Discover how banks use operational risk management to boost resilience, stay compliant and thrive in a digital landscape.


In brief

  • Operational resilience is now a strategic priority as banks face increasing regulatory demands to manage disruptions, cyber risks and data threats.
  • Digital transformation and AI are reshaping risk management, enabling automation, real-time monitoring and predictive insights for proactive resilience.
  • ServiceNow Governance, Risk and Compliance (GRC) implementation in Malaysia demonstrates how integrated frameworks enhance governance, strengthen oversight and support long-term sustainability.

Chapter 1

When risk strikes, preparedness matters.

Operational risk emerges as the cornerstone of trust and resilience in today’s financial sector.

Operational risk is no longer a back-office concern — it’s front and center for financial institutions navigating cyber threats, tighter regulations and mounting complexity. Unlike credit or market risk, operational failures can halt services, erode trust and damage reputations overnight.

That’s why operational resilience has become a strategic imperative. Banks must not only respond to disruptions but anticipate and absorb them — keeping critical services running and customer confidence intact.

The message from industry leaders is clear. Recent findings from EY and the Institute of International Finance (IIF) reveal a growing recognition among chief risk officers (CROs) on the need to enhance operational resilience, particularly in response to cybersecurity, data and regulatory risks.

Notably, 38% of CROs expect operational resilience to be the second most significant issue after cybersecurity.

Operational resilience is increasingly being integrated into the broader risk management frameworks of financial institutions, reflecting a shift from reactive recovery to proactive preparedness. Regulators now expect firms to maintain robust strategies that ensure the continuity of critical services during times of disruption, whether caused by internal failures or external shocks.

The distinction is subtle but powerful — risk management identifies vulnerabilities; resilience ensures institutions can withstand and adapt to them. Together, they form the foundation of a stronger, more sustainable financial system.

Chapter 2

Digital-first banks turn risk into insight

Financial institutions must modernize operational risk management through automation and artificial intelligence (AI) to enhance resilience and proactively address emerging threats.

Manual processes cannot keep pace with today’s digital-first banking landscape. To stay ahead, banks must embed automation, real-time monitoring and predictive insights into their risk frameworks — shifting from reactive controls to proactive resilience.

Digital resilience isn’t just about technological upgrades; it’s about rethinking how risk is managed. By centralizing dashboards, automating controls and applying continuous monitoring, banks gain the agility to respond faster and smarter to disruption.

Banking executives increasingly recognize the transformative power of artificial intelligence, with more CROs applying AI across various aspects of risk management. According to the “EY and Institute of International Finance Bank Risk Management Survey,” CROs acknowledge the growing impact of AI in their transformation and innovation plans, relying on it to generate insights and streamline routine tasks.

Unsurprisingly, the top three use cases within risk management today are related to data analysis, automation of operational tasks and document analysis. Insights from the survey reveal that CROs looking to instill operational agility should consider the following strategic and transformation actions.

The direction is clear — banks that embed AI and digital tools into risk management aren’t just meeting regulatory expectations, they’re future-proofing operations, strengthening governance and building sustainable growth.

Those who move first will do more than manage risk. They will earn trust, safeguard resilience and lead in a digitally-enabled financial ecosystem.

Chapter 3

Turning compliance into competitive advantage

EY helps banks in Malaysia harness ServiceNow GRC to break silos, drive automation and transform compliance into a catalyst for smarter, resilient risk management.

Over the past year, the EY organization has collaborated with multiple banks across Malaysia, from large regional banks to digital banks, to implement the ServiceNow GRC module. Whilst the operating environment and business models differ between banks, the foundation for success remains consistent:

 

Collaboration with experienced partners 

Operational risk is constantly evolving and working with the right partner reduces implementation risks. EY’s depth of experience helps us to anticipate challenges, adapt to industry nuances and accelerate time-to-value.

Compliance with regulatory requirements

It is crucial to anchor the ServiceNow GRC implementation in local and relevant regulatory requirements, so that banks remain fully compliant while maintaining the flexibility to adapt to future regulatory developments. This structured alignment enables banks to proactively manage regulatory changes and sustain confidence in their governance practices. 

Data-driven risk management

A data-driven approach empowers banks to harness existing information effectively while remaining agile in response to emerging risks, evolving regulations and technological advancements. By leveraging analytics, structured reporting and predictive insights, banks can make informed decisions and enhance their risk mitigation capabilities. 

By embedding these success factors into ServiceNow GRC implementation, EY teams have helped banks break down silos and move to an integrated and automated environment to strengthen their risk management and governance capabilities.

Chapter 4

Resilience in action

Real-world collaboration with Malaysian banks highlights how digital risk management through ServiceNow GRC enhances resilience, streamlines processes and fosters compliance.

Case study #1: Local digital bank - transforming operational risk management

EY teams have embarked on a transformative engagement with a local digital bank, to strengthen its operational risk management capabilities. Operational risk is becoming a critical concern in the financial industry, driven by stricter regulations, growing third-party dependencies and the complexities of scaling digital services. Digital banks now face an urgent need to embed integrated risk management at the core of their operations.

As a digital bank facing a steep curve toward compliance governance, the bank encountered significant challenges in establishing effective risk management, primarily due to its reliance on manual tracking methods. This affected the accuracy and timeliness of risk records, creating inefficiencies in risk identification, delaying reporting and ultimately impacting the bank’s ability to secure long-term sustainability.

