconomic Outlook: On the Lookout for a Downturn
- The Regulatory Landscape: In a Time of Change, a Similar Approach to Risk Culture
- Artificial Intelligence: Advancing From Pilots to Production
- Risk Function Budgeting: Banks Are Putting Their Money Where Their Top Risks Are
Top Current and Emerging Risks
Cyber and Technology Risk Still Rising—and Helping to Fuel Fraud
About three-quarters of respondents said cyber- and technology-related risk was among their top five risks, making it the top risk cited in the survey, as shown in Figure 1. Additionally, cyber and technology risk placed No. 2 on the list of top emerging risks (areas most likely to be or remain top risks over the next two years). One large bank CRO noted that the web of third parties banks rely on for digital banking services is an expanding attack area for cyber exploits. If a third party is compromised, the CRO said, banks may need to disconnect so the infection does not spread to the financial institution. Given these threats, it comes as little surprise that a substantial number of CROs are focusing on operational resiliency, with about a quarter identifying it as a top risk.
Fraud and financial crime ranked No. 2 on the list of top risks, named by 55% of respondents. A regional bank CRO said more detection resources and better internal communication could help flag more potential scams—and noted the tension between stopping fraud and the desire to make funds available to customers quickly and conveniently. While some old school exploits like check fraud remain common, a large bank CRO sounded the alarm about AI-assisted scams and a growing frontier for fraud: cryptocurrency. “If you combine cyber, AI, and what will happen in the coin space, you will see a faster proliferation of fraud,” the CRO said. “The threat actors are going to be able to move more nimbly than the governance.” The same CRO said a fraudster had sent an email purporting to be from him to a client, advising the client to move money from an account. The fraud attempt was detected, but the message “read like an email I would send,” the CRO said. “It was near flawless.”
In a separate question, nearly a third of respondents (32%) said the possibility that AI could be used to perpetrate fraud was a top AI-related risk to their institution. With technology like AI-enabled deepfakes making exploits more difficult to detect, even more vigilance is needed in fighting fraud.
Figure 1. Top risks include technology and cyber risk, fraud/financial crime risk, and strategic risk
Issues around the operating model (including cost efficiencies, talent, and change management) tied for No. 3 on the top risks list, noted by 42% of respondents. One large bank CRO said talent in risk management is a particular concern going forward. “I believe the way we manage risk today will fundamentally change by 2029,” the CRO said. “Considering how dynamically differently we have to manage the risk, we are nibbling around the edge. You have to completely rebuild your risk framework.” Some CROs also noted that managing change is always part of a risk leader’s job. As one community bank CRO pointed out in a panel discussion about the survey at the ProSight Risk, Compliance & Fraud Annual Virtual Conference, “CRO also stands for ‘change risk officer.’”
Strategic risk and digital disruption to the business model (including the potential impact of AI) also tied for No. 3 among current risks—and was the clear No. 1 emerging risk. This ranking aligns with CROs’ increasing focus on digital-asset initiatives and AI deployment. CROs said they are carefully monitoring developments that could fundamentally challenge the business of their institutions, which, in addition to AI, include the rise of non-banks, private credit, and digital assets.
In terms of emerging risks, CROs also recognize a need to be ready for low-likelihood but potentially high-impact events. “We are spending more time on what-ifs,” one large bank CRO said. In interviews, CROs also touched on a theme from last year’s survey: the speed of risk. They said that in a post-Silicon Valley Bank world, banks must be ready to respond to the rapid spread of information and its ability to quickly alter market and stakeholder perception of financial institutions. Their comments were borne out a few weeks later when reports of potential borrower fraud at a handful of banks roiled markets.
The Macroeconomic Outlook
On the Lookout for a Downturn
The outlook for next year’s macroeconomic environment, for some, is marked by uncertainty: Thirty-nine percent of respondents said they are less certain about their economic forecasts than at any time since the pandemic. Meanwhile, 46% said the potential for a recession was a top emerging risk, up from 27% last year and putting the category at No. 3 on the emerging risks list.
Related to a potential recession, a major macroeconomic theme of 2025 has been the increasing frequency and impact of geopolitical events. About half of risk leaders (49%) agreed with the statement: “Geopolitical events (e.g., conflicts, trade wars) will significantly increase our organization’s risk profile over the next year.” In interviews, though, some large bank CROs said that tariffs, so far, had not taken a measurable toll on overall risk and credit profiles. “We haven’t really seen an impact in our credit loss numbers,” one said, although the institution “continues to stress test for impacts on the wholesale side, mostly for tariff impacts.” The geopolitical scene is among the reasons for a cautious sentiment toward credit: Wholesale credit, taking in commercial real estate and commercial and industrial loans, ranked No. 5 among top risks (34%) and No. 8 (24%) among emerging risks.
A CRO interviewed for this report expressed confidence that, if a recession does come soon, many banks will be prepared. “All banks including us have learned a lot from past recessions” and have improved underwriting criteria and collateral requirements. “Many things that got banks in trouble in the Great Recession have been shored up today,” the CRO said.
The Regulatory Landscape
In a Time of Change, a Similar Approach to Risk Culture
Several respondents said that the tone from their regulators and examiners did not yet fully reflect changes in direction signaled by supervisory agency leaders. This has been observed both in the number of 2025 supervisory findings that banks have received compared to the same point in 2024—it has stayed the same or increased for two-thirds of respondents—and in the exam process. (See Figure 2.)
