
Is the Nordic market building strong non-financial risk foundations?

Survey insights from 17 Nordic banks on NFR, ESG and AI risk maturity - and what the market is signalling about resilience priorities.


In brief:

  • This survey examines current Nordic banking practices, maturity levels, and emerging challenges in non-financial risk (NFR), ESG and AI risk management.
  • The survey shows a Nordic market that is progressing well in non-financial risk, ESG and AI risk management, but with discrepancies in maturity based on size.
  • Large banks operate broader and more enterprise structured frameworks, while small & medium-sized banks show more consistent but simpler practices.

Across the Nordic banking sector, non-financial risk (NFR) capabilities are evolving at pace, driven by heightened regulatory expectations, accelerating digitalization, and rising exposure to AI-related risk. EY’s survey of 17 Nordic banks highlights a market that is progressing, but with unmistakable differences in maturity between large banks and their small & medium-sized counterparts. While progress is clear, the question remains whether development is occurring fast enough to safeguard resilience in an increasingly complex risk environment.

Nordic banks demonstrate strong fundamentals across cyber, operational resilience, third-party oversight, and digital transformation. Yet beneath the surface, the survey exposes a growing divergence where large banks operate broader and more enterprise structured frameworks, while small and medium-sized banks show more consistent but simpler practices.

Large banks’ expansive operating models naturally demand integrated planning cycles, structured governance layers, and enterprise-wide data and tooling frameworks. These institutions tend to formalize alignment between business strategy and NFR more consistently, embedding risk considerations in operational decision-making, technology enablement, and long-term planning. Their frameworks can absorb and operationalize complex expectations: alignment with global risk taxonomies, AI governance, ESG oversight, and resilience obligations. However, the same complexity creates friction where larger institutions face challenges in harmonizing processes, coordinating between multiple lines of defense, maintaining clear information flow, and ensuring consistent implementation across diverse business areas.

By contrast, small & medium-sized banks often display steadier, more pragmatic execution, leaning on simpler structures with less organizational fragmentation. Their risk processes tend to be easier to operationalize and often benefit from closer connections between the first and second lines. These institutions often show strong adoption of foundational resilience components, well-defined critical functions, and straightforward oversight of operational and compliance risks. Yet their simplicity comes with constraints. Limited resources, narrower tooling capabilities, emerging AI frameworks, and ad hoc ESG structures can leave smaller banks exposed, especially as regulatory expectations tighten across areas like ESG governance, AI risk classification, and scenario-based testing.

These maturity differences extend into specific domains. In non-financial risk alignment, large banks overwhelmingly leverage integrated planning, while small and medium-sized banks depend more on periodic executive reviews or mixed mechanisms. In monitoring, large banks emphasize data, information risk, and third-party oversight, whereas smaller banks prioritize compliance, operational processes, and practical incident management. Operational resilience shows strong foundational adoption across the region, yet significant differences arise in testing frequency, where smaller banks lag in formalized exercises that validate resilience capabilities under stress.

ESG risk governance amplifies these patterns. Large banks have institutionalized ESG oversight with dedicated committees and structured reporting cycles. Smaller banks, while making progress, still rely heavily on informal coordination and are less consistent in integrating ESG risk into decision-making, remuneration, or board-level workflows.

AI risk management, perhaps the most rapidly developing area, reinforces the maturity divide. Large banks show greater advancement in AI-specific controls, model lifecycle management, validation, monitoring, and governance frameworks. Meanwhile, many small & medium-sized banks remain in early development stages, constructing foundational governance layers and adapting general risk frameworks to AI-specific needs. Both groups recognize the urgency of AI governance, but their starting points differ, and with the EU AI Act approaching enforcement, the speed of convergence will matter.

The Nordic region benefits from strong risk culture, high digital readiness, and a strong regulatory environment that rewards early adoption. Yet the survey shows that uneven operational capacity, tooling depth, governance structures, and strategic integration are shaping distinct maturity pathways. Without increased harmonization, these differences risk hardening into systemic disparities, especially as external pressures intensify.

Looking ahead, Nordic banks will need to accelerate development in several areas: strengthening AI risk frameworks, deepening ESG risk oversight, expanding scenario-based resilience testing, progressing toward consistent taxonomies, and tightening strategic alignment between NFR and business priorities. Large banks must continue improving coordination and consistency across their complex organizations, while small & medium-sized banks will need support through tooling, regulatory guidance, and capability uplift to sustain progress at scale.

The Nordic region has long been viewed as a leader in operational resilience, digital transformation, and responsible governance. The survey confirms that the foundations are in place. But it also highlights a pivotal moment: the next stage of NFR maturity will depend on the ability of institutions of all sizes to close structural gaps, accelerate capability building, and embed risk disciplines deeply enough to withstand emerging technological and regulatory demands.

Please find the full report here.

Summary 

The survey shows a Nordic banking market progressing in non-financial risk capabilities but developing unevenly. Large banks are advancing through broad, enterprise-wide frameworks, while small and medium-sized banks demonstrate steadier yet simpler approaches. These structural differences influence how each group manages ESG, AI risk, operational resilience, and strategic alignment. Although strong fundamentals exist across the region, widening maturity gaps risk becoming systemic unless institutions accelerate capability building and strengthen governance. The path forward will require cohesion, consistent frameworks, and continued investment to ensure all banks can meet rising regulatory expectations and withstand emerging risks.
