
Controls Testing: Where Standardization and Automation Start

Risk controls testing and monitoring is moving from a “nice to improve” function to a cost, capacity, and consistency challenge. A recent PwC and ProSight survey suggests most institutions agree on the direction: standardized protocols, supported by automation, are the path to “centralized, updatable, and cost-effective” testing and monitoring.

But the starting point is messy. One respondent said, “We are undertaking an overhaul of our three lines of defense, and our first line of defense does not have a testing protocol currently.” Another noted that even a mature first-line program can still be “very manual,” with “opportunities for automation and efficiency.”

Here are some takeaways:

Get the operating model right first. The report highlights banks’ transition from mostly decentralized testing and monitoring to centralized or hybrid models (hub-and-spoke). Institutions already using centralized or hybrid approaches credit them for efficiency, standardization, and workload sharing. PwC also stresses that clearer roles and responsibilities reduce redundancies and close gaps.

Know that automation is still uncommon. More than 73% of respondents reported no automation, relying on manual processes across the testing and monitoring lifecycle. Some institutions are experimenting with generative AI or watching third-party tools that could automate parts of the workflow, but most banks report selective approval, continued pilots, or minimal use.

Target high-friction steps for early wins. Survey participants pointed to practical use cases that could matter quickly. One compliance leader highlighted “increasing the percentage of controls that are automated and leveraging gen AI to facilitate testing, especially script-based controls.” PwC adds that gen AI-supported applications might help with control validation, sample selection, test script generation, and narrative drafting. For monitoring, AI models might be leveraged for real-time analysis and strategic data collection.

Practical takeaway: If your program is still heavily manual, the report implies a sequencing logic: standardize the methodology and ownership, shift toward centralized or hub-and-spoke execution, then automate targeted steps. The goal is not automation for its own sake, but cleaner data output and reporting, and more flexibility to refine testing and monitoring as risks and regulatory requirements evolve.