Figure 2. Amid a decrease in supervisory findings, respondents expect an increase in regulatory oversight of cybersecurity and AI risks.
Looking ahead, roughly equal percentages of respondents expect regulatory scrutiny to increase somewhat, stay about the same, or decrease somewhat in the next year. As for regulatory focus, respondents were most likely to say they anticipate increases in the areas of cybersecurity risk (49%) and governance/controls related to AI (45%).
In interviews and text responses to the survey, some CROs said they and their teams had not detected much change to examinations. But others observed a new approach that did match the tone from the top of the agencies, marked by a shift in attention toward more tangible risks (such as liquidity) and away from less tangible ones (such as reputation risk and ESG risk).
In interviews, many CROs emphasized that any relaxation in regulation will not prompt them to dial back their risk programs. If anything, they said, a time when certain guardrails may be removed—boosting both risks and opportunities—is a time to reinforce a strong risk culture. “Even if regulation might be easing in the future, it doesn’t mean we are going to get lax in our risk management,” one large bank CRO said, adding that “strong risk management helps you grow.”
Artificial Intelligence
Advancing from Pilots to Production
On AI deployment, banks have largely been playing the waiting game, monitoring early adopters for proven impact and value creation. A small subset of respondents (16%) said their institution seeks a position on the leading edge, while the majority (53%) say they prefer to be “fast followers.”
The shift to larger-scale adoption is starting to pick up speed. At this point, a majority of respondents have adopted AI in production (54%). For the risk function specifically, it is clear that AI will be part of the future. About half of respondents (48%) are working to deploy it in risk over the next one to two years to improve their processes—primarily in report generation, anti-financial crime automation, quality assurance/quality control, and emerging risk identification.
While the journey to AI scale is underway, significant constraints are slowing the pace. Survey respondents said the most common reasons their AI projects are held back are limited staff capabilities and training (30%), the quality and availability of suitable data (27%), and the immaturity of their risk management framework (26%), as shown in Figure 3.
Figure 3. AI adoption is most often held back by staff limitations, data quality, and immature controls over AI risk management
CROs are developing AI governance frameworks to support more complex AI implementations bank-wide, but are still in the early stages. For example, only 12% of respondents described their AI governance and approvals framework as “highly developed”—including 10% from banks smaller than $50 billion in assets and 17% from bigger banks. (See Figure 4).
Figure 4. AI governance at larger banks is likely to be more developed than at smaller bank
“We want to make sure everyone in the company understands the risks that may be present in using AI and not doing it blindly, ensuring there is a human in the loop,” one large bank CRO said. That mapped to the survey’s finding that about half of respondents consider the use of AI without adequate verification to be a top AI-related risk to their organization.
Risk Function Budgeting
Banks Are Putting Their Money Where Their Risks Are
With the banking industry under significant cost pressure, CROs are in parallel being challenged to manage more complex risks and aggressive actors. This balancing act has led to a range of outcomes for future risk budgets. While 37% of respondents overall expect their risk budget to increase by more than 5% annually, smaller banks are increasing their risk budgets at a greater rate. Half of respondents at banks below $50 billion expect risk budgets to grow faster than 5% each year, compared to one-fifth of respondents at banks greater than $50 billion.
When it comes to risk budgeting and projects, responding institutions are—not surprisingly—putting their money when their top risks are. Across discrete risk types, respondents were most likely to foresee budget increases of 5% or more focused on cyber/technology risk (47%) and compliance/financial crimes (38%), as shown in Figure 5.
Figure 5. Banks were most likely to have increased their risk budgets by 5% or more in the area of cyber/technology risk
Closing Thoughts
As technology reshapes the financial services landscape, CROs are at the forefront of both innovation and defense. The rise of AI, digital assets, and increasingly sophisticated cyber and fraud threats demands new levels of agility and technical fluency. In fact, within a few short years, these forces may transform the way risk is managed. In the meantime, the potential for a long-anticipated recession looms larger for risk leaders, with geopolitical events and a weakening credit market as potential tipping points. In the face of these and other factors, chief risk officers—or “change risk officers,” if you will—are eager to reap the benefits of advancements that strengthen their risk functions, paving the way for growth at their own institutions and a more robust industry overall.
By Frank Devlin and Sam Knox
About This Report
In August and September 2025, ProSight surveyed chief risk officers and equivalents at financial institutions primarily in the United States and Canada for its annual CRO Outlook Survey. This year’s survey and report were prepared in collaboration with Oliver Wyman.
The CRO Outlook Survey explores the top trends in bank risk management, the most urgent priorities of CROs, and how they plan to address them.
For this year’s report, we received 142 survey responses. Survey respondents’ institutions represent a broad spectrum of sizes, and their primary regulators vary:
% Respondents by Asset Size, USD
- Less than $25 billon – 53%
- $25 billion-$50 billion – 8%
- $50 billion-$100 billion – 9%
- $100 billion-$250 billion – 9%
- $250 billion-$500 billion – 5%
- $500 billion-$1 trillion – 8%
- More than $1 trillion – 8%
% Respondents by Regulator
- U.S Federal Reserve – 33%
- Office of the Comptroller of the Currency – 23%
- Federal Deposit Insurance Corporation – 19%
- Other – 25%
