2026年英国金融服务业首席风险官调研报告

Foreword Risk and compliance leaders across UK Financial Services are operating in an environment definedless by novelty than by intensity. The risks themselves are familiar–cyber, resilience, conduct and technology change–but the pace, interconnectedness and scrutiny surrounding them have materiallyreshaped the Chief Risk Officer (CRO) role. The response has been pragmatic rather than radical.Over the past year, firms have focused on strengtheningfoundations–updating frameworks, enhancing stress testingand refining measurement. Looking ahead, the emphasis Cybersecurity now sits at the centre of the risk agenda,not as a discrete technology issue but as a persistent operationalthreat with real-world consequences. Alongside it, operationalresilience has moved from a regulatory concept to a practical testofexecution. Firms are no longer judged on whether What defines this moment is not the emergence of new risksbut the expectation that existing risks are managed morevisibly, consistently and with greater impact. Boards andregulators increasingly expect risk functions to influencedecisions, not simply oversee process. The challenge for Taken together, the findings point to a CRO agenda shapedless by transformation programmes and more by executionunder pressure. Success will depend on turning frameworksinto lived practice, combining technology with human This is not the future risk function.It is the one already being tested. Teneo’s survey of 40 UK Financial Services CROs during Q42025 shows a function in transition. Core governancestructures and the three lines of defence remain in place, yetconfidence weakens around embeddedness, first-line ownership and the effectiveness of challenge. At the sametime, risk teams are absorbing growing expectations around Matthew FrancisSenior Managing DirectorFinancial Services Risk and Regulation Key Findings Cybersecurity has become the defining enterprise risk for CROs, shifting the focus fromprevention and frameworks to resilience, response and decision-making under pressure Remit and Team Priorities and Emerging Risks35 Risk Function Mandate 85% Beyond the core remit, CRO scope frequentlyextends to adjacent second-line activities.Compliance(73%),financial crime(65%) andregulatory affairs(43%) are commonly included,while areas such asinformation security(20%),data governance(15%) andlegal(15%) sit withinthe CRO remit less consistently, indicating variationin operating models across firms. % of CROs report clearly defined roles andresponsibilities for risk in their organisations. of UK Financial Services CROs citecybersecurityand incident responseas a top priority for 2026.Operational resilience(28%) andrisk culture(25%) also feature prominently, reflecting acontinued focus on protecting critical servicesand strengthening execution. The risk function’s mandate is generally viewed aswell established. Most CROs report that the mandateis clearly documented and well understood within therisk function itself. CROs report high confidence thatthe first line owns risk(88%), withroles andresponsibilities clearly defined(85%). 73% 50% However, the data also highlights persistentweaknesses in the embedding of the three lines ofdefence model, rather than its design. This indicatesa gap between formal definition and day-to-day of CROs report thatsize,capabilityandcapacityof the risk function meets their firm’s needs. cite advanced cyber threats as the leading emergingrisk over the next three years.Economicstagnation(33%) andgeopolitical tensions(33%)form a clear second tier of concern, indicating a 23% CROs are less confident that the3LoD model isconsistently understood by all stakeholders (40%). They are also less confident thatthe secondline has comprehensively mapped and engagedits internal and external stakeholders(25%),which can weaken effective challenge. of CROs have team members who are basedoutside the UK. Key Findings Risk frameworks and operating models are largely in place, but effectiveness increasinglydepends on embeddedness, first-line ownership and real influence on decisions Transformation of Risk Function Talent Technology45 %of firms currently useautomation or advancedanalyticsinincident and breach reporting, Over the past 12 months, CROs have updatedrisk frameworks(48%),enhanced stressandscenario testing(41%) andrefinedrisk measurement(34%). 76Talent and capability remain a strategic priorityfor CROs as risk expectations continue to expand. % of CROs expect to need to recruit additional skillsetsover the next five years to ensure their risk functionshave the right capabilities. 58% 63% The skills in greatest demand are increasingly non-technical. Over the next five years, the most importantcapability for thefirst lineis the ability tounderstandand use information and technology,while for thesecondline,the strongest consensus centres oncommunication, interpersonal leadership and plan to implement risk technology to automate