EY in Malaysia collaborated with the bank to map business processes and operational requirements to ServiceNow GRC workflows. This involved defining data structures, user roles and approval paths, in line with the bank’s governance and practices. Based on these requirements, the bank, working with EY, established a platform to support end-to-end lifecycle activities, including loss event data (LED), risk and control self-assessment (RCSA), key risk indicator (KRI) and key control testing (KCT) execution for operational and IT risk and third-party risk management (TPRM).

These improvements have strengthened risk oversight, supporting management and the Board with timely, data-driven insights, ultimately enhancing operational resilience and supporting the bank’s long-term strategic goals.

Key achievements:

  • Regulatory compliance: Achieved compliance readiness ahead of regulatory deadlines, bolstering audit confidence.
  • Consistent processes: Established uniform risk assessment processes across risk event reporting, risk and control self-assessment (RCSA) and third-party risk management (TPRM).
  • Centralized data: Developed a single, centralized source of risk data, enhancing cross-department collaboration.
  • Efficiency improvement: Reduced manual reporting time and minimized reporting errors, streamlining operations.

Case study #2: Large regional banking group – enhancing operational resilience

In collaboration with EY, a large regional bank has embarked on a multi-phase implementation of ServiceNow GRC’s operational risk management module to strengthen their operational resilience. This multi-phase implementation approach gives business units time to adopt, test and optimize each operational risk management module prior to full deployment.

To meet the growing demands and complexity of its operational risk landscape, the bank transitioned to ServiceNow GRC as their legacy risk management system was no longer able to cater for their continued regional expansion as well as heightened regulatory expectations.

Given the bank’s diverse regional footprint, which includes distinct processes across different countries, consolidation and standardization of processes at the group level became essential. Guided by EY’s technology experience, the transition to ServiceNow GRC enables the bank to adopt a more integrated, centralized and automated approach to risk management, offering greater flexibility, real-time visibility and the ability to manage complex operational scenarios across multiple entities and jurisdictions.

The implementation of ServiceNow GRC has delivered measurable improvements in efficiency, governance and risk oversight.

Key achievements:

  • Centralized risk management: Established a single source of truth for operational and compliance risks, enhancing data consistency.
  • Real-time insights: The platform enables customizable reporting and real-time risk identification, empowering proactive decision-making.

A key achievement is the establishment of a single source of truth across all regions and departments, facilitating the integration of stakeholders into a centralized, user-configurable risk management platform. This consolidated view of operational and compliance risks enhances data consistency, traceability and transparency.

Additionally, ServiceNow GRC allows for user-configurable scoring, notification capabilities, issue management and real-time insights, empowering risk owners to take ownership and control and to make key decisions proactively. Covering the end-to-end risk lifecycle, the system supports customizable real-time integrated reporting, audit trails and automated workflows to streamline risk management and facilitate internal and regulatory compliance.

The platform also enables real-time aggregation and analysis of risks using advanced analytics and AI/ML, with interactive dashboards and drill-down capabilities for detailed risk data. This supports the bank in performing real-time risk identification and leveraging AI-powered insights to improve visibility and responsiveness.

Overall, this implementation has strengthened the bank’s ability to manage operational risk in a more data-driven, integrated and scalable manner. The implementation has been enabled by EY’s strategic support, ensuring a fit-for-purpose platform that aligns with risk management aspirations, meets regulatory expectations and drives broader business outcomes.

Case study #3: Local cooperative bank – building a comprehensive risk framework

The local cooperative bank has initiated its implementation of ServiceNow GRC with the primary goal of establishing a comprehensive risk library, focusing on technology risk. With EY’s guidance, the bank has implemented a structured framework to strengthen oversight, standardize processes and create a single source of truth for risk-related activities, enabling proactive management of technology risks while aligning with regulatory and governance requirements.

The implementation covers key risk components critical for effective risk governance. EY teams supported the bank in deploying ServiceNow GRC’s risk and compliance module to consolidate scattered policies into a central repository, facilitating clear linkages between policies, entities and controls, while introducing compliance scoring for each policy.

Key achievements:

  • Standardized processes: EY teams helped consolidate policies into a central repository, improving oversight and compliance.
  • Integrated framework: The implementation transformed fragmented oversight into a cohesive, data-driven risk management approach.

Furthermore, EY teams collaborated with the bank to establish a robust risk framework, including risk statements, risk assessment methodologies, risk and control self-assessment (RCSA), key risk indicators (KRIs) and key control testing (KCT).

Together, these capabilities have transformed fragmented oversight into an integrated and data-driven framework, enhancing the bank’s ability to manage technology risks effectively.

Summary

Banks are increasingly prioritizing operational resilience to navigate a complex and evolving landscape. As regulatory pressures mount, they recognize the need for bold transformation in risk management strategies. By embracing digital solutions like ServiceNow GRC, banks can enhance their compliance and governance frameworks while leveraging data-driven insights for informed decision-making. The shift from manual processes to integrated systems not only streamlines operations but also positions banks to proactively address emerging risks, ultimately fostering long-term sustainability and value for stakeholders in an unpredictable environment.